diff --git a/browser/base/content/aboutaccounts/aboutaccounts.xhtml b/browser/base/content/aboutaccounts/aboutaccounts.xhtml
index 3f46162e84c3..81e4f1273d85 100644
--- a/browser/base/content/aboutaccounts/aboutaccounts.xhtml
+++ b/browser/base/content/aboutaccounts/aboutaccounts.xhtml
@@ -42,7 +42,7 @@
         </header>
 
         <section>
-            <img class="graphic graphic-sync-intro" src="chrome://browser/skin/fxa/sync-illustration.svg#blueFill"/>
+            <img class="graphic graphic-sync-intro" src="chrome://browser/skin/fxa/sync-illustration.svg"/>
 
             <div class="button-row">
               <button id="buttonOpenPrefs" class="button" href="#" tabindex="0">&aboutAccountsConfig.syncPreferences.label;</button>
@@ -56,7 +56,7 @@
         </header>
 
         <section>
-            <img class="graphic graphic-sync-intro" src="chrome://browser/skin/fxa/sync-illustration.svg#blueFill"/>
+            <img class="graphic graphic-sync-intro" src="chrome://browser/skin/fxa/sync-illustration.svg"/>
             <div class="description">&aboutAccountsConfig.description;</div>
 
             <div class="button-row">
@@ -71,7 +71,7 @@
         </header>
 
         <section>
-            <img class="graphic graphic-sync-intro" src="chrome://browser/skin/fxa/sync-illustration.svg#blueFill"/>
+            <img class="graphic graphic-sync-intro" src="chrome://browser/skin/fxa/sync-illustration.svg"/>
             <div class="description">&aboutAccounts.noConnection.description;</div>
 
             <div class="button-row">
@@ -86,7 +86,7 @@
         </header>
 
         <section>
-            <img class="graphic graphic-sync-intro" src="chrome://browser/skin/fxa/sync-illustration.svg#blueFill"/>
+            <img class="graphic graphic-sync-intro" src="chrome://browser/skin/fxa/sync-illustration.svg"/>
             <div class="description">&aboutAccounts.badConfig.description;</div>
 
         </section>
diff --git a/browser/base/content/aboutaccounts/main.css b/browser/base/content/aboutaccounts/main.css
index 2abb60f40d1a..a5d2db9bd57c 100644
--- a/browser/base/content/aboutaccounts/main.css
+++ b/browser/base/content/aboutaccounts/main.css
@@ -118,6 +118,8 @@ header h1
   overflow: hidden;
   text-indent: 100%;
   white-space: nowrap;
+  -moz-context-properties: fill;
+  fill: #bfcbd3;
 }
 
 .description,
diff --git a/browser/base/content/test/general/browser_windowopen_reflows.js b/browser/base/content/test/general/browser_windowopen_reflows.js
index bfb79f6495f6..5cdda1ee6848 100644
--- a/browser/base/content/test/general/browser_windowopen_reflows.js
+++ b/browser/base/content/test/general/browser_windowopen_reflows.js
@@ -19,10 +19,6 @@ const EXPECTED_REFLOWS = [
 
   // Focusing the content area causes a reflow.
   "_delayedStartup@chrome://browser/content/browser.js|",
-
-  // Sometimes sessionstore collects data during this test, which causes a sync reflow
-  // (https://bugzilla.mozilla.org/show_bug.cgi?id=892154 will fix this)
-  "ssi_getWindowDimension@resource:///modules/sessionstore/SessionStore.jsm",
 ];
 
 if (Services.appinfo.OS == "WINNT" || Services.appinfo.OS == "Darwin") {
diff --git a/browser/base/content/urlbarBindings.xml b/browser/base/content/urlbarBindings.xml
index 2254413b7b3b..f5cc953d63c5 100644
--- a/browser/base/content/urlbarBindings.xml
+++ b/browser/base/content/urlbarBindings.xml
@@ -189,9 +189,9 @@ file, You can obtain one at http://mozilla.org/MPL/2.0/.
               }
             }
           } else {
-            let originalUrl = ReaderMode.getOriginalUrl(aValue);
+            let originalUrl = ReaderMode.getOriginalUrlObjectForDisplay(aValue);
             if (originalUrl) {
-              returnValue = originalUrl;
+              returnValue = originalUrl.spec;
             }
           }
 
@@ -825,16 +825,17 @@ file, You can obtain one at http://mozilla.org/MPL/2.0/.
           }
 
           // Avoid copying 'about:reader?url=', and always provide the original URI:
-          let readerOriginalURL = ReaderMode.getOriginalUrl(uri.spec);
-          if (readerOriginalURL) {
-            uri = uriFixup.createFixupURI(readerOriginalURL, Ci.nsIURIFixup.FIXUP_FLAG_NONE);
+          // Reader mode ensures we call createExposableURI itself.
+          let readerStrippedURI = ReaderMode.getOriginalUrlObjectForDisplay(uri.spec);
+          if (readerStrippedURI) {
+            uri = readerStrippedURI;
+          } else {
+            // Only copy exposable URIs
+            try {
+              uri = uriFixup.createExposableURI(uri);
+            } catch (ex) {}
           }
 
-          // Only copy exposable URIs
-          try {
-            uri = uriFixup.createExposableURI(uri);
-          } catch (ex) {}
-
           // If the entire URL is selected, just use the actual loaded URI,
           // unless we want a decoded URI, or it's a data: or javascript: URI,
           // since those are hard to read when encoded.
diff --git a/browser/components/contextualidentity/test/browser/browser.ini b/browser/components/contextualidentity/test/browser/browser.ini
index af7bd6dbafaf..30150bde4c8f 100644
--- a/browser/components/contextualidentity/test/browser/browser.ini
+++ b/browser/components/contextualidentity/test/browser/browser.ini
@@ -12,6 +12,7 @@ support-files =
 [browser_favicon.js]
 [browser_forgetaboutsite.js]
 [browser_forgetAPI_cookie_getCookiesWithOriginAttributes.js]
+[browser_restore_getCookiesWithOriginAttributes.js]
 [browser_forgetAPI_EME_forgetThisSite.js]
 [browser_forgetAPI_quota_clearStoragesForPrincipal.js]
 [browser_newtabButton.js]
diff --git a/browser/components/contextualidentity/test/browser/browser_restore_getCookiesWithOriginAttributes.js b/browser/components/contextualidentity/test/browser/browser_restore_getCookiesWithOriginAttributes.js
new file mode 100644
index 000000000000..35cad08c31c8
--- /dev/null
+++ b/browser/components/contextualidentity/test/browser/browser_restore_getCookiesWithOriginAttributes.js
@@ -0,0 +1,114 @@
+/*
+ * Bug 1334587 - A Test case for checking whether forgetting APIs are working for cookies.
+ */
+
+const { classes: Cc, Constructor: CC, interfaces: Ci, utils: Cu } = Components;
+
+const TEST_HOST = "example.com";
+const TEST_URL = "http://" + TEST_HOST + "/browser/browser/components/contextualidentity/test/browser/";
+
+const USER_CONTEXTS = [
+  "default",
+  "personal",
+  "work"
+];
+
+const DELETE_CONTEXT = 1;
+const COOKIE_NAME = "userContextId";
+
+//
+// Support functions.
+//
+
+function* openTabInUserContext(uri, userContextId) {
+  // Open the tab in the correct userContextId.
+  let tab = gBrowser.addTab(uri, {userContextId});
+
+  // Select tab and make sure its browser is focused.
+  gBrowser.selectedTab = tab;
+  tab.ownerGlobal.focus();
+
+  let browser = gBrowser.getBrowserForTab(tab);
+  yield BrowserTestUtils.browserLoaded(browser);
+  return {tab, browser};
+}
+
+function getCookiesForOA(host, userContextId) {
+  return Services.cookies.getCookiesFromHost(host, {userContextId});
+}
+
+//
+// Test functions.
+//
+
+add_task(function* setup() {
+  // Make sure userContext is enabled.
+  yield SpecialPowers.pushPrefEnv({"set": [
+      [ "privacy.userContext.enabled", true ],
+  ]});
+});
+
+function checkCookies(ignoreContext = null) {
+  for (let userContextId of Object.keys(USER_CONTEXTS)) {
+    if (ignoreContext && userContextId === String(ignoreContext)) {
+      continue;
+    }
+    let enumerator = getCookiesForOA(TEST_HOST, userContextId);
+    ok(enumerator.hasMoreElements(), "Cookies available");
+
+    let foundCookie = enumerator.getNext().QueryInterface(Ci.nsICookie2);
+    is(foundCookie["name"], COOKIE_NAME, "Check cookie name");
+    is(foundCookie["value"], USER_CONTEXTS[userContextId], "Check cookie value");
+  }
+}
+
+function deleteCookies(onlyContext = null) {
+  // Using getCookiesWithOriginAttributes() to get all cookies for a certain
+  // domain by using the originAttributes pattern, and clear all these cookies.
+  let enumerator = Services.cookies.getCookiesWithOriginAttributes(JSON.stringify({}), TEST_HOST);
+  while (enumerator.hasMoreElements()) {
+    let cookie = enumerator.getNext().QueryInterface(Ci.nsICookie);
+    if (!onlyContext || cookie.originAttributes.userContextId == onlyContext) {
+      Services.cookies.remove(cookie.host, cookie.name, cookie.path, false, cookie.originAttributes);
+    }
+  }
+}
+
+add_task(function* test_cookie_getCookiesWithOriginAttributes() {
+  let tabs = [];
+
+  for (let userContextId of Object.keys(USER_CONTEXTS)) {
+    // Load the page in different contexts and set a cookie
+    // which should only be visible in that context.
+    let value = USER_CONTEXTS[userContextId];
+
+    // Open our tab in the given user context.
+    tabs[userContextId] = yield* openTabInUserContext(TEST_URL + "file_reflect_cookie_into_title.html?" + value, userContextId);
+
+    // Close this tab.
+    yield BrowserTestUtils.removeTab(tabs[userContextId].tab);
+  }
+
+  // Check that cookies have been set properly.
+  for (let userContextId of Object.keys(USER_CONTEXTS)) {
+    let enumerator = getCookiesForOA(TEST_HOST, userContextId);
+    ok(enumerator.hasMoreElements(), "Cookies available");
+
+    let foundCookie = enumerator.getNext().QueryInterface(Ci.nsICookie2);
+    is(foundCookie["name"], COOKIE_NAME, "Check cookie name");
+    is(foundCookie["value"], USER_CONTEXTS[userContextId], "Check cookie value");
+  }
+  checkCookies();
+
+  deleteCookies(DELETE_CONTEXT);
+
+  checkCookies(DELETE_CONTEXT);
+
+  deleteCookies();
+
+  // Check that whether cookies has been cleared.
+  for (let userContextId of Object.keys(USER_CONTEXTS)) {
+    let e = getCookiesForOA(TEST_HOST, userContextId);
+    ok(!e.hasMoreElements(), "No Cookie should be here");
+  }
+});
diff --git a/browser/components/preferences/in-content-old/sync.xul b/browser/components/preferences/in-content-old/sync.xul
index ad11fee817d4..1eb421677eae 100755
--- a/browser/components/preferences/in-content-old/sync.xul
+++ b/browser/components/preferences/in-content-old/sync.xul
@@ -60,7 +60,7 @@
         </groupbox>
       </vbox>
       <vbox>
-        <html:img class="fxaSyncIllustration" src="chrome://browser/skin/fxa/sync-illustration.svg#blueFill"/>
+        <html:img class="fxaSyncIllustration" src="chrome://browser/skin/fxa/sync-illustration.svg"/>
       </vbox>
     </hbox>
     <label class="fxaMobilePromo">
@@ -178,7 +178,7 @@
         </groupbox>
       </vbox>
       <vbox>
-        <html:img  class="fxaSyncIllustration" src="chrome://browser/skin/fxa/sync-illustration.svg#blueFill"/>
+        <html:img  class="fxaSyncIllustration" src="chrome://browser/skin/fxa/sync-illustration.svg"/>
       </vbox>
     </hbox>
     <groupbox>
diff --git a/browser/components/preferences/in-content/containers.xul b/browser/components/preferences/in-content/containers.xul
index 9f5dc9646b4d..5b1ee9c8e83d 100644
--- a/browser/components/preferences/in-content/containers.xul
+++ b/browser/components/preferences/in-content/containers.xul
@@ -18,7 +18,7 @@
 <hbox hidden="true"
       class="container-header-links"
       data-category="paneContainers">
-  <label class="text-link" id="backContainersLink" value="&backLink.label;" />
+  <label class="text-link" id="backContainersLink">&backLink.label;</label>
 </hbox>
 
 <hbox id="header-containers"
diff --git a/browser/components/preferences/in-content/findInPage.js b/browser/components/preferences/in-content/findInPage.js
index adfab0696cf5..dfdfc212f2e2 100644
--- a/browser/components/preferences/in-content/findInPage.js
+++ b/browser/components/preferences/in-content/findInPage.js
@@ -291,6 +291,10 @@ var gSearchResultsPane = {
         valueResult = this.stringMatchesFilters(nodeObject.getAttribute("value"), searchPhrase);
       }
 
+      if (nodeObject.tagName == "button" && (labelResult || valueResult)) {
+        nodeObject.setAttribute("highlightable", "true");
+      }
+
       matchesFound = matchesFound || complexTextNodesResult || labelResult || valueResult;
     }
 
diff --git a/browser/components/preferences/in-content/main.xul b/browser/components/preferences/in-content/main.xul
index c48342b807ee..f814342343ec 100644
--- a/browser/components/preferences/in-content/main.xul
+++ b/browser/components/preferences/in-content/main.xul
@@ -380,7 +380,7 @@
   <separator class="thin"/>
 
   <hbox id="addEnginesBox" pack="start">
-    <label id="addEngines" class="text-link" value="&addMoreSearchEngines2.label;"/>
+    <label id="addEngines" class="text-link">&addMoreSearchEngines2.label;</label>
   </hbox>
 </groupbox>
 
diff --git a/browser/components/preferences/in-content/privacy.xul b/browser/components/preferences/in-content/privacy.xul
index c4409a89f212..0e6cea84cd7b 100644
--- a/browser/components/preferences/in-content/privacy.xul
+++ b/browser/components/preferences/in-content/privacy.xul
@@ -355,8 +355,7 @@
       <vbox flex="1">
         <description>
           &trackingProtection.description;
-          <label id="trackingProtectionLearnMore" class="learnMore text-link"
-                 value="&trackingProtectionLearnMore.label;"/>
+          <label id="trackingProtectionLearnMore" class="learnMore text-link">&trackingProtectionLearnMore.label;</label>
         </description>
         <description id="trackingProtectionDesc"
                      control="trackingProtectionRadioGroup">
@@ -397,8 +396,7 @@
                 accesskey="&trackingProtectionPBM5.accesskey;"
                 label="&trackingProtectionPBM5.label;" />
       <label id="trackingProtectionPBMLearnMore"
-             class="learnMore text-link"
-             value="&trackingProtectionPBMLearnMore.label;"/>
+             class="learnMore text-link">&trackingProtectionPBMLearnMore.label;</label>
       <spacer flex="1" />
       <button id="changeBlockListPBM"
               label="&changeBlockList.label;" accesskey="&changeBlockList.accesskey;"
@@ -441,8 +439,7 @@
         <hbox flex="1">
           <label id="notificationsPolicy">&notificationsPolicyDesc3.label;</label>
           <label id="notificationsPolicyLearnMore"
-                 class="learnMore text-link"
-                 value="&notificationsPolicyLearnMore.label;"/>
+                 class="learnMore text-link">&notificationsPolicyLearnMore.label;</label>
         </hbox>
         <hbox pack="end">
           <button id="notificationsPolicyButton"
@@ -457,8 +454,7 @@
     <checkbox id="notificationsDoNotDisturb" label="&notificationsDoNotDisturb.label;"
               accesskey="&notificationsDoNotDisturb.accesskey;"/>
     <label id="notificationsDoNotDisturbDetails"
-           class="indent"
-           value="&notificationsDoNotDisturbDetails.value;"/>
+           class="indent">&notificationsDoNotDisturbDetails.value;</label>
   </vbox>
 </groupbox>
 
@@ -570,7 +566,9 @@
         <hbox align="center">
           <checkbox id="playDRMContent" preference="media.eme.enabled"
                     label="&playDRMContent.label;" accesskey="&playDRMContent.accesskey;"/>
-          <label id="playDRMContentLink" class="learnMore text-link" value="&playDRMContent.learnMore.label;"/>
+          <label id="playDRMContentLink" class="learnMore text-link">
+            &playDRMContent.learnMore.label;
+          </label>
         </hbox>
       </row>
     </rows>
@@ -587,8 +585,9 @@
                 accesskey="&browserContainersEnabled.accesskey;"
                 preference="privacy.userContext.enabled"
                 onsyncfrompreference="return gPrivacyPane.readBrowserContainersCheckbox();"/>
-      <label id="browserContainersLearnMore" class="learnMore text-link"
-             value="&browserContainersLearnMore.label;"/>
+      <label id="browserContainersLearnMore" class="learnMore text-link">
+        &browserContainersLearnMore.label;
+      </label>
       <spacer flex="1"/>
       <button id="browserContainersSettings"
               class="accessory-button"
diff --git a/browser/components/preferences/in-content/sync.xul b/browser/components/preferences/in-content/sync.xul
index 5ce88b1cceff..c69afa4994aa 100755
--- a/browser/components/preferences/in-content/sync.xul
+++ b/browser/components/preferences/in-content/sync.xul
@@ -59,7 +59,7 @@
         </groupbox>
       </vbox>
       <vbox>
-        <html:img class="fxaSyncIllustration" src="chrome://browser/skin/fxa/sync-illustration.svg#blueFill"/>
+        <html:img class="fxaSyncIllustration" src="chrome://browser/skin/fxa/sync-illustration.svg"/>
       </vbox>
     </hbox>
     <label class="fxaMobilePromo">
@@ -178,7 +178,7 @@
         </groupbox>
       </vbox>
       <vbox>
-        <html:img  class="fxaSyncIllustration" src="chrome://browser/skin/fxa/sync-illustration.svg#blueFill"/>
+        <html:img  class="fxaSyncIllustration" src="chrome://browser/skin/fxa/sync-illustration.svg"/>
       </vbox>
     </hbox>
     <groupbox>
diff --git a/browser/components/preferences/in-content/tests/browser_performance.js b/browser/components/preferences/in-content/tests/browser_performance.js
index aec32be239b2..9dfa533d8d63 100644
--- a/browser/components/preferences/in-content/tests/browser_performance.js
+++ b/browser/components/preferences/in-content/tests/browser_performance.js
@@ -1,10 +1,8 @@
-add_task(function*() {
-  yield SpecialPowers.pushPrefEnv({set: [
-    ["browser.preferences.defaultPerformanceSettings.enabled", true],
-    ["dom.ipc.processCount", 4],
-    ["layers.acceleration.disabled", false],
-  ]});
-});
+SpecialPowers.pushPrefEnv({set: [
+  ["browser.preferences.defaultPerformanceSettings.enabled", true],
+  ["dom.ipc.processCount", 4],
+  ["layers.acceleration.disabled", false],
+]});
 
 add_task(function*() {
   let prefs = yield openPreferencesViaOpenPreferencesAPI("paneGeneral", {leaveOpen: true});
diff --git a/browser/themes/osx/browser.css b/browser/themes/osx/browser.css
index f15462f571af..e7ab1df6e87f 100644
--- a/browser/themes/osx/browser.css
+++ b/browser/themes/osx/browser.css
@@ -576,6 +576,19 @@ toolbarpaletteitem[place="palette"] > #personal-bookmarks > #bookmarks-toolbar-p
   list-style-image: url("chrome://browser/skin/menu-forward.png") !important;
 }
 
+@media (-moz-mac-yosemite-theme) {
+  #forward-button > .toolbarbutton-icon {
+    border-top: none !important;
+    border-bottom: none !important;
+    box-shadow: 0 .5px 0 0 rgba(0,0,0,0.2) !important;
+  }
+  #forward-button:-moz-window-inactive > .toolbarbutton-icon {
+    box-shadow: 0 1px 0 0 rgba(0,0,0,0.2) inset,
+                0 -1px 0 0 rgba(0,0,0,0.2) inset !important;
+  }
+}
+
+
 /* ----- FULLSCREEN WINDOW CONTROLS ----- */
 
 #minimize-button,
diff --git a/browser/themes/shared/customizableui/panelUI.inc.css b/browser/themes/shared/customizableui/panelUI.inc.css
index af75e56e53f9..239412fcf5d9 100644
--- a/browser/themes/shared/customizableui/panelUI.inc.css
+++ b/browser/themes/shared/customizableui/panelUI.inc.css
@@ -817,6 +817,8 @@ toolbarpaletteitem[place="palette"] > toolbaritem > toolbarbutton {
 .fxaSyncIllustration {
   width: 180px;
   height: var(--panel-ui-sync-illustration-height);
+  -moz-context-properties: fill;
+  fill: #cdcdcd;
 }
 
 .PanelUI-remotetabs-prefs-button > .toolbarbutton-text {
diff --git a/browser/themes/shared/fxa/sync-illustration.svg b/browser/themes/shared/fxa/sync-illustration.svg
index 75f6afb87a51..fb0d2726fe23 100755
--- a/browser/themes/shared/fxa/sync-illustration.svg
+++ b/browser/themes/shared/fxa/sync-illustration.svg
@@ -1,30 +1,15 @@
-<?xml version="1.0" encoding="utf-8"?>
 <!-- This Source Code Form is subject to the terms of the Mozilla Public
    - License, v. 2.0. If a copy of the MPL was not distributed with this
    - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
-<svg xmlns="http://www.w3.org/2000/svg" preserveAspectRatio="xMidYMid" viewBox="0 0 320 280" xmlns:xlink="http://www.w3.org/1999/xlink" >
-<style>
-	#blueFill:target ~ use,
-	#blueFill:target ~ g {
-		fill: #bfcbd3;
-	}
-
-	svg {
-		fill:#cdcdcd;
-	}
-</style>
-<defs>
-    <g id="logo">
-        <path d="M46.352,148.919 L46.352,148.919 L44.938,150.333 L43.523,148.919 L43.523,148.919 L37.866,143.262 L39.281,141.848 L44.938,147.505 L50.594,141.848 L52.009,143.262 L46.352,148.919 ZM43.937,134.000 L45.938,134.000 L45.938,142.000 L43.937,142.000 L43.937,134.000 ZM43.937,122.000 L45.938,122.000 L45.938,130.000 L43.937,130.000 L43.937,122.000 Z"/>
-        <path d="M306.641,132.110 L300.984,126.453 L295.328,132.110 L293.913,130.696 L300.984,123.625 L308.055,130.696 L306.641,132.110 ZM302.000,223.969 L300.000,223.969 L300.000,215.969 L302.000,215.969 L302.000,223.969 ZM302.000,211.969 L300.000,211.969 L300.000,203.969 L302.000,203.969 L302.000,211.969 ZM302.000,199.969 L300.000,199.969 L300.000,191.969 L302.000,191.969 L302.000,199.969 ZM302.000,187.969 L300.000,187.969 L300.000,179.969 L302.000,179.969 L302.000,187.969 ZM302.000,175.969 L300.000,175.969 L300.000,167.969 L302.000,167.969 L302.000,175.969 ZM302.000,163.969 L300.000,163.969 L300.000,155.969 L302.000,155.969 L302.000,163.969 ZM300.000,131.969 L302.000,131.969 L302.000,139.969 L300.000,139.969 L300.000,131.969 ZM302.000,151.969 L300.000,151.969 L300.000,143.969 L302.000,143.969 L302.000,151.969 ZM300.000,227.969 L302.000,227.969 L302.000,232.000 L302.000,234.000 L300.000,234.000 L292.000,234.000 L292.000,232.000 L300.000,232.000 L300.000,227.969 Z"/>
-        <path d="M101.335,236.009 L99.921,234.594 L105.578,228.938 L99.921,223.281 L101.335,221.866 L108.406,228.938 L101.335,236.009 ZM100.000,229.938 L92.000,229.938 L92.000,227.937 L100.000,227.937 L100.000,229.938 ZM80.000,227.937 L88.000,227.937 L88.000,229.938 L80.000,229.938 L80.000,227.937 Z"/>
-        <path d="M182.000,54.000 L182.000,52.000 L190.000,52.000 L190.000,54.000 L182.000,54.000 ZM170.000,52.000 L178.000,52.000 L178.000,54.000 L170.000,54.000 L170.000,52.000 ZM168.488,60.071 L161.417,53.000 L168.488,45.929 L169.902,47.343 L164.245,53.000 L169.902,58.657 L168.488,60.071 Z"/>
-        <path d="M297.688,276.000 L102.312,276.000 C97.721,276.000 94.000,272.279 94.000,267.688 L94.000,260.000 L306.000,260.000 L306.000,267.688 C306.000,272.279 302.279,276.000 297.688,276.000 ZM117.906,150.312 C117.906,145.721 121.628,142.000 126.218,142.000 L273.688,142.000 C278.279,142.000 282.000,145.721 282.000,150.312 L282.000,256.000 L117.906,256.000 L117.906,150.312 ZM132.000,242.000 L270.000,242.000 L270.000,156.000 L132.000,156.000 L132.000,242.000 Z"/>
-        <path d="M307.074,115.969 L206.926,115.969 C203.101,115.969 200.000,112.868 200.000,109.042 L200.000,38.926 C200.000,35.101 203.101,32.000 206.926,32.000 L307.074,32.000 C310.899,32.000 314.000,35.101 314.000,38.926 L314.000,109.042 C314.000,112.868 310.899,115.969 307.074,115.969 ZM210.000,65.875 C210.000,64.770 209.105,63.875 208.000,63.875 C206.895,63.875 206.000,64.770 206.000,65.875 L206.000,82.000 C206.000,83.105 206.895,84.000 208.000,84.000 C209.105,84.000 210.000,83.105 210.000,82.000 L210.000,65.875 ZM302.000,42.000 L216.000,42.000 L216.000,106.000 L302.000,106.000 L302.000,42.000 Z"/>
-        <path d="M65.844,240.000 L26.156,240.000 C23.861,240.000 22.000,238.139 22.000,235.844 L22.000,162.156 C22.000,159.861 23.861,158.000 26.156,158.000 L65.844,158.000 C68.139,158.000 70.000,159.861 70.000,162.156 L70.000,235.844 C70.000,238.139 68.139,240.000 65.844,240.000 ZM46.000,236.000 C48.287,236.000 50.141,234.195 50.141,231.969 C50.141,229.742 48.287,227.938 46.000,227.938 C43.713,227.938 41.859,229.742 41.859,231.969 C41.859,234.195 43.713,236.000 46.000,236.000 ZM66.000,168.000 L26.000,168.000 L26.000,224.000 L66.000,224.000 L66.000,168.000 Z"/>
-        <path d="M171.906,86.156 C171.906,102.329 159.026,115.469 143.017,115.797 L143.039,115.955 L28.850,115.955 L28.869,115.797 C12.872,115.475 -0.000,102.333 -0.000,86.156 C-0.000,71.661 10.336,59.603 23.994,57.019 C23.620,55.457 23.401,53.834 23.401,52.156 C23.401,40.714 32.606,31.438 43.962,31.438 C47.561,31.438 50.941,32.375 53.884,34.012 C53.883,33.930 53.878,33.848 53.878,33.766 C53.878,17.137 67.301,3.656 83.858,3.656 C97.763,3.656 109.453,13.164 112.843,26.059 C116.677,23.334 121.343,21.719 126.393,21.719 C139.394,21.719 149.933,32.331 149.933,45.422 C149.933,49.572 148.868,53.468 147.007,56.861 C161.114,59.082 171.906,71.351 171.906,86.156 Z"/>
-    </g>
-</defs>
-<g id="blueFill"></g>
-<use xlink:href="#logo" />
+<svg xmlns="http://www.w3.org/2000/svg"
+     viewBox="0 0 320 280" preserveAspectRatio="xMidYMid">
+  <path fill="context-fill" d="M46.352,148.919 L46.352,148.919 L44.938,150.333 L43.523,148.919 L43.523,148.919 L37.866,143.262 L39.281,141.848 L44.938,147.505 L50.594,141.848 L52.009,143.262 L46.352,148.919 ZM43.937,134.000 L45.938,134.000 L45.938,142.000 L43.937,142.000 L43.937,134.000 ZM43.937,122.000 L45.938,122.000 L45.938,130.000 L43.937,130.000 L43.937,122.000 Z"/>
+  <path fill="context-fill" d="M306.641,132.110 L300.984,126.453 L295.328,132.110 L293.913,130.696 L300.984,123.625 L308.055,130.696 L306.641,132.110 ZM302.000,223.969 L300.000,223.969 L300.000,215.969 L302.000,215.969 L302.000,223.969 ZM302.000,211.969 L300.000,211.969 L300.000,203.969 L302.000,203.969 L302.000,211.969 ZM302.000,199.969 L300.000,199.969 L300.000,191.969 L302.000,191.969 L302.000,199.969 ZM302.000,187.969 L300.000,187.969 L300.000,179.969 L302.000,179.969 L302.000,187.969 ZM302.000,175.969 L300.000,175.969 L300.000,167.969 L302.000,167.969 L302.000,175.969 ZM302.000,163.969 L300.000,163.969 L300.000,155.969 L302.000,155.969 L302.000,163.969 ZM300.000,131.969 L302.000,131.969 L302.000,139.969 L300.000,139.969 L300.000,131.969 ZM302.000,151.969 L300.000,151.969 L300.000,143.969 L302.000,143.969 L302.000,151.969 ZM300.000,227.969 L302.000,227.969 L302.000,232.000 L302.000,234.000 L300.000,234.000 L292.000,234.000 L292.000,232.000 L300.000,232.000 L300.000,227.969 Z"/>
+  <path fill="context-fill" d="M101.335,236.009 L99.921,234.594 L105.578,228.938 L99.921,223.281 L101.335,221.866 L108.406,228.938 L101.335,236.009 ZM100.000,229.938 L92.000,229.938 L92.000,227.937 L100.000,227.937 L100.000,229.938 ZM80.000,227.937 L88.000,227.937 L88.000,229.938 L80.000,229.938 L80.000,227.937 Z"/>
+  <path fill="context-fill" d="M182.000,54.000 L182.000,52.000 L190.000,52.000 L190.000,54.000 L182.000,54.000 ZM170.000,52.000 L178.000,52.000 L178.000,54.000 L170.000,54.000 L170.000,52.000 ZM168.488,60.071 L161.417,53.000 L168.488,45.929 L169.902,47.343 L164.245,53.000 L169.902,58.657 L168.488,60.071 Z"/>
+  <path fill="context-fill" d="M297.688,276.000 L102.312,276.000 C97.721,276.000 94.000,272.279 94.000,267.688 L94.000,260.000 L306.000,260.000 L306.000,267.688 C306.000,272.279 302.279,276.000 297.688,276.000 ZM117.906,150.312 C117.906,145.721 121.628,142.000 126.218,142.000 L273.688,142.000 C278.279,142.000 282.000,145.721 282.000,150.312 L282.000,256.000 L117.906,256.000 L117.906,150.312 ZM132.000,242.000 L270.000,242.000 L270.000,156.000 L132.000,156.000 L132.000,242.000 Z"/>
+  <path fill="context-fill" d="M307.074,115.969 L206.926,115.969 C203.101,115.969 200.000,112.868 200.000,109.042 L200.000,38.926 C200.000,35.101 203.101,32.000 206.926,32.000 L307.074,32.000 C310.899,32.000 314.000,35.101 314.000,38.926 L314.000,109.042 C314.000,112.868 310.899,115.969 307.074,115.969 ZM210.000,65.875 C210.000,64.770 209.105,63.875 208.000,63.875 C206.895,63.875 206.000,64.770 206.000,65.875 L206.000,82.000 C206.000,83.105 206.895,84.000 208.000,84.000 C209.105,84.000 210.000,83.105 210.000,82.000 L210.000,65.875 ZM302.000,42.000 L216.000,42.000 L216.000,106.000 L302.000,106.000 L302.000,42.000 Z"/>
+  <path fill="context-fill" d="M65.844,240.000 L26.156,240.000 C23.861,240.000 22.000,238.139 22.000,235.844 L22.000,162.156 C22.000,159.861 23.861,158.000 26.156,158.000 L65.844,158.000 C68.139,158.000 70.000,159.861 70.000,162.156 L70.000,235.844 C70.000,238.139 68.139,240.000 65.844,240.000 ZM46.000,236.000 C48.287,236.000 50.141,234.195 50.141,231.969 C50.141,229.742 48.287,227.938 46.000,227.938 C43.713,227.938 41.859,229.742 41.859,231.969 C41.859,234.195 43.713,236.000 46.000,236.000 ZM66.000,168.000 L26.000,168.000 L26.000,224.000 L66.000,224.000 L66.000,168.000 Z"/>
+  <path fill="context-fill" d="M171.906,86.156 C171.906,102.329 159.026,115.469 143.017,115.797 L143.039,115.955 L28.850,115.955 L28.869,115.797 C12.872,115.475 -0.000,102.333 -0.000,86.156 C-0.000,71.661 10.336,59.603 23.994,57.019 C23.620,55.457 23.401,53.834 23.401,52.156 C23.401,40.714 32.606,31.438 43.962,31.438 C47.561,31.438 50.941,32.375 53.884,34.012 C53.883,33.930 53.878,33.848 53.878,33.766 C53.878,17.137 67.301,3.656 83.858,3.656 C97.763,3.656 109.453,13.164 112.843,26.059 C116.677,23.334 121.343,21.719 126.393,21.719 C139.394,21.719 149.933,32.331 149.933,45.422 C149.933,49.572 148.868,53.468 147.007,56.861 C161.114,59.082 171.906,71.351 171.906,86.156 Z"/>
 </svg>
+
diff --git a/browser/themes/shared/incontentprefs-old/preferences.inc.css b/browser/themes/shared/incontentprefs-old/preferences.inc.css
index 5c82303cf603..aacc2c067f6c 100644
--- a/browser/themes/shared/incontentprefs-old/preferences.inc.css
+++ b/browser/themes/shared/incontentprefs-old/preferences.inc.css
@@ -440,6 +440,9 @@ description > html|a {
 
 .fxaSyncIllustration {
   margin-top: 35px;
+  width: 231px;
+  -moz-context-properties: fill;
+  fill: #bfcbd3;
 }
 
 #syncOptions caption {
@@ -495,10 +498,6 @@ description > html|a {
   color: var(--in-content-link-color);
 }
 
-.fxaSyncIllustration {
-  width: 231px;
-}
-
 #fxaLoginStatus[hasName] #fxaEmailAddress1 {
   font-size: 1.1rem;
 }
diff --git a/browser/themes/shared/incontentprefs/preferences.inc.css b/browser/themes/shared/incontentprefs/preferences.inc.css
index 6e86c6721a39..d30dde796291 100644
--- a/browser/themes/shared/incontentprefs/preferences.inc.css
+++ b/browser/themes/shared/incontentprefs/preferences.inc.css
@@ -443,6 +443,9 @@ description > html|a {
 
 .fxaSyncIllustration {
   margin-top: 35px;
+  width: 231px;
+  -moz-context-properties: fill;
+  fill: #bfcbd3;
 }
 
 #syncOptions caption {
@@ -498,10 +501,6 @@ description > html|a {
   color: var(--in-content-link-color);
 }
 
-.fxaSyncIllustration {
-  width: 231px;
-}
-
 #fxaLoginStatus[hasName] #fxaEmailAddress1 {
   font-size: 1.1rem;
 }
diff --git a/devtools/client/jsonview/css/general.css b/devtools/client/jsonview/css/general.css
index 0c68d65e7764..57c639625c4e 100644
--- a/devtools/client/jsonview/css/general.css
+++ b/devtools/client/jsonview/css/general.css
@@ -6,6 +6,10 @@
 /******************************************************************************/
 /* General */
 
+html, body, #content {
+  height: 100%;
+}
+
 body {
   color: var(--theme-body-color);
   background-color: var(--theme-body-background);
@@ -18,10 +22,6 @@ body {
   outline: none !important;
 }
 
-#content {
-  height: 100%;
-}
-
 pre {
   background-color: white;
   border: none;
diff --git a/devtools/client/jsonview/json-viewer.js b/devtools/client/jsonview/json-viewer.js
index 13fd87f4170a..b8208291a381 100644
--- a/devtools/client/jsonview/json-viewer.js
+++ b/devtools/client/jsonview/json-viewer.js
@@ -95,14 +95,6 @@ define(function (require, exports, module) {
   let content = document.getElementById("content");
   let theApp = render(MainTabbedArea(input), content);
 
-  let onResize = event => {
-    window.document.body.style.height = window.innerHeight + "px";
-    window.document.body.style.width = window.innerWidth + "px";
-  };
-
-  window.addEventListener("resize", onResize);
-  onResize();
-
   // Send notification event to the window. Can be useful for
   // tests as well as extensions.
   let event = new CustomEvent("JSONViewInitialized", {});
diff --git a/dom/animation/test/document-timeline/file_document-timeline.html b/dom/animation/test/document-timeline/file_document-timeline.html
index 34f2c17bcaf3..c98ad90ef208 100644
--- a/dom/animation/test/document-timeline/file_document-timeline.html
+++ b/dom/animation/test/document-timeline/file_document-timeline.html
@@ -2,8 +2,8 @@
 <meta charset=utf-8>
 <title>Web Animations API: DocumentTimeline tests</title>
 <script src="../testcommon.js"></script>
-<iframe src="data:text/html;charset=utf-8," width="10" height="10" id="iframe"></iframe>
-<iframe src="data:text/html;charset=utf-8,%3Chtml%20style%3D%22display%3Anone%22%3E%3C%2Fhtml%3E" width="10" height="10" id="hidden-iframe"></iframe>
+<iframe srcdoc='<html><meta charset=utf-8></html>' width="10" height="10" id="iframe"></iframe>
+<iframe srcdoc='<html style="display:none"><meta charset=utf-8></html>' width="10" height="10" id="hidden-iframe"></iframe>
 <script>
 'use strict';
 
diff --git a/dom/base/CustomElementRegistry.cpp b/dom/base/CustomElementRegistry.cpp
index 15bbd94ce7ea..38fe191a84e2 100644
--- a/dom/base/CustomElementRegistry.cpp
+++ b/dom/base/CustomElementRegistry.cpp
@@ -78,12 +78,21 @@ CustomElementCallback::CustomElementCallback(Element* aThisObject,
 {
 }
 
+//-----------------------------------------------------
+// CustomElementData
+
 CustomElementData::CustomElementData(nsIAtom* aType)
-  : mType(aType),
-    mCurrentCallback(-1),
-    mElementIsBeingCreated(false),
-    mCreatedCallbackInvoked(true),
-    mAssociatedMicroTask(-1)
+  : CustomElementData(aType, CustomElementData::State::eUndefined)
+{
+}
+
+CustomElementData::CustomElementData(nsIAtom* aType, State aState)
+  : mType(aType)
+  , mCurrentCallback(-1)
+  , mElementIsBeingCreated(false)
+  , mCreatedCallbackInvoked(true)
+  , mAssociatedMicroTask(-1)
+  , mState(aState)
 {
 }
 
@@ -99,6 +108,9 @@ CustomElementData::RunCallbackQueue()
   mCurrentCallback = -1;
 }
 
+//-----------------------------------------------------
+// CustomElementRegistry
+
 // Only needed for refcounted objects.
 NS_IMPL_CYCLE_COLLECTION_CLASS(CustomElementRegistry)
 
@@ -306,10 +318,15 @@ CustomElementRegistry::SetupCustomElement(Element* aElement,
     aElement->SetAttr(kNameSpaceID_None, nsGkAtoms::is, *aTypeExtension, true);
   }
 
-  CustomElementDefinition* data = LookupCustomElementDefinition(
+  // SetupCustomElement() should be called with an element that don't have
+  // CustomElementData setup, if not we will hit the assertion in
+  // SetCustomElementData().
+  aElement->SetCustomElementData(new CustomElementData(typeAtom));
+
+  CustomElementDefinition* definition = LookupCustomElementDefinition(
     aElement->NodeInfo()->LocalName(), aTypeExtension);
 
-  if (!data) {
+  if (!definition) {
     // The type extension doesn't exist in the registry,
     // thus we don't need to enqueue callback or adjust
     // the "is" attribute, but it is possibly an upgrade candidate.
@@ -317,7 +334,7 @@ CustomElementRegistry::SetupCustomElement(Element* aElement,
     return;
   }
 
-  if (data->mLocalName != tagAtom) {
+  if (definition->mLocalName != tagAtom) {
     // The element doesn't match the local name for the
     // definition, thus the element isn't a custom element
     // and we don't need to do anything more.
@@ -326,7 +343,7 @@ CustomElementRegistry::SetupCustomElement(Element* aElement,
 
   // Enqueuing the created callback will set the CustomElementData on the
   // element, causing prototype swizzling to occur in Element::WrapObject.
-  EnqueueLifecycleCallback(nsIDocument::eCreated, aElement, nullptr, data);
+  EnqueueLifecycleCallback(nsIDocument::eCreated, aElement, nullptr, definition);
 }
 
 void
@@ -335,7 +352,8 @@ CustomElementRegistry::EnqueueLifecycleCallback(nsIDocument::ElementCallbackType
                                                 LifecycleCallbackArgs* aArgs,
                                                 CustomElementDefinition* aDefinition)
 {
-  CustomElementData* elementData = aCustomElement->GetCustomElementData();
+  RefPtr<CustomElementData> elementData = aCustomElement->GetCustomElementData();
+  MOZ_ASSERT(elementData, "CustomElementData should exist");
 
   // Let DEFINITION be ELEMENT's definition
   CustomElementDefinition* definition = aDefinition;
@@ -355,16 +373,6 @@ CustomElementRegistry::EnqueueLifecycleCallback(nsIDocument::ElementCallbackType
     }
   }
 
-  if (!elementData) {
-    // Create the custom element data the first time
-    // that we try to enqueue a callback.
-    elementData = new CustomElementData(definition->mType);
-    // aCustomElement takes ownership of elementData
-    aCustomElement->SetCustomElementData(elementData);
-    MOZ_ASSERT(aType == nsIDocument::eCreated,
-               "First callback should be the created callback");
-  }
-
   // Let CALLBACK be the callback associated with the key NAME in CALLBACKS.
   CallbackFunction* func = nullptr;
   switch (aType) {
@@ -860,33 +868,41 @@ CustomElementRegistry::Upgrade(Element* aElement,
   }
 
   MOZ_ASSERT(aElement->IsHTMLElement(aDefinition->mLocalName));
-  nsWrapperCache* cache;
-  CallQueryInterface(aElement, &cache);
-  MOZ_ASSERT(cache, "Element doesn't support wrapper cache?");
 
   AutoJSAPI jsapi;
   if (NS_WARN_IF(!jsapi.Init(mWindow))) {
     return;
   }
 
-  JSContext *cx = jsapi.cx();
-  // We want to set the custom prototype in the the compartment of define()'s caller.
-  // We store the prototype from define() directly,
-  // hence the prototype's compartment is the caller's compartment.
-  JS::RootedObject wrapper(cx);
-  JS::Rooted<JSObject*> prototype(cx, aDefinition->mPrototype);
-  { // Enter prototype's compartment.
-    JSAutoCompartment ac(cx, prototype);
+  JSContext* cx = jsapi.cx();
 
-    if ((wrapper = cache->GetWrapper()) && JS_WrapObject(cx, &wrapper)) {
-      if (!JS_SetPrototype(cx, wrapper, prototype)) {
+  JS::Rooted<JSObject*> reflector(cx, aElement->GetWrapper());
+  if (reflector) {
+    Maybe<JSAutoCompartment> ac;
+    JS::Rooted<JSObject*> prototype(cx, aDefinition->mPrototype);
+    if (aElement->NodePrincipal()->SubsumesConsideringDomain(nsContentUtils::ObjectPrincipal(prototype))) {
+      ac.emplace(cx, reflector);
+      if (!JS_WrapObject(cx, &prototype) ||
+          !JS_SetPrototype(cx, reflector, prototype)) {
+        return;
+      }
+    } else {
+      // We want to set the custom prototype in the compartment where it was
+      // registered. We store the prototype from define() without unwrapped,
+      // hence the prototype's compartment is the compartment where it was
+      // registered.
+      // In the case that |reflector| and |prototype| are in different
+      // compartments, this will set the prototype on the |reflector|'s wrapper
+      // and thus only visible in the wrapper's compartment, since we know
+      // reflector's principal does not subsume prototype's in this case.
+      ac.emplace(cx, prototype);
+      if (!JS_WrapObject(cx, &reflector) ||
+          !JS_SetPrototype(cx, reflector, prototype)) {
         return;
       }
     }
-  } // Leave prototype's compartment.
+  }
 
-  // Enqueuing the created callback will set the CustomElementData on the
-  // element, causing prototype swizzling to occur in Element::WrapObject.
   EnqueueLifecycleCallback(nsIDocument::eCreated, aElement, nullptr, aDefinition);
 }
 
diff --git a/dom/base/CustomElementRegistry.h b/dom/base/CustomElementRegistry.h
index 5ab4fb89a3e7..bf4b81d08f3a 100644
--- a/dom/base/CustomElementRegistry.h
+++ b/dom/base/CustomElementRegistry.h
@@ -72,7 +72,18 @@ struct CustomElementData
 {
   NS_INLINE_DECL_REFCOUNTING(CustomElementData)
 
+  // https://dom.spec.whatwg.org/#concept-element-custom-element-state
+  // CustomElementData is only created on the element which is a custom element
+  // or an upgrade candidate, so the state of an element without
+  // CustomElementData is "uncustomized".
+  enum class State {
+    eUndefined,
+    eFailed,
+    eCustom
+  };
+
   explicit CustomElementData(nsIAtom* aType);
+  CustomElementData(nsIAtom* aType, State aState);
   // Objects in this array are transient and empty after each microtask
   // checkpoint.
   nsTArray<nsAutoPtr<CustomElementCallback>> mCallbackQueue;
@@ -90,6 +101,8 @@ struct CustomElementData
   // it is used to determine if a new queue needs to be pushed onto the
   // processing stack.
   int32_t mAssociatedMicroTask;
+  // Custom element state as described in the custom element spec.
+  State mState;
 
   // Empties the callback queue.
   void RunCallbackQueue();
diff --git a/dom/base/Location.cpp b/dom/base/Location.cpp
index d21199596bcb..17b6755e175f 100644
--- a/dom/base/Location.cpp
+++ b/dom/base/Location.cpp
@@ -283,23 +283,33 @@ Location::SetURI(nsIURI* aURI, bool aReplace)
   return NS_OK;
 }
 
-NS_IMETHODIMP
-Location::GetHash(nsAString& aHash)
+void
+Location::GetHash(nsAString& aHash,
+                  nsIPrincipal& aSubjectPrincipal,
+                  ErrorResult& aRv)
 {
+  if (!CallerSubsumes(&aSubjectPrincipal)) {
+    aRv.Throw(NS_ERROR_DOM_SECURITY_ERR);
+    return;
+  }
+
   aHash.SetLength(0);
 
   nsCOMPtr<nsIURI> uri;
-  nsresult rv = GetURI(getter_AddRefs(uri));
-  if (NS_FAILED(rv) || !uri) {
-    return rv;
+  aRv = GetURI(getter_AddRefs(uri));
+  if (NS_WARN_IF(aRv.Failed()) || !uri) {
+    return;
   }
 
   nsAutoCString ref;
   nsAutoString unicodeRef;
 
-  rv = uri->GetRef(ref);
+  aRv = uri->GetRef(ref);
+  if (NS_WARN_IF(aRv.Failed())) {
+    return;
+  }
 
-  if (NS_SUCCEEDED(rv) && !ref.IsEmpty()) {
+  if (!ref.IsEmpty()) {
     aHash.Assign(char16_t('#'));
     AppendUTF8toUTF16(ref, aHash);
   }
@@ -312,29 +322,42 @@ Location::GetHash(nsAString& aHash)
   } else {
     mCachedHash = aHash;
   }
-
-  return rv;
 }
 
-NS_IMETHODIMP
-Location::SetHash(const nsAString& aHash)
+void
+Location::SetHash(const nsAString& aHash,
+                  nsIPrincipal& aSubjectPrincipal,
+                  ErrorResult& aRv)
 {
+  if (!CallerSubsumes(&aSubjectPrincipal)) {
+    aRv.Throw(NS_ERROR_DOM_SECURITY_ERR);
+    return;
+  }
+
   NS_ConvertUTF16toUTF8 hash(aHash);
   if (hash.IsEmpty() || hash.First() != char16_t('#')) {
     hash.Insert(char16_t('#'), 0);
   }
+
   nsCOMPtr<nsIURI> uri;
-  nsresult rv = GetWritableURI(getter_AddRefs(uri), &hash);
-  if (NS_FAILED(rv) || !uri) {
-    return rv;
+  aRv = GetWritableURI(getter_AddRefs(uri), &hash);
+  if (NS_WARN_IF(aRv.Failed()) || !uri) {
+    return;
   }
 
-  return SetURI(uri);
+  aRv = SetURI(uri);
 }
 
-NS_IMETHODIMP
-Location::GetHost(nsAString& aHost)
+void
+Location::GetHost(nsAString& aHost,
+                  nsIPrincipal& aSubjectPrincipal,
+                  ErrorResult& aRv)
 {
+  if (!CallerSubsumes(&aSubjectPrincipal)) {
+    aRv.Throw(NS_ERROR_DOM_SECURITY_ERR);
+    return;
+  }
+
   aHost.Truncate();
 
   nsCOMPtr<nsIURI> uri;
@@ -351,30 +374,42 @@ Location::GetHost(nsAString& aHost)
       AppendUTF8toUTF16(hostport, aHost);
     }
   }
-
-  return NS_OK;
 }
 
-NS_IMETHODIMP
-Location::SetHost(const nsAString& aHost)
+void
+Location::SetHost(const nsAString& aHost,
+                  nsIPrincipal& aSubjectPrincipal,
+                  ErrorResult& aRv)
 {
+  if (!CallerSubsumes(&aSubjectPrincipal)) {
+    aRv.Throw(NS_ERROR_DOM_SECURITY_ERR);
+    return;
+  }
+
   nsCOMPtr<nsIURI> uri;
-  nsresult rv = GetWritableURI(getter_AddRefs(uri));
-  if (NS_WARN_IF(NS_FAILED(rv) || !uri)) {
-    return rv;
+  aRv = GetWritableURI(getter_AddRefs(uri));
+  if (NS_WARN_IF(aRv.Failed()) || !uri) {
+    return;
   }
 
-  rv = uri->SetHostPort(NS_ConvertUTF16toUTF8(aHost));
-  if (NS_WARN_IF(NS_FAILED(rv))) {
-    return rv;
+  aRv = uri->SetHostPort(NS_ConvertUTF16toUTF8(aHost));
+  if (NS_WARN_IF(aRv.Failed())) {
+    return;
   }
 
-  return SetURI(uri);
+  aRv = SetURI(uri);
 }
 
-NS_IMETHODIMP
-Location::GetHostname(nsAString& aHostname)
+void
+Location::GetHostname(nsAString& aHostname,
+                      nsIPrincipal& aSubjectPrincipal,
+                      ErrorResult& aRv)
 {
+  if (!CallerSubsumes(&aSubjectPrincipal)) {
+    aRv.Throw(NS_ERROR_DOM_SECURITY_ERR);
+    return;
+  }
+
   aHostname.Truncate();
 
   nsCOMPtr<nsIURI> uri;
@@ -382,79 +417,85 @@ Location::GetHostname(nsAString& aHostname)
   if (uri) {
     nsContentUtils::GetHostOrIPv6WithBrackets(uri, aHostname);
   }
-
-  return NS_OK;
 }
 
-NS_IMETHODIMP
-Location::SetHostname(const nsAString& aHostname)
+void
+Location::SetHostname(const nsAString& aHostname,
+                      nsIPrincipal& aSubjectPrincipal,
+                      ErrorResult& aRv)
 {
+  if (!CallerSubsumes(&aSubjectPrincipal)) {
+    aRv.Throw(NS_ERROR_DOM_SECURITY_ERR);
+    return;
+  }
+
   nsCOMPtr<nsIURI> uri;
-  nsresult rv = GetWritableURI(getter_AddRefs(uri));
-  if (NS_WARN_IF(NS_FAILED(rv) || !uri)) {
-    return rv;
+  aRv = GetWritableURI(getter_AddRefs(uri));
+  if (NS_WARN_IF(aRv.Failed()) || !uri) {
+    return;
   }
 
-  rv = uri->SetHost(NS_ConvertUTF16toUTF8(aHostname));
-  if (NS_WARN_IF(NS_FAILED(rv))) {
-    return rv;
+  aRv = uri->SetHost(NS_ConvertUTF16toUTF8(aHostname));
+  if (NS_WARN_IF(aRv.Failed())) {
+    return;
   }
 
-  return SetURI(uri);
+  aRv = SetURI(uri);
 }
 
-NS_IMETHODIMP
+nsresult
 Location::GetHref(nsAString& aHref)
 {
   aHref.Truncate();
 
   nsCOMPtr<nsIURI> uri;
-  nsresult result;
-
-  result = GetURI(getter_AddRefs(uri));
-
-  if (uri) {
-    nsAutoCString uriString;
-
-    result = uri->GetSpec(uriString);
-
-    if (NS_SUCCEEDED(result)) {
-      AppendUTF8toUTF16(uriString, aHref);
-    }
+  nsresult rv = GetURI(getter_AddRefs(uri));
+  if (NS_WARN_IF(NS_FAILED(rv)) || !uri) {
+    return rv;
   }
 
-  return result;
+  nsAutoCString uriString;
+  rv = uri->GetSpec(uriString);
+  if (NS_WARN_IF(NS_FAILED(rv))) {
+    return rv;
+  }
+
+  AppendUTF8toUTF16(uriString, aHref);
+  return NS_OK;
 }
 
-NS_IMETHODIMP
-Location::SetHref(const nsAString& aHref)
+void
+Location::SetHref(const nsAString& aHref,
+                  nsIPrincipal& aSubjectPrincipal,
+                  ErrorResult& aRv)
 {
-  nsAutoString oldHref;
-  nsresult rv = NS_OK;
-
   JSContext *cx = nsContentUtils::GetCurrentJSContext();
   if (cx) {
-    rv = SetHrefWithContext(cx, aHref, false);
-  } else {
-    rv = GetHref(oldHref);
-
-    if (NS_SUCCEEDED(rv)) {
-      nsCOMPtr<nsIURI> oldUri;
-
-      rv = NS_NewURI(getter_AddRefs(oldUri), oldHref);
-
-      if (oldUri) {
-        rv = SetHrefWithBase(aHref, oldUri, false);
-      }
-    }
+    aRv = SetHrefWithContext(cx, aHref, false);
+    return;
   }
 
-  return rv;
+  nsAutoString oldHref;
+  aRv = GetHref(oldHref);
+  if (NS_WARN_IF(aRv.Failed())) {
+    return;
+  }
+
+  nsCOMPtr<nsIURI> oldUri;
+  aRv = NS_NewURI(getter_AddRefs(oldUri), oldHref);
+  if (NS_WARN_IF(aRv.Failed())) {
+    return;
+  }
+
+  aRv = SetHrefWithBase(aHref, oldUri, false);
+  if (NS_WARN_IF(aRv.Failed())) {
+    return;
+  }
 }
 
 nsresult
 Location::SetHrefWithContext(JSContext* cx, const nsAString& aHref,
-                               bool aReplace)
+                             bool aReplace)
 {
   nsCOMPtr<nsIURI> base;
 
@@ -470,7 +511,7 @@ Location::SetHrefWithContext(JSContext* cx, const nsAString& aHref,
 
 nsresult
 Location::SetHrefWithBase(const nsAString& aHref, nsIURI* aBase,
-                            bool aReplace)
+                          bool aReplace)
 {
   nsresult result;
   nsCOMPtr<nsIURI> newUri;
@@ -486,13 +527,12 @@ Location::SetHrefWithBase(const nsAString& aHref, nsIURI* aBase,
   if (newUri) {
     /* Check with the scriptContext if it is currently processing a script tag.
      * If so, this must be a <script> tag with a location.href in it.
-     * we want to do a replace load, in such a situation. 
+     * we want to do a replace load, in such a situation.
      * In other cases, for example if a event handler or a JS timer
      * had a location.href in it, we want to do a normal load,
      * so that the new url will be appended to Session History.
      * This solution is tricky. Hopefully it isn't going to bite
      * anywhere else. This is part of solution for bug # 39938, 72197
-     * 
      */
     bool inScriptTag = false;
     nsIScriptContext* scriptContext = nullptr;
@@ -518,96 +558,125 @@ Location::SetHrefWithBase(const nsAString& aHref, nsIURI* aBase,
   return result;
 }
 
-NS_IMETHODIMP
-Location::GetOrigin(nsAString& aOrigin)
+void
+Location::GetOrigin(nsAString& aOrigin,
+                    nsIPrincipal& aSubjectPrincipal,
+                    ErrorResult& aRv)
 {
+  if (!CallerSubsumes(&aSubjectPrincipal)) {
+    aRv.Throw(NS_ERROR_DOM_SECURITY_ERR);
+    return;
+  }
+
   aOrigin.Truncate();
 
   nsCOMPtr<nsIURI> uri;
-  nsresult rv = GetURI(getter_AddRefs(uri), true);
-  NS_ENSURE_SUCCESS(rv, rv);
-  NS_ENSURE_TRUE(uri, NS_OK);
+  aRv = GetURI(getter_AddRefs(uri), true);
+  if (NS_WARN_IF(aRv.Failed()) || !uri) {
+    return;
+  }
 
   nsAutoString origin;
-  rv = nsContentUtils::GetUTFOrigin(uri, origin);
-  NS_ENSURE_SUCCESS(rv, rv);
+  aRv = nsContentUtils::GetUTFOrigin(uri, origin);
+  if (NS_WARN_IF(aRv.Failed())) {
+    return;
+  }
 
   aOrigin = origin;
-  return NS_OK;
 }
 
-NS_IMETHODIMP
-Location::GetPathname(nsAString& aPathname)
+void
+Location::GetPathname(nsAString& aPathname,
+                      nsIPrincipal& aSubjectPrincipal,
+                      ErrorResult& aRv)
 {
+  if (!CallerSubsumes(&aSubjectPrincipal)) {
+    aRv.Throw(NS_ERROR_DOM_SECURITY_ERR);
+    return;
+  }
+
   aPathname.Truncate();
 
   nsCOMPtr<nsIURI> uri;
-  nsresult result = GetURI(getter_AddRefs(uri));
-  if (NS_FAILED(result) || !uri) {
-    return result;
+  aRv = GetURI(getter_AddRefs(uri));
+  if (NS_WARN_IF(aRv.Failed()) || !uri) {
+    return;
   }
 
   nsAutoCString file;
 
-  result = uri->GetFilePath(file);
-
-  if (NS_SUCCEEDED(result)) {
-    AppendUTF8toUTF16(file, aPathname);
+  aRv = uri->GetFilePath(file);
+  if (NS_WARN_IF(aRv.Failed())) {
+    return;
   }
 
-  return result;
+  AppendUTF8toUTF16(file, aPathname);
 }
 
-NS_IMETHODIMP
-Location::SetPathname(const nsAString& aPathname)
+void
+Location::SetPathname(const nsAString& aPathname,
+                      nsIPrincipal& aSubjectPrincipal,
+                      ErrorResult& aRv)
 {
+  if (!CallerSubsumes(&aSubjectPrincipal)) {
+    aRv.Throw(NS_ERROR_DOM_SECURITY_ERR);
+    return;
+  }
+
   nsCOMPtr<nsIURI> uri;
-  nsresult rv = GetWritableURI(getter_AddRefs(uri));
-  if (NS_WARN_IF(NS_FAILED(rv) || !uri)) {
-    return rv;
+  aRv = GetWritableURI(getter_AddRefs(uri));
+  if (NS_WARN_IF(aRv.Failed()) || !uri) {
+    return;
   }
 
   if (NS_SUCCEEDED(uri->SetFilePath(NS_ConvertUTF16toUTF8(aPathname)))) {
-    return SetURI(uri);
+    aRv = SetURI(uri);
   }
-
-  return NS_OK;
 }
 
-NS_IMETHODIMP
-Location::GetPort(nsAString& aPort)
+void
+Location::GetPort(nsAString& aPort,
+                  nsIPrincipal& aSubjectPrincipal,
+                  ErrorResult& aRv)
 {
+  if (!CallerSubsumes(&aSubjectPrincipal)) {
+    aRv.Throw(NS_ERROR_DOM_SECURITY_ERR);
+    return;
+  }
+
   aPort.SetLength(0);
 
   nsCOMPtr<nsIURI> uri;
-  nsresult result = NS_OK;
-
-  result = GetURI(getter_AddRefs(uri), true);
-
-  if (uri) {
-    int32_t port;
-    result = uri->GetPort(&port);
-
-    if (NS_SUCCEEDED(result) && -1 != port) {
-      nsAutoString portStr;
-      portStr.AppendInt(port);
-      aPort.Append(portStr);
-    }
-
-    // Don't propagate this exception to caller
-    result = NS_OK;
+  aRv = GetURI(getter_AddRefs(uri), true);
+  if (NS_WARN_IF(aRv.Failed()) || !uri) {
+    return;
   }
 
-  return result;
+  int32_t port;
+  nsresult result = uri->GetPort(&port);
+
+  // Don't propagate this exception to caller
+  if (NS_SUCCEEDED(result) && -1 != port) {
+    nsAutoString portStr;
+    portStr.AppendInt(port);
+    aPort.Append(portStr);
+  }
 }
 
-NS_IMETHODIMP
-Location::SetPort(const nsAString& aPort)
+void
+Location::SetPort(const nsAString& aPort,
+                  nsIPrincipal& aSubjectPrincipal,
+                  ErrorResult& aRv)
 {
+  if (!CallerSubsumes(&aSubjectPrincipal)) {
+    aRv.Throw(NS_ERROR_DOM_SECURITY_ERR);
+    return;
+  }
+
   nsCOMPtr<nsIURI> uri;
-  nsresult rv = GetWritableURI(getter_AddRefs(uri));
-  if (NS_WARN_IF(NS_FAILED(rv) || !uri)) {
-    return rv;
+  aRv = GetWritableURI(getter_AddRefs(uri));
+  if (NS_WARN_IF(aRv.Failed() || !uri)) {
+    return;
   }
 
   // perhaps use nsReadingIterators at some point?
@@ -624,45 +693,57 @@ Location::SetPort(const nsAString& aPort)
     }
   }
 
-  rv = uri->SetPort(port);
-  if (NS_WARN_IF(NS_FAILED(rv))) {
-    return rv;
+  aRv = uri->SetPort(port);
+  if (NS_WARN_IF(aRv.Failed())) {
+    return;
   }
 
-  return SetURI(uri);
+  aRv = SetURI(uri);
 }
 
-NS_IMETHODIMP
-Location::GetProtocol(nsAString& aProtocol)
+void
+Location::GetProtocol(nsAString& aProtocol,
+                      nsIPrincipal& aSubjectPrincipal,
+                      ErrorResult& aRv)
 {
+  if (!CallerSubsumes(&aSubjectPrincipal)) {
+    aRv.Throw(NS_ERROR_DOM_SECURITY_ERR);
+    return;
+  }
+
   aProtocol.SetLength(0);
 
   nsCOMPtr<nsIURI> uri;
-  nsresult result = NS_OK;
-
-  result = GetURI(getter_AddRefs(uri));
-
-  if (uri) {
-    nsAutoCString protocol;
-
-    result = uri->GetScheme(protocol);
-
-    if (NS_SUCCEEDED(result)) {
-      CopyASCIItoUTF16(protocol, aProtocol);
-      aProtocol.Append(char16_t(':'));
-    }
+  aRv = GetURI(getter_AddRefs(uri));
+  if (NS_WARN_IF(aRv.Failed()) || !uri) {
+    return;
   }
 
-  return result;
+  nsAutoCString protocol;
+
+  aRv = uri->GetScheme(protocol);
+  if (NS_WARN_IF(aRv.Failed())) {
+    return;
+  }
+
+  CopyASCIItoUTF16(protocol, aProtocol);
+  aProtocol.Append(char16_t(':'));
 }
 
-NS_IMETHODIMP
-Location::SetProtocol(const nsAString& aProtocol)
+void
+Location::SetProtocol(const nsAString& aProtocol,
+                      nsIPrincipal& aSubjectPrincipal,
+                      ErrorResult& aRv)
 {
+  if (!CallerSubsumes(&aSubjectPrincipal)) {
+    aRv.Throw(NS_ERROR_DOM_SECURITY_ERR);
+    return;
+  }
+
   nsCOMPtr<nsIURI> uri;
-  nsresult rv = GetWritableURI(getter_AddRefs(uri));
-  if (NS_WARN_IF(NS_FAILED(rv) || !uri)) {
-    return rv;
+  aRv = GetWritableURI(getter_AddRefs(uri));
+  if (NS_WARN_IF(aRv.Failed()) || !uri) {
+    return;
   }
 
   nsAString::const_iterator start, end;
@@ -671,16 +752,18 @@ Location::SetProtocol(const nsAString& aProtocol)
   nsAString::const_iterator iter(start);
   Unused << FindCharInReadable(':', iter, end);
 
-  rv = uri->SetScheme(NS_ConvertUTF16toUTF8(Substring(start, iter)));
+  nsresult rv = uri->SetScheme(NS_ConvertUTF16toUTF8(Substring(start, iter)));
   if (NS_WARN_IF(NS_FAILED(rv))) {
     // Oh, I wish nsStandardURL returned NS_ERROR_MALFORMED_URI for _all_ the
     // malformed cases, not just some of them!
-    return NS_ERROR_DOM_SYNTAX_ERR;
+    aRv.Throw(NS_ERROR_DOM_SYNTAX_ERR);
+    return;
   }
+
   nsAutoCString newSpec;
-  rv = uri->GetSpec(newSpec);
-  if (NS_FAILED(rv)) {
-    return rv;
+  aRv = uri->GetSpec(newSpec);
+  if (NS_WARN_IF(aRv.Failed())) {
+    return;
   }
   // We may want a new URI class for the new URI, so recreate it:
   rv = NS_NewURI(getter_AddRefs(uri), newSpec);
@@ -688,32 +771,41 @@ Location::SetProtocol(const nsAString& aProtocol)
     if (rv == NS_ERROR_MALFORMED_URI) {
       rv = NS_ERROR_DOM_SYNTAX_ERR;
     }
-    return rv;
+
+    aRv.Throw(rv);
+    return;
   }
 
   bool isHttp;
-  rv = uri->SchemeIs("http", &isHttp);
-  if (NS_WARN_IF(NS_FAILED(rv))) {
-    return rv;
+  aRv = uri->SchemeIs("http", &isHttp);
+  if (NS_WARN_IF(aRv.Failed())) {
+    return;
   }
 
   bool isHttps;
-  rv = uri->SchemeIs("https", &isHttps);
-  if (NS_WARN_IF(NS_FAILED(rv))) {
-    return rv;
+  aRv = uri->SchemeIs("https", &isHttps);
+  if (NS_WARN_IF(aRv.Failed())) {
+    return;
   }
 
   if (!isHttp && !isHttps) {
     // No-op, per spec.
-    return NS_OK;
+    return;
   }
 
-  return SetURI(uri);
+  aRv = SetURI(uri);
 }
 
-NS_IMETHODIMP
-Location::GetSearch(nsAString& aSearch)
+void
+Location::GetSearch(nsAString& aSearch,
+                    nsIPrincipal& aSubjectPrincipal,
+                    ErrorResult& aRv)
 {
+  if (!CallerSubsumes(&aSubjectPrincipal)) {
+    aRv.Throw(NS_ERROR_DOM_SECURITY_ERR);
+    return;
+  }
+
   aSearch.SetLength(0);
 
   nsCOMPtr<nsIURI> uri;
@@ -733,44 +825,36 @@ Location::GetSearch(nsAString& aSearch)
       AppendUTF8toUTF16(search, aSearch);
     }
   }
-
-  return NS_OK;
 }
 
-NS_IMETHODIMP
-Location::SetSearch(const nsAString& aSearch)
+void
+Location::SetSearch(const nsAString& aSearch,
+                    nsIPrincipal& aSubjectPrincipal,
+                    ErrorResult& aRv)
 {
-  nsresult rv = SetSearchInternal(aSearch);
-  if (NS_FAILED(rv)) {
-    return rv;
+  if (!CallerSubsumes(&aSubjectPrincipal)) {
+    aRv.Throw(NS_ERROR_DOM_SECURITY_ERR);
+    return;
   }
 
-  return NS_OK;
+  nsCOMPtr<nsIURI> uri;
+  aRv = GetWritableURI(getter_AddRefs(uri));
+  nsCOMPtr<nsIURL> url(do_QueryInterface(uri));
+  if (NS_WARN_IF(aRv.Failed()) || !url) {
+    return;
+  }
+
+  aRv = url->SetQuery(NS_ConvertUTF16toUTF8(aSearch));
+  if (NS_WARN_IF(aRv.Failed())) {
+    return;
+  }
+
+  aRv = SetURI(uri);
 }
 
 nsresult
-Location::SetSearchInternal(const nsAString& aSearch)
-{
-  nsCOMPtr<nsIURI> uri;
-  nsresult rv = GetWritableURI(getter_AddRefs(uri));
-
-  nsCOMPtr<nsIURL> url(do_QueryInterface(uri));
-  if (NS_WARN_IF(NS_FAILED(rv) || !url)) {
-    return rv;
-  }
-
-  rv = url->SetQuery(NS_ConvertUTF16toUTF8(aSearch));
-  if (NS_WARN_IF(NS_FAILED(rv))) {
-    return rv;
-  }
-
-  return SetURI(uri);
-}
-
-NS_IMETHODIMP
 Location::Reload(bool aForceget)
 {
-  nsresult rv;
   nsCOMPtr<nsIDocShell> docShell(do_QueryReferent(mDocShell));
   nsCOMPtr<nsIWebNavigation> webNav(do_QueryInterface(docShell));
   nsCOMPtr<nsPIDOMWindowOuter> window = docShell ? docShell->GetWindow()
@@ -795,85 +879,84 @@ Location::Reload(bool aForceget)
     return NS_OK;
   }
 
-  if (webNav) {
-    uint32_t reloadFlags = nsIWebNavigation::LOAD_FLAGS_NONE;
+  if (!webNav) {
+    return NS_ERROR_FAILURE;
+  }
 
-    if (aForceget) {
-      reloadFlags = nsIWebNavigation::LOAD_FLAGS_BYPASS_CACHE | 
-                    nsIWebNavigation::LOAD_FLAGS_BYPASS_PROXY;
-    }
-    rv = webNav->Reload(reloadFlags);
-    if (rv == NS_BINDING_ABORTED) {
-      // This happens when we attempt to reload a POST result and the user says
-      // no at the "do you want to reload?" prompt.  Don't propagate this one
-      // back to callers.
-      rv = NS_OK;
-    }
-  } else {
-    rv = NS_ERROR_FAILURE;
+  uint32_t reloadFlags = nsIWebNavigation::LOAD_FLAGS_NONE;
+
+  if (aForceget) {
+    reloadFlags = nsIWebNavigation::LOAD_FLAGS_BYPASS_CACHE |
+                  nsIWebNavigation::LOAD_FLAGS_BYPASS_PROXY;
+  }
+
+  nsresult rv = webNav->Reload(reloadFlags);
+  if (rv == NS_BINDING_ABORTED) {
+    // This happens when we attempt to reload a POST result and the user says
+    // no at the "do you want to reload?" prompt.  Don't propagate this one
+    // back to callers.
+    rv = NS_OK;
   }
 
   return rv;
 }
 
-NS_IMETHODIMP
-Location::Replace(const nsAString& aUrl)
+void
+Location::Replace(const nsAString& aUrl,
+                  nsIPrincipal& aSubjectPrincipal,
+                  ErrorResult& aRv)
 {
-  nsresult rv = NS_OK;
   if (JSContext *cx = nsContentUtils::GetCurrentJSContext()) {
-    return SetHrefWithContext(cx, aUrl, true);
+    aRv = SetHrefWithContext(cx, aUrl, true);
+    return;
   }
 
   nsAutoString oldHref;
-
-  rv = GetHref(oldHref);
-  NS_ENSURE_SUCCESS(rv, rv);
+  aRv = GetHref(oldHref);
+  if (NS_WARN_IF(aRv.Failed())) {
+    return;
+  }
 
   nsCOMPtr<nsIURI> oldUri;
 
-  rv = NS_NewURI(getter_AddRefs(oldUri), oldHref);
-  NS_ENSURE_SUCCESS(rv, rv);
+  aRv = NS_NewURI(getter_AddRefs(oldUri), oldHref);
+  if (NS_WARN_IF(aRv.Failed())) {
+    return;
+  }
 
-  return SetHrefWithBase(aUrl, oldUri, true);
+  aRv = SetHrefWithBase(aUrl, oldUri, true);
 }
 
-NS_IMETHODIMP
-Location::Assign(const nsAString& aUrl)
+void
+Location::Assign(const nsAString& aUrl,
+                 nsIPrincipal& aSubjectPrincipal,
+                 ErrorResult& aRv)
 {
+  if (!CallerSubsumes(&aSubjectPrincipal)) {
+    aRv.Throw(NS_ERROR_DOM_SECURITY_ERR);
+    return;
+  }
+
   if (JSContext *cx = nsContentUtils::GetCurrentJSContext()) {
-    return SetHrefWithContext(cx, aUrl, false);
+    aRv = SetHrefWithContext(cx, aUrl, false);
+    return;
   }
 
   nsAutoString oldHref;
-  nsresult result = NS_OK;
-
-  result = GetHref(oldHref);
-
-  if (NS_SUCCEEDED(result)) {
-    nsCOMPtr<nsIURI> oldUri;
-
-    result = NS_NewURI(getter_AddRefs(oldUri), oldHref);
-
-    if (oldUri) {
-      result = SetHrefWithBase(aUrl, oldUri, false);
-    }
+  aRv = GetHref(oldHref);
+  if (NS_WARN_IF(aRv.Failed())) {
+    return;
   }
 
-  return result;
-}
+  nsCOMPtr<nsIURI> oldUri;
+  aRv = NS_NewURI(getter_AddRefs(oldUri), oldHref);
+  if (NS_WARN_IF(aRv.Failed())) {
+    return;
+  }
 
-NS_IMETHODIMP
-Location::ToString(nsAString& aReturn)
-{
-  return GetHref(aReturn);
-}
-
-NS_IMETHODIMP
-Location::ValueOf(nsIDOMLocation** aReturn)
-{
-  nsCOMPtr<nsIDOMLocation> loc(this);
-  loc.forget(aReturn);
-  return NS_OK;
+  if (oldUri) {
+    aRv = SetHrefWithBase(aUrl, oldUri, false);
+  }
 }
 
 nsresult
diff --git a/dom/base/Location.h b/dom/base/Location.h
index 5924cc5f3e00..1369b6869b19 100644
--- a/dom/base/Location.h
+++ b/dom/base/Location.h
@@ -37,37 +37,24 @@ public:
   NS_DECL_CYCLE_COLLECTION_SCRIPT_HOLDER_CLASS_AMBIGUOUS(Location,
                                                          nsIDOMLocation)
 
-  // nsIDOMLocation
-  NS_DECL_NSIDOMLOCATION
-
-  #define THROW_AND_RETURN_IF_CALLER_DOESNT_SUBSUME() { \
-    if (!CallerSubsumes(&aSubjectPrincipal)) { \
-      aError.Throw(NS_ERROR_DOM_SECURITY_ERR); \
-      return; \
-    } \
-  }
-
   // WebIDL API:
   void Assign(const nsAString& aUrl,
               nsIPrincipal& aSubjectPrincipal,
-              ErrorResult& aError)
-  {
-    THROW_AND_RETURN_IF_CALLER_DOESNT_SUBSUME();
-    aError = Assign(aUrl);
-  }
+              ErrorResult& aError);
 
   void Replace(const nsAString& aUrl,
                nsIPrincipal& aSubjectPrincipal,
-               ErrorResult& aError)
-  {
-    aError = Replace(aUrl);
-  }
+               ErrorResult& aError);
 
   void Reload(bool aForceget,
               nsIPrincipal& aSubjectPrincipal,
               ErrorResult& aError)
   {
-    THROW_AND_RETURN_IF_CALLER_DOESNT_SUBSUME();
+    if (!CallerSubsumes(&aSubjectPrincipal)) {
+      aError.Throw(NS_ERROR_DOM_SECURITY_ERR);
+      return;
+    }
+
     aError = Reload(aForceget);
   }
 
@@ -75,136 +62,77 @@ public:
                nsIPrincipal& aSubjectPrincipal,
                ErrorResult& aError)
   {
-    THROW_AND_RETURN_IF_CALLER_DOESNT_SUBSUME();
+    if (!CallerSubsumes(&aSubjectPrincipal)) {
+      aError.Throw(NS_ERROR_DOM_SECURITY_ERR);
+      return;
+    }
+
     aError = GetHref(aHref);
   }
 
   void SetHref(const nsAString& aHref,
                nsIPrincipal& aSubjectPrincipal,
-               ErrorResult& aError)
-  {
-    aError = SetHref(aHref);
-  }
+               ErrorResult& aError);
 
   void GetOrigin(nsAString& aOrigin,
                  nsIPrincipal& aSubjectPrincipal,
-                 ErrorResult& aError)
-  {
-    THROW_AND_RETURN_IF_CALLER_DOESNT_SUBSUME();
-    aError = GetOrigin(aOrigin);
-  }
+                 ErrorResult& aError);
 
   void GetProtocol(nsAString& aProtocol,
                    nsIPrincipal& aSubjectPrincipal,
-                   ErrorResult& aError)
-  {
-    THROW_AND_RETURN_IF_CALLER_DOESNT_SUBSUME();
-    aError = GetProtocol(aProtocol);
-  }
+                   ErrorResult& aError);
 
   void SetProtocol(const nsAString& aProtocol,
                    nsIPrincipal& aSubjectPrincipal,
-                   ErrorResult& aError)
-  {
-    THROW_AND_RETURN_IF_CALLER_DOESNT_SUBSUME();
-    aError = SetProtocol(aProtocol);
-  }
+                   ErrorResult& aError);
 
   void GetHost(nsAString& aHost,
                nsIPrincipal& aSubjectPrincipal,
-               ErrorResult& aError)
-  {
-    THROW_AND_RETURN_IF_CALLER_DOESNT_SUBSUME();
-    aError = GetHost(aHost);
-  }
+               ErrorResult& aError);
 
   void SetHost(const nsAString& aHost,
                nsIPrincipal& aSubjectPrincipal,
-               ErrorResult& aError)
-  {
-    THROW_AND_RETURN_IF_CALLER_DOESNT_SUBSUME();
-    aError = SetHost(aHost);
-  }
+               ErrorResult& aError);
 
   void GetHostname(nsAString& aHostname,
                    nsIPrincipal& aSubjectPrincipal,
-                   ErrorResult& aError)
-  {
-    THROW_AND_RETURN_IF_CALLER_DOESNT_SUBSUME();
-    aError = GetHostname(aHostname);
-  }
+                   ErrorResult& aError);
 
   void SetHostname(const nsAString& aHostname,
                    nsIPrincipal& aSubjectPrincipal,
-                   ErrorResult& aError)
-  {
-    THROW_AND_RETURN_IF_CALLER_DOESNT_SUBSUME();
-    aError = SetHostname(aHostname);
-  }
+                   ErrorResult& aError);
 
   void GetPort(nsAString& aPort,
                nsIPrincipal& aSubjectPrincipal,
-               ErrorResult& aError)
-  {
-    THROW_AND_RETURN_IF_CALLER_DOESNT_SUBSUME();
-    aError = GetPort(aPort);
-  }
+               ErrorResult& aError);
 
   void SetPort(const nsAString& aPort,
                nsIPrincipal& aSubjectPrincipal,
-               ErrorResult& aError)
-  {
-    THROW_AND_RETURN_IF_CALLER_DOESNT_SUBSUME();
-    aError = SetPort(aPort);
-  }
+               ErrorResult& aError);
 
   void GetPathname(nsAString& aPathname,
                    nsIPrincipal& aSubjectPrincipal,
-                   ErrorResult& aError)
-  {
-    THROW_AND_RETURN_IF_CALLER_DOESNT_SUBSUME();
-    aError = GetPathname(aPathname);
-  }
+                   ErrorResult& aError);
 
   void SetPathname(const nsAString& aPathname,
                    nsIPrincipal& aSubjectPrincipal,
-                   ErrorResult& aError)
-  {
-    THROW_AND_RETURN_IF_CALLER_DOESNT_SUBSUME();
-    aError = SetPathname(aPathname);
-  }
+                   ErrorResult& aError);
 
   void GetSearch(nsAString& aSeach,
                  nsIPrincipal& aSubjectPrincipal,
-                 ErrorResult& aError)
-  {
-    THROW_AND_RETURN_IF_CALLER_DOESNT_SUBSUME();
-    aError = GetSearch(aSeach);
-  }
+                 ErrorResult& aError);
 
   void SetSearch(const nsAString& aSeach,
                  nsIPrincipal& aSubjectPrincipal,
-                 ErrorResult& aError)
-  {
-    THROW_AND_RETURN_IF_CALLER_DOESNT_SUBSUME();
-    aError = SetSearch(aSeach);
-  }
+                 ErrorResult& aError);
 
   void GetHash(nsAString& aHash,
                nsIPrincipal& aSubjectPrincipal,
-               ErrorResult& aError)
-  {
-    THROW_AND_RETURN_IF_CALLER_DOESNT_SUBSUME();
-    aError = GetHash(aHash);
-  }
+               ErrorResult& aError);
 
   void SetHash(const nsAString& aHash,
                nsIPrincipal& aSubjectPrincipal,
-               ErrorResult& aError)
-  {
-    THROW_AND_RETURN_IF_CALLER_DOESNT_SUBSUME();
-    aError = SetHash(aHash);
-  }
+               ErrorResult& aError);
 
   void Stringify(nsAString& aRetval,
                  nsIPrincipal& aSubjectPrincipal,
@@ -222,11 +150,20 @@ public:
   virtual JSObject* WrapObject(JSContext* aCx,
                                JS::Handle<JSObject*> aGivenProto) override;
 
+  // Non WebIDL methods:
+
+  nsresult GetHref(nsAString& aHref);
+
+  nsresult ToString(nsAString& aString)
+  {
+    return GetHref(aString);
+  }
+
+  nsresult Reload(bool aForceget);
+
 protected:
   virtual ~Location();
 
-  nsresult SetSearchInternal(const nsAString& aSearch);
-
   // In the case of jar: uris, we sometimes want the place the jar was
   // fetched from as the URI instead of the jar: uri itself.  Pass in
   // true for aGetInnermostURI when that's the case.
diff --git a/dom/base/nsDocument.cpp b/dom/base/nsDocument.cpp
index dbbf749e3f4a..e84cf3ef5448 100644
--- a/dom/base/nsDocument.cpp
+++ b/dom/base/nsDocument.cpp
@@ -5745,12 +5745,10 @@ nsDocument::CreateElement(const nsAString& aTagName,
   if (aOptions.IsElementCreationOptions()) {
     const ElementCreationOptions& options =
       aOptions.GetAsElementCreationOptions();
-    // Throw NotFoundError if 'is' is not-null and definition is null
-    is = CheckCustomElementName(options,
-                                needsLowercase ? lcTagName : aTagName,
-                                mDefaultElementType, rv);
-    if (rv.Failed()) {
-      return nullptr;
+
+    if (CustomElementRegistry::IsCustomElementEnabled() &&
+        options.mIs.WasPassed()) {
+      is = &options.mIs.Value();
     }
 
     // Check 'pseudo' and throw an exception if it's not one allowed
@@ -5809,12 +5807,11 @@ nsDocument::CreateElementNS(const nsAString& aNamespaceURI,
   }
 
   const nsString* is = nullptr;
-  if (aOptions.IsElementCreationOptions()) {
-    // Throw NotFoundError if 'is' is not-null and definition is null
-    is = CheckCustomElementName(aOptions.GetAsElementCreationOptions(),
-                                aQualifiedName, nodeInfo->NamespaceID(), rv);
-    if (rv.Failed()) {
-      return nullptr;
+  if (CustomElementRegistry::IsCustomElementEnabled() &&
+      aOptions.IsElementCreationOptions()) {
+    const ElementCreationOptions& options = aOptions.GetAsElementCreationOptions();
+    if (options.mIs.WasPassed()) {
+      is = &options.mIs.Value();
     }
   }
 
@@ -13187,30 +13184,6 @@ nsIDocument::UpdateStyleBackendType()
 #endif
 }
 
-const nsString*
-nsDocument::CheckCustomElementName(const ElementCreationOptions& aOptions,
-                                   const nsAString& aLocalName,
-                                   uint32_t aNamespaceID,
-                                   ErrorResult& rv)
-{
-  // only check aOptions if 'is' is passed and the webcomponents preference
-  // is enabled
-  if (!aOptions.mIs.WasPassed() ||
-      !CustomElementRegistry::IsCustomElementEnabled()) {
-      return nullptr;
-  }
-
-  const nsString* is = &aOptions.mIs.Value();
-
-  // Throw NotFoundError if 'is' is not-null and definition is null
-  if (!nsContentUtils::LookupCustomElementDefinition(this, aLocalName,
-                                                     aNamespaceID, is)) {
-      rv.Throw(NS_ERROR_DOM_NOT_FOUND_ERR);
-  }
-
-  return is;
-}
-
 /**
  * Helper function for |nsDocument::PrincipalFlashClassification|
  *
diff --git a/dom/base/nsDocument.h b/dom/base/nsDocument.h
index 8a1663e4c78b..c0108d5b6fba 100644
--- a/dom/base/nsDocument.h
+++ b/dom/base/nsDocument.h
@@ -1463,20 +1463,6 @@ private:
   void UpdatePossiblyStaleDocumentState();
   static bool CustomElementConstructor(JSContext* aCx, unsigned aArgc, JS::Value* aVp);
 
-  /**
-   * Check if the passed custom element name, aOptions.mIs, is a registered
-   * custom element type or not, then return the custom element name for future
-   * usage.
-   *
-   * If there is no existing custom element definition for this name, throw a
-   * NotFoundError.
-   */
-  const nsString* CheckCustomElementName(
-    const mozilla::dom::ElementCreationOptions& aOptions,
-    const nsAString& aLocalName,
-    uint32_t aNamespaceID,
-    ErrorResult& rv);
-
 public:
   virtual already_AddRefed<mozilla::dom::CustomElementRegistry>
     GetCustomElementRegistry() override;
diff --git a/dom/base/nsFrameLoader.cpp b/dom/base/nsFrameLoader.cpp
index bac3f10398eb..04820685d307 100644
--- a/dom/base/nsFrameLoader.cpp
+++ b/dom/base/nsFrameLoader.cpp
@@ -1507,9 +1507,6 @@ nsFrameLoader::SwapWithOtherRemoteLoader(nsFrameLoader* aOther,
   ourShell->BackingScaleFactorChanged();
   otherShell->BackingScaleFactorChanged();
 
-  ourDoc->FlushPendingNotifications(FlushType::Layout);
-  otherDoc->FlushPendingNotifications(FlushType::Layout);
-
   // Initialize browser API if needed now that owner content has changed.
   InitializeBrowserAPI();
   aOther->InitializeBrowserAPI();
@@ -1950,9 +1947,6 @@ nsFrameLoader::SwapWithOtherLoader(nsFrameLoader* aOther,
   ourShell->BackingScaleFactorChanged();
   otherShell->BackingScaleFactorChanged();
 
-  ourParentDocument->FlushPendingNotifications(FlushType::Layout);
-  otherParentDocument->FlushPendingNotifications(FlushType::Layout);
-
   // Initialize browser API if needed now that owner content has changed
   InitializeBrowserAPI();
   aOther->InitializeBrowserAPI();
diff --git a/dom/base/nsGkAtomList.h b/dom/base/nsGkAtomList.h
index 780d6dec3df7..9e2894ee02dc 100644
--- a/dom/base/nsGkAtomList.h
+++ b/dom/base/nsGkAtomList.h
@@ -107,6 +107,37 @@ GK_ATOM(applyImports, "apply-imports")
 GK_ATOM(applyTemplates, "apply-templates")
 GK_ATOM(archive, "archive")
 GK_ATOM(area, "area")
+GK_ATOM(aria_activedescendant, "aria-activedescendant")
+GK_ATOM(aria_atomic, "aria-atomic")
+GK_ATOM(aria_autocomplete, "aria-autocomplete")
+GK_ATOM(aria_busy, "aria-busy")
+GK_ATOM(aria_checked, "aria-checked")
+GK_ATOM(aria_controls, "aria-controls")
+GK_ATOM(aria_describedby, "aria-describedby")
+GK_ATOM(aria_disabled, "aria-disabled")
+GK_ATOM(aria_dropeffect, "aria-dropeffect")
+GK_ATOM(aria_expanded, "aria-expanded")
+GK_ATOM(aria_flowto, "aria-flowto")
+GK_ATOM(aria_haspopup, "aria-haspopup")
+GK_ATOM(aria_hidden, "aria-hidden")
+GK_ATOM(aria_invalid, "aria-invalid")
+GK_ATOM(aria_labelledby, "aria-labelledby")
+GK_ATOM(aria_level, "aria-level")
+GK_ATOM(aria_live, "aria-live")
+GK_ATOM(aria_multiline, "aria-multiline")
+GK_ATOM(aria_multiselectable, "aria-multiselectable")
+GK_ATOM(aria_owns, "aria-owns")
+GK_ATOM(aria_posinset, "aria-posinset")
+GK_ATOM(aria_pressed, "aria-pressed")
+GK_ATOM(aria_readonly, "aria-readonly")
+GK_ATOM(aria_relevant, "aria-relevant")
+GK_ATOM(aria_required, "aria-required")
+GK_ATOM(aria_selected, "aria-selected")
+GK_ATOM(aria_setsize, "aria-setsize")
+GK_ATOM(aria_sort, "aria-sort")
+GK_ATOM(aria_valuemax, "aria-valuemax")
+GK_ATOM(aria_valuemin, "aria-valuemin")
+GK_ATOM(aria_valuenow, "aria-valuenow")
 GK_ATOM(arrow, "arrow")
 GK_ATOM(article, "article")
 GK_ATOM(ascending, "ascending")
@@ -1218,6 +1249,7 @@ GK_ATOM(sub, "sub")
 GK_ATOM(sum, "sum")
 GK_ATOM(sup, "sup")
 GK_ATOM(summary, "summary")
+GK_ATOM(_switch, "switch")
 GK_ATOM(systemProperty, "system-property")
 GK_ATOM(tab, "tab")
 GK_ATOM(tabbox, "tabbox")
@@ -2242,47 +2274,16 @@ GK_ATOM(restore,    "restore")
 GK_ATOM(alert, "alert")
 GK_ATOM(alertdialog, "alertdialog")
 GK_ATOM(application, "application")
-GK_ATOM(aria_activedescendant, "aria-activedescendant")
-GK_ATOM(aria_atomic, "aria-atomic")
-GK_ATOM(aria_autocomplete, "aria-autocomplete")
-GK_ATOM(aria_busy, "aria-busy")
-GK_ATOM(aria_checked, "aria-checked")
 GK_ATOM(aria_colcount, "aria-colcount")
 GK_ATOM(aria_colindex, "aria-colindex")
-GK_ATOM(aria_controls, "aria-controls")
-GK_ATOM(aria_describedby, "aria-describedby")
 GK_ATOM(aria_details, "aria-details")
-GK_ATOM(aria_disabled, "aria-disabled")
-GK_ATOM(aria_dropeffect, "aria-dropeffect")
 GK_ATOM(aria_errormessage, "aria-errormessage")
-GK_ATOM(aria_expanded, "aria-expanded")
-GK_ATOM(aria_flowto, "aria-flowto")
 GK_ATOM(aria_grabbed, "aria-grabbed")
-GK_ATOM(aria_haspopup, "aria-haspopup")
-GK_ATOM(aria_hidden, "aria-hidden")
-GK_ATOM(aria_invalid, "aria-invalid")
 GK_ATOM(aria_label, "aria-label")
-GK_ATOM(aria_labelledby, "aria-labelledby")
-GK_ATOM(aria_level, "aria-level")
-GK_ATOM(aria_live, "aria-live")
 GK_ATOM(aria_modal, "aria-modal")
-GK_ATOM(aria_multiline, "aria-multiline")
-GK_ATOM(aria_multiselectable, "aria-multiselectable")
 GK_ATOM(aria_orientation, "aria-orientation")
-GK_ATOM(aria_owns, "aria-owns")
-GK_ATOM(aria_posinset, "aria-posinset")
-GK_ATOM(aria_pressed, "aria-pressed")
-GK_ATOM(aria_readonly, "aria-readonly")
-GK_ATOM(aria_relevant, "aria-relevant")
-GK_ATOM(aria_required, "aria-required")
 GK_ATOM(aria_rowcount, "aria-rowcount")
 GK_ATOM(aria_rowindex, "aria-rowindex")
-GK_ATOM(aria_selected, "aria-selected")
-GK_ATOM(aria_setsize, "aria-setsize")
-GK_ATOM(aria_sort, "aria-sort")
-GK_ATOM(aria_valuenow, "aria-valuenow")
-GK_ATOM(aria_valuemin, "aria-valuemin")
-GK_ATOM(aria_valuemax, "aria-valuemax")
 GK_ATOM(aria_valuetext, "aria-valuetext")
 GK_ATOM(auto_generated, "auto-generated")
 GK_ATOM(banner, "banner")
@@ -2330,7 +2331,6 @@ GK_ATOM(setsize, "setsize")
 GK_ATOM(spelling, "spelling")
 GK_ATOM(spinbutton, "spinbutton")
 GK_ATOM(status, "status")
-GK_ATOM(_switch, "switch")
 GK_ATOM(tableCellIndex, "table-cell-index")
 GK_ATOM(tablist, "tablist")
 GK_ATOM(textIndent, "text-indent")
diff --git a/dom/base/nsJSEnvironment.cpp b/dom/base/nsJSEnvironment.cpp
index 606f76859314..f6a074859ba7 100644
--- a/dom/base/nsJSEnvironment.cpp
+++ b/dom/base/nsJSEnvironment.cpp
@@ -1740,8 +1740,7 @@ void
 InterSliceGCTimerFired(nsITimer *aTimer, void *aClosure)
 {
   nsJSContext::KillInterSliceGCTimer();
-  bool e10sParent = XRE_IsParentProcess() && BrowserTabsRemoteAutostart();
-  int64_t budget = e10sParent && nsContentUtils::GetUserIsInteracting() && sActiveIntersliceGCBudget ?
+  int64_t budget = XRE_IsE10sParentProcess() && nsContentUtils::GetUserIsInteracting() && sActiveIntersliceGCBudget ?
     sActiveIntersliceGCBudget : NS_INTERSLICE_GC_BUDGET;
   nsJSContext::GarbageCollectNow(JS::gcreason::INTER_SLICE_GC,
                                  nsJSContext::IncrementalGC,
diff --git a/dom/base/test/embed_bug455472.html b/dom/base/test/embed_bug455472.html
new file mode 100644
index 000000000000..d244ea939642
--- /dev/null
+++ b/dom/base/test/embed_bug455472.html
@@ -0,0 +1 @@
+<svg xmlns='http://www.w3.org/2000/svg' onload='parent.ran[2]=true'/>
diff --git a/dom/base/test/iframe1_bug431701.html b/dom/base/test/iframe1_bug431701.html
new file mode 100644
index 000000000000..18ecdcb795c3
--- /dev/null
+++ b/dom/base/test/iframe1_bug431701.html
@@ -0,0 +1 @@
+<html></html>
diff --git a/dom/base/test/iframe2_bug431701.html b/dom/base/test/iframe2_bug431701.html
new file mode 100644
index 000000000000..6c963c545508
--- /dev/null
+++ b/dom/base/test/iframe2_bug431701.html
@@ -0,0 +1 @@
+<html><meta charset="UTF-8"></html>
diff --git a/dom/base/test/iframe3_bug431701.html b/dom/base/test/iframe3_bug431701.html
new file mode 100644
index 000000000000..c0aac3876642
--- /dev/null
+++ b/dom/base/test/iframe3_bug431701.html
@@ -0,0 +1 @@
+<html><meta charset="ISO-8859-1"></html>
diff --git a/dom/base/test/iframe4_bug431701.xml b/dom/base/test/iframe4_bug431701.xml
new file mode 100644
index 000000000000..18ecdcb795c3
--- /dev/null
+++ b/dom/base/test/iframe4_bug431701.xml
@@ -0,0 +1 @@
+<html></html>
diff --git a/dom/base/test/iframe5_bug431701.xml b/dom/base/test/iframe5_bug431701.xml
new file mode 100644
index 000000000000..d761751ee19b
--- /dev/null
+++ b/dom/base/test/iframe5_bug431701.xml
@@ -0,0 +1 @@
+<?xml version='1.0'?><html></html>
diff --git a/dom/base/test/iframe6_bug431701.xml b/dom/base/test/iframe6_bug431701.xml
new file mode 100644
index 000000000000..17704b893afa
--- /dev/null
+++ b/dom/base/test/iframe6_bug431701.xml
@@ -0,0 +1 @@
+<?xml version='1.0' encoding='UTF-8'?><html></html>
diff --git a/dom/base/test/iframe7_bug431701.xml b/dom/base/test/iframe7_bug431701.xml
new file mode 100644
index 000000000000..73757924a7df
--- /dev/null
+++ b/dom/base/test/iframe7_bug431701.xml
@@ -0,0 +1 @@
+<?xml version='1.0' encoding='ISO-8859-1'?><html></html>
diff --git a/dom/base/test/mochitest.ini b/dom/base/test/mochitest.ini
index bd35c24917c6..665e22cc41cf 100644
--- a/dom/base/test/mochitest.ini
+++ b/dom/base/test/mochitest.ini
@@ -227,6 +227,16 @@ support-files =
   intersectionobserver_iframe.html
   intersectionobserver_cross_domain_iframe.html
   intersectionobserver_window.html
+  object_bug353334.html
+  embed_bug455472.html
+  object_bug455472.html
+  iframe1_bug431701.html
+  iframe2_bug431701.html
+  iframe3_bug431701.html
+  iframe4_bug431701.xml
+  iframe5_bug431701.xml
+  iframe6_bug431701.xml
+  iframe7_bug431701.xml
 
 [test_anchor_area_referrer.html]
 [test_anchor_area_referrer_changing.html]
diff --git a/dom/base/test/object_bug353334.html b/dom/base/test/object_bug353334.html
new file mode 100644
index 000000000000..8e73c916c64c
--- /dev/null
+++ b/dom/base/test/object_bug353334.html
@@ -0,0 +1 @@
+<body>test</body>
diff --git a/dom/base/test/object_bug455472.html b/dom/base/test/object_bug455472.html
new file mode 100644
index 000000000000..b2f3ae4f44d9
--- /dev/null
+++ b/dom/base/test/object_bug455472.html
@@ -0,0 +1 @@
+<script>parent.ran[1]=true</script>
diff --git a/dom/base/test/test_bug353334.html b/dom/base/test/test_bug353334.html
index 0f0acd42363f..2625ae43277a 100644
--- a/dom/base/test/test_bug353334.html
+++ b/dom/base/test/test_bug353334.html
@@ -14,8 +14,8 @@ https://bugzilla.mozilla.org/show_bug.cgi?id=353334
 <p id="display">
 <iframe id="one"></iframe>
 <object id="two" data="about:blank"></object>
-<iframe id="three" src="data:text/html,<body>test</body>"></iframe>
-<object id="four" data="data:text/html,<body>test</body>"></object>
+<iframe id="three" srcdoc="<body>test</body>"></iframe>
+<object id="four" data="object_bug353334.html"></object>
 <iframe id="five" src="javascript:parent.x"></iframe>
 <object id="six" data="javascript:x"></object>
 </p>
diff --git a/dom/base/test/test_bug358660.html b/dom/base/test/test_bug358660.html
index bad975936949..f6dab4561881 100644
--- a/dom/base/test/test_bug358660.html
+++ b/dom/base/test/test_bug358660.html
@@ -13,7 +13,7 @@ https://bugzilla.mozilla.org/show_bug.cgi?id=358660
 <p id="display"></p>
 <div id="content" style="display: none">
   <iframe id="testframe"
-          src="data:text/html,<html><body>Some text</body></html>"></iframe>  
+          srcdoc="<html><body>Some text</body></html>"></iframe>
 </div>
 <pre id="test">
 <script class="testbody" type="text/javascript">
diff --git a/dom/base/test/test_bug372964-2.html b/dom/base/test/test_bug372964-2.html
index d90c749b4ec7..043f90f0b61a 100644
--- a/dom/base/test/test_bug372964-2.html
+++ b/dom/base/test/test_bug372964-2.html
@@ -52,7 +52,7 @@ addLoadEvent(runTest);
 
 </script>
 </pre>
-<iframe src="data:text/html,<script>function listener() { ++parent.eventCount; } </script>">
+<iframe srcdoc="<script>function listener() { ++parent.eventCount; } </script>"></iframe>
 </body>
 </html>
 
diff --git a/dom/base/test/test_bug401662.html b/dom/base/test/test_bug401662.html
index c390a80d0a2b..66657b1f4ce4 100644
--- a/dom/base/test/test_bug401662.html
+++ b/dom/base/test/test_bug401662.html
@@ -13,7 +13,7 @@ https://bugzilla.mozilla.org/show_bug.cgi?id=401662
 <p id="display"></p>
 <div id="content" style="display: none">
   <iframe id="testframe"
-          src="data:text/html,<html><body>foo<style>bar</style></body></html>">
+          srcdoc="<html><body>foo<style>bar</style></body></html>">
   </iframe>
 </div>
 <pre id="test">
diff --git a/dom/base/test/test_bug431701.html b/dom/base/test/test_bug431701.html
index 19947c147eb2..ee5c5d79d2d7 100644
--- a/dom/base/test/test_bug431701.html
+++ b/dom/base/test/test_bug431701.html
@@ -28,13 +28,13 @@ https://bugzilla.mozilla.org/show_bug.cgi?id=431701
 SimpleTest.waitForExplicitFinish();
 
 var docSources = [
-  "data:text/html,<html></html>",
-  "data:text/html;charset=UTF-8,<html></html>",
-  "data:text/html;charset=ISO-8859-1,<html></html>",
-  "data:text/xml,<html></html>",
-  "data:text/xml,<?xml version='1.0'?><html></html>",
-  "data:text/xml,<?xml version='1.0' encoding='UTF-8'?><html></html>",
-  "data:text/xml,<?xml version='1.0' encoding='ISO-8859-1'?><html></html>",
+  "iframe1_bug431701.html",
+  "iframe2_bug431701.html",
+  "iframe3_bug431701.html",
+  "iframe4_bug431701.xml",
+  "iframe5_bug431701.xml",
+  "iframe6_bug431701.xml",
+  "iframe7_bug431701.xml",
 ];
 
 for (var i = 0; i < docSources.length; ++i) {
diff --git a/dom/base/test/test_bug431833.html b/dom/base/test/test_bug431833.html
index 24c2367b6445..2f17382936a6 100644
--- a/dom/base/test/test_bug431833.html
+++ b/dom/base/test/test_bug431833.html
@@ -19,9 +19,9 @@ https://bugzilla.mozilla.org/show_bug.cgi?id=431833
 
 <a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=431833">Mozilla Bug 431833</a>
 <p id="display">
- <iframe id="f1" src="data:text/html,1"></iframe>
- <iframe id="f2" src="data:text/html,2"></iframe>
- <iframe id="f3" src="data:text/html,<iframe id='f4' src='data:text/html,3'></iframe>"></iframe>
+ <iframe id="f1" srcdoc="1"></iframe>
+ <iframe id="f2" srcdoc="2"></iframe>
+ <iframe id="f3" srcdoc="<iframe id='f4' src='data:text/html,3'></iframe>"></iframe>
 </p>
 <div id="content" style="display: none">
   
diff --git a/dom/base/test/test_bug455472.html b/dom/base/test/test_bug455472.html
index 33fc24d876dc..f82d72e363ad 100644
--- a/dom/base/test/test_bug455472.html
+++ b/dom/base/test/test_bug455472.html
@@ -15,9 +15,9 @@ https://bugzilla.mozilla.org/show_bug.cgi?id=455472
   var ran = [ false, false, false, false, false ];
 </script>
 <div id="content" style="display: none">
-  <iframe src="data:text/html,<script>parent.ran[0]=true</script>"></iframe>
-  <object type="text/html" data="data:text/html,<script>parent.ran[1]=true</script>"></object>
-  <embed type="image/svg+xml" src="data:image/svg+xml,<svg%20xmlns='http://www.w3.org/2000/svg'%20onload='parent.ran[2]=true'/>">
+  <iframe srcdoc="<script>parent.ran[0]=true</script>"></iframe>
+  <object id="o1" type="text/html" data="object_bug455472.html"></object>
+  <embed type="image/svg+xml" src="embed_bug455472.html">
   <object type="text/html" data="data:application/octet-stream,<script>parent.ran[3]=true</script>"></object>
   <embed type="image/svg+xml" src="data:application/octet-stream,<svg%20xmlns='http://www.w3.org/2000/svg'%20onload='parent.ran[4]=true'/>">
 </div>
diff --git a/dom/bindings/BindingUtils.cpp b/dom/bindings/BindingUtils.cpp
index c694ca7a794a..b3cb3c7f61e8 100644
--- a/dom/bindings/BindingUtils.cpp
+++ b/dom/bindings/BindingUtils.cpp
@@ -3542,6 +3542,9 @@ CreateHTMLElement(const GlobalObject& aGlobal, const JS::CallArgs& aCallArgs,
     element = CreateHTMLElement(tag, nodeInfo.forget(), NOT_FROM_PARSER);
   }
 
+  element->SetCustomElementData(
+    new CustomElementData(definition->mType, CustomElementData::State::eCustom));
+
   return element.forget();
 }
 
diff --git a/dom/events/test/test_bug367781.html b/dom/events/test/test_bug367781.html
index 867044a3c0b4..01064837173d 100644
--- a/dom/events/test/test_bug367781.html
+++ b/dom/events/test/test_bug367781.html
@@ -46,8 +46,8 @@ addLoadEvent(SimpleTest.finish);
 
 </script>
 </pre>
-<iframe id="i1" src="data:text/html,&lt;html&gt;&lt;body&gt;&lt;pre&gt;Foobar&lt;/pre&gt;&lt;/body&gt;&lt;/html&gt;"></iframe>
-<iframe id="i2" src="data:text/html,&lt;html&gt;&lt;body&gt;&lt;/body&gt;&lt;/html&gt;"></iframe>
+<iframe id="i1" srcdoc="&lt;html&gt;&lt;body&gt;&lt;pre&gt;Foobar&lt;/pre&gt;&lt;/body&gt;&lt;/html&gt;"></iframe>
+<iframe id="i2" srcdoc="&lt;html&gt;&lt;body&gt;&lt;/body&gt;&lt;/html&gt;"></iframe>
 </body>
 </html>
 
diff --git a/dom/file/FileReader.cpp b/dom/file/FileReader.cpp
index e8e3fa4f66e4..d9a68f681e59 100644
--- a/dom/file/FileReader.cpp
+++ b/dom/file/FileReader.cpp
@@ -111,12 +111,18 @@ FileReader::FileReader(nsIGlobalObject* aGlobal,
   , mReadyState(EMPTY)
   , mTotal(0)
   , mTransferred(0)
-  , mTarget(do_GetCurrentThread())
   , mBusyCount(0)
   , mWorkerPrivate(aWorkerPrivate)
 {
   MOZ_ASSERT(aGlobal);
   MOZ_ASSERT(NS_IsMainThread() == !mWorkerPrivate);
+
+  if (NS_IsMainThread()) {
+    mTarget = aGlobal->EventTargetFor(TaskCategory::Other);
+  } else {
+    mTarget = do_GetCurrentThread();
+  }
+
   SetDOMStringToNull(mResult);
 }
 
@@ -645,10 +651,10 @@ FileReader::OnInputStreamReady(nsIAsyncInputStream* aStream)
 
   if (NS_SUCCEEDED(rv) && count) {
     rv = DoReadData(count);
-  }
 
-  if (NS_SUCCEEDED(rv)) {
-    rv = DoAsyncWait();
+    if (NS_SUCCEEDED(rv)) {
+      rv = DoAsyncWait();
+    }
   }
 
   if (NS_FAILED(rv) || !count) {
diff --git a/dom/file/ipc/IPCBlobInputStreamChild.cpp b/dom/file/ipc/IPCBlobInputStreamChild.cpp
index 228621a95263..fda381365bb3 100644
--- a/dom/file/ipc/IPCBlobInputStreamChild.cpp
+++ b/dom/file/ipc/IPCBlobInputStreamChild.cpp
@@ -167,15 +167,24 @@ IPCBlobInputStreamChild::StreamNeeded(IPCBlobInputStream* aStream,
 mozilla::ipc::IPCResult
 IPCBlobInputStreamChild::RecvStreamReady(const OptionalIPCStream& aStream)
 {
-  MOZ_ASSERT(!mPendingOperations.IsEmpty());
-
   nsCOMPtr<nsIInputStream> stream = DeserializeIPCStream(aStream);
 
-  RefPtr<StreamReadyRunnable> runnable =
-    new StreamReadyRunnable(mPendingOperations[0].mStream, stream);
-  mPendingOperations[0].mEventTarget->Dispatch(runnable, NS_DISPATCH_NORMAL);
+  RefPtr<IPCBlobInputStream> pendingStream;
+  nsCOMPtr<nsIEventTarget> eventTarget;
 
-  mPendingOperations.RemoveElementAt(0);
+  {
+    MutexAutoLock lock(mMutex);
+    MOZ_ASSERT(!mPendingOperations.IsEmpty());
+
+    pendingStream = mPendingOperations[0].mStream;
+    eventTarget = mPendingOperations[0].mEventTarget;
+
+    mPendingOperations.RemoveElementAt(0);
+  }
+
+  RefPtr<StreamReadyRunnable> runnable =
+    new StreamReadyRunnable(pendingStream, stream);
+  eventTarget->Dispatch(runnable, NS_DISPATCH_NORMAL);
 
   return IPC_OK();
 }
diff --git a/dom/file/ipc/tests/script_file.js b/dom/file/ipc/tests/script_file.js
index 9e90c834aaa6..1e8bcfaaceea 100644
--- a/dom/file/ipc/tests/script_file.js
+++ b/dom/file/ipc/tests/script_file.js
@@ -6,7 +6,17 @@ addMessageListener("file.open", function (e) {
                    .getService(Ci.nsIDirectoryService)
                    .QueryInterface(Ci.nsIProperties)
                    .get("ProfD", Ci.nsIFile);
-  testFile.append("prefs.js");
+  testFile.append("ipc_fileReader_testing");
+  testFile.create(Components.interfaces.nsIFile.NORMAL_FILE_TYPE, 0o600);
+
+  var outStream = Components.classes["@mozilla.org/network/file-output-stream;1"]
+                      .createInstance(Components.interfaces.nsIFileOutputStream);
+  outStream.init(testFile, 0x02 | 0x08 | 0x20, // write, create, truncate
+                 0666, 0);
+
+  var fileData = "Hello World!";
+  outStream.write(fileData, fileData.length);
+  outStream.close();
 
   File.createFromNsIFile(testFile).then(function(file) {
     sendAsyncMessage("file.opened", { file });
diff --git a/dom/file/ipc/tests/test_ipcBlob_fileReaderSync.html b/dom/file/ipc/tests/test_ipcBlob_fileReaderSync.html
index 814e49c71b41..2a628987d6aa 100644
--- a/dom/file/ipc/tests/test_ipcBlob_fileReaderSync.html
+++ b/dom/file/ipc/tests/test_ipcBlob_fileReaderSync.html
@@ -13,21 +13,74 @@ function workerScript() {
   onmessage = function(event) {
     let readerMemoryBlob = new FileReaderSync();
     let status = readerMemoryBlob.readAsText(new Blob(['hello world'])) == 'hello world';
+    postMessage({ status, message: "FileReaderSync with memory blob still works" });
 
-    let readerIPCBlob = new FileReaderSync();
-    postMessage({ blob: event.data, data: readerIPCBlob.readAsText(event.data), status });
+    let readerIPCBlob1 = new FileReaderSync();
+    postMessage({ blob: event.data, method: 'readAsText',
+                  data: readerIPCBlob1.readAsText(event.data)});
+
+    let readerIPCBlob2 = new FileReaderSync();
+    postMessage({ blob: event.data, method: 'readAsArrayBuffer',
+                  data: readerIPCBlob2.readAsArrayBuffer(event.data)});
+
+    let readerIPCBlob3 = new FileReaderSync();
+    postMessage({ blob: event.data, method: 'readAsDataURL',
+                  data: readerIPCBlob3.readAsDataURL(event.data)});
+
+    let multipartBlob = new Blob(['wow', event.data]);
+
+    let readerIPCBlobMultipart1 = new FileReaderSync();
+    postMessage({ blob: multipartBlob, method: 'readAsText',
+                  data: readerIPCBlobMultipart1.readAsText(multipartBlob)});
+
+    let readerIPCBlobMultipart2 = new FileReaderSync();
+    postMessage({ blob: multipartBlob, method: 'readAsArrayBuffer',
+                  data: readerIPCBlobMultipart2.readAsArrayBuffer(multipartBlob)});
+
+    let readerIPCBlobMultipart3 = new FileReaderSync();
+    postMessage({ blob: multipartBlob, method: 'readAsDataURL',
+                  data: readerIPCBlobMultipart3.readAsDataURL(multipartBlob)});
+
+    postMessage({ finish: true });
+  }
+}
+
+let completed = false;
+let pendingTasks = 0;
+function maybeFinish() {
+  if (completed && !pendingTasks) {
+    SimpleTest.finish();
   }
 }
 
 let workerUrl = URL.createObjectURL(new Blob(["(", workerScript.toSource(), ")()"]));
 let worker = new Worker(workerUrl);
 worker.onmessage = event => {
-  let fr = new FileReader();
-  fr.readAsText(event.data.blob);
-  fr.onload = () => {
-    is(event.data.data, fr.result, "The file has been read");
-    ok(event.data.status, "FileReaderSync with memory blob still works");
-    SimpleTest.finish();
+  if ("status" in event.data) {
+    ok(event.data.status, event.data.message);
+    return;
+  }
+
+  if ("blob" in event.data) {
+    let fr = new FileReader();
+    fr[event.data.method](event.data.blob);
+    ++pendingTasks;
+    fr.onload = () => {
+      if (event.data.method != 'readAsArrayBuffer') {
+        is(event.data.data, fr.result, "The file has been read");
+      } else {
+        is(event.data.data.byteLength, fr.result.byteLength, "The file has been read");
+      }
+      --pendingTasks;
+      maybeFinish();
+    }
+
+    return;
+  }
+
+  if ("finish" in event.data) {
+    completed = true;
+    maybeFinish();
   }
 };
 
diff --git a/dom/file/nsHostObjectProtocolHandler.cpp b/dom/file/nsHostObjectProtocolHandler.cpp
index 1b9b92ca010b..4de46fe36cd3 100644
--- a/dom/file/nsHostObjectProtocolHandler.cpp
+++ b/dom/file/nsHostObjectProtocolHandler.cpp
@@ -17,6 +17,7 @@
 #include "mozilla/LoadInfo.h"
 #include "mozilla/ModuleUtils.h"
 #include "mozilla/Preferences.h"
+#include "mozilla/SystemGroup.h"
 #include "nsClassHashtable.h"
 #include "nsContentUtils.h"
 #include "nsError.h"
@@ -424,6 +425,7 @@ class BlobURLsReporter final : public nsIMemoryReporter
 NS_IMPL_ISUPPORTS(BlobURLsReporter, nsIMemoryReporter)
 
 class ReleasingTimerHolder final : public nsITimerCallback
+                                 , public nsINamed
 {
 public:
   NS_DECL_ISUPPORTS
@@ -439,6 +441,9 @@ public:
       return;
     }
 
+    MOZ_ALWAYS_SUCCEEDS(holder->mTimer->SetTarget(
+      SystemGroup::EventTargetFor(TaskCategory::Other)));
+
     nsresult rv = holder->mTimer->InitWithCallback(holder, RELEASING_TIMER,
                                                    nsITimer::TYPE_ONE_SHOT);
     NS_ENSURE_SUCCESS_VOID(rv);
@@ -457,6 +462,20 @@ public:
     return NS_OK;
   }
 
+  NS_IMETHOD
+  GetName(nsACString& aName) override
+  {
+    aName.AssignLiteral("ReleasingTimerHolder");
+    return NS_OK;
+  }
+
+  NS_IMETHOD
+  SetName(const char* aName) override
+  {
+    MOZ_CRASH("The name shall never be set!");
+    return NS_OK;
+  }
+
 private:
   explicit ReleasingTimerHolder(nsTArray<nsWeakPtr>&& aArray)
     : mURIs(aArray)
@@ -469,7 +488,7 @@ private:
   nsCOMPtr<nsITimer> mTimer;
 };
 
-NS_IMPL_ISUPPORTS(ReleasingTimerHolder, nsITimerCallback)
+NS_IMPL_ISUPPORTS(ReleasingTimerHolder, nsITimerCallback, nsINamed)
 
 } // namespace mozilla
 
diff --git a/dom/html/test/forms/test_restore_form_elements.html b/dom/html/test/forms/test_restore_form_elements.html
index d92c5c7e9ad6..ccbc9244e9a9 100644
--- a/dom/html/test/forms/test_restore_form_elements.html
+++ b/dom/html/test/forms/test_restore_form_elements.html
@@ -21,7 +21,7 @@ https://bugzilla.mozilla.org/show_bug.cgi?id=737851
 
 <div id="content">
 
-  <iframe id="frame" width="800px" height="600px" src='data:text/html,
+  <iframe id="frame" width="800px" height="600px" srcdoc='
           <html>
             <body style="display:none;">
 
diff --git a/dom/html/test/forms/test_valueAsDate_pref.html b/dom/html/test/forms/test_valueAsDate_pref.html
index 0369980e4d28..34f9690bb772 100644
--- a/dom/html/test/forms/test_valueAsDate_pref.html
+++ b/dom/html/test/forms/test_valueAsDate_pref.html
@@ -36,7 +36,7 @@ https://bugzilla.mozilla.org/show_bug.cgi?id=874640
       ["dom.forms.datetime", state[1] === 'true'],
       ["dom.forms.datetime.others", state[2] === 'true']]},
       function() {
-        iframe.src = 'data:text/html,<script>' +
+        iframe.srcdoc = '<script>' +
                  'parent.is("valueAsDate" in document.createElement("input"), ' +
                  state[3] + ', "valueAsDate presence state should be ' + state[3] + '");' +
                  '<\/script>'
diff --git a/dom/html/test/mochitest.ini b/dom/html/test/mochitest.ini
index 839c8ebc5b49..080e848060f3 100644
--- a/dom/html/test/mochitest.ini
+++ b/dom/html/test/mochitest.ini
@@ -187,6 +187,9 @@ support-files =
   file_bug1166138_2x.png
   file_bug1166138_def.png
   script_fakepath.js
+  object_bug287465_o1.html
+  object_bug287465_o2.html
+  object_bug556645.html
 
 [test_a_text.html]
 [test_anchor_href_cache_invalidation.html]
diff --git a/dom/html/test/object_bug287465_o1.html b/dom/html/test/object_bug287465_o1.html
new file mode 100644
index 000000000000..0a65a7f9e10d
--- /dev/null
+++ b/dom/html/test/object_bug287465_o1.html
@@ -0,0 +1 @@
+<svg xmlns='http://www.w3.org/2000/svg'></svg>
diff --git a/dom/html/test/object_bug287465_o2.html b/dom/html/test/object_bug287465_o2.html
new file mode 100644
index 000000000000..18ecdcb795c3
--- /dev/null
+++ b/dom/html/test/object_bug287465_o2.html
@@ -0,0 +1 @@
+<html></html>
diff --git a/dom/html/test/object_bug556645.html b/dom/html/test/object_bug556645.html
new file mode 100644
index 000000000000..773837502adf
--- /dev/null
+++ b/dom/html/test/object_bug556645.html
@@ -0,0 +1 @@
+<body><button>Child</button></body>
diff --git a/dom/html/test/test_bug287465.html b/dom/html/test/test_bug287465.html
index fb5430e95d8c..99ba673ff996 100644
--- a/dom/html/test/test_bug287465.html
+++ b/dom/html/test/test_bug287465.html
@@ -13,10 +13,10 @@ https://bugzilla.mozilla.org/show_bug.cgi?id=287465
 <p id="display"></p>
 <div id="content" style="display:none">
 
-<iframe id="i1" src="data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg'></svg>"></iframe>
-<object id="o1" data="data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg'></svg>"></object>
-<iframe id="i2" src="data:text/html,<html></html>"></iframe>
-<object id="o2" data="data:text/html,<html></html>"></object>
+<iframe id="i1" srcdoc="<svg xmlns='http://www.w3.org/2000/svg'></svg>"></iframe>
+<object id="o1" data="object_bug287465_o1.html"></object>
+<iframe id="i2" srcdoc="<html></html>"></iframe>
+<object id="o2" data="object_bug287465_o2.html"></object>
 
 </div>
 <pre id="test">
diff --git a/dom/html/test/test_bug386496.html b/dom/html/test/test_bug386496.html
index 0397ec6a00e5..09de826ce2bd 100644
--- a/dom/html/test/test_bug386496.html
+++ b/dom/html/test/test_bug386496.html
@@ -14,7 +14,7 @@ https://bugzilla.mozilla.org/show_bug.cgi?id=386496
 <p id="display"></p>
 <div id="content">
   <iframe style='display: block;' id="testIframe"
-    src="data:text/html,<div><a id='a' href='http://a.invalid/'>Link</a></div>">
+    srcdoc="<div><a id='a' href='http://a.invalid/'>Link</a></div>">
   </iframe>
 </div>
 <pre id="test">
diff --git a/dom/html/test/test_bug556645.html b/dom/html/test/test_bug556645.html
index 449f956a61d2..3602963175cc 100644
--- a/dom/html/test/test_bug556645.html
+++ b/dom/html/test/test_bug556645.html
@@ -43,7 +43,7 @@ function runTest()
 
 <button id="pbutton">Parent</button>
 <object id="obj" type="text/html"
-        data="data:text/html,%3Cbody%3E%3Cbutton%3EChild%3C/button%3E%3C/body%3E"
+        data="object_bug556645.html"
         width="200" height="200"></object>
 
 </body>
diff --git a/dom/interfaces/base/nsIDOMLocation.idl b/dom/interfaces/base/nsIDOMLocation.idl
index d6577582f169..7f66c2d2cfee 100644
--- a/dom/interfaces/base/nsIDOMLocation.idl
+++ b/dom/interfaces/base/nsIDOMLocation.idl
@@ -8,26 +8,5 @@
 [scriptable, uuid(79de76e5-994e-4f6b-81aa-42d9adb6e67e)]
 interface nsIDOMLocation : nsISupports
 {
-           /**
-            * These properties refer to the current location of the document.
-            * This will correspond to the URI shown in the location bar, which
-            * can be different from the documentURI of the document.
-            */
-           attribute DOMString        hash;
-           attribute DOMString        host;
-           attribute DOMString        hostname;
-           attribute DOMString        href;
-           attribute DOMString        pathname;
-           attribute DOMString        port;
-           attribute DOMString        protocol;
-           attribute DOMString        search;
-
-  readonly attribute DOMString        origin;
-
-  void                      reload([optional] in boolean forceget);
-  void                      replace(in DOMString url);
-  void                      assign(in DOMString url);
-
-  DOMString                 toString();
-  nsIDOMLocation            valueOf();
+  // Empty interface. Location is defined using WebIDL.
 };
diff --git a/dom/media/MediaManager.cpp b/dom/media/MediaManager.cpp
index b4129452c7fc..bdcdf5c8fdea 100644
--- a/dom/media/MediaManager.cpp
+++ b/dom/media/MediaManager.cpp
@@ -1620,6 +1620,12 @@ public:
     return NS_OK;
   }
 
+  uint64_t
+  GetWindowID()
+  {
+    return mWindowID;
+  }
+
 private:
   MediaStreamConstraints mConstraints;
 
@@ -3010,6 +3016,12 @@ MediaManager::Observe(nsISupports* aSubject, const char* aTopic,
       return NS_OK;
     }
 
+    nsTArray<nsString>* array;
+    if (!mCallIds.Get(task->GetWindowID(), &array)) {
+      return NS_OK;
+    }
+    array->RemoveElement(key);
+
     if (aSubject) {
       // A particular device or devices were chosen by the user.
       // NOTE: does not allow setting a device to null; assumes nullptr
@@ -3074,6 +3086,11 @@ MediaManager::Observe(nsISupports* aSubject, const char* aTopic,
     mActiveCallbacks.Remove(key, getter_AddRefs(task));
     if (task) {
       task->Denied(errorMessage);
+      nsTArray<nsString>* array;
+      if (!mCallIds.Get(task->GetWindowID(), &array)) {
+        return NS_OK;
+      }
+      array->RemoveElement(key);
     }
     return NS_OK;
 
diff --git a/dom/media/test/mochitest.ini b/dom/media/test/mochitest.ini
index 647df0560068..1adec66631f1 100644
--- a/dom/media/test/mochitest.ini
+++ b/dom/media/test/mochitest.ini
@@ -1152,7 +1152,7 @@ tags = suspend
 skip-if = toolkit == 'android' # bug 1346705
 tags = suspend
 [test_background_video_resume_after_end_show_last_frame.html]
-skip-if = toolkit == 'android' # bug 1346705
+skip-if = toolkit == 'android' || (os == "win" && debug) # bug 1346705, win bug 1360452
 tags = suspend
 [test_background_video_suspend.html]
 skip-if = toolkit == 'android' # android(bug 1304480)
diff --git a/dom/tests/mochitest/bugs/file_bug593174_2.html b/dom/tests/mochitest/bugs/file_bug593174_2.html
index 8379b11d55d4..080b016d7c90 100644
--- a/dom/tests/mochitest/bugs/file_bug593174_2.html
+++ b/dom/tests/mochitest/bugs/file_bug593174_2.html
@@ -1,7 +1,7 @@
 <html>
 <body>
 Page 2 has an iframe of its own.
-<iframe id='inner-iframe' onload='innerIframeLoaded()' src='data:text/html,
+<iframe id='inner-iframe' onload='innerIframeLoaded()' srcdoc='
       <html><body>
         <script>function go() { window.location = "file_bug593174_1.html"; }</script>
       </body></html>'>
diff --git a/dom/tests/mochitest/bugs/test_bug1022869.html b/dom/tests/mochitest/bugs/test_bug1022869.html
index d094f5a6cd08..1cd707200577 100644
--- a/dom/tests/mochitest/bugs/test_bug1022869.html
+++ b/dom/tests/mochitest/bugs/test_bug1022869.html
@@ -8,7 +8,7 @@ https://bugzilla.mozilla.org/show_bug.cgi?id=1022869
   <title>Test for Bug 1022869</title>
   <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
   <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
-  <iframe src="data:text/html,<html><body>"></iframe>
+  <iframe srcdoc="<html><body>"></iframe>
   <script type="application/javascript">
 
   var f = document.getElementsByTagName("iframe")[0];
diff --git a/dom/tests/mochitest/bugs/test_bug335976.xhtml b/dom/tests/mochitest/bugs/test_bug335976.xhtml
index 39137eb645e1..5b7ef4375062 100644
--- a/dom/tests/mochitest/bugs/test_bug335976.xhtml
+++ b/dom/tests/mochitest/bugs/test_bug335976.xhtml
@@ -11,7 +11,7 @@ https://bugzilla.mozilla.org/show_bug.cgi?id=335976
 <a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=335976">Mozilla Bug 335976</a>
 <p id="display"></p>
 
-<iframe src="data:application/xhtml+xml,&lt;html xmlns='http://www.w3.org/1999/xhtml'&gt;&lt;body&gt; &lt;textbox xmlns='http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul'/&gt; &lt;/body&gt;&lt;/html&gt;" style="width: 95%; height: 150px;"></iframe>
+<iframe srcdoc="&lt;html xmlns='http://www.w3.org/1999/xhtml'&gt;&lt;body&gt; &lt;textbox xmlns='http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul'/&gt; &lt;/body&gt;&lt;/html&gt;" style="width: 95%; height: 150px;"></iframe>
 
 <div id="rootish" style="background: yellow">
   <div>
diff --git a/dom/tests/mochitest/bugs/test_bug377539.html b/dom/tests/mochitest/bugs/test_bug377539.html
index 37b3041d914c..f9fee3187299 100644
--- a/dom/tests/mochitest/bugs/test_bug377539.html
+++ b/dom/tests/mochitest/bugs/test_bug377539.html
@@ -23,7 +23,7 @@ var sw;
 var child_sw = -1;
 
 function test(){
-        var t = '<div style="display: none;"><iframe onload="doChecks()" src="data:text/html,<body><scr'+'ipt>try {parent.child_sw=screen.width}catch(e){}</scr'+'ipt>"></iframe></div>';
+        var t = '<div style="display: none;"><iframe onload="doChecks()" srcdoc="<body><scr'+'ipt>try {parent.child_sw=screen.width}catch(e){}</scr'+'ipt>"></iframe></div>';
         var div = document.createElement('div');
         div.innerHTML = t;
         document.getElementsByTagName('body')[0].appendChild(div);
diff --git a/dom/tests/mochitest/bugs/test_bug42976.html b/dom/tests/mochitest/bugs/test_bug42976.html
index 900928d85b5b..75d47da7f40d 100644
--- a/dom/tests/mochitest/bugs/test_bug42976.html
+++ b/dom/tests/mochitest/bugs/test_bug42976.html
@@ -12,12 +12,12 @@ https://bugzilla.mozilla.org/show_bug.cgi?id=42976
 <a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=42976">Mozilla Bug 42976</a>
 <p id="display"></p>
 <div id="content">
-    <iframe id=specialtest src="data:text/html,<meta http-equiv='Content-Language' content='ja-JP'><base href='http://www.mozilla.org'><p>asdf"></iframe>;
-    <iframe id=htmlquirks src="data:text/html;charset=ISO-8859-2,<html><body><div></div></body></html>"></iframe>
-    <iframe id=htmlstd src="data:text/html;charset=ISO-8859-3,<!DOCTYPE html><html><body><div></div></body></html>"></iframe>
-    <iframe id=textplain src="data:text/plain;charset=ISO-8859-4,asdf%0Azxcv%0A"></iframe>
-    <iframe id=xhtmlstd src="data:application/xhtml+xml;charset=ISO-8859-5,<!DOCTYPE html><html xmlns='http://www.w3.org/1999/xhtml'><body><div></div></body></html>"></iframe>
-    <iframe id=xmlstd src="data:image/svg+xml;charset=ISO-8859-6,<svg xmlns=&quot;http://www.w3.org/2000/svg&quot; width='300' height='300'><text x='60' y='150' fill='blue'>Hello, World!</text><text x='60' y='250' fill='blue'>Hello, World!</text></svg>"></iframe>
+    <iframe id=specialtest srcdoc="<meta http-equiv='Content-Language' content='ja-JP'><base href='http://www.mozilla.org'><p>asdf"></iframe>;
+    <iframe id=htmlquirks srcdoc="<html><meta charset=ISO-8859-2><body><div></div></body></html>"></iframe>
+    <iframe id=htmlstd srcdoc="<!DOCTYPE html><html><meta charset=ISO-8859-3><body><div></div></body></html>"></iframe>
+    <iframe id=textplain srcdoc="<meta charset=ISO-8859-4>asdf%0Azxcv%0A"></iframe>
+    <iframe id=xhtmlstd srcdoc="<!DOCTYPE html><html xmlns='http://www.w3.org/1999/xhtml'><meta charset=ISO-8859-5><body><div></div></body></html>"></iframe>
+    <iframe id=xmlstd srcdoc="<meta charset=ISO-8859-6><svg xmlns=&quot;http://www.w3.org/2000/svg&quot; width='300' height='300'><text x='60' y='150' fill='blue'>Hello, World!</text><text x='60' y='250' fill='blue'>Hello, World!</text></svg>"></iframe>
 </div>
 <pre id="test">
 <script class="testbody" type="text/javascript">
diff --git a/dom/tests/mochitest/bugs/test_bug707749.html b/dom/tests/mochitest/bugs/test_bug707749.html
index 18d197e1ed1f..a535104319fa 100644
--- a/dom/tests/mochitest/bugs/test_bug707749.html
+++ b/dom/tests/mochitest/bugs/test_bug707749.html
@@ -27,7 +27,7 @@ function loaded() {
 }
 
 </script>
-<iframe id="ifr" onload="loaded()" src="data:text/html,<script>navigator</script>"></iframe>
+<iframe id="ifr" onload="loaded()" srcdoc="<script>navigator</script>"></iframe>
 </pre>
 </body>
 </html>
diff --git a/dom/tests/mochitest/general/test_clientRects.html b/dom/tests/mochitest/general/test_clientRects.html
index 058db69f9b4c..a7ca37ccf81e 100644
--- a/dom/tests/mochitest/general/test_clientRects.html
+++ b/dom/tests/mochitest/general/test_clientRects.html
@@ -90,15 +90,15 @@ function checkElement(id, list, eps, doc) {
 <!-- Root element; see d9 -->
 <!-- Element in iframe -->
 <iframe id="f1" style="position:absolute; left:300px; top:0; width:100px; height:200px; border:none"
-        src="data:text/html,<div id='d10' style='position:absolute; left:0; top:25px; width:100px; height:100px; background:cyan'>">
+        srcdoc="<div id='d10' style='position:absolute; left:0; top:25px; width:100px; height:100px; background:cyan'>">
 </iframe>
 <!-- Root element in iframe -->
 <iframe id="f2" style="position:absolute; left:300px; top:250px; width:100px; height:200px; border:none"
-        src="data:text/html,<html id='d11' style='width:100px; height:100px; background:magenta'>">
+        srcdoc="<html id='d11' style='width:100px; height:100px; background:magenta'>">
 </iframe>
 <!-- Fixed-pos element in iframe -->
 <iframe id="f3" style="position:absolute; left:300px; top:400px; border:none"
-        src="data:text/html,<div id='d12' style='position:fixed; left:0; top:0; width:100px; height:100px;'>"></iframe>
+        srcdoc="<div id='d12' style='position:fixed; left:0; top:0; width:100px; height:100px;'>"></iframe>
 
 <script>
 function doTest() {
diff --git a/dom/tests/mochitest/general/test_domWindowUtils_scrollXY.html b/dom/tests/mochitest/general/test_domWindowUtils_scrollXY.html
index fc7be54eb36e..2bf87b3c7646 100644
--- a/dom/tests/mochitest/general/test_domWindowUtils_scrollXY.html
+++ b/dom/tests/mochitest/general/test_domWindowUtils_scrollXY.html
@@ -77,7 +77,7 @@
   <!-- can't run this in the test document, since it potentially runs in a
        scrolling="no" test harness iframe, and that causes a failure for some
        reason -->
-  <iframe src="data:text/html,<body style='width: 100000px; height: 100000px;'><p>top</p></body>"
+  <iframe srcdoc="<body style='width: 100000px; height: 100000px;'><p>top</p></body>"
           id="iframe"
           onload="doTests();">
   </iframe>
diff --git a/dom/tests/mochitest/sessionstorage/test_cookieSession.html b/dom/tests/mochitest/sessionstorage/test_cookieSession.html
index 01bd596ee3d7..7203f552ac81 100644
--- a/dom/tests/mochitest/sessionstorage/test_cookieSession.html
+++ b/dom/tests/mochitest/sessionstorage/test_cookieSession.html
@@ -119,6 +119,6 @@ SimpleTest.waitForExplicitFinish();
 </head>
 
 <body onload="startTest();">
-<iframe id="testframe" src="data:text/html;charset=utf-8,"></iframe>
+<iframe id="testframe" srcdoc="<meta charset=utf-8>"></iframe>
 </body>
 </html>
diff --git a/dom/tests/mochitest/sessionstorage/test_sessionStorageBaseSessionOnly.html b/dom/tests/mochitest/sessionstorage/test_sessionStorageBaseSessionOnly.html
index 38db680cebea..b080af8c14a6 100644
--- a/dom/tests/mochitest/sessionstorage/test_sessionStorageBaseSessionOnly.html
+++ b/dom/tests/mochitest/sessionstorage/test_sessionStorageBaseSessionOnly.html
@@ -226,6 +226,6 @@ SimpleTest.waitForExplicitFinish();
 </head>
 
 <body onload="startTest();">
-<iframe id="testframe" src="data:text/html;charset=utf-8,"></iframe>
+<iframe id="testframe" srcdoc="<meta charset=utf-8>"></iframe>
 </body>
 </html>
diff --git a/dom/tests/mochitest/webcomponents/test_document_register.html b/dom/tests/mochitest/webcomponents/test_document_register.html
index a9c194b60feb..aa80fef5f077 100644
--- a/dom/tests/mochitest/webcomponents/test_document_register.html
+++ b/dom/tests/mochitest/webcomponents/test_document_register.html
@@ -103,52 +103,12 @@ function startTest() {
   is(extendedButton.getAttribute("is"), "x-extended-button", "The |is| attribute of the created element should be the extended type.");
   is(extendedButton.type, "submit", "Created element should be a button with type of \"submit\"");
 
-  // document.createElementNS with different namespace than definition.
-  try {
-    var svgButton = document.createElementNS("http://www.w3.org/2000/svg", "button", {is: "x-extended-button"});
-    ok(false, "An exception should've been thrown");
-  } catch(err) {
-    is(err.name, "NotFoundError", "A NotFoundError exception should've been thrown");
-  }
-
-  // document.createElementNS with no namespace.
-  try {
-    var noNamespaceButton = document.createElementNS("", "button", {is: "x-extended-button"});
-    ok(false, "An exception should've been thrown");
-  } catch(err) {
-    is(err.name, "NotFoundError", "A NotFoundError exception should've been thrown");
-  }
-
-  // document.createElement with non-existant extended type.
-  try {
-    var normalButton = document.createElement("button", {is: "x-non-existant"});
-    ok(false, "An exception should've been thrown");
-  } catch(err) {
-    is(err.name, "NotFoundError", "A NotFoundError exception should've been thrown");
-  }
-
-  // document.createElement with exteneded type that does not match with local name of element.
-  try {
-    var normalDiv = document.createElement("div", {is: "x-extended-button"});
-    ok(false, "An exception should've been thrown");
-  } catch(err) {
-    is(err.name, "NotFoundError", "A NotFoundError exception should've been thrown");
-  }
-
   // Custom element constructor.
   var constructedButton = new buttonConstructor();
   is(constructedButton.tagName, "BUTTON", "Created element should have local name of BUTTON");
   is(constructedButton.__proto__, extendedProto, "Created element should have the prototype of the extended type.");
   is(constructedButton.getAttribute("is"), "x-extended-button", "The |is| attribute of the created element should be the extended type.");
 
-  // document.createElement with different namespace than definition for extended element.
-  try {
-    var htmlText = document.createElement("text", {is: "x-extended-text"});
-    ok(false, "An exception should've been thrown");
-  } catch(err) {
-    is(err.name, "NotFoundError", "A NotFoundError exception should've been thrown");
-  }
-
   // Try creating an element with a custom element name, but not in the html namespace.
   var htmlNamespaceProto = Object.create(HTMLElement.prototype);
   document.registerElement("x-in-html-namespace", { prototype: htmlNamespaceProto });
diff --git a/dom/vr/VRServiceTest.h b/dom/vr/VRServiceTest.h
index f4add405dbb8..e397cff18a53 100644
--- a/dom/vr/VRServiceTest.h
+++ b/dom/vr/VRServiceTest.h
@@ -10,6 +10,8 @@
 #include "mozilla/DOMEventTargetHelper.h"
 #include "mozilla/dom/VRServiceTestBinding.h"
 
+#include "gfxVR.h"
+
 namespace mozilla {
 namespace dom {
 
diff --git a/dom/workers/FileReaderSync.cpp b/dom/workers/FileReaderSync.cpp
index 4bf8e5fd6d06..a8da4abd3ea9 100644
--- a/dom/workers/FileReaderSync.cpp
+++ b/dom/workers/FileReaderSync.cpp
@@ -21,6 +21,7 @@
 #include "nsIConverterInputStream.h"
 #include "nsIInputStream.h"
 #include "nsIMultiplexInputStream.h"
+#include "nsStreamUtils.h"
 #include "nsStringStream.h"
 #include "nsISupportsImpl.h"
 #include "nsNetUtil.h"
@@ -78,11 +79,16 @@ FileReaderSync::ReadAsArrayBuffer(JSContext* aCx,
   }
 
   uint32_t numRead;
-  aRv = Read(stream, bufferData.get(), blobSize, &numRead);
+  aRv = SyncRead(stream, bufferData.get(), blobSize, &numRead);
   if (NS_WARN_IF(aRv.Failed())) {
     return;
   }
-  NS_ASSERTION(numRead == blobSize, "failed to read data");
+
+  // The file is changed in the meantime?
+  if (numRead != blobSize) {
+    aRv.Throw(NS_ERROR_FAILURE);
+    return;
+  }
 
   JSObject* arrayBuffer = JS_NewArrayBufferWithContents(aCx, blobSize, bufferData.get());
   if (!arrayBuffer) {
@@ -110,7 +116,7 @@ FileReaderSync::ReadAsBinaryString(Blob& aBlob,
   uint32_t numRead;
   do {
     char readBuf[4096];
-    aRv = Read(stream, readBuf, sizeof(readBuf), &numRead);
+    aRv = SyncRead(stream, readBuf, sizeof(readBuf), &numRead);
     if (NS_WARN_IF(aRv.Failed())) {
       return;
     }
@@ -145,11 +151,17 @@ FileReaderSync::ReadAsText(Blob& aBlob,
   }
 
   uint32_t numRead = 0;
-  aRv = Read(stream, sniffBuf.BeginWriting(), sniffBuf.Length(), &numRead);
+  aRv = SyncRead(stream, sniffBuf.BeginWriting(), sniffBuf.Length(), &numRead);
   if (NS_WARN_IF(aRv.Failed())) {
     return;
   }
 
+  // No data, we don't need to continue.
+  if (numRead == 0) {
+    aResult.Truncate();
+    return;
+  }
+
   // The BOM sniffing is baked into the "decode" part of the Encoding
   // Standard, which the File API references.
   if (!nsContentUtils::CheckForBOM((const unsigned char*)sniffBuf.BeginReading(),
@@ -182,16 +194,10 @@ FileReaderSync::ReadAsText(Blob& aBlob,
   }
 
   // Let's recreate the full stream using a:
-  // multiplexStream(stringStream + original stream)
+  // multiplexStream(syncStream + original stream)
   // In theory, we could try to see if the inputStream is a nsISeekableStream,
   // but this doesn't work correctly for nsPipe3 - See bug 1349570.
 
-  nsCOMPtr<nsIInputStream> stringStream;
-  aRv = NS_NewCStringInputStream(getter_AddRefs(stringStream), sniffBuf);
-  if (NS_WARN_IF(aRv.Failed())) {
-    return;
-  }
-
   nsCOMPtr<nsIMultiplexInputStream> multiplexStream =
     do_CreateInstance("@mozilla.org/io/multiplex-input-stream;1");
   if (NS_WARN_IF(!multiplexStream)) {
@@ -199,12 +205,24 @@ FileReaderSync::ReadAsText(Blob& aBlob,
     return;
   }
 
-  aRv = multiplexStream->AppendStream(stringStream);
+  nsCOMPtr<nsIInputStream> sniffStringStream;
+  aRv = NS_NewCStringInputStream(getter_AddRefs(sniffStringStream), sniffBuf);
   if (NS_WARN_IF(aRv.Failed())) {
     return;
   }
 
-  aRv = multiplexStream->AppendStream(stream);
+  aRv = multiplexStream->AppendStream(sniffStringStream);
+  if (NS_WARN_IF(aRv.Failed())) {
+    return;
+  }
+
+  nsCOMPtr<nsIInputStream> syncStream;
+  aRv = ConvertAsyncToSyncStream(stream, getter_AddRefs(syncStream));
+  if (NS_WARN_IF(aRv.Failed())) {
+    return;
+  }
+
+  aRv = multiplexStream->AppendStream(syncStream);
   if (NS_WARN_IF(aRv.Failed())) {
     return;
   }
@@ -238,19 +256,30 @@ FileReaderSync::ReadAsDataURL(Blob& aBlob, nsAString& aResult,
     return;
   }
 
-  uint64_t size = aBlob.GetSize(aRv);
+  nsCOMPtr<nsIInputStream> syncStream;
+  aRv = ConvertAsyncToSyncStream(stream, getter_AddRefs(syncStream));
+  if (NS_WARN_IF(aRv.Failed())) {
+    return;
+  }
+
+  uint64_t size;
+  aRv = syncStream->Available(&size);
+  if (NS_WARN_IF(aRv.Failed())) {
+    return;
+  }
+
+  uint64_t blobSize = aBlob.GetSize(aRv);
   if (NS_WARN_IF(aRv.Failed())){
     return;
   }
 
-  nsCOMPtr<nsIInputStream> bufferedStream;
-  aRv = NS_NewBufferedInputStream(getter_AddRefs(bufferedStream), stream, size);
-  if (NS_WARN_IF(aRv.Failed())){
+  // The file is changed in the meantime?
+  if (blobSize != size) {
     return;
   }
 
   nsAutoString encodedData;
-  aRv = Base64EncodeInputStream(bufferedStream, encodedData, size);
+  aRv = Base64EncodeInputStream(syncStream, encodedData, size);
   if (NS_WARN_IF(aRv.Failed())){
     return;
   }
@@ -361,8 +390,8 @@ NS_INTERFACE_MAP_END
 } // anonymous
 
 nsresult
-FileReaderSync::Read(nsIInputStream* aStream, char* aBuffer, uint32_t aBufferSize,
-                     uint32_t* aRead)
+FileReaderSync::SyncRead(nsIInputStream* aStream, char* aBuffer,
+                         uint32_t aBufferSize, uint32_t* aRead)
 {
   MOZ_ASSERT(aStream);
   MOZ_ASSERT(aBuffer);
@@ -370,10 +399,34 @@ FileReaderSync::Read(nsIInputStream* aStream, char* aBuffer, uint32_t aBufferSiz
 
   // Let's try to read, directly.
   nsresult rv = aStream->Read(aBuffer, aBufferSize, aRead);
-  if (NS_SUCCEEDED(rv) || rv != NS_BASE_STREAM_WOULD_BLOCK) {
+
+  // Nothing else to read.
+  if (rv == NS_BASE_STREAM_CLOSED ||
+      (NS_SUCCEEDED(rv) && *aRead == 0)) {
+    return NS_OK;
+  }
+
+  // An error.
+  if (NS_FAILED(rv) && rv != NS_BASE_STREAM_WOULD_BLOCK) {
     return rv;
   }
 
+  // All good.
+  if (NS_SUCCEEDED(rv)) {
+    // Not enough data, let's read recursively.
+    if (*aRead != aBufferSize) {
+      uint32_t byteRead = 0;
+      rv = SyncRead(aStream, aBuffer + *aRead, aBufferSize - *aRead, &byteRead);
+      if (NS_WARN_IF(NS_FAILED(rv))) {
+        return rv;
+      }
+
+      *aRead += byteRead;
+    }
+
+    return NS_OK;
+  }
+
   // We need to proceed async.
   nsCOMPtr<nsIAsyncInputStream> asyncStream = do_QueryInterface(aStream);
   if (!asyncStream) {
@@ -408,5 +461,44 @@ FileReaderSync::Read(nsIInputStream* aStream, char* aBuffer, uint32_t aBufferSiz
   }
 
   // Now, we can try to read again.
-  return Read(aStream, aBuffer, aBufferSize, aRead);
+  return SyncRead(aStream, aBuffer, aBufferSize, aRead);
+}
+
+nsresult
+FileReaderSync::ConvertAsyncToSyncStream(nsIInputStream* aAsyncStream,
+                                         nsIInputStream** aSyncStream)
+{
+  // If the stream is not async, we just need it to be bufferable.
+  nsCOMPtr<nsIAsyncInputStream> asyncStream = do_QueryInterface(aAsyncStream);
+  if (!asyncStream) {
+    return NS_NewBufferedInputStream(aSyncStream, aAsyncStream, 4096);
+  }
+
+  uint64_t length;
+  nsresult rv = aAsyncStream->Available(&length);
+  if (NS_WARN_IF(NS_FAILED(rv))) {
+    return rv;
+  }
+
+  nsAutoCString buffer;
+  if (!buffer.SetLength(length, fallible)) {
+    return NS_ERROR_OUT_OF_MEMORY;
+  }
+
+  uint32_t read;
+  rv = SyncRead(aAsyncStream, buffer.BeginWriting(), length, &read);
+  if (NS_WARN_IF(NS_FAILED(rv))) {
+    return rv;
+  }
+
+  if (read != length) {
+    return NS_ERROR_FAILURE;
+  }
+
+  rv = NS_NewCStringInputStream(aSyncStream, buffer);
+  if (NS_WARN_IF(NS_FAILED(rv))) {
+    return rv;
+  }
+
+  return NS_OK;
 }
diff --git a/dom/workers/FileReaderSync.h b/dom/workers/FileReaderSync.h
index c23803161b92..6b61f039ee8a 100644
--- a/dom/workers/FileReaderSync.h
+++ b/dom/workers/FileReaderSync.h
@@ -32,8 +32,11 @@ private:
   nsresult ConvertStream(nsIInputStream *aStream, const char *aCharset,
                          nsAString &aResult);
 
-  nsresult Read(nsIInputStream* aStream, char* aBuffer, uint32_t aBufferSize,
-                uint32_t* aRead);
+  nsresult ConvertAsyncToSyncStream(nsIInputStream* aAsyncStream,
+                                    nsIInputStream** aSyncStream);
+
+  nsresult SyncRead(nsIInputStream* aStream, char* aBuffer,
+                    uint32_t aBufferSize, uint32_t* aRead);
 
 public:
   static already_AddRefed<FileReaderSync>
diff --git a/dom/xhr/XMLHttpRequestMainThread.cpp b/dom/xhr/XMLHttpRequestMainThread.cpp
index 6df1cdf0e7f2..f2bccfaf6e82 100644
--- a/dom/xhr/XMLHttpRequestMainThread.cpp
+++ b/dom/xhr/XMLHttpRequestMainThread.cpp
@@ -2827,6 +2827,7 @@ XMLHttpRequestMainThread::Send(nsIVariant* aVariant)
 void
 XMLHttpRequestMainThread::UnsuppressEventHandlingAndResume()
 {
+  MOZ_ASSERT(NS_IsMainThread());
   MOZ_ASSERT(mFlagSynchronous);
 
   if (mSuspendedDoc) {
@@ -2835,7 +2836,7 @@ XMLHttpRequestMainThread::UnsuppressEventHandlingAndResume()
   }
 
   if (mResumeTimeoutRunnable) {
-    NS_DispatchToCurrentThread(mResumeTimeoutRunnable);
+    DispatchToMainThread(mResumeTimeoutRunnable.forget());
     mResumeTimeoutRunnable = nullptr;
   }
 }
@@ -2843,6 +2844,8 @@ XMLHttpRequestMainThread::UnsuppressEventHandlingAndResume()
 nsresult
 XMLHttpRequestMainThread::SendInternal(const BodyExtractorBase* aBody)
 {
+  MOZ_ASSERT(NS_IsMainThread());
+
   NS_ENSURE_TRUE(mPrincipal, NS_ERROR_NOT_INITIALIZED);
 
   // Step 1
@@ -3026,11 +3029,9 @@ XMLHttpRequestMainThread::SendInternal(const BodyExtractorBase* aBody)
     } else {
       // Defer the actual sending of async events just in case listeners
       // are attached after the send() method is called.
-      NS_DispatchToCurrentThread(
-        NewRunnableMethod<ProgressEventType>(this,
-          &XMLHttpRequestMainThread::CloseRequestWithError,
-          ProgressEventType::error));
-      return NS_OK;
+      return DispatchToMainThread(NewRunnableMethod<ProgressEventType>(this,
+                 &XMLHttpRequestMainThread::CloseRequestWithError,
+                 ProgressEventType::error));
     }
   }
 
@@ -3127,6 +3128,19 @@ XMLHttpRequestMainThread::SetTimerEventTarget(nsITimer* aTimer)
   }
 }
 
+nsresult
+XMLHttpRequestMainThread::DispatchToMainThread(already_AddRefed<nsIRunnable> aRunnable)
+{
+  if (nsCOMPtr<nsIGlobalObject> global = GetOwnerGlobal()) {
+    nsCOMPtr<nsIEventTarget> target = global->EventTargetFor(TaskCategory::Other);
+    MOZ_ASSERT(target);
+
+    return target->Dispatch(Move(aRunnable), NS_DISPATCH_NORMAL);
+  }
+
+  return NS_DispatchToMainThread(Move(aRunnable));
+}
+
 void
 XMLHttpRequestMainThread::StartTimeoutTimer()
 {
diff --git a/dom/xhr/XMLHttpRequestMainThread.h b/dom/xhr/XMLHttpRequestMainThread.h
index b606aff1e9e6..23e2cfb13e9a 100644
--- a/dom/xhr/XMLHttpRequestMainThread.h
+++ b/dom/xhr/XMLHttpRequestMainThread.h
@@ -580,6 +580,8 @@ protected:
 
   void SetTimerEventTarget(nsITimer* aTimer);
 
+  nsresult DispatchToMainThread(already_AddRefed<nsIRunnable> aRunnable);
+
   already_AddRefed<nsXMLHttpRequestXPCOMifier> EnsureXPCOMifier();
 
   nsCOMPtr<nsISupports> mContext;
diff --git a/dom/xhr/XMLHttpRequestWorker.cpp b/dom/xhr/XMLHttpRequestWorker.cpp
index daf519ddeb8a..f9cd680fce3e 100644
--- a/dom/xhr/XMLHttpRequestWorker.cpp
+++ b/dom/xhr/XMLHttpRequestWorker.cpp
@@ -460,7 +460,7 @@ public:
       return false;
     }
 
-    return NS_SUCCEEDED(NS_DispatchToCurrentThread(this));
+    return NS_SUCCEEDED(mWorkerPrivate->DispatchToMainThread(this));
   }
 
 private:
diff --git a/editor/composer/test/test_bug519928.html b/editor/composer/test/test_bug519928.html
index a46045d5b91a..f5712914b742 100644
--- a/editor/composer/test/test_bug519928.html
+++ b/editor/composer/test/test_bug519928.html
@@ -42,8 +42,8 @@ function expectJSAllowed(allowed, testCondition, callback) {
     is(self_.ICanRunMyJS, allowed, msg);
     callback();
   }, {once: true});
-  var iframeSrc = "data:text/html,<script>parent.parent.ICanRunMyJS = true;</scr" + "ipt>";
-  innerFrame.src = iframeSrc;
+  var iframeSrc = "<script>parent.parent.ICanRunMyJS = true;</scr" + "ipt>";
+  innerFrame.srcdoc = iframeSrc;
 }
 
 SimpleTest.waitForExplicitFinish();
@@ -109,8 +109,8 @@ function testDocumentDisabledJS() {
     is(self_.ICanRunMyJS, false, msg);
     SimpleTest.finish();
   }, {once: true});
-  var iframeSrc = "data:text/html,<script>parent.parent.ICanRunMyJS = true;</scr" + "ipt>";
-  innerFrame.src = iframeSrc;
+  var iframeSrc = "<script>parent.parent.ICanRunMyJS = true;</scr" + "ipt>";
+  innerFrame.srcdoc = iframeSrc;
 }
 
 </script>
diff --git a/editor/libeditor/tests/test_bug1332876.html b/editor/libeditor/tests/test_bug1332876.html
index 76dfa0fc79f9..ae5782bfe8e0 100644
--- a/editor/libeditor/tests/test_bug1332876.html
+++ b/editor/libeditor/tests/test_bug1332876.html
@@ -16,7 +16,7 @@ https://bugzilla.mozilla.org/show_bug.cgi?id=795418
 <div id="content" style="display: none">
 </div>
 
-<iframe src="data:text/html,<html><body><span>Edit me!</span>"></iframe>
+<iframe srcdoc="<html><body><span>Edit me!</span>"></iframe>
 
 <pre id="test">
 
diff --git a/editor/libeditor/tests/test_bug372345.html b/editor/libeditor/tests/test_bug372345.html
index b71ce67b1d76..2929563d8c1d 100644
--- a/editor/libeditor/tests/test_bug372345.html
+++ b/editor/libeditor/tests/test_bug372345.html
@@ -13,7 +13,7 @@ https://bugzilla.mozilla.org/show_bug.cgi?id=372345
 <a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=372345">Mozilla Bug 372345</a>
 <p id="display"></p>
 <div id="content">
-  <iframe src="data:text/html,<body>"></iframe>
+  <iframe srcdoc="<body>"></iframe>
 </div>
 <pre id="test">
 <script type="application/javascript">
diff --git a/editor/libeditor/tests/test_bug620906.html b/editor/libeditor/tests/test_bug620906.html
index 61a9662bf2b8..f58aa236614b 100644
--- a/editor/libeditor/tests/test_bug620906.html
+++ b/editor/libeditor/tests/test_bug620906.html
@@ -13,8 +13,8 @@ https://bugzilla.mozilla.org/show_bug.cgi?id=620906
 <a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=620906">Mozilla Bug 620906</a>
 <p id="display"></p>
 <div id="content">
-  <iframe src="data:text/html,
-    <body contenteditable
+  <iframe srcdoc=
+    "<body contenteditable
           onmousedown='
             document.designMode=&quot;on&quot;;
             document.designMode=&quot;off&quot;;
diff --git a/editor/libeditor/tests/test_bug622371.html b/editor/libeditor/tests/test_bug622371.html
index d08ba8214357..02370a2555e0 100644
--- a/editor/libeditor/tests/test_bug622371.html
+++ b/editor/libeditor/tests/test_bug622371.html
@@ -13,7 +13,7 @@ https://bugzilla.mozilla.org/show_bug.cgi?id=622371
 <a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=622371">Mozilla Bug 622371</a>
 <p id="display"></p>
 <div id="content">
-  <iframe src="data:text/html,<body contenteditable>abc</body>"></iframe>
+  <iframe srcdoc="<body contenteditable>abc</body>"></iframe>
 </div>
 <pre id="test">
 <script type="application/javascript">
diff --git a/editor/libeditor/tests/test_bug646194.html b/editor/libeditor/tests/test_bug646194.html
index 8a0e4a8299b3..068fda6de94d 100644
--- a/editor/libeditor/tests/test_bug646194.html
+++ b/editor/libeditor/tests/test_bug646194.html
@@ -4,7 +4,7 @@
 <script src="/tests/SimpleTest/SimpleTest.js"></script>
 <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=646194"
    target="_blank">Mozilla Bug 646194</a>
-<iframe id="i" src="data:text/html,&lt;div contenteditable=true id=t&gt;test me now&lt;/div&gt;"></iframe>
+<iframe id="i" srcdoc="&lt;div contenteditable=true id=t&gt;test me now&lt;/div&gt;"></iframe>
 <script>
 SimpleTest.expectAssertions(1);
 
diff --git a/gfx/graphite2/README.mozilla b/gfx/graphite2/README.mozilla
index 9d8def40f949..d7f2ac906911 100644
--- a/gfx/graphite2/README.mozilla
+++ b/gfx/graphite2/README.mozilla
@@ -1,6 +1,3 @@
-This directory contains the Graphite2 library release 1.3.9 from
-https://github.com/silnrsi/graphite/releases/download/1.3.9/graphite2-minimal-1.3.9.tgz
-See gfx/graphite2/moz-gr-update.sh for update procedure.
-
-Cherry-picked post-1.3.9 commit 1ce331d5548b98ed8b818532b2556d6f2c7a3b83 to fix
-https://bugzilla.mozilla.org/show_bug.cgi?id=1345461.
+This directory contains the Graphite2 library release 1.3.10 from
+https://github.com/silnrsi/graphite/releases/download/1.3.10/graphite2-minimal-1.3.10.tgz
+See ./gfx/graphite2/moz-gr-update.sh for update procedure.
diff --git a/gfx/graphite2/include/graphite2/Font.h b/gfx/graphite2/include/graphite2/Font.h
index b0de8e82b7cd..729ebff88ab7 100644
--- a/gfx/graphite2/include/graphite2/Font.h
+++ b/gfx/graphite2/include/graphite2/Font.h
@@ -30,7 +30,7 @@
 
 #define GR2_VERSION_MAJOR   1
 #define GR2_VERSION_MINOR   3
-#define GR2_VERSION_BUGFIX  9
+#define GR2_VERSION_BUGFIX  10
 
 #ifdef __cplusplus
 extern "C"
diff --git a/gfx/graphite2/src/CMakeLists.txt b/gfx/graphite2/src/CMakeLists.txt
index 4f1e7e5dbf88..08e1c8fa3d7c 100644
--- a/gfx/graphite2/src/CMakeLists.txt
+++ b/gfx/graphite2/src/CMakeLists.txt
@@ -111,6 +111,9 @@ if  (${CMAKE_SYSTEM_NAME} STREQUAL "Linux")
         COMPILE_FLAGS   "-Wall -Wextra -Wno-unknown-pragmas -Wendif-labels -Wshadow -Wctor-dtor-privacy -Wnon-virtual-dtor -fno-rtti -fno-exceptions -fvisibility=hidden -fvisibility-inlines-hidden -fno-stack-protector"
         LINK_FLAGS      "-nodefaultlibs ${GRAPHITE_LINK_FLAGS}" 
         LINKER_LANGUAGE C)
+    if (${CMAKE_SYSTEM_PROCESSOR} MATCHES "x86|i.86")
+        add_definitions(-mfpmath=sse -msse2)
+    endif (${CMAKE_SYSTEM_PROCESSOR} MATCHES "x86|i.86")
     if (CMAKE_COMPILER_IS_GNUCXX)
         add_definitions(-Wdouble-promotion)
     endif (CMAKE_COMPILER_IS_GNUCXX)
@@ -135,7 +138,7 @@ endif (${CMAKE_SYSTEM_NAME} STREQUAL "Linux")
 
 if  (${CMAKE_SYSTEM_NAME} STREQUAL "Darwin")
     set_target_properties(graphite2 PROPERTIES 
-        COMPILE_FLAGS   "-Wall -Wextra -Wno-unknown-pragmas -Wimplicit-fallthrough -Wendif-labels -Wshadow -Wno-ctor-dtor-privacy -Wno-non-virtual-dtor -fno-rtti -fno-exceptions -fvisibility=hidden -fvisibility-inlines-hidden -fno-stack-protector"
+        COMPILE_FLAGS   "-Wall -Wextra -Wno-unknown-pragmas -Wimplicit-fallthrough -Wendif-labels -Wshadow -Wno-ctor-dtor-privacy -Wno-non-virtual-dtor -fno-rtti -fno-exceptions -fvisibility=hidden -fvisibility-inlines-hidden -fno-stack-protector -mfpmath=sse -msse2"
         LINK_FLAGS      "-nodefaultlibs" 
         LINKER_LANGUAGE C)
     target_link_libraries(graphite2 c)
diff --git a/gfx/graphite2/src/Collider.cpp b/gfx/graphite2/src/Collider.cpp
index ba59d9231bee..035bb9a31258 100644
--- a/gfx/graphite2/src/Collider.cpp
+++ b/gfx/graphite2/src/Collider.cpp
@@ -262,7 +262,7 @@ inline void ShiftCollider::removeBox(const Rect &box, const BBox &bb, const Slan
 // Adjust the movement limits for the target to avoid having it collide
 // with the given neighbor slot. Also determine if there is in fact a collision
 // between the target and the given slot.
-bool ShiftCollider::mergeSlot(Segment *seg, Slot *slot, const Position &currShift,
+bool ShiftCollider::mergeSlot(Segment *seg, Slot *slot, const SlotCollision *cslot, const Position &currShift,
 		bool isAfter,  // slot is logically after _target
 		bool sameCluster, bool &hasCol, bool isExclusion,
         GR_MAYBE_UNUSED json * const dbgout )
@@ -282,7 +282,7 @@ bool ShiftCollider::mergeSlot(Segment *seg, Slot *slot, const Position &currShif
         return false;
     const BBox &bb = gc.getBoundingBBox(gid);
 
-    SlotCollision * cslot = seg->collisionInfo(slot);
+    // SlotCollision * cslot = seg->collisionInfo(slot);
     int orderFlags = 0;
     bool sameClass = _seqProxClass == 0 && cslot->seqClass() == _seqClass;
     if (sameCluster && _seqClass 
@@ -561,7 +561,8 @@ bool ShiftCollider::mergeSlot(Segment *seg, Slot *slot, const Position &currShif
         exclSlot->setGlyph(seg, cslot->exclGlyph());
         Position exclOrigin(slot->origin() + cslot->exclOffset());
         exclSlot->origin(exclOrigin);
-        res &= mergeSlot(seg, exclSlot, currShift, isAfter, sameCluster, isCol, true, dbgout );
+        SlotCollision exclInfo(seg, exclSlot);
+        res &= mergeSlot(seg, exclSlot, &exclInfo, currShift, isAfter, sameCluster, isCol, true, dbgout );
         seg->freeSlot(exclSlot);
     }
     hasCol |= isCol;
diff --git a/gfx/graphite2/src/Decompressor.cpp b/gfx/graphite2/src/Decompressor.cpp
index 084570ff3c3c..4b8b1b4958d4 100644
--- a/gfx/graphite2/src/Decompressor.cpp
+++ b/gfx/graphite2/src/Decompressor.cpp
@@ -51,7 +51,7 @@ bool read_sequence(u8 const * &src, u8 const * const end, u8 const * &literal, u
     literal = src;
     src += literal_len;
     
-    if (src > end - 2)
+    if (src > end - 2 || src < literal)
         return false;
     
     match_dist  = *src++;
@@ -85,7 +85,7 @@ int lz4::decompress(void const *in, size_t in_size, void *out, size_t out_size)
         {
             // Copy in literal. At this point the last full sequence must be at
             // least MINMATCH + 5 from the end of the output buffer.
-            if (dst + align(literal_len) > dst_end - (MINMATCH+5))
+            if (align(literal_len) > unsigned(dst_end - dst - (MINMATCH+5)) || dst_end - dst < MINMATCH + 5)
                 return -1;
             dst = overrun_copy(dst, literal, literal_len);
         }
@@ -94,7 +94,9 @@ int lz4::decompress(void const *in, size_t in_size, void *out, size_t out_size)
         //  decoded output.
         u8 const * const pcpy = dst - match_dist;
         if (pcpy < static_cast<u8*>(out)
-                  || dst + match_len + MINMATCH > dst_end - 5)
+                  || pcpy >= dst
+                  || match_len > unsigned(dst_end - dst - (MINMATCH+5))
+                  || dst_end - dst < MINMATCH + 5)
             return -1;
         if (dst > pcpy+sizeof(unsigned long) 
             && dst + align(match_len + MINMATCH) <= dst_end)
@@ -103,8 +105,8 @@ int lz4::decompress(void const *in, size_t in_size, void *out, size_t out_size)
             dst = safe_copy(dst, pcpy, match_len + MINMATCH);
     }
     
-    if (literal + literal_len > src_end
-              || dst + literal_len > dst_end)
+    if (literal_len > src_end - literal
+              || literal_len > dst_end - dst)
         return -1;
     dst = fast_copy(dst, literal, literal_len);
     
diff --git a/gfx/graphite2/src/FeatureMap.cpp b/gfx/graphite2/src/FeatureMap.cpp
index 990616770d48..d0fc55ddf500 100644
--- a/gfx/graphite2/src/FeatureMap.cpp
+++ b/gfx/graphite2/src/FeatureMap.cpp
@@ -275,7 +275,8 @@ bool FeatureRef::applyValToFeature(uint32 val, Features & pDest) const
     else
       if (pDest.m_pMap!=&m_pFace->theSill().theFeatureMap())
         return false;       //incompatible
-    pDest.reserve(m_index + 1);
+    if (m_index >= pDest.size())
+        pDest.resize(m_index+1);
     pDest[m_index] &= ~m_mask;
     pDest[m_index] |= (uint32(val) << m_bits);
     return true;
diff --git a/gfx/graphite2/src/GlyphCache.cpp b/gfx/graphite2/src/GlyphCache.cpp
index b521d5e5a936..c4ab807b8192 100644
--- a/gfx/graphite2/src/GlyphCache.cpp
+++ b/gfx/graphite2/src/GlyphCache.cpp
@@ -380,12 +380,16 @@ const GlyphFace * GlyphCache::Loader::read_glyph(unsigned short glyphid, GlyphFa
         be::skip<uint16>(gloc,2);
         if (_long_fmt)
         {
+            if (8 + glyphid * sizeof(uint32) > m_pGloc.size())
+                return 0;
             be::skip<uint32>(gloc, glyphid);
             glocs = be::read<uint32>(gloc);
             gloce = be::peek<uint32>(gloc);
         }
         else
         {
+            if (8 + glyphid * sizeof(uint16) > m_pGloc.size())
+                return 0;
             be::skip<uint16>(gloc, glyphid);
             glocs = be::read<uint16>(gloc);
             gloce = be::peek<uint16>(gloc);
diff --git a/gfx/graphite2/src/Pass.cpp b/gfx/graphite2/src/Pass.cpp
index 69ad700c86a2..683143c50971 100644
--- a/gfx/graphite2/src/Pass.cpp
+++ b/gfx/graphite2/src/Pass.cpp
@@ -171,7 +171,7 @@ bool Pass::readPass(const byte * const pass_start, size_t pass_length, size_t su
     const uint16 * const o_actions = reinterpret_cast<const uint16 *>(p);
     be::skip<uint16>(p, m_numRules + 1);
     const byte * const states = p;
-    if (e.test(p + 2u*m_numTransition*m_numColumns >= pass_end, E_BADPASSLENGTH)) return face.error(e);
+    if (e.test(2u*m_numTransition*m_numColumns >= (unsigned)(pass_end - p), E_BADPASSLENGTH)) return face.error(e);
     be::skip<int16>(p, m_numTransition*m_numColumns);
     be::skip<uint8>(p);
     if (e.test(p != pcCode, E_BADPASSCCODEPTR)) return face.error(e);
@@ -192,7 +192,7 @@ bool Pass::readPass(const byte * const pass_start, size_t pass_length, size_t su
         m_cPConstraint = vm::Machine::Code(true, pcCode, pcCode + pass_constraint_len, 
                                   precontext[0], be::peek<uint16>(sort_keys), *m_silf, face, PASS_TYPE_UNKNOWN);
         if (e.test(!m_cPConstraint, E_OUTOFMEM)
-                || e.test(!m_cPConstraint, m_cPConstraint.status() + E_CODEFAILURE))
+                || e.test(m_cPConstraint.status() != Code::loaded, m_cPConstraint.status() + E_CODEFAILURE))
             return face.error(e);
         face.error_context(face.error_context() - 1);
     }
@@ -974,7 +974,7 @@ bool Pass::resolveCollisions(Segment *seg, Slot *slotFix, Slot *start,
                             || !(cNbor->flags() & SlotCollision::COLL_FIX)     // merge in immovable stuff
                             || ((cNbor->flags() & SlotCollision::COLL_KERN) && !sameCluster)     // ignore other kernable clusters
                             || (cNbor->flags() & SlotCollision::COLL_ISCOL))   // test against other collided glyphs
-                      && !coll.mergeSlot(seg, nbor, cNbor->shift(), !ignoreForKern, sameCluster, collides, false, dbgout))
+                      && !coll.mergeSlot(seg, nbor, cNbor, cNbor->shift(), !ignoreForKern, sameCluster, collides, false, dbgout))
             return false;
         else if (nbor == slotFix)
             // Switching sides of this glyph - if we were ignoring kernable stuff before, don't anymore.
diff --git a/gfx/graphite2/src/Silf.cpp b/gfx/graphite2/src/Silf.cpp
index 72a22cd46866..e36b50289f0d 100644
--- a/gfx/graphite2/src/Silf.cpp
+++ b/gfx/graphite2/src/Silf.cpp
@@ -155,8 +155,8 @@ bool Silf::readGraphite(const byte * const silf_start, size_t lSilf, Face& face,
     be::skip<uint32>(p, be::read<uint8>(p));    // don't use scriptTag array.
     if (e.test(p + sizeof(uint16) + sizeof(uint32) >= silf_end, E_BADSCRIPTTAGS)) { releaseBuffers(); return face.error(e); }
     m_gEndLine  = be::read<uint16>(p);          // lbGID
-    const byte * o_passes = p,
-               * const passes_start = silf_start + be::read<uint32>(p);
+    const byte * o_passes = p;
+    uint32 passes_start = be::read<uint32>(p);
 
     const size_t num_attrs = face.glyphs().numAttrs();
     if (e.test(m_aPseudo   >= num_attrs, E_BADAPSEUDO)
@@ -164,7 +164,7 @@ bool Silf::readGraphite(const byte * const silf_start, size_t lSilf, Face& face,
         || e.test(m_aBidi  >= num_attrs, E_BADABIDI)
         || e.test(m_aMirror>= num_attrs, E_BADAMIRROR)
         || e.test(m_aCollision && m_aCollision >= num_attrs - 5, E_BADACOLLISION)
-        || e.test(m_numPasses > 128, E_BADNUMPASSES) || e.test(passes_start >= silf_end, E_BADPASSESSTART)
+        || e.test(m_numPasses > 128, E_BADNUMPASSES) || e.test(passes_start >= lSilf, E_BADPASSESSTART)
         || e.test(m_pPass < m_sPass, E_BADPASSBOUND) || e.test(m_pPass > m_numPasses, E_BADPPASS) || e.test(m_sPass > m_numPasses, E_BADSPASS)
         || e.test(m_jPass < m_pPass, E_BADJPASSBOUND) || e.test(m_jPass > m_numPasses, E_BADJPASS)
         || e.test((m_bPass != 0xFF && (m_bPass < m_jPass || m_bPass > m_numPasses)), E_BADBPASS)
@@ -174,11 +174,11 @@ bool Silf::readGraphite(const byte * const silf_start, size_t lSilf, Face& face,
         return face.error(e);
     }
     be::skip<uint32>(p, m_numPasses);
-    if (e.test(p + sizeof(uint16) >= passes_start, E_BADPASSESSTART)) { releaseBuffers(); return face.error(e); }
+    if (e.test(unsigned(p - silf_start) + sizeof(uint16) >= passes_start, E_BADPASSESSTART)) { releaseBuffers(); return face.error(e); }
     m_numPseudo = be::read<uint16>(p);
     be::skip<uint16>(p, 3); // searchPseudo, pseudoSelector, pseudoShift
     m_pseudos = new Pseudo[m_numPseudo];
-    if (e.test(p + m_numPseudo*(sizeof(uint32) + sizeof(uint16)) >= passes_start, E_BADNUMPSEUDO)
+    if (e.test(unsigned(p - silf_start) + m_numPseudo*(sizeof(uint32) + sizeof(uint16)) >= passes_start, E_BADNUMPSEUDO)
         || e.test(!m_pseudos, E_OUTOFMEM))
     {
         releaseBuffers(); return face.error(e);
@@ -189,20 +189,20 @@ bool Silf::readGraphite(const byte * const silf_start, size_t lSilf, Face& face,
         m_pseudos[i].gid = be::read<uint16>(p);
     }
 
-    const size_t clen = readClassMap(p, passes_start - p, version, e);
+    const size_t clen = readClassMap(p, passes_start + silf_start - p, version, e);
     m_passes = new Pass[m_numPasses];
-    if (e || e.test(p + clen > passes_start, E_BADPASSESSTART)
+    if (e || e.test(clen > unsigned(passes_start + silf_start - p), E_BADPASSESSTART)
           || e.test(!m_passes, E_OUTOFMEM))
     { releaseBuffers(); return face.error(e); }
 
     for (size_t i = 0; i < m_numPasses; ++i)
     {
-        const byte * const pass_start = silf_start + be::read<uint32>(o_passes),
-                   * const pass_end = silf_start + be::peek<uint32>(o_passes);
+        uint32 pass_start = be::read<uint32>(o_passes);
+        uint32 pass_end = be::peek<uint32>(o_passes);
         face.error_context((face.error_context() & 0xFF00) + EC_ASILF + (i << 16));
         if (e.test(pass_start > pass_end, E_BADPASSSTART) 
                 || e.test(pass_start < passes_start, E_BADPASSSTART)
-                || e.test(pass_end > silf_end, E_BADPASSEND)) {
+                || e.test(pass_end > lSilf, E_BADPASSEND)) {
             releaseBuffers(); return face.error(e);
         }
 
@@ -213,7 +213,7 @@ bool Silf::readGraphite(const byte * const silf_start, size_t lSilf, Face& face,
         else pt = PASS_TYPE_LINEBREAK;
 
         m_passes[i].init(this);
-        if (!m_passes[i].readPass(pass_start, pass_end - pass_start, pass_start - silf_start, face, pt,
+        if (!m_passes[i].readPass(silf_start + pass_start, pass_end - pass_start, pass_start, face, pt,
             version, e))
         {
             releaseBuffers();
@@ -293,7 +293,8 @@ size_t Silf::readClassMap(const byte *p, size_t data_len, uint32 version, Error
         if (e.test(*o + 4 > max_off, E_HIGHCLASSOFFSET)                        // LookupClass doesn't stretch over max_off
          || e.test(lookup[0] == 0                                                   // A LookupClass with no looks is a suspicious thing ...
                     || lookup[0] * 2 + *o + 4 > max_off                             // numIDs lookup pairs fits within (start of LookupClass' lookups array, max_off]
-                    || lookup[3] + lookup[1] != lookup[0], E_BADCLASSLOOKUPINFO))   // rangeShift:   numIDs  - searchRange
+                    || lookup[3] + lookup[1] != lookup[0], E_BADCLASSLOOKUPINFO)    // rangeShift:   numIDs  - searchRange
+         || e.test(((o[1] - *o) & 1) != 0, ERROROFFSET))                         // glyphs are in pairs so difference must be even.
             return ERROROFFSET;
     }
 
diff --git a/gfx/graphite2/src/inc/Collider.h b/gfx/graphite2/src/inc/Collider.h
index 84008128ab45..5d953b4a4cbb 100644
--- a/gfx/graphite2/src/inc/Collider.h
+++ b/gfx/graphite2/src/inc/Collider.h
@@ -133,7 +133,7 @@ public:
     bool initSlot(Segment *seg, Slot *aSlot, const Rect &constraint,
                 float margin, float marginMin, const Position &currShift,
                 const Position &currOffset, int dir, GR_MAYBE_UNUSED json * const dbgout);
-    bool mergeSlot(Segment *seg, Slot *slot, const Position &currShift, bool isAfter, 
+    bool mergeSlot(Segment *seg, Slot *slot, const SlotCollision *cinfo, const Position &currShift, bool isAfter, 
                 bool sameCluster, bool &hasCol, bool isExclusion, GR_MAYBE_UNUSED json * const dbgout);
     Position resolve(Segment *seg, bool &isCol, GR_MAYBE_UNUSED json * const dbgout);
     void addBox_slope(bool isx, const Rect &box, const BBox &bb, const SlantBox &sb, const Position &org, float weight, float m, bool minright, int mode);
diff --git a/gfx/graphite2/src/inc/UtfCodec.h b/gfx/graphite2/src/inc/UtfCodec.h
index 3417bac7b15b..9dc760fdcd7c 100644
--- a/gfx/graphite2/src/inc/UtfCodec.h
+++ b/gfx/graphite2/src/inc/UtfCodec.h
@@ -124,7 +124,7 @@ struct _utf_codec<8>
 private:
     static const int8 sz_lut[16];
     static const byte mask_lut[5];
-
+    static const uchar_t    limit = 0x110000;
 
 public:
     typedef uint8   codeunit_t;
@@ -157,7 +157,7 @@ public:
             case 0:     l = -1; return 0xFFFD;
         }
 
-        if (l != seq_sz || toolong)
+        if (l != seq_sz || toolong  || u >= limit)
         {
             l = -l;
             return 0xFFFD;
diff --git a/gfx/graphite2/src/inc/locale2lcid.h b/gfx/graphite2/src/inc/locale2lcid.h
index bc3e3d830478..25d5c0a3c8f9 100644
--- a/gfx/graphite2/src/inc/locale2lcid.h
+++ b/gfx/graphite2/src/inc/locale2lcid.h
@@ -36,8 +36,8 @@ namespace graphite2 {
 struct IsoLangEntry
 {
     unsigned short mnLang;
-    const char maLangStr[4];
-    const char maCountry[3];
+    char maLangStr[4];
+    char maCountry[3];
 };
 
 // Windows Language ID, Locale ISO-639 language, country code as used in
diff --git a/gfx/layers/apz/public/IAPZCTreeManager.h b/gfx/layers/apz/public/IAPZCTreeManager.h
index 383181e8ff2f..b334ec2058bc 100644
--- a/gfx/layers/apz/public/IAPZCTreeManager.h
+++ b/gfx/layers/apz/public/IAPZCTreeManager.h
@@ -157,14 +157,6 @@ public:
    */
   virtual void CancelAnimation(const ScrollableLayerGuid &aGuid) = 0;
 
-  /**
-   * Adjusts the root APZC to compensate for a shift in the surface. See the
-   * documentation on AsyncPanZoomController::AdjustScrollForSurfaceShift for
-   * some more details. This is only currently needed due to surface shifts
-   * caused by the dynamic toolbar on Android.
-   */
-  virtual void AdjustScrollForSurfaceShift(const ScreenPoint& aShift) = 0;
-
   virtual void SetDPI(float aDpiValue) = 0;
 
   /**
diff --git a/gfx/layers/apz/src/APZCTreeManager.h b/gfx/layers/apz/src/APZCTreeManager.h
index 3f30046f0af6..eb1257488a35 100644
--- a/gfx/layers/apz/src/APZCTreeManager.h
+++ b/gfx/layers/apz/src/APZCTreeManager.h
@@ -255,7 +255,7 @@ public:
    * some more details. This is only currently needed due to surface shifts
    * caused by the dynamic toolbar on Android.
    */
-  void AdjustScrollForSurfaceShift(const ScreenPoint& aShift) override;
+  void AdjustScrollForSurfaceShift(const ScreenPoint& aShift);
 
   /**
    * Calls Destroy() on all APZC instances attached to the tree, and resets the
diff --git a/gfx/layers/apz/src/AndroidDynamicToolbarAnimator.cpp b/gfx/layers/apz/src/AndroidDynamicToolbarAnimator.cpp
index 0d9ca3a56e35..f476531b99cf 100644
--- a/gfx/layers/apz/src/AndroidDynamicToolbarAnimator.cpp
+++ b/gfx/layers/apz/src/AndroidDynamicToolbarAnimator.cpp
@@ -73,10 +73,17 @@ AndroidDynamicToolbarAnimator::AndroidDynamicToolbarAnimator()
 void
 AndroidDynamicToolbarAnimator::Initialize(uint64_t aRootLayerTreeId)
 {
+  MOZ_ASSERT(CompositorThreadHolder::IsInCompositorThread());
   mRootLayerTreeId = aRootLayerTreeId;
   RefPtr<UiCompositorControllerParent> uiController = UiCompositorControllerParent::GetFromRootLayerTreeId(mRootLayerTreeId);
   MOZ_ASSERT(uiController);
   uiController->RegisterAndroidDynamicToolbarAnimator(this);
+
+  // Send queued messages that were posted before Initialize() was called.
+  for (QueuedMessage* message = mCompositorQueuedMessages.getFirst(); message != nullptr; message = message->getNext()) {
+    uiController->ToolbarAnimatorMessageFromCompositor(message->mMessage);
+  }
+  mCompositorQueuedMessages.clear();
 }
 
 static bool
@@ -461,6 +468,7 @@ AndroidDynamicToolbarAnimator::Shutdown()
   mCompositorShutdown = true;
   mCompositorToolbarEffect = nullptr;
   mCompositorToolbarTexture = nullptr;
+  mCompositorQueuedMessages.clear();
   if (mCompositorToolbarPixels) {
     RefPtr<UiCompositorControllerParent> uiController = UiCompositorControllerParent::GetFromRootLayerTreeId(mRootLayerTreeId);
     uiController->DeallocShmem(mCompositorToolbarPixels.ref());
@@ -571,6 +579,7 @@ AndroidDynamicToolbarAnimator::HandleTouchEnd(StaticToolbarState aCurrentToolbar
   mControllerStartTouch = 0;
   mControllerPreviousTouch = 0;
   mControllerTotalDistance = 0;
+  bool dragThresholdReached = mControllerDragThresholdReached;
   mControllerDragThresholdReached = false;
   mControllerLastEventTimeStamp = 0;
   bool cancelTouchTracking = mControllerCancelTouchTracking;
@@ -587,6 +596,12 @@ AndroidDynamicToolbarAnimator::HandleTouchEnd(StaticToolbarState aCurrentToolbar
     return;
   }
 
+  // The drag threshold has not been reach and the toolbar is either completely visible or completely hidden.
+  if (!dragThresholdReached && ((mControllerToolbarHeight == mControllerMaxToolbarHeight) || (mControllerToolbarHeight == 0))) {
+    ShowToolbarIfNotVisible(aCurrentToolbarState);
+    return;
+  }
+
   // The toolbar is already where it needs to be so just return.
   if (((direction == MOVE_TOOLBAR_DOWN) && (mControllerToolbarHeight == mControllerMaxToolbarHeight)) ||
       ((direction == MOVE_TOOLBAR_UP) && (mControllerToolbarHeight == 0))) {
@@ -620,11 +635,19 @@ AndroidDynamicToolbarAnimator::HandleTouchEnd(StaticToolbarState aCurrentToolbar
 
 void
 AndroidDynamicToolbarAnimator::PostMessage(int32_t aMessage) {
+  // if the root layer tree id is zero then Initialize() has not been called yet
+  // so queue the message until Initialize() is called.
+  if (mRootLayerTreeId == 0) {
+    QueueMessage(aMessage);
+    return;
+  }
+
   RefPtr<UiCompositorControllerParent> uiController = UiCompositorControllerParent::GetFromRootLayerTreeId(mRootLayerTreeId);
   if (!uiController) {
     // Looks like IPC may be shutdown.
     return;
   }
+
   // ToolbarAnimatorMessageFromCompositor may be called from any thread.
   uiController->ToolbarAnimatorMessageFromCompositor(aMessage);
 }
@@ -958,5 +981,23 @@ AndroidDynamicToolbarAnimator::CheckForResetOnNextMove(ScreenIntCoord aCurrentTo
   }
 }
 
+void
+AndroidDynamicToolbarAnimator::QueueMessage(int32_t aMessage)
+{
+  if (!CompositorThreadHolder::IsInCompositorThread()) {
+    CompositorThreadHolder::Loop()->PostTask(NewRunnableMethod<int32_t>(this, &AndroidDynamicToolbarAnimator::QueueMessage, aMessage));
+    return;
+  }
+
+  // If the root layer tree id is no longer zero, Initialize() was called before QueueMessage was processed
+  // so just post the message now.
+  if (mRootLayerTreeId != 0) {
+    PostMessage(aMessage);
+    return;
+  }
+
+  mCompositorQueuedMessages.insertBack(new QueuedMessage(aMessage));
+}
+
 } // namespace layers
 } // namespace mozilla
diff --git a/gfx/layers/apz/src/AndroidDynamicToolbarAnimator.h b/gfx/layers/apz/src/AndroidDynamicToolbarAnimator.h
index 0896d9194897..dac2b6a6d57b 100644
--- a/gfx/layers/apz/src/AndroidDynamicToolbarAnimator.h
+++ b/gfx/layers/apz/src/AndroidDynamicToolbarAnimator.h
@@ -13,6 +13,7 @@
 #include "mozilla/ipc/Shmem.h"
 #include "mozilla/layers/Effects.h"
 #include "mozilla/layers/TextureHost.h"
+#include "mozilla/LinkedList.h"
 #include "mozilla/Maybe.h"
 #include "mozilla/TimeStamp.h"
 #include "nsISupports.h"
@@ -151,6 +152,7 @@ protected:
   ScreenIntCoord GetFixedLayerMarginsBottom();
   void NotifyControllerSnapshotFailed();
   void CheckForResetOnNextMove(ScreenIntCoord aCurrentTouch);
+  void QueueMessage(int32_t aMessage);
 
   // Read only Compositor and Controller threads after Initialize()
   uint64_t mRootLayerTreeId;
@@ -195,6 +197,17 @@ protected:
   // Controller thread only
   FrameMetricsState mControllerFrameMetrics;
 
+  class QueuedMessage : public LinkedListElement<QueuedMessage> {
+  public:
+    explicit QueuedMessage(int32_t aMessage) :
+      mMessage(aMessage) {}
+    int32_t mMessage;
+  private:
+    QueuedMessage() = delete;
+    QueuedMessage(const QueuedMessage&) = delete;
+    QueuedMessage& operator=(const QueuedMessage&) = delete;
+  };
+
   // Compositor thread only
   bool    mCompositorShutdown;
   bool    mCompositorAnimationDeferred;           // An animation has been deferred until the toolbar is unlocked
@@ -211,6 +224,7 @@ protected:
   RefPtr<DataTextureSource> mCompositorToolbarTexture; // The OGL texture used to render the snapshot in the compositor
   RefPtr<EffectRGB> mCompositorToolbarEffect;          // Effect used to render the snapshot in the compositor
   TimeStamp mCompositorAnimationStartTimeStamp;        // Time stamp when the current animation started
+  AutoCleanLinkedList<QueuedMessage> mCompositorQueuedMessages; // Queue to contain messages sent before Initialize() called
 };
 
 } // namespace layers
diff --git a/gfx/layers/apz/src/AsyncPanZoomController.cpp b/gfx/layers/apz/src/AsyncPanZoomController.cpp
index da35760ef1cf..7b19f5a100f0 100644
--- a/gfx/layers/apz/src/AsyncPanZoomController.cpp
+++ b/gfx/layers/apz/src/AsyncPanZoomController.cpp
@@ -1427,6 +1427,10 @@ nsEventStatus AsyncPanZoomController::OnScale(const PinchGestureInput& aEvent) {
       }
 
       UpdateSharedCompositorFrameMetrics();
+
+    } else {
+      // Trigger a repaint request after scrolling.
+      RequestContentRepaint();
     }
 
     // We did a ScrollBy call above even if we didn't do a scale, so we
diff --git a/gfx/layers/apz/test/gtest/TestPinching.cpp b/gfx/layers/apz/test/gtest/TestPinching.cpp
index 54fb7a75790a..075889db8464 100644
--- a/gfx/layers/apz/test/gtest/TestPinching.cpp
+++ b/gfx/layers/apz/test/gtest/TestPinching.cpp
@@ -292,3 +292,29 @@ TEST_F(APZCPinchGestureDetectorTester, Pinch_NoSpan) {
 
   apzc->AssertStateIsReset();
 }
+
+TEST_F(APZCPinchTester, Pinch_TwoFinger_APZZoom_Disabled_Bug1354185) {
+  // Set up APZ such that mZoomConstraints.mAllowZoom is false.
+  SCOPED_GFX_PREF(APZAllowZooming, bool, false);
+  apzc->SetFrameMetrics(GetPinchableFrameMetrics());
+  MakeApzcUnzoomable();
+
+  // We expect a repaint request for scrolling.
+  EXPECT_CALL(*mcc, RequestContentRepaint(_)).Times(1);
+
+  // Send only the PINCHGESTURE_START and PINCHGESTURE_SCALE events,
+  // in order to trigger a call to AsyncPanZoomController::OnScale
+  // but not to AsyncPanZoomController::OnScaleEnd.
+  ScreenIntPoint aFocus(250, 350);
+  ScreenIntPoint aSecondFocus(200, 300);
+  float aScale = 10;
+  apzc->ReceiveInputEvent(
+      CreatePinchGestureInput(PinchGestureInput::PINCHGESTURE_START,
+                              aFocus, 10.0, 10.0),
+      nullptr);
+
+  apzc->ReceiveInputEvent(
+      CreatePinchGestureInput(PinchGestureInput::PINCHGESTURE_SCALE,
+                              aSecondFocus, 10.0 * aScale, 10.0),
+      nullptr);
+}
diff --git a/gfx/layers/ipc/APZCTreeManagerChild.cpp b/gfx/layers/ipc/APZCTreeManagerChild.cpp
index 71747520b098..5cb749a4c0ba 100644
--- a/gfx/layers/ipc/APZCTreeManagerChild.cpp
+++ b/gfx/layers/ipc/APZCTreeManagerChild.cpp
@@ -165,12 +165,6 @@ APZCTreeManagerChild::CancelAnimation(const ScrollableLayerGuid &aGuid)
   SendCancelAnimation(aGuid);
 }
 
-void
-APZCTreeManagerChild::AdjustScrollForSurfaceShift(const ScreenPoint& aShift)
-{
-  SendAdjustScrollForSurfaceShift(aShift);
-}
-
 void
 APZCTreeManagerChild::SetDPI(float aDpiValue)
 {
diff --git a/gfx/layers/ipc/APZCTreeManagerChild.h b/gfx/layers/ipc/APZCTreeManagerChild.h
index 7d8210e17f7c..5b090839efb6 100644
--- a/gfx/layers/ipc/APZCTreeManagerChild.h
+++ b/gfx/layers/ipc/APZCTreeManagerChild.h
@@ -54,9 +54,6 @@ public:
   void
   CancelAnimation(const ScrollableLayerGuid &aGuid) override;
 
-  void
-  AdjustScrollForSurfaceShift(const ScreenPoint& aShift) override;
-
   void
   SetDPI(float aDpiValue) override;
 
diff --git a/gfx/layers/ipc/APZCTreeManagerParent.cpp b/gfx/layers/ipc/APZCTreeManagerParent.cpp
index 95fd736de694..940cdf630f1d 100644
--- a/gfx/layers/ipc/APZCTreeManagerParent.cpp
+++ b/gfx/layers/ipc/APZCTreeManagerParent.cpp
@@ -222,13 +222,6 @@ APZCTreeManagerParent::RecvCancelAnimation(const ScrollableLayerGuid& aGuid)
   return IPC_OK();
 }
 
-mozilla::ipc::IPCResult
-APZCTreeManagerParent::RecvAdjustScrollForSurfaceShift(const ScreenPoint& aShift)
-{
-  mTreeManager->AdjustScrollForSurfaceShift(aShift);
-  return IPC_OK();
-}
-
 mozilla::ipc::IPCResult
 APZCTreeManagerParent::RecvSetDPI(const float& aDpiValue)
 {
diff --git a/gfx/layers/ipc/APZCTreeManagerParent.h b/gfx/layers/ipc/APZCTreeManagerParent.h
index 4962784e2c6d..b078787249c2 100644
--- a/gfx/layers/ipc/APZCTreeManagerParent.h
+++ b/gfx/layers/ipc/APZCTreeManagerParent.h
@@ -102,9 +102,6 @@ public:
   mozilla::ipc::IPCResult
   RecvCancelAnimation(const ScrollableLayerGuid& aGuid) override;
 
-  mozilla::ipc::IPCResult
-  RecvAdjustScrollForSurfaceShift(const ScreenPoint& aShift) override;
-
   mozilla::ipc::IPCResult
   RecvSetDPI(const float& aDpiValue) override;
 
diff --git a/gfx/layers/ipc/PAPZCTreeManager.ipdl b/gfx/layers/ipc/PAPZCTreeManager.ipdl
index 56342da8f064..f14a1d2b2aca 100644
--- a/gfx/layers/ipc/PAPZCTreeManager.ipdl
+++ b/gfx/layers/ipc/PAPZCTreeManager.ipdl
@@ -68,8 +68,6 @@ parent:
 
   async CancelAnimation(ScrollableLayerGuid aGuid);
 
-  async AdjustScrollForSurfaceShift(ScreenPoint aShift);
-
   async SetDPI(float aDpiValue);
 
   async SetAllowedTouchBehavior(uint64_t aInputBlockId, TouchBehaviorFlags[] aValues);
diff --git a/gfx/src/nsDeviceContext.cpp b/gfx/src/nsDeviceContext.cpp
index be87fa069327..8fc71f6a164d 100644
--- a/gfx/src/nsDeviceContext.cpp
+++ b/gfx/src/nsDeviceContext.cpp
@@ -194,7 +194,8 @@ nsDeviceContext::nsDeviceContext()
     : mWidth(0), mHeight(0),
       mAppUnitsPerDevPixel(-1), mAppUnitsPerDevPixelAtUnitFullZoom(-1),
       mAppUnitsPerPhysicalInch(-1),
-      mFullZoom(1.0f), mPrintingScale(1.0f)
+      mFullZoom(1.0f), mPrintingScale(1.0f),
+      mIsCurrentlyPrintingDoc(false)
 #ifdef DEBUG
     , mIsInitialized(false)
 #endif
@@ -489,12 +490,18 @@ nsDeviceContext::BeginDocument(const nsAString& aTitle,
                                int32_t          aStartPage,
                                int32_t          aEndPage)
 {
+    MOZ_ASSERT(!mIsCurrentlyPrintingDoc,
+               "Mismatched BeginDocument/EndDocument calls");
+
     nsresult rv = mPrintTarget->BeginPrinting(aTitle, aPrintToFileName,
                                               aStartPage, aEndPage);
 
-    if (NS_SUCCEEDED(rv) && mDeviceContextSpec) {
-      rv = mDeviceContextSpec->BeginDocument(aTitle, aPrintToFileName,
-                                             aStartPage, aEndPage);
+    if (NS_SUCCEEDED(rv)) {
+        if (mDeviceContextSpec) {
+           rv = mDeviceContextSpec->BeginDocument(aTitle, aPrintToFileName,
+                                                  aStartPage, aEndPage);
+        }
+        mIsCurrentlyPrintingDoc = true;
     }
 
     return rv;
@@ -504,8 +511,13 @@ nsDeviceContext::BeginDocument(const nsAString& aTitle,
 nsresult
 nsDeviceContext::EndDocument(void)
 {
+    MOZ_ASSERT(mIsCurrentlyPrintingDoc,
+               "Mismatched BeginDocument/EndDocument calls");
+
     nsresult rv = NS_OK;
 
+    mIsCurrentlyPrintingDoc = false;
+
     rv = mPrintTarget->EndPrinting();
     if (NS_SUCCEEDED(rv)) {
         mPrintTarget->Finish();
@@ -523,8 +535,13 @@ nsDeviceContext::EndDocument(void)
 nsresult
 nsDeviceContext::AbortDocument(void)
 {
+    MOZ_ASSERT(mIsCurrentlyPrintingDoc,
+               "Mismatched BeginDocument/EndDocument calls");
+
     nsresult rv = mPrintTarget->AbortPrinting();
 
+    mIsCurrentlyPrintingDoc = false;
+
     if (mDeviceContextSpec)
         mDeviceContextSpec->EndDocument();
 
diff --git a/gfx/src/nsDeviceContext.h b/gfx/src/nsDeviceContext.h
index 2d2ed497e1f9..2e3370741e33 100644
--- a/gfx/src/nsDeviceContext.h
+++ b/gfx/src/nsDeviceContext.h
@@ -189,6 +189,12 @@ public:
      */
     nsresult GetClientRect(nsRect& aRect);
 
+    /**
+     * Returns true if we're currently between BeginDocument() and
+     * EndDocument() calls.
+     */
+    bool IsCurrentlyPrintingDocument() const { return mIsCurrentlyPrintingDoc; }
+
     /**
      * Inform the output device that output of a document is beginning
      * Used for print related device contexts. Must be matched 1:1 with
@@ -305,6 +311,7 @@ private:
     nsCOMPtr<nsIScreenManager>     mScreenManager;
     nsCOMPtr<nsIDeviceContextSpec> mDeviceContextSpec;
     RefPtr<PrintTarget>            mPrintTarget;
+    bool                           mIsCurrentlyPrintingDoc;
 #ifdef DEBUG
     bool mIsInitialized;
 #endif
diff --git a/gfx/thebes/gfxBlur.cpp b/gfx/thebes/gfxBlur.cpp
index 50362daf66ad..9e278f86636b 100644
--- a/gfx/thebes/gfxBlur.cpp
+++ b/gfx/thebes/gfxBlur.cpp
@@ -75,7 +75,12 @@ gfxAlphaBoxBlur::InitDrawTarget(const DrawTarget* aReferenceDT,
   // Check if the backend has an accelerated DrawSurfaceWithShadow.
   // Currently, only D2D1.1 supports this.
   // Otherwise, DrawSurfaceWithShadow only supports square blurs without spread.
+  // When blurring small draw targets such as short spans text, the cost of
+  // creating and flushing an accelerated draw target may exceed the speedup
+  // gained from the faster blur, so we also make sure the blurred data exceeds
+  // a sufficient number of pixels to offset this cost.
   if (aBlurRadius.IsSquare() && aSpreadRadius.IsEmpty() &&
+      blurDataSize >= 8192 &&
       backend == BackendType::DIRECT2D1_1) {
     mAccelerated = true;
     mDrawTarget =
diff --git a/image/DecodePool.cpp b/image/DecodePool.cpp
index aefe99158e38..92e38404600e 100644
--- a/image/DecodePool.cpp
+++ b/image/DecodePool.cpp
@@ -252,7 +252,7 @@ DecodePool::DecodePool()
   }
   // The parent process where there are content processes doesn't need as many
   // threads for decoding images.
-  if (limit > 4 && XRE_IsParentProcess() && BrowserTabsRemoteAutostart()) {
+  if (limit > 4 && XRE_IsE10sParentProcess()) {
     limit = 4;
   }
 
diff --git a/ipc/glue/GeckoChildProcessHost.cpp b/ipc/glue/GeckoChildProcessHost.cpp
index 7c8446f0c537..0e1eaaf47fcc 100644
--- a/ipc/glue/GeckoChildProcessHost.cpp
+++ b/ipc/glue/GeckoChildProcessHost.cpp
@@ -746,6 +746,11 @@ GeckoChildProcessHost::PerformAsyncLaunchInternal(std::vector<std::string>& aExt
   if (mProcessType == GeckoProcessType_Content) {
     // disable IM module to avoid sandbox violation
     newEnvVars["GTK_IM_MODULE"] = "gtk-im-context-simple";
+
+    // Disable ATK accessibility code in content processes because it conflicts
+    // with the sandbox, and we proxy that information through the main process
+    // anyway.
+    newEnvVars["NO_AT_BRIDGE"] = "1";
   }
 #endif
 
diff --git a/js/public/GCAPI.h b/js/public/GCAPI.h
index 8bf8031cc84b..e9da6cb65c40 100644
--- a/js/public/GCAPI.h
+++ b/js/public/GCAPI.h
@@ -13,6 +13,7 @@
 #include "js/GCAnnotations.h"
 #include "js/HeapAPI.h"
 #include "js/UniquePtr.h"
+#include "js/Utility.h"
 
 namespace js {
 namespace gc {
@@ -345,9 +346,20 @@ struct JS_PUBLIC_API(GCDescription) {
     char16_t* formatSummaryMessage(JSContext* cx) const;
     char16_t* formatJSON(JSContext* cx, uint64_t timestamp) const;
 
+    mozilla::TimeStamp startTime(JSContext* cx) const;
+    mozilla::TimeStamp endTime(JSContext* cx) const;
+    mozilla::TimeStamp lastSliceStart(JSContext* cx) const;
+    mozilla::TimeStamp lastSliceEnd(JSContext* cx) const;
+
+    JS::UniqueChars sliceToJSON(JSContext* cx) const;
+    JS::UniqueChars summaryToJSON(JSContext* cx) const;
+
     JS::dbg::GarbageCollectionEvent::Ptr toGCEvent(JSContext* cx) const;
 };
 
+extern JS_PUBLIC_API(UniqueChars)
+MinorGcToJSON(JSContext* cx);
+
 typedef void
 (* GCSliceCallback)(JSContext* cx, GCProgress progress, const GCDescription& desc);
 
diff --git a/js/public/HeapAPI.h b/js/public/HeapAPI.h
index 006884b446ac..ba48d4edf7f2 100644
--- a/js/public/HeapAPI.h
+++ b/js/public/HeapAPI.h
@@ -36,9 +36,11 @@ const size_t ChunkShift = 20;
 const size_t ChunkSize = size_t(1) << ChunkShift;
 const size_t ChunkMask = ChunkSize - 1;
 
-const size_t CellShift = 3;
-const size_t CellSize = size_t(1) << CellShift;
-const size_t CellMask = CellSize - 1;
+const size_t CellAlignShift = 3;
+const size_t CellAlignBytes = size_t(1) << CellAlignShift;
+const size_t CellAlignMask = CellAlignBytes - 1;
+
+const size_t CellBytesPerMarkBit = CellAlignBytes;
 
 /* These are magic constants derived from actual offsets in gc/Heap.h. */
 #ifdef JS_GC_SMALL_CHUNK_SIZE
@@ -303,7 +305,7 @@ GetGCThingMarkWordAndMask(const uintptr_t addr, uint32_t color,
                           uintptr_t** wordp, uintptr_t* maskp)
 {
     MOZ_ASSERT(addr);
-    const size_t bit = (addr & js::gc::ChunkMask) / js::gc::CellSize + color;
+    const size_t bit = (addr & js::gc::ChunkMask) / js::gc::CellBytesPerMarkBit + color;
     MOZ_ASSERT(bit < js::gc::ChunkMarkBitmapBits);
     uintptr_t* bitmap = GetGCThingMarkBitmap(addr);
     const uintptr_t nbits = sizeof(*bitmap) * CHAR_BIT;
diff --git a/js/public/RootingAPI.h b/js/public/RootingAPI.h
index f74e8342c73d..bd159278e915 100644
--- a/js/public/RootingAPI.h
+++ b/js/public/RootingAPI.h
@@ -727,7 +727,7 @@ class alignas(8) DispatchWrapper
 
     using TraceFn = void (*)(JSTracer*, T*, const char*);
     TraceFn tracer;
-    alignas(gc::CellSize) T storage;
+    alignas(gc::CellAlignBytes) T storage;
 
   public:
     template <typename U>
diff --git a/js/src/gc/Allocator.cpp b/js/src/gc/Allocator.cpp
index afb38457c78d..31a91a35c653 100644
--- a/js/src/gc/Allocator.cpp
+++ b/js/src/gc/Allocator.cpp
@@ -34,7 +34,7 @@ js::Allocate(JSContext* cx, AllocKind kind, size_t nDynamicSlots, InitialHeap he
 
     MOZ_ASSERT(thingSize == Arena::thingSize(kind));
     MOZ_ASSERT(thingSize >= sizeof(JSObject_Slots0));
-    static_assert(sizeof(JSObject_Slots0) >= CellSize,
+    static_assert(sizeof(JSObject_Slots0) >= MinCellSize,
                   "All allocations must be at least the allocator-imposed minimum size.");
 
     MOZ_ASSERT_IF(nDynamicSlots != 0, clasp->isNative() || clasp->isProxy());
@@ -131,7 +131,7 @@ T*
 js::Allocate(JSContext* cx)
 {
     static_assert(!mozilla::IsConvertible<T*, JSObject*>::value, "must not be JSObject derived");
-    static_assert(sizeof(T) >= CellSize,
+    static_assert(sizeof(T) >= MinCellSize,
                   "All allocations must be at least the allocator-imposed minimum size.");
 
     AllocKind kind = MapTypeToFinalizeKind<T>::kind;
diff --git a/js/src/gc/AtomMarking-inl.h b/js/src/gc/AtomMarking-inl.h
index 0262d44b44a5..02655f82a9b3 100644
--- a/js/src/gc/AtomMarking-inl.h
+++ b/js/src/gc/AtomMarking-inl.h
@@ -18,7 +18,7 @@ GetAtomBit(TenuredCell* thing)
 {
     MOZ_ASSERT(thing->zoneFromAnyThread()->isAtomsZone());
     Arena* arena = thing->arena();
-    size_t arenaBit = (reinterpret_cast<uintptr_t>(thing) - arena->address()) / CellSize;
+    size_t arenaBit = (reinterpret_cast<uintptr_t>(thing) - arena->address()) / CellBytesPerMarkBit;
     return arena->atomBitmapStart() * JS_BITS_PER_WORD + arenaBit;
 }
 
diff --git a/js/src/gc/AtomMarking.cpp b/js/src/gc/AtomMarking.cpp
index 2190d2884943..64348293f0ea 100644
--- a/js/src/gc/AtomMarking.cpp
+++ b/js/src/gc/AtomMarking.cpp
@@ -48,7 +48,7 @@ void
 AtomMarkingRuntime::registerArena(Arena* arena)
 {
     MOZ_ASSERT(arena->getThingSize() != 0);
-    MOZ_ASSERT(arena->getThingSize() % CellSize == 0);
+    MOZ_ASSERT(arena->getThingSize() % CellAlignBytes == 0);
     MOZ_ASSERT(arena->zone->isAtomsZone());
     MOZ_ASSERT(arena->zone->runtimeFromAnyThread()->currentThreadHasExclusiveAccess());
 
diff --git a/js/src/gc/Heap.h b/js/src/gc/Heap.h
index 2ecb7e9122a8..03c7c57e927e 100644
--- a/js/src/gc/Heap.h
+++ b/js/src/gc/Heap.h
@@ -261,6 +261,8 @@ struct Cell
     // May be overridden by GC thing kinds that have a compartment pointer.
     inline JSCompartment* maybeCompartment() const { return nullptr; }
 
+    // The StoreBuffer used to record incoming pointers from the tenured heap.
+    // This will return nullptr for a tenured cell.
     inline StoreBuffer* storeBuffer() const;
 
     inline JS::TraceKind getTraceKind() const;
@@ -323,24 +325,39 @@ class TenuredCell : public Cell
 #endif
 };
 
-/* Cells are aligned to CellShift, so the largest tagged null pointer is: */
-const uintptr_t LargestTaggedNullCellPointer = (1 << CellShift) - 1;
+/* Cells are aligned to CellAlignShift, so the largest tagged null pointer is: */
+const uintptr_t LargestTaggedNullCellPointer = (1 << CellAlignShift) - 1;
+
+/*
+ * The minimum cell size ends up as twice the cell alignment because the mark
+ * bitmap contains one bit per CellBytesPerMarkBit bytes (which is equal to
+ * CellAlignBytes) and we need two mark bits per cell.
+ */
+const size_t MarkBitsPerCell = 2;
+const size_t MinCellSize = CellBytesPerMarkBit * MarkBitsPerCell;
 
 constexpr size_t
 DivideAndRoundUp(size_t numerator, size_t divisor) {
     return (numerator + divisor - 1) / divisor;
 }
 
-const size_t ArenaCellCount = ArenaSize / CellSize;
-static_assert(ArenaSize % CellSize == 0, "Arena size must be a multiple of cell size");
+static_assert(ArenaSize % CellAlignBytes == 0,
+              "Arena size must be a multiple of cell alignment");
 
 /*
- * The mark bitmap has one bit per each GC cell. For multi-cell GC things this
- * wastes space but allows to avoid expensive devisions by thing's size when
- * accessing the bitmap. In addition this allows to use some bits for colored
- * marking during the cycle GC.
+ * We sometimes use an index to refer to a cell in an arena. The index for a
+ * cell is found by dividing by the cell alignment so not all indicies refer to
+ * valid cells.
  */
-const size_t ArenaBitmapBits = ArenaCellCount;
+const size_t ArenaCellIndexBytes = CellAlignBytes;
+const size_t MaxArenaCellIndex = ArenaSize / CellAlignBytes;
+
+/*
+ * The mark bitmap has one bit per each possible cell start position. This
+ * wastes some space for larger GC things but allows us to avoid division by the
+ * cell's size when accessing the bitmap.
+ */
+const size_t ArenaBitmapBits = ArenaSize / CellBytesPerMarkBit;
 const size_t ArenaBitmapBytes = DivideAndRoundUp(ArenaBitmapBits, 8);
 const size_t ArenaBitmapWords = DivideAndRoundUp(ArenaBitmapBits, JS_BITS_PER_WORD);
 
@@ -769,25 +786,26 @@ FreeSpan::checkRange(uintptr_t first, uintptr_t last, const Arena* arena) const
  */
 struct ChunkTrailer
 {
-    /* Construct a Nursery ChunkTrailer. */
+    // Construct a Nursery ChunkTrailer.
     ChunkTrailer(JSRuntime* rt, StoreBuffer* sb)
       : location(ChunkLocation::Nursery), storeBuffer(sb), runtime(rt)
     {}
 
-    /* Construct a Tenured heap ChunkTrailer. */
+    // Construct a Tenured heap ChunkTrailer.
     explicit ChunkTrailer(JSRuntime* rt)
       : location(ChunkLocation::TenuredHeap), storeBuffer(nullptr), runtime(rt)
     {}
 
   public:
-    /* The index the chunk in the nursery, or LocationTenuredHeap. */
+    // The index of the chunk in the nursery, or LocationTenuredHeap.
     ChunkLocation   location;
     uint32_t        padding;
 
-    /* The store buffer for writes to things in this chunk or nullptr. */
+    // The store buffer for pointers from tenured things to things in this
+    // chunk. Will be non-null only for nursery chunks.
     StoreBuffer*    storeBuffer;
 
-    /* This provides quick access to the runtime from absolutely anywhere. */
+    // Provide quick access to the runtime from absolutely anywhere.
     JSRuntime*      runtime;
 };
 
@@ -1116,7 +1134,7 @@ AssertValidColor(const TenuredCell* thing, uint32_t color)
 {
 #ifdef DEBUG
     Arena* arena = thing->arena();
-    MOZ_ASSERT(color < arena->getThingSize() / CellSize);
+    MOZ_ASSERT(color < arena->getThingSize() / CellBytesPerMarkBit);
 #endif
 }
 
@@ -1152,7 +1170,7 @@ inline uintptr_t
 Cell::address() const
 {
     uintptr_t addr = uintptr_t(this);
-    MOZ_ASSERT(addr % CellSize == 0);
+    MOZ_ASSERT(addr % CellAlignBytes == 0);
     MOZ_ASSERT(Chunk::withinValidRange(addr));
     return addr;
 }
@@ -1161,7 +1179,7 @@ Chunk*
 Cell::chunk() const
 {
     uintptr_t addr = uintptr_t(this);
-    MOZ_ASSERT(addr % CellSize == 0);
+    MOZ_ASSERT(addr % CellAlignBytes == 0);
     addr &= ~ChunkMask;
     return reinterpret_cast<Chunk*>(addr);
 }
diff --git a/js/src/gc/Marking.cpp b/js/src/gc/Marking.cpp
index fda0e480ed0d..feb3310b93a7 100644
--- a/js/src/gc/Marking.cpp
+++ b/js/src/gc/Marking.cpp
@@ -1945,7 +1945,7 @@ MarkStack::TaggedPtr::TaggedPtr(Tag tag, Cell* ptr)
   : bits(tag | uintptr_t(ptr))
 {
     MOZ_ASSERT(tag <= LastTag);
-    MOZ_ASSERT((uintptr_t(ptr) & CellMask) == 0);
+    MOZ_ASSERT((uintptr_t(ptr) & CellAlignMask) == 0);
 }
 
 inline MarkStack::Tag
@@ -2735,9 +2735,9 @@ template <typename T>
 static void
 TraceBufferedCells(TenuringTracer& mover, Arena* arena, ArenaCellSet* cells)
 {
-    for (size_t i = 0; i < ArenaCellCount; i++) {
+    for (size_t i = 0; i < MaxArenaCellIndex; i++) {
         if (cells->hasCell(i)) {
-            auto cell = reinterpret_cast<T*>(uintptr_t(arena) + CellSize * i);
+            auto cell = reinterpret_cast<T*>(uintptr_t(arena) + ArenaCellIndexBytes * i);
             TraceWholeCell(mover, cell);
         }
     }
diff --git a/js/src/gc/Marking.h b/js/src/gc/Marking.h
index fcb4e0ffb270..ee5003e4c68e 100644
--- a/js/src/gc/Marking.h
+++ b/js/src/gc/Marking.h
@@ -79,7 +79,7 @@ class MarkStack
 
     static const uintptr_t TagMask = 7;
     static_assert(TagMask >= uintptr_t(LastTag), "The tag mask must subsume the tags.");
-    static_assert(TagMask <= gc::CellMask, "The tag mask must be embeddable in a Cell*.");
+    static_assert(TagMask <= gc::CellAlignMask, "The tag mask must be embeddable in a Cell*.");
 
     class TaggedPtr
     {
diff --git a/js/src/gc/Nursery.cpp b/js/src/gc/Nursery.cpp
index 5655e35344e8..b1c02c9751be 100644
--- a/js/src/gc/Nursery.cpp
+++ b/js/src/gc/Nursery.cpp
@@ -25,6 +25,7 @@
 #if defined(DEBUG)
 #include "vm/EnvironmentObject.h"
 #endif
+#include "vm/JSONPrinter.h"
 #include "vm/Time.h"
 #include "vm/TypedArrayObject.h"
 #include "vm/TypeInference.h"
@@ -121,6 +122,11 @@ js::Nursery::Nursery(JSRuntime* rt)
   , previousPromotionRate_(0)
   , profileThreshold_(0)
   , enableProfiling_(false)
+#ifdef MOZ_GECKO_PROFILER
+  , trackTimings_(true)
+#else
+  , trackTimings_(false)
+#endif
   , reportTenurings_(0)
   , minorGCTriggerReason_(JS::gcreason::NO_REASON)
   , minorGcCount_(0)
@@ -164,6 +170,7 @@ js::Nursery::init(uint32_t maxNurseryBytes, AutoLockGC& lock)
             exit(0);
         }
         enableProfiling_ = true;
+        trackTimings_ = true;
         profileThreshold_ = TimeDuration::FromMicroseconds(atoi(env));
     }
 
@@ -297,11 +304,11 @@ js::Nursery::allocate(size_t size)
     MOZ_ASSERT(!JS::CurrentThreadIsHeapBusy());
     MOZ_ASSERT(CurrentThreadCanAccessRuntime(runtime()));
     MOZ_ASSERT_IF(currentChunk_ == currentStartChunk_, position() >= currentStartPosition_);
-    MOZ_ASSERT(position() % gc::CellSize == 0);
-    MOZ_ASSERT(size % gc::CellSize == 0);
+    MOZ_ASSERT(position() % CellAlignBytes == 0);
+    MOZ_ASSERT(size % CellAlignBytes == 0);
 
 #ifdef JS_GC_ZEAL
-    static const size_t CanarySize = (sizeof(Nursery::Canary) + CellSize - 1) & ~CellMask;
+    static const size_t CanarySize = (sizeof(Nursery::Canary) + CellAlignBytes - 1) & ~CellAlignMask;
     if (runtime()->gc.hasZealMode(ZealMode::CheckNursery))
         size += CanarySize;
 #endif
@@ -483,6 +490,30 @@ js::TenuringTracer::TenuringTracer(JSRuntime* rt, Nursery* nursery)
 {
 }
 
+void
+js::Nursery::renderProfileJSON(JSONPrinter& json) const
+{
+    if (!isEnabled()) {
+        json.beginObject();
+        json.property("status", "nursery disabled");
+        json.endObject();
+        return;
+    }
+
+    json.beginObject();
+#define EXTRACT_NAME(name, text) #name,
+    static const char* names[] = {
+FOR_EACH_NURSERY_PROFILE_TIME(EXTRACT_NAME)
+#undef EXTRACT_NAME
+    "" };
+
+    size_t i = 0;
+    for (auto time : profileDurations_)
+        json.property(names[i++], time.ToMicroseconds());
+
+    json.endObject();
+}
+
 /* static */ void
 js::Nursery::printProfileHeader()
 {
@@ -514,7 +545,7 @@ js::Nursery::printTotalProfileTimes()
 void
 js::Nursery::maybeClearProfileDurations()
 {
-    if (enableProfiling_) {
+    if (trackTimings_) {
         for (auto& duration : profileDurations_)
             duration = mozilla::TimeDuration();
     }
@@ -536,14 +567,14 @@ js::Nursery::endProfile(ProfileKey key)
 inline void
 js::Nursery::maybeStartProfile(ProfileKey key)
 {
-    if (enableProfiling_)
+    if (trackTimings_)
         startProfile(key);
 }
 
 inline void
 js::Nursery::maybeEndProfile(ProfileKey key)
 {
-    if (enableProfiling_)
+    if (trackTimings_)
         endProfile(key);
 }
 
@@ -986,8 +1017,8 @@ js::Nursery::updateNumChunksLocked(unsigned newCount,
 void
 js::Nursery::queueSweepAction(SweepThunk thunk, void* data)
 {
-    static_assert(sizeof(SweepAction) % CellSize == 0,
-                  "SweepAction size must be a multiple of cell size");
+    static_assert(sizeof(SweepAction) % CellAlignBytes == 0,
+                  "SweepAction size must be a multiple of cell alignment");
 
     MOZ_ASSERT(isEnabled());
 
diff --git a/js/src/gc/Nursery.h b/js/src/gc/Nursery.h
index 84238dba24eb..6b7026755ed3 100644
--- a/js/src/gc/Nursery.h
+++ b/js/src/gc/Nursery.h
@@ -59,6 +59,7 @@ class NativeObject;
 class Nursery;
 class HeapSlot;
 class ZoneGroup;
+class JSONPrinter;
 
 void SetGCZeal(JSRuntime*, uint8_t, uint32_t);
 
@@ -259,6 +260,9 @@ class Nursery
     void leaveZealMode();
 #endif
 
+    /* Write profile time JSON on JSONPrinter. */
+    void renderProfileJSON(JSONPrinter& json) const;
+
     /* Print header line for profile times. */
     static void printProfileHeader();
 
@@ -275,6 +279,7 @@ class Nursery
     void clearMinorGCRequest() { minorGCTriggerReason_ = JS::gcreason::NO_REASON; }
 
     bool enableProfiling() const { return enableProfiling_; }
+    bool trackTimings() const { return trackTimings_; }
 
   private:
     /* The amount of space in the mapped nursery available to allocations. */
@@ -321,6 +326,12 @@ class Nursery
     mozilla::TimeDuration profileThreshold_;
     bool enableProfiling_;
 
+    /*
+     * Track timings if either enableProfiling_ or the Gecko profiler is
+     * compiled in.
+     */
+    bool trackTimings_;
+
     /* Report ObjectGroups with at lest this many instances tenured. */
     int64_t reportTenurings_;
 
diff --git a/js/src/gc/Statistics.cpp b/js/src/gc/Statistics.cpp
index 9459b5c80957..6babf01658d0 100644
--- a/js/src/gc/Statistics.cpp
+++ b/js/src/gc/Statistics.cpp
@@ -259,7 +259,7 @@ struct AllPhaseIterator {
     {
     }
 
-    void get(Phase* phase, size_t* dagSlot, size_t* level = nullptr) {
+    void get(Phase* phase, size_t* dagSlot, int* level = nullptr) {
         MOZ_ASSERT(!done());
         *dagSlot = activeSlot;
         *phase = descendants.empty() ? Phase(current) : descendants.front();
@@ -308,17 +308,17 @@ void
 Statistics::gcDuration(TimeDuration* total, TimeDuration* maxPause) const
 {
     *total = *maxPause = 0;
-    for (const SliceData* slice = slices.begin(); slice != slices.end(); slice++) {
-        *total += slice->duration();
-        if (slice->duration() > *maxPause)
-            *maxPause = slice->duration();
+    for (auto& slice : slices_) {
+        *total += slice.duration();
+        if (slice.duration() > *maxPause)
+            *maxPause = slice.duration();
     }
     if (*maxPause > maxPauseInInterval)
         maxPauseInInterval = *maxPause;
 }
 
 void
-Statistics::sccDurations(TimeDuration* total, TimeDuration* maxPause)
+Statistics::sccDurations(TimeDuration* total, TimeDuration* maxPause) const
 {
     *total = *maxPause = 0;
     for (size_t i = 0; i < sccTimes.length(); i++) {
@@ -384,11 +384,11 @@ UniqueChars
 Statistics::formatCompactSliceMessage() const
 {
     // Skip if we OOM'ed.
-    if (slices.length() == 0)
+    if (slices_.length() == 0)
         return UniqueChars(nullptr);
 
-    const size_t index = slices.length() - 1;
-    const SliceData& slice = slices[index];
+    const size_t index = slices_.length() - 1;
+    const SliceData& slice = slices_.back();
 
     char budgetDescription[200];
     slice.budget.describe(budgetDescription, sizeof(budgetDescription) - 1);
@@ -397,14 +397,14 @@ Statistics::formatCompactSliceMessage() const
         "GC Slice %u - Pause: %.3fms of %s budget (@ %.3fms); Reason: %s; Reset: %s%s; Times: ";
     char buffer[1024];
     SprintfLiteral(buffer, format, index,
-                   t(slice.duration()), budgetDescription, t(slice.start - slices[0].start),
+                   t(slice.duration()), budgetDescription, t(slice.start - slices_[0].start),
                    ExplainReason(slice.reason),
                    slice.wasReset() ? "yes - " : "no",
                    slice.wasReset() ? ExplainAbortReason(slice.resetReason) : "");
 
     FragmentVector fragments;
     if (!fragments.append(DuplicateString(buffer)) ||
-        !fragments.append(formatCompactSlicePhaseTimes(slices[index].phaseTimes)))
+        !fragments.append(formatCompactSlicePhaseTimes(slices_[index].phaseTimes)))
     {
         return UniqueChars(nullptr);
     }
@@ -473,7 +473,7 @@ Statistics::formatCompactSlicePhaseTimes(const PhaseTimeTable& phaseTimes) const
     for (AllPhaseIterator iter; !iter.done(); iter.advance()) {
         Phase phase;
         size_t dagSlot;
-        size_t level;
+        int level;
         iter.get(&phase, &dagSlot, &level);
         MOZ_ASSERT(level < 4);
 
@@ -496,18 +496,18 @@ Statistics::formatCompactSlicePhaseTimes(const PhaseTimeTable& phaseTimes) const
 }
 
 UniqueChars
-Statistics::formatDetailedMessage()
+Statistics::formatDetailedMessage() const
 {
     FragmentVector fragments;
 
     if (!fragments.append(formatDetailedDescription()))
         return UniqueChars(nullptr);
 
-    if (slices.length() > 1) {
-        for (unsigned i = 0; i < slices.length(); i++) {
-            if (!fragments.append(formatDetailedSliceDescription(i, slices[i])))
+    if (!slices_.empty()) {
+        for (unsigned i = 0; i < slices_.length(); i++) {
+            if (!fragments.append(formatDetailedSliceDescription(i, slices_[i])))
                 return UniqueChars(nullptr);
-            if (!fragments.append(formatDetailedPhaseTimes(slices[i].phaseTimes)))
+            if (!fragments.append(formatDetailedPhaseTimes(slices_[i].phaseTimes)))
                 return UniqueChars(nullptr);
         }
     }
@@ -520,7 +520,7 @@ Statistics::formatDetailedMessage()
 }
 
 UniqueChars
-Statistics::formatDetailedDescription()
+Statistics::formatDetailedDescription() const
 {
     const double bytesPerMiB = 1024 * 1024;
 
@@ -548,7 +548,7 @@ Statistics::formatDetailedDescription()
     char buffer[1024];
     SprintfLiteral(buffer, format,
                    ExplainInvocationKind(gckind),
-                   ExplainReason(slices[0].reason),
+                   ExplainReason(slices_[0].reason),
                    nonincremental() ? "no - " : "yes",
                    nonincremental() ? ExplainAbortReason(nonincrementalReason_) : "",
                    zoneStats.collectedZoneCount, zoneStats.zoneCount, zoneStats.sweptZoneCount,
@@ -566,7 +566,7 @@ Statistics::formatDetailedDescription()
 }
 
 UniqueChars
-Statistics::formatDetailedSliceDescription(unsigned i, const SliceData& slice)
+Statistics::formatDetailedSliceDescription(unsigned i, const SliceData& slice) const
 {
     char budgetDescription[200];
     slice.budget.describe(budgetDescription, sizeof(budgetDescription) - 1);
@@ -586,14 +586,13 @@ Statistics::formatDetailedSliceDescription(unsigned i, const SliceData& slice)
                    slice.wasReset() ? ExplainAbortReason(slice.resetReason) : "",
                    gc::StateName(slice.initialState), gc::StateName(slice.finalState),
                    uint64_t(slice.endFaults - slice.startFaults),
-                   t(slice.duration()), budgetDescription, t(slice.start - slices[0].start));
+                   t(slice.duration()), budgetDescription, t(slice.start - slices_[0].start));
     return DuplicateString(buffer);
 }
 
 UniqueChars
-Statistics::formatDetailedPhaseTimes(const PhaseTimeTable& phaseTimes)
+Statistics::formatDetailedPhaseTimes(const PhaseTimeTable& phaseTimes) const
 {
-    static const char* LevelToIndent[] = { "", "  ", "    ", "      " };
     static const TimeDuration MaxUnaccountedChildTime = TimeDuration::FromMicroseconds(50);
 
     FragmentVector fragments;
@@ -601,22 +600,20 @@ Statistics::formatDetailedPhaseTimes(const PhaseTimeTable& phaseTimes)
     for (AllPhaseIterator iter; !iter.done(); iter.advance()) {
         Phase phase;
         size_t dagSlot;
-        size_t level;
+        int level;
         iter.get(&phase, &dagSlot, &level);
-        MOZ_ASSERT(level < 4);
 
         TimeDuration ownTime = phaseTimes[dagSlot][phase];
         TimeDuration childTime = SumChildTimes(dagSlot, phase, phaseTimes);
         if (!ownTime.IsZero()) {
-            SprintfLiteral(buffer, "      %s%s: %.3fms\n",
-                           LevelToIndent[level], phases[phase].name, t(ownTime));
+            SprintfLiteral(buffer, "      %*s: %.3fms\n",
+                           level * 2, phases[phase].name, t(ownTime));
             if (!fragments.append(DuplicateString(buffer)))
                 return UniqueChars(nullptr);
 
             if (childTime && (ownTime - childTime) > MaxUnaccountedChildTime) {
-                MOZ_ASSERT(level < 3);
-                SprintfLiteral(buffer, "      %s%s: %.3fms\n",
-                               LevelToIndent[level + 1], "Other", t(ownTime - childTime));
+                SprintfLiteral(buffer, "      %*s: %.3fms\n",
+                               (level + 1) * 2, "Other", t(ownTime - childTime));
                 if (!fragments.append(DuplicateString(buffer)))
                     return UniqueChars(nullptr);
             }
@@ -626,7 +623,7 @@ Statistics::formatDetailedPhaseTimes(const PhaseTimeTable& phaseTimes)
 }
 
 UniqueChars
-Statistics::formatDetailedTotals()
+Statistics::formatDetailedTotals() const
 {
     TimeDuration total, longest;
     gcDuration(&total, &longest);
@@ -642,148 +639,134 @@ Statistics::formatDetailedTotals()
     return DuplicateString(buffer);
 }
 
-UniqueChars
-Statistics::formatJsonMessage(uint64_t timestamp)
+void
+Statistics::formatJsonSlice(size_t sliceNum, JSONPrinter& json) const
 {
-    MOZ_ASSERT(!aborted);
+    json.beginObject();
+    formatJsonSliceDescription(sliceNum, slices_[sliceNum], json);
 
-    FragmentVector fragments;
+    json.beginObjectProperty("times");
+    formatJsonPhaseTimes(slices_[sliceNum].phaseTimes, json);
+    json.endObject();
 
-    if (!fragments.append(DuplicateString("{")) ||
-        !fragments.append(formatJsonDescription(timestamp)) ||
-        !fragments.append(DuplicateString("\"slices\":[")))
-    {
-        return UniqueChars(nullptr);
-    }
-
-    for (unsigned i = 0; i < slices.length(); i++) {
-        if (!fragments.append(DuplicateString("{")) ||
-            !fragments.append(formatJsonSliceDescription(i, slices[i])) ||
-            !fragments.append(DuplicateString("\"times\":{")) ||
-            !fragments.append(formatJsonPhaseTimes(slices[i].phaseTimes)) ||
-            !fragments.append(DuplicateString("}}")) ||
-            (i < (slices.length() - 1) && !fragments.append(DuplicateString(","))))
-        {
-            return UniqueChars(nullptr);
-        }
-    }
-
-    if (!fragments.append(DuplicateString("],\"totals\":{")) ||
-        !fragments.append(formatJsonPhaseTimes(phaseTimes)) ||
-        !fragments.append(DuplicateString("}}")))
-    {
-        return UniqueChars(nullptr);
-    }
-
-    return Join(fragments);
-}
-
-// JSON requires decimals to be separated by periods, but the LC_NUMERIC
-// setting may cause printf to use commas in some locales. Split a duration
-// into whole and fractional parts of milliseconds, for use in passing to
-// %llu.%03llu.
-static lldiv_t
-SplitDurationMS(TimeDuration d)
-{
-    return lldiv(static_cast<int64_t>(d.ToMicroseconds()), 1000);
+    json.endObject();
 }
 
 UniqueChars
-Statistics::formatJsonDescription(uint64_t timestamp)
+Statistics::renderJsonSlice(size_t sliceNum) const
 {
+    Sprinter printer(nullptr, false);
+    if (!printer.init())
+        return UniqueChars(nullptr);
+    JSONPrinter json(printer);
+
+    formatJsonSlice(sliceNum, json);
+    return UniqueChars(printer.release());
+}
+
+UniqueChars
+Statistics::renderNurseryJson(JSRuntime* rt) const
+{
+    Sprinter printer(nullptr, false);
+    if (!printer.init())
+        return UniqueChars(nullptr);
+    JSONPrinter json(printer);
+    rt->gc.nursery().renderProfileJSON(json);
+    return UniqueChars(printer.release());
+}
+
+UniqueChars
+Statistics::renderJsonMessage(uint64_t timestamp, bool includeSlices) const
+{
+    if (aborted)
+        return DuplicateString("{status:\"aborted\"}"); // May return nullptr
+
+    Sprinter printer(nullptr, false);
+    if (!printer.init())
+        return UniqueChars(nullptr);
+    JSONPrinter json(printer);
+
+    json.beginObject();
+    formatJsonDescription(timestamp, json);
+
+    if (includeSlices) {
+        json.beginListProperty("slices");
+        for (unsigned i = 0; i < slices_.length(); i++)
+            formatJsonSlice(i, json);
+        json.endList();
+    }
+
+    json.beginObjectProperty("totals");
+    formatJsonPhaseTimes(phaseTimes, json);
+    json.endObject();
+
+    json.endObject();
+
+    return UniqueChars(printer.release());
+}
+
+void
+Statistics::formatJsonDescription(uint64_t timestamp, JSONPrinter& json) const
+{
+    json.property("timestamp", timestamp);
+
     TimeDuration total, longest;
     gcDuration(&total, &longest);
-    lldiv_t totalParts = SplitDurationMS(total);
-    lldiv_t longestParts = SplitDurationMS(longest);
+    json.property("max_pause", longest, JSONPrinter::MILLISECONDS);
+    json.property("total_time", total, JSONPrinter::MILLISECONDS);
 
-    TimeDuration sccTotal, sccLongest;
-    sccDurations(&sccTotal, &sccLongest);
-    lldiv_t sccTotalParts = SplitDurationMS(sccTotal);
-    lldiv_t sccLongestParts = SplitDurationMS(sccLongest);
+    json.property("reason", ExplainReason(slices_[0].reason));
+    json.property("zones_collected", zoneStats.collectedZoneCount);
+    json.property("total_zones", zoneStats.zoneCount);
+    json.property("total_compartments", zoneStats.compartmentCount);
+    json.property("minor_gcs", counts[STAT_MINOR_GC]);
+    json.property("store_buffer_overflows", counts[STAT_STOREBUFFER_OVERFLOW]);
 
     const double mmu20 = computeMMU(TimeDuration::FromMilliseconds(20));
     const double mmu50 = computeMMU(TimeDuration::FromMilliseconds(50));
+    json.property("mmu_20ms", int(mmu20 * 100));
+    json.property("mmu_50ms", int(mmu50 * 100));
 
-    const char *format =
-        "\"timestamp\":%llu,"
-        "\"max_pause\":%llu.%03llu,"
-        "\"total_time\":%llu.%03llu,"
-        "\"zones_collected\":%d,"
-        "\"total_zones\":%d,"
-        "\"total_compartments\":%d,"
-        "\"minor_gcs\":%d,"
-        "\"store_buffer_overflows\":%d,"
-        "\"mmu_20ms\":%d,"
-        "\"mmu_50ms\":%d,"
-        "\"scc_sweep_total\":%llu.%03llu,"
-        "\"scc_sweep_max_pause\":%llu.%03llu,"
-        "\"nonincremental_reason\":\"%s\","
-        "\"allocated\":%u,"
-        "\"added_chunks\":%d,"
-        "\"removed_chunks\":%d,";
-    char buffer[1024];
-    SprintfLiteral(buffer, format,
-                   (unsigned long long)timestamp,
-                   longestParts.quot, longestParts.rem,
-                   totalParts.quot, totalParts.rem,
-                   zoneStats.collectedZoneCount,
-                   zoneStats.zoneCount,
-                   zoneStats.compartmentCount,
-                   getCount(STAT_MINOR_GC),
-                   getCount(STAT_STOREBUFFER_OVERFLOW),
-                   int(mmu20 * 100),
-                   int(mmu50 * 100),
-                   sccTotalParts.quot, sccTotalParts.rem,
-                   sccLongestParts.quot, sccLongestParts.rem,
-                   ExplainAbortReason(nonincrementalReason_),
-                   unsigned(preBytes / 1024 / 1024),
-                   getCount(STAT_NEW_CHUNK),
-                   getCount(STAT_DESTROY_CHUNK));
-    return DuplicateString(buffer);
+    TimeDuration sccTotal, sccLongest;
+    sccDurations(&sccTotal, &sccLongest);
+    json.property("scc_sweep_total", sccTotal, JSONPrinter::MILLISECONDS);
+    json.property("scc_sweep_max_pause", sccLongest, JSONPrinter::MILLISECONDS);
+
+    json.property("nonincremental_reason", ExplainAbortReason(nonincrementalReason_));
+    json.property("allocated", uint64_t(preBytes) / 1024 / 1024);
+    json.property("added_chunks", getCount(STAT_NEW_CHUNK));
+    json.property("removed_chunks", getCount(STAT_DESTROY_CHUNK));
+    json.property("major_gc_number", startingMajorGCNumber);
+    json.property("minor_gc_number", startingMinorGCNumber);
 }
 
-UniqueChars
-Statistics::formatJsonSliceDescription(unsigned i, const SliceData& slice)
+void
+Statistics::formatJsonSliceDescription(unsigned i, const SliceData& slice, JSONPrinter& json) const
 {
-    TimeDuration duration = slice.duration();
-    lldiv_t durationParts = SplitDurationMS(duration);
-    TimeDuration when = slice.start - slices[0].start;
-    lldiv_t whenParts = SplitDurationMS(when);
+    TimeDuration when = slice.start - slices_[0].start;
     char budgetDescription[200];
     slice.budget.describe(budgetDescription, sizeof(budgetDescription) - 1);
-    int64_t pageFaults = slice.endFaults - slice.startFaults;
     TimeStamp originTime = TimeStamp::ProcessCreation();
 
-    const char* format =
-        "\"slice\":%d,"
-        "\"pause\":%llu.%03llu,"
-        "\"when\":%llu.%03llu,"
-        "\"reason\":\"%s\","
-        "\"initial_state\":\"%s\","
-        "\"final_state\":\"%s\","
-        "\"budget\":\"%s\","
-        "\"page_faults\":%llu,"
-        "\"start_timestamp\":%llu,"
-        "\"end_timestamp\":%llu,";
-    char buffer[1024];
-    SprintfLiteral(buffer, format,
-                   i,
-                   durationParts.quot, durationParts.rem,
-                   whenParts.quot, whenParts.rem,
-                   ExplainReason(slice.reason),
-                   gc::StateName(slice.initialState),
-                   gc::StateName(slice.finalState),
-                   budgetDescription,
-                   pageFaults,
-                   (slice.start - originTime).ToSeconds(),
-                   (slice.end - originTime).ToSeconds());
-    return DuplicateString(buffer);
+    json.property("slice", i);
+    json.property("pause", slice.duration(), JSONPrinter::MILLISECONDS);
+    json.property("when", when, JSONPrinter::MILLISECONDS);
+    json.property("reason", ExplainReason(slice.reason));
+    json.property("initial_state", gc::StateName(slice.initialState));
+    json.property("final_state", gc::StateName(slice.finalState));
+    json.property("budget", budgetDescription);
+    json.property("page_faults", int64_t(slice.endFaults - slice.startFaults));
+    json.property("start_timestamp", slice.start - originTime, JSONPrinter::SECONDS);
+    json.property("end_timestamp", slice.end - originTime, JSONPrinter::SECONDS);
 }
 
-UniqueChars
-FilterJsonKey(const char*const buffer)
+static UniqueChars
+SanitizeJsonKey(const char* const buffer)
 {
     char* mut = strdup(buffer);
+    if (!mut)
+        return UniqueChars(nullptr);
+
     char* c = mut;
     while (*c) {
         if (!isalpha(*c))
@@ -792,31 +775,25 @@ FilterJsonKey(const char*const buffer)
             *c = tolower(*c);
         ++c;
     }
+
     return UniqueChars(mut);
 }
 
-UniqueChars
-Statistics::formatJsonPhaseTimes(const PhaseTimeTable& phaseTimes)
+void
+Statistics::formatJsonPhaseTimes(const PhaseTimeTable& phaseTimes, JSONPrinter& json) const
 {
-    FragmentVector fragments;
-    char buffer[128];
     for (AllPhaseIterator iter; !iter.done(); iter.advance()) {
         Phase phase;
         size_t dagSlot;
         iter.get(&phase, &dagSlot);
 
-        UniqueChars name = FilterJsonKey(phases[phase].name);
+        UniqueChars name = SanitizeJsonKey(phases[phase].name);
+        if (!name)
+            json.outOfMemory();
         TimeDuration ownTime = phaseTimes[dagSlot][phase];
-        if (!ownTime.IsZero()) {
-            lldiv_t ownParts = SplitDurationMS(ownTime);
-            SprintfLiteral(buffer, "\"%s\":%llu.%03llu",
-                           name.get(), ownParts.quot, ownParts.rem);
-
-            if (!fragments.append(DuplicateString(buffer)))
-                return UniqueChars(nullptr);
-        }
+        if (!ownTime.IsZero())
+            json.property(name.get(), ownTime, JSONPrinter::MILLISECONDS);
     }
-    return Join(fragments, ",");
 }
 
 Statistics::Statistics(JSRuntime* rt)
@@ -991,24 +968,28 @@ LongestPhaseSelfTime(const Statistics::PhaseTimeTable& times)
     for (auto i : AllPhases())
         selfTimes[i] = SumPhase(i, times);
 
-    // Subtract out the children's times.
+    // We have the total time spent in each phase, including descendant times.
+    // Loop over the children and subtract their times from their parent's self
+    // time.
     for (auto i : AllPhases()) {
         Phase parent = phases[i].parent;
         if (parent == PHASE_MULTI_PARENTS) {
-            // Subtract out only the time for the children specific to this
-            // parent.
+            // Current phase i has multiple parents. Each "instance" of this
+            // phase is in a parallel array of times indexed by 'dagSlot', so
+            // subtract only the dagSlot-specific child's time from the parent.
             for (auto edge : dagChildEdges) {
-                if (edge.parent == parent) {
+                if (edge.parent == i) {
                     size_t dagSlot = phaseExtra[edge.parent].dagSlot;
                     MOZ_ASSERT(dagSlot <= Statistics::MaxMultiparentPhases - 1);
-                    CheckSelfTime(parent, edge.child, times, selfTimes, times[dagSlot][edge.child]);
-                    MOZ_ASSERT(selfTimes[parent] >= times[dagSlot][edge.child]);
-                    selfTimes[parent] -= times[dagSlot][edge.child];
+                    CheckSelfTime(edge.parent, edge.child, times,
+                                  selfTimes, times[dagSlot][edge.child]);
+                    MOZ_ASSERT(selfTimes[edge.parent] >= times[dagSlot][edge.child]);
+                    selfTimes[edge.parent] -= times[dagSlot][edge.child];
                 }
             }
         } else if (parent != PHASE_NO_PARENT) {
-            MOZ_ASSERT(selfTimes[parent] >= selfTimes[i]);
             CheckSelfTime(parent, i, times, selfTimes, selfTimes[i]);
+            MOZ_ASSERT(selfTimes[parent] >= selfTimes[i]);
             selfTimes[parent] -= selfTimes[i];
         }
     }
@@ -1034,7 +1015,7 @@ Statistics::printStats()
         UniqueChars msg = formatDetailedMessage();
         if (msg) {
             double secSinceStart =
-                (slices[0].start - TimeStamp::ProcessCreation()).ToSeconds();
+                (slices_[0].start - TimeStamp::ProcessCreation()).ToSeconds();
             fprintf(fp, "GC(T+%.3fs) %s\n", secSinceStart, msg.get());
         }
     }
@@ -1044,12 +1025,13 @@ Statistics::printStats()
 void
 Statistics::beginGC(JSGCInvocationKind kind)
 {
-    slices.clearAndFree();
+    slices_.clearAndFree();
     sccTimes.clearAndFree();
     gckind = kind;
     nonincrementalReason_ = gc::AbortReason::None;
 
     preBytes = runtime->gc.usage.gcBytes();
+    startingMajorGCNumber = runtime->gc.majorGCCount();
 }
 
 void
@@ -1103,6 +1085,7 @@ void
 Statistics::beginNurseryCollection(JS::gcreason::Reason reason)
 {
     count(STAT_MINOR_GC);
+    startingMinorGCNumber = runtime->gc.minorGCCount();
     if (nurseryCollectionCallback) {
         (*nurseryCollectionCallback)(TlsContext.get(),
                                      JS::GCNurseryProgress::GC_NURSERY_COLLECTION_START,
@@ -1130,11 +1113,11 @@ Statistics::beginSlice(const ZoneGCStats& zoneStats, JSGCInvocationKind gckind,
     if (first)
         beginGC(gckind);
 
-    if (!slices.emplaceBack(budget,
-                            reason,
-                            TimeStamp::Now(),
-                            GetPageFaultCount(),
-                            runtime->gc.state()))
+    if (!slices_.emplaceBack(budget,
+                             reason,
+                             TimeStamp::Now(),
+                             GetPageFaultCount(),
+                             runtime->gc.state()))
     {
         // If we are OOM, set a flag to indicate we have missing slice data.
         aborted = true;
@@ -1155,25 +1138,25 @@ void
 Statistics::endSlice()
 {
     if (!aborted) {
-        slices.back().end = TimeStamp::Now();
-        slices.back().endFaults = GetPageFaultCount();
-        slices.back().finalState = runtime->gc.state();
+        slices_.back().end = TimeStamp::Now();
+        slices_.back().endFaults = GetPageFaultCount();
+        slices_.back().finalState = runtime->gc.state();
 
-        TimeDuration sliceTime = slices.back().end - slices.back().start;
+        TimeDuration sliceTime = slices_.back().end - slices_.back().start;
         runtime->addTelemetry(JS_TELEMETRY_GC_SLICE_MS, t(sliceTime));
-        runtime->addTelemetry(JS_TELEMETRY_GC_RESET, slices.back().wasReset());
-        if (slices.back().wasReset())
-            runtime->addTelemetry(JS_TELEMETRY_GC_RESET_REASON, uint32_t(slices.back().resetReason));
+        runtime->addTelemetry(JS_TELEMETRY_GC_RESET, slices_.back().wasReset());
+        if (slices_.back().wasReset())
+            runtime->addTelemetry(JS_TELEMETRY_GC_RESET_REASON, uint32_t(slices_.back().resetReason));
 
-        if (slices.back().budget.isTimeBudget()) {
-            int64_t budget_ms = slices.back().budget.timeBudget.budget;
+        if (slices_.back().budget.isTimeBudget()) {
+            int64_t budget_ms = slices_.back().budget.timeBudget.budget;
             runtime->addTelemetry(JS_TELEMETRY_GC_BUDGET_MS, budget_ms);
             if (budget_ms == runtime->gc.defaultSliceBudget())
                 runtime->addTelemetry(JS_TELEMETRY_GC_ANIMATION_MS, t(sliceTime));
 
             // Record any phase that goes more than 2x over its budget.
             if (sliceTime.ToMilliseconds() > 2 * budget_ms) {
-                Phase longest = LongestPhaseSelfTime(slices.back().phaseTimes);
+                Phase longest = LongestPhaseSelfTime(slices_.back().phaseTimes);
                 runtime->addTelemetry(JS_TELEMETRY_GC_SLOW_PHASE, phases[longest].telemetryBucket);
             }
         }
@@ -1185,7 +1168,7 @@ Statistics::endSlice()
     if (last)
         endGC();
 
-    if (enableProfiling_ && !aborted && slices.back().duration() >= profileThreshold_)
+    if (enableProfiling_ && !aborted && slices_.back().duration() >= profileThreshold_)
         printSliceProfile();
 
     // Slice callbacks should only fire for the outermost level.
@@ -1194,7 +1177,7 @@ Statistics::endSlice()
         if (sliceCallback)
             (*sliceCallback)(TlsContext.get(),
                              last ? JS::GC_CYCLE_END : JS::GC_SLICE_END,
-                             JS::GCDescription(!wasFullGC, gckind, slices.back().reason));
+                             JS::GCDescription(!wasFullGC, gckind, slices_.back().reason));
     }
 
     // Do this after the slice callback since it uses these values.
@@ -1318,8 +1301,8 @@ Statistics::recordPhaseEnd(Phase phase)
     phaseNestingDepth--;
 
     TimeDuration t = now - phaseStartTimes[phase];
-    if (!slices.empty())
-        slices.back().phaseTimes[activeDagSlot][phase] += t;
+    if (!slices_.empty())
+        slices_.back().phaseTimes[activeDagSlot][phase] += t;
     phaseTimes[activeDagSlot][phase] += t;
     phaseStartTimes[phase] = TimeStamp();
 }
@@ -1343,8 +1326,8 @@ Statistics::endParallelPhase(Phase phase, const GCParallelTask* task)
 {
     phaseNestingDepth--;
 
-    if (!slices.empty())
-        slices.back().phaseTimes[PHASE_DAG_NONE][phase] += task->duration();
+    if (!slices_.empty())
+        slices_.back().phaseTimes[PHASE_DAG_NONE][phase] += task->duration();
     phaseTimes[PHASE_DAG_NONE][phase] += task->duration();
     phaseStartTimes[phase] = TimeStamp();
 }
@@ -1376,26 +1359,28 @@ Statistics::endSCC(unsigned scc, TimeStamp start)
 double
 Statistics::computeMMU(TimeDuration window) const
 {
-    MOZ_ASSERT(!slices.empty());
+    MOZ_ASSERT(!slices_.empty());
 
-    TimeDuration gc = slices[0].end - slices[0].start;
+    TimeDuration gc = slices_[0].end - slices_[0].start;
     TimeDuration gcMax = gc;
 
     if (gc >= window)
         return 0.0;
 
     int startIndex = 0;
-    for (size_t endIndex = 1; endIndex < slices.length(); endIndex++) {
-        gc += slices[endIndex].end - slices[endIndex].start;
+    for (size_t endIndex = 1; endIndex < slices_.length(); endIndex++) {
+        auto* startSlice = &slices_[startIndex];
+        auto& endSlice = slices_[endIndex];
+        gc += endSlice.end - endSlice.start;
 
-        while (slices[endIndex].end - slices[startIndex].end >= window) {
-            gc -= slices[startIndex].end - slices[startIndex].start;
-            startIndex++;
+        while (endSlice.end - startSlice->end >= window) {
+            gc -= startSlice->end - startSlice->start;
+            startSlice = &slices_[++startIndex];
         }
 
         TimeDuration cur = gc;
-        if (slices[endIndex].end - slices[startIndex].start > window)
-            cur -= (slices[endIndex].end - slices[startIndex].start - window);
+        if (endSlice.end - startSlice->start > window)
+            cur -= (endSlice.end - startSlice->start - window);
         if (cur > gcMax)
             gcMax = cur;
     }
@@ -1444,7 +1429,7 @@ Statistics::printProfileTimes(const ProfileDurations& times)
 void
 Statistics::printSliceProfile()
 {
-    const SliceData& slice = slices.back();
+    const SliceData& slice = slices_.back();
 
     maybePrintProfileHeaders();
 
diff --git a/js/src/gc/Statistics.h b/js/src/gc/Statistics.h
index 7f7423d158f9..cb4b70e9177f 100644
--- a/js/src/gc/Statistics.h
+++ b/js/src/gc/Statistics.h
@@ -20,6 +20,7 @@
 
 #include "js/GCAPI.h"
 #include "js/Vector.h"
+#include "vm/JSONPrinter.h"
 
 using mozilla::Maybe;
 
@@ -251,7 +252,7 @@ struct Statistics
     void reset(gc::AbortReason reason) {
         MOZ_ASSERT(reason != gc::AbortReason::None);
         if (!aborted)
-            slices.back().resetReason = reason;
+            slices_.back().resetReason = reason;
     }
 
     void nonincremental(gc::AbortReason reason) {
@@ -271,7 +272,7 @@ struct Statistics
         counts[s]++;
     }
 
-    uint32_t getCount(Stat s) {
+    uint32_t getCount(Stat s) const {
         return uint32_t(counts[s]);
     }
 
@@ -283,8 +284,7 @@ struct Statistics
 
     UniqueChars formatCompactSliceMessage() const;
     UniqueChars formatCompactSummaryMessage() const;
-    UniqueChars formatJsonMessage(uint64_t timestamp);
-    UniqueChars formatDetailedMessage();
+    UniqueChars formatDetailedMessage() const;
 
     JS::GCSliceCallback setSliceCallback(JS::GCSliceCallback callback);
     JS::GCNurseryCollectionCallback setNurseryCollectionCallback(
@@ -328,20 +328,36 @@ struct Statistics
     };
 
     typedef Vector<SliceData, 8, SystemAllocPolicy> SliceDataVector;
-    typedef SliceDataVector::ConstRange SliceRange;
 
-    SliceRange sliceRange() const { return slices.all(); }
-    size_t slicesLength() const { return slices.length(); }
+    const SliceDataVector& slices() const { return slices_; }
 
-    /* Occasionally print header lines for profiling information. */
+    TimeStamp start() const {
+        return slices_[0].start;
+    }
+
+    TimeStamp end() const {
+        return slices_.back().end;
+    }
+
+    // Occasionally print header lines for profiling information.
     void maybePrintProfileHeaders();
 
-    /* Print header line for profile times. */
+    // Print header line for profile times.
     void printProfileHeader();
 
-    /* Print total profile times on shutdown. */
+    // Print total profile times on shutdown.
     void printTotalProfileTimes();
 
+    // Return JSON for a whole major GC, optionally including detailed
+    // per-slice data.
+    UniqueChars renderJsonMessage(uint64_t timestamp, bool includeSlices = true) const;
+
+    // Return JSON for the timings of just the given slice.
+    UniqueChars renderJsonSlice(size_t sliceNum) const;
+
+    // Return JSON for the previous nursery collection.
+    UniqueChars renderNurseryJson(JSRuntime* rt) const;
+
   private:
     JSRuntime* runtime;
 
@@ -354,7 +370,7 @@ struct Statistics
 
     gc::AbortReason nonincrementalReason_;
 
-    SliceDataVector slices;
+    SliceDataVector slices_;
 
     /* Most recent time when the given phase started. */
     EnumeratedArray<Phase, PHASE_LIMIT, TimeStamp> phaseStartTimes;
@@ -377,6 +393,10 @@ struct Statistics
     /* Allocated space before the GC started. */
     size_t preBytes;
 
+    /* GC numbers as of the beginning of the collection. */
+    uint64_t startingMinorGCNumber;
+    uint64_t startingMajorGCNumber;
+
     /* Records the maximum GC pause in an API-controlled interval (in us). */
     mutable TimeDuration maxPauseInInterval;
 
@@ -432,19 +452,20 @@ FOR_EACH_GC_PROFILE_TIME(DEFINE_TIME_KEY)
     void recordPhaseEnd(Phase phase);
 
     void gcDuration(TimeDuration* total, TimeDuration* maxPause) const;
-    void sccDurations(TimeDuration* total, TimeDuration* maxPause);
+    void sccDurations(TimeDuration* total, TimeDuration* maxPause) const;
     void printStats();
 
     UniqueChars formatCompactSlicePhaseTimes(const PhaseTimeTable& phaseTimes) const;
 
-    UniqueChars formatDetailedDescription();
-    UniqueChars formatDetailedSliceDescription(unsigned i, const SliceData& slice);
-    UniqueChars formatDetailedPhaseTimes(const PhaseTimeTable& phaseTimes);
-    UniqueChars formatDetailedTotals();
+    UniqueChars formatDetailedDescription() const;
+    UniqueChars formatDetailedSliceDescription(unsigned i, const SliceData& slice) const;
+    UniqueChars formatDetailedPhaseTimes(const PhaseTimeTable& phaseTimes) const;
+    UniqueChars formatDetailedTotals() const;
 
-    UniqueChars formatJsonDescription(uint64_t timestamp);
-    UniqueChars formatJsonSliceDescription(unsigned i, const SliceData& slice);
-    UniqueChars formatJsonPhaseTimes(const PhaseTimeTable& phaseTimes);
+    void formatJsonDescription(uint64_t timestamp, JSONPrinter&) const;
+    void formatJsonSliceDescription(unsigned i, const SliceData& slice, JSONPrinter&) const;
+    void formatJsonPhaseTimes(const PhaseTimeTable& phaseTimes, JSONPrinter&) const;
+    void formatJsonSlice(size_t sliceNum, JSONPrinter&) const;
 
     double computeMMU(TimeDuration resolution) const;
 
diff --git a/js/src/gc/StoreBuffer-inl.h b/js/src/gc/StoreBuffer-inl.h
index 77058693205b..35115047e605 100644
--- a/js/src/gc/StoreBuffer-inl.h
+++ b/js/src/gc/StoreBuffer-inl.h
@@ -19,27 +19,28 @@ namespace gc {
 inline /* static */ size_t
 ArenaCellSet::getCellIndex(const TenuredCell* cell)
 {
-    MOZ_ASSERT((uintptr_t(cell) & ~ArenaMask) % CellSize == 0);
-    return (uintptr_t(cell) & ArenaMask) / CellSize;
+    uintptr_t cellOffset = uintptr_t(cell) & ArenaMask;
+    MOZ_ASSERT(cellOffset % ArenaCellIndexBytes == 0);
+    return cellOffset / ArenaCellIndexBytes;
 }
 
 inline /* static */ void
 ArenaCellSet::getWordIndexAndMask(size_t cellIndex, size_t* wordp, uint32_t* maskp)
 {
-    BitArray<ArenaCellCount>::getIndexAndMask(cellIndex, wordp, maskp);
+    BitArray<MaxArenaCellIndex>::getIndexAndMask(cellIndex, wordp, maskp);
 }
 
 inline bool
 ArenaCellSet::hasCell(size_t cellIndex) const
 {
-    MOZ_ASSERT(cellIndex < ArenaCellCount);
+    MOZ_ASSERT(cellIndex < MaxArenaCellIndex);
     return bits.get(cellIndex);
 }
 
 inline void
 ArenaCellSet::putCell(size_t cellIndex)
 {
-    MOZ_ASSERT(cellIndex < ArenaCellCount);
+    MOZ_ASSERT(cellIndex < MaxArenaCellIndex);
     bits.set(cellIndex);
 }
 
diff --git a/js/src/gc/StoreBuffer.h b/js/src/gc/StoreBuffer.h
index eb8642133347..b54e5f22a58e 100644
--- a/js/src/gc/StoreBuffer.h
+++ b/js/src/gc/StoreBuffer.h
@@ -450,7 +450,7 @@ class ArenaCellSet
     ArenaCellSet* next;
 
     // Bit vector for each possible cell start position.
-    BitArray<ArenaCellCount> bits;
+    BitArray<MaxArenaCellIndex> bits;
 
   public:
     explicit ArenaCellSet(Arena* arena);
diff --git a/js/src/gc/Verifier.cpp b/js/src/gc/Verifier.cpp
index 6a98310dd631..fd12f9ca681d 100644
--- a/js/src/gc/Verifier.cpp
+++ b/js/src/gc/Verifier.cpp
@@ -590,7 +590,7 @@ CheckHeapTracer::CheckHeapTracer(JSRuntime* rt)
 inline static bool
 IsValidGCThingPointer(Cell* cell)
 {
-    return (uintptr_t(cell) & CellMask) == 0;
+    return (uintptr_t(cell) & CellAlignMask) == 0;
 }
 
 void
diff --git a/js/src/irregexp/RegExpEngine.cpp b/js/src/irregexp/RegExpEngine.cpp
index 31d09069258f..80acf7622580 100644
--- a/js/src/irregexp/RegExpEngine.cpp
+++ b/js/src/irregexp/RegExpEngine.cpp
@@ -1569,6 +1569,7 @@ class irregexp::RegExpCompiler
     inline void DecrementRecursionDepth() { recursion_depth_--; }
 
     void SetRegExpTooBig() { reg_exp_too_big_ = true; }
+    inline bool isRegExpTooBig() { return reg_exp_too_big_; }
 
     inline bool ignore_case() { return ignore_case_; }
     inline bool latin1() { return latin1_; }
@@ -1585,6 +1586,8 @@ class irregexp::RegExpCompiler
 
     static const int kNoRegister = -1;
 
+    bool CheckOverRecursed();
+
   private:
     EndNode* accept_;
     int next_register_;
@@ -1771,6 +1774,13 @@ irregexp::CompilePattern(JSContext* cx, HandleRegExpShared shared, RegExpCompile
             node = loop_node;
         }
     }
+
+    if (compiler.isRegExpTooBig()) {
+        MOZ_ASSERT(compiler.cx()->isExceptionPending()); // over recursed
+        JS_ReportErrorASCII(cx, "regexp too big");
+        return RegExpCode();
+    }
+
     if (is_latin1) {
         node = node->FilterLATIN1(RegExpCompiler::kMaxRecursion, ignore_case, unicode);
         // Do it again to propagate the new nodes to places where they were not
@@ -1884,6 +1894,9 @@ RegExpCharacterClass::ToNode(RegExpCompiler* compiler, RegExpNode* on_success)
 RegExpNode*
 RegExpDisjunction::ToNode(RegExpCompiler* compiler, RegExpNode* on_success)
 {
+    if (!compiler->CheckOverRecursed())
+        return on_success;
+
     const RegExpTreeVector& alternatives = this->alternatives();
     size_t length = alternatives.length();
     ChoiceNode* result = compiler->alloc()->newInfallible<ChoiceNode>(compiler->alloc(), length);
@@ -1977,6 +1990,9 @@ RegExpQuantifier::ToNode(int min,
     if (max == 0)
         return on_success;  // This can happen due to recursion.
 
+    if (!compiler->CheckOverRecursed())
+        return on_success;
+
     bool body_can_be_empty = (body->min_match() == 0);
     int body_start_reg = RegExpCompiler::kNoRegister;
     Interval capture_registers = body->CaptureRegisters();
@@ -2161,6 +2177,9 @@ RegExpLookahead::ToNode(RegExpCompiler* compiler, RegExpNode* on_success)
     int register_start =
         register_of_first_capture + capture_from_ * registers_per_capture;
 
+    if (!compiler->CheckOverRecursed())
+        return on_success;
+
     if (is_positive()) {
         RegExpNode* bodyNode =
             body()->ToNode(compiler,
@@ -2214,6 +2233,9 @@ RegExpCapture::ToNode(RegExpTree* body,
                       RegExpCompiler* compiler,
                       RegExpNode* on_success)
 {
+    if (!compiler->CheckOverRecursed())
+        return on_success;
+
     int start_reg = RegExpCapture::StartRegister(index);
     int end_reg = RegExpCapture::EndRegister(index);
     RegExpNode* store_end = ActionNode::StorePosition(end_reg, true, on_success);
@@ -2224,6 +2246,9 @@ RegExpCapture::ToNode(RegExpTree* body,
 RegExpNode*
 RegExpAlternative::ToNode(RegExpCompiler* compiler, RegExpNode* on_success)
 {
+    if (!compiler->CheckOverRecursed())
+        return on_success;
+
     const RegExpTreeVector& children = nodes();
     RegExpNode* current = on_success;
     for (int i = children.length() - 1; i >= 0; i--)
@@ -2497,16 +2522,22 @@ BoyerMooreLookahead::EmitSkipInstructions(RegExpMacroAssembler* masm)
 }
 
 bool
-BoyerMooreLookahead::CheckOverRecursed()
+RegExpCompiler::CheckOverRecursed()
 {
-    if (!CheckRecursionLimit(compiler()->cx())) {
-        compiler()->SetRegExpTooBig();
+    if (!CheckRecursionLimit(cx())) {
+        SetRegExpTooBig();
         return false;
     }
 
     return true;
 }
 
+bool
+BoyerMooreLookahead::CheckOverRecursed()
+{
+    return compiler()->CheckOverRecursed();
+}
+
 // -------------------------------------------------------------------
 // Trace
 
diff --git a/js/src/jit-test/tests/debug/wasm-12.js b/js/src/jit-test/tests/debug/wasm-12.js
index 18d3b574d8ab..9433934552c2 100644
--- a/js/src/jit-test/tests/debug/wasm-12.js
+++ b/js/src/jit-test/tests/debug/wasm-12.js
@@ -6,7 +6,7 @@ if (!wasmIsSupported())
 var g = newGlobal();
 g.eval(`
 function initWasm(s) { return new WebAssembly.Instance(new WebAssembly.Module(wasmTextToBinary(s))); }
-o = initWasm('(module (func) (export "" 0))');
+o1 = initWasm('(module (func) (export "" 0))');
 o2 = initWasm('(module (func) (func) (export "" 1))');
 `);
 
@@ -14,7 +14,7 @@ function isWasm(script) { return script.format === "wasm"; }
 
 function isValidWasmURL(url) {
    // The URLs will have the following format:
-   //   wasm: [<uri-econded-filename-of-host> ":"] <64-bit-hash>
+   //   wasm: [<uri-encoded-filename-of-host> ":"] <64-bit-hash>
    return /^wasm:(?:[^:]*:)*?[0-9a-f]{16}$/.test(url);
 }
 
diff --git a/js/src/jit/CacheIRSpewer.cpp b/js/src/jit/CacheIRSpewer.cpp
index e5893b59582a..8008cfdc9616 100644
--- a/js/src/jit/CacheIRSpewer.cpp
+++ b/js/src/jit/CacheIRSpewer.cpp
@@ -81,14 +81,14 @@ CacheIRSpewer::beginCache(LockGuard<Mutex>&, const IRGenerator& gen)
     JSONPrinter& j = json.ref();
 
     j.beginObject();
-    j.stringProperty("name", "%s", CacheKindNames[uint8_t(gen.cacheKind_)]);
-    j.stringProperty("file", "%s", gen.script_->filename());
-    j.integerProperty("mode", int(gen.mode_));
+    j.property("name", CacheKindNames[uint8_t(gen.cacheKind_)]);
+    j.property("file", gen.script_->filename());
+    j.property("mode", int(gen.mode_));
     if (jsbytecode* pc = gen.pc_) {
         unsigned column;
-        j.integerProperty("line", PCToLineNumber(gen.script_, pc, &column));
-        j.integerProperty("column", column);
-        j.stringProperty("pc", "%p", pc);
+        j.property("line", PCToLineNumber(gen.script_, pc, &column));
+        j.property("column", column);
+        j.formatProperty("pc", "%p", pc);
     }
 }
 
@@ -133,12 +133,12 @@ CacheIRSpewer::valueProperty(LockGuard<Mutex>&, const char* name, const Value& v
     const char* type = InformalValueTypeName(v);
     if (v.isInt32())
         type = "int32";
-    j.stringProperty("type", "%s", type);
+    j.property("type", type);
 
     if (v.isInt32()) {
-        j.integerProperty("value", v.toInt32());
+        j.property("value", v.toInt32());
     } else if (v.isDouble()) {
-        j.doubleProperty("value", v.toDouble());
+        j.property("value", v.toDouble());
     } else if (v.isString() || v.isSymbol()) {
         JSString* str = v.isString() ? v.toString() : v.toSymbol()->description();
         if (str && str->isLinear()) {
@@ -147,7 +147,7 @@ CacheIRSpewer::valueProperty(LockGuard<Mutex>&, const char* name, const Value& v
             j.endStringProperty();
         }
     } else if (v.isObject()) {
-        j.stringProperty("value", "%p (shape: %p)", &v.toObject(),
+        j.formatProperty("value", "%p (shape: %p)", &v.toObject(),
                          v.toObject().maybeShape());
     }
 
@@ -158,7 +158,7 @@ void
 CacheIRSpewer::attached(LockGuard<Mutex>&, const char* name)
 {
     MOZ_ASSERT(enabled());
-    json.ref().stringProperty("attached", "%s", name);
+    json.ref().property("attached", name);
 }
 
 void
diff --git a/js/src/jit/CacheIRSpewer.h b/js/src/jit/CacheIRSpewer.h
index 68ef4b1ddae0..d605a60a62c1 100644
--- a/js/src/jit/CacheIRSpewer.h
+++ b/js/src/jit/CacheIRSpewer.h
@@ -12,9 +12,9 @@
 #include "mozilla/Maybe.h"
 
 #include "jit/CacheIR.h"
-#include "jit/JSONPrinter.h"
 #include "js/TypeDecls.h"
 #include "threading/LockGuard.h"
+#include "vm/JSONPrinter.h"
 #include "vm/MutexIDs.h"
 
 namespace js {
diff --git a/js/src/jit/Ion.cpp b/js/src/jit/Ion.cpp
index 35fe48693c7f..ac81f22e5b86 100644
--- a/js/src/jit/Ion.cpp
+++ b/js/src/jit/Ion.cpp
@@ -68,7 +68,7 @@ using namespace js;
 using namespace js::jit;
 
 // Assert that JitCode is gc::Cell aligned.
-JS_STATIC_ASSERT(sizeof(JitCode) % gc::CellSize == 0);
+JS_STATIC_ASSERT(sizeof(JitCode) % gc::CellAlignBytes == 0);
 
 static MOZ_THREAD_LOCAL(JitContext*) TlsJitContext;
 
diff --git a/js/src/jit/JSONPrinter.cpp b/js/src/jit/JSONPrinter.cpp
deleted file mode 100644
index f355f9bb7798..000000000000
--- a/js/src/jit/JSONPrinter.cpp
+++ /dev/null
@@ -1,148 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
- * vim: set ts=8 sts=4 et sw=4 tw=99:
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "jit/JSONPrinter.h"
-
-#include "mozilla/Assertions.h"
-#include "mozilla/FloatingPoint.h"
-#include "mozilla/SizePrintfMacros.h"
-
-#include <stdarg.h>
-
-using namespace js;
-using namespace js::jit;
-
-void
-JSONPrinter::indent()
-{
-    MOZ_ASSERT(indentLevel_ >= 0);
-    out_.printf("\n");
-    for (int i = 0; i < indentLevel_; i++)
-        out_.printf("  ");
-}
-
-void
-JSONPrinter::property(const char* name)
-{
-    if (!first_)
-        out_.printf(",");
-    indent();
-    out_.printf("\"%s\":", name);
-    first_ = false;
-}
-
-void
-JSONPrinter::beginObject()
-{
-    if (!first_) {
-        out_.printf(",");
-        indent();
-    }
-    out_.printf("{");
-    indentLevel_++;
-    first_ = true;
-}
-
-void
-JSONPrinter::beginObjectProperty(const char* name)
-{
-    property(name);
-    out_.printf("{");
-    indentLevel_++;
-    first_ = true;
-}
-
-void
-JSONPrinter::beginListProperty(const char* name)
-{
-    property(name);
-    out_.printf("[");
-    first_ = true;
-}
-
-void
-JSONPrinter::beginStringProperty(const char* name)
-{
-    property(name);
-    out_.printf("\"");
-}
-
-void
-JSONPrinter::endStringProperty()
-{
-    out_.printf("\"");
-}
-
-void
-JSONPrinter::stringProperty(const char* name, const char* format, ...)
-{
-    va_list ap;
-    va_start(ap, format);
-
-    beginStringProperty(name);
-    out_.vprintf(format, ap);
-    endStringProperty();
-
-    va_end(ap);
-}
-
-void
-JSONPrinter::stringValue(const char* format, ...)
-{
-    va_list ap;
-    va_start(ap, format);
-
-    if (!first_)
-        out_.printf(",");
-    out_.printf("\"");
-    out_.vprintf(format, ap);
-    out_.printf("\"");
-
-    va_end(ap);
-    first_ = false;
-}
-
-void
-JSONPrinter::integerProperty(const char* name, int value)
-{
-    property(name);
-    out_.printf("%d", value);
-}
-
-void
-JSONPrinter::integerValue(int value)
-{
-    if (!first_)
-        out_.printf(",");
-    out_.printf("%d", value);
-    first_ = false;
-}
-
-void
-JSONPrinter::doubleProperty(const char* name, double value)
-{
-    property(name);
-    if (mozilla::IsFinite(value))
-        out_.printf("%f", value);
-    else
-        out_.printf("null");
-}
-
-void
-JSONPrinter::endObject()
-{
-    indentLevel_--;
-    indent();
-    out_.printf("}");
-    first_ = false;
-}
-
-void
-JSONPrinter::endList()
-{
-    out_.printf("]");
-    first_ = false;
-}
diff --git a/js/src/jit/JSONPrinter.h b/js/src/jit/JSONPrinter.h
deleted file mode 100644
index 90fdc3abf833..000000000000
--- a/js/src/jit/JSONPrinter.h
+++ /dev/null
@@ -1,52 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
- * vim: set ts=8 sts=4 et sw=4 tw=99:
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef jit_JSONPrinter_h
-#define jit_JSONPrinter_h
-
-#include <stdio.h>
-
-#include "js/TypeDecls.h"
-#include "vm/Printer.h"
-
-namespace js {
-namespace jit {
-
-class JSONPrinter
-{
-  protected:
-    int indentLevel_;
-    bool first_;
-    GenericPrinter& out_;
-
-    void indent();
-
-  public:
-    explicit JSONPrinter(GenericPrinter& out)
-      : indentLevel_(0),
-        first_(true),
-        out_(out)
-    { }
-
-    void property(const char* name);
-    void beginObject();
-    void beginObjectProperty(const char* name);
-    void beginListProperty(const char* name);
-    void stringValue(const char* format, ...) MOZ_FORMAT_PRINTF(2, 3);
-    void stringProperty(const char* name, const char* format, ...) MOZ_FORMAT_PRINTF(3, 4);
-    void beginStringProperty(const char* name);
-    void endStringProperty();
-    void integerValue(int value);
-    void integerProperty(const char* name, int value);
-    void doubleProperty(const char* name, double value);
-    void endObject();
-    void endList();
-};
-
-} // namespace jit
-} // namespace js
-
-#endif /* jit_JSONPrinter_h */
diff --git a/js/src/jit/JSONSpewer.cpp b/js/src/jit/JSONSpewer.cpp
index 96bf263c8f66..d5ca43c0f767 100644
--- a/js/src/jit/JSONSpewer.cpp
+++ b/js/src/jit/JSONSpewer.cpp
@@ -26,9 +26,9 @@ JSONSpewer::beginFunction(JSScript* script)
 {
     beginObject();
     if (script)
-        stringProperty("name", "%s:%" PRIuSIZE, script->filename(), script->lineno());
+        formatProperty("name", "%s:%" PRIuSIZE, script->filename(), script->lineno());
     else
-        stringProperty("name", "wasm compilation");
+        property("name", "wasm compilation");
     beginListProperty("passes");
 }
 
@@ -36,7 +36,7 @@ void
 JSONSpewer::beginPass(const char* pass)
 {
     beginObject();
-    stringProperty("name", "%s", pass);
+    property("name", pass);
 }
 
 void
@@ -48,26 +48,26 @@ JSONSpewer::spewMResumePoint(MResumePoint* rp)
     beginObjectProperty("resumePoint");
 
     if (rp->caller())
-        integerProperty("caller", rp->caller()->block()->id());
+        property("caller", rp->caller()->block()->id());
 
     switch (rp->mode()) {
       case MResumePoint::ResumeAt:
-        stringProperty("mode", "%s", "At");
+        property("mode", "At");
         break;
       case MResumePoint::ResumeAfter:
-        stringProperty("mode", "%s", "After");
+        property("mode", "After");
         break;
       case MResumePoint::Outer:
-        stringProperty("mode", "%s", "Outer");
+        property("mode", "Outer");
         break;
     }
 
     beginListProperty("operands");
     for (MResumePoint* iter = rp; iter; iter = iter->caller()) {
         for (int i = iter->numOperands() - 1; i >= 0; i--)
-            integerValue(iter->getOperand(i)->id());
+            value(iter->getOperand(i)->id());
         if (iter->caller())
-            stringValue("|");
+            value("|");
     }
     endList();
 
@@ -79,33 +79,33 @@ JSONSpewer::spewMDef(MDefinition* def)
 {
     beginObject();
 
-    integerProperty("id", def->id());
+    property("id", def->id());
 
-    property("opcode");
+    propertyName("opcode");
     out_.printf("\"");
     def->printOpcode(out_);
     out_.printf("\"");
 
     beginListProperty("attributes");
-#define OUTPUT_ATTRIBUTE(X) do{ if(def->is##X()) stringValue(#X); } while(0);
+#define OUTPUT_ATTRIBUTE(X) do{ if(def->is##X()) value(#X); } while(0);
     MIR_FLAG_LIST(OUTPUT_ATTRIBUTE);
 #undef OUTPUT_ATTRIBUTE
     endList();
 
     beginListProperty("inputs");
     for (size_t i = 0, e = def->numOperands(); i < e; i++)
-        integerValue(def->getOperand(i)->id());
+        value(def->getOperand(i)->id());
     endList();
 
     beginListProperty("uses");
     for (MUseDefIterator use(def); use; use++)
-        integerValue(use.def()->id());
+        value(use.def()->id());
     endList();
 
     if (!def->isLowered()) {
         beginListProperty("memInputs");
         if (def->dependency())
-            integerValue(def->dependency()->id());
+            value(def->dependency()->id());
         endList();
     }
 
@@ -119,7 +119,7 @@ JSONSpewer::spewMDef(MDefinition* def)
         out_.printf(" : %s%s", StringFromMIRType(def->type()), (isTruncated ? " (t)" : ""));
         endStringProperty();
     } else {
-        stringProperty("type", "%s%s", StringFromMIRType(def->type()), (isTruncated ? " (t)" : ""));
+        formatProperty("type", "%s%s", StringFromMIRType(def->type()), (isTruncated ? " (t)" : ""));
     }
 
     if (def->isInstruction()) {
@@ -139,30 +139,30 @@ JSONSpewer::spewMIR(MIRGraph* mir)
     for (MBasicBlockIterator block(mir->begin()); block != mir->end(); block++) {
         beginObject();
 
-        integerProperty("number", block->id());
+        property("number", block->id());
         if (block->getHitState() == MBasicBlock::HitState::Count)
-            integerProperty("count", block->getHitCount());
+            property("count", block->getHitCount());
 
         beginListProperty("attributes");
         if (block->hasLastIns()) {
             if (block->isLoopBackedge())
-                stringValue("backedge");
+                value("backedge");
             if (block->isLoopHeader())
-                stringValue("loopheader");
+                value("loopheader");
             if (block->isSplitEdge())
-                stringValue("splitedge");
+                value("splitedge");
         }
         endList();
 
         beginListProperty("predecessors");
         for (size_t i = 0; i < block->numPredecessors(); i++)
-            integerValue(block->getPredecessor(i)->id());
+            value(block->getPredecessor(i)->id());
         endList();
 
         beginListProperty("successors");
         if (block->hasLastIns()) {
             for (size_t i = 0; i < block->numSuccessors(); i++)
-                integerValue(block->getSuccessor(i)->id());
+                value(block->getSuccessor(i)->id());
         }
         endList();
 
@@ -187,16 +187,16 @@ JSONSpewer::spewLIns(LNode* ins)
 {
     beginObject();
 
-    integerProperty("id", ins->id());
+    property("id", ins->id());
 
-    property("opcode");
+    propertyName("opcode");
     out_.printf("\"");
     ins->dump(out_);
     out_.printf("\"");
 
     beginListProperty("defs");
     for (size_t i = 0; i < ins->numDefs(); i++)
-        integerValue(ins->getDef(i)->virtualRegister());
+        value(ins->getDef(i)->virtualRegister());
     endList();
 
     endObject();
@@ -214,7 +214,7 @@ JSONSpewer::spewLIR(MIRGraph* mir)
             continue;
 
         beginObject();
-        integerProperty("number", i->id());
+        property("number", i->id());
 
         beginListProperty("instructions");
         for (size_t p = 0; p < block->numPhis(); p++)
@@ -238,7 +238,7 @@ JSONSpewer::spewRanges(BacktrackingAllocator* regalloc)
 
     for (size_t bno = 0; bno < regalloc->graph.numBlocks(); bno++) {
         beginObject();
-        integerProperty("number", bno);
+        property("number", bno);
         beginListProperty("vregs");
 
         LBlock* lir = regalloc->graph.getBlock(bno);
@@ -248,16 +248,16 @@ JSONSpewer::spewRanges(BacktrackingAllocator* regalloc)
                 VirtualRegister* vreg = &regalloc->vregs[id];
 
                 beginObject();
-                integerProperty("vreg", id);
+                property("vreg", id);
                 beginListProperty("ranges");
 
                 for (LiveRange::RegisterLinkIterator iter = vreg->rangesBegin(); iter; iter++) {
                     LiveRange* range = LiveRange::get(*iter);
 
                     beginObject();
-                    stringProperty("allocation", "%s", range->bundle()->allocation().toString().get());
-                    integerProperty("start", range->from().bits());
-                    integerProperty("end", range->to().bits());
+                    property("allocation", range->bundle()->allocation().toString().get());
+                    property("start", range->from().bits());
+                    property("end", range->to().bits());
                     endObject();
                 }
 
diff --git a/js/src/jit/JSONSpewer.h b/js/src/jit/JSONSpewer.h
index 45200ffa1641..5259edf0419d 100644
--- a/js/src/jit/JSONSpewer.h
+++ b/js/src/jit/JSONSpewer.h
@@ -11,8 +11,8 @@
 
 #include <stdio.h>
 
-#include "jit/JSONPrinter.h"
 #include "js/TypeDecls.h"
+#include "vm/JSONPrinter.h"
 
 namespace js {
 namespace jit {
diff --git a/js/src/jit/MacroAssembler.cpp b/js/src/jit/MacroAssembler.cpp
index 3d119517e900..627c58603973 100644
--- a/js/src/jit/MacroAssembler.cpp
+++ b/js/src/jit/MacroAssembler.cpp
@@ -788,7 +788,7 @@ MacroAssembler::nurseryAllocate(Register result, Register temp, gc::AllocKind al
     CompileZone* zone = GetJitContext()->compartment->zone();
     int thingSize = int(gc::Arena::thingSize(allocKind));
     int totalSize = thingSize + nDynamicSlots * sizeof(HeapSlot);
-    MOZ_ASSERT(totalSize % gc::CellSize == 0);
+    MOZ_ASSERT(totalSize % gc::CellAlignBytes == 0);
     loadPtr(AbsoluteAddress(zone->addressOfNurseryPosition()), result);
     computeEffectiveAddress(Address(result, totalSize), temp);
     branchPtr(Assembler::Below, AbsoluteAddress(zone->addressOfNurseryCurrentEnd()), temp, fail);
diff --git a/js/src/jsgc.cpp b/js/src/jsgc.cpp
index 0f82fcb4aa2f..695ffcd34385 100644
--- a/js/src/jsgc.cpp
+++ b/js/src/jsgc.cpp
@@ -257,6 +257,7 @@ using mozilla::Get;
 using mozilla::HashCodeScrambler;
 using mozilla::Maybe;
 using mozilla::Swap;
+using mozilla::TimeStamp;
 
 using JS::AutoGCRooter;
 
@@ -279,8 +280,10 @@ static_assert(JS_ARRAY_LENGTH(slotsToThingKind) == SLOTS_TO_THING_KIND_LIMIT,
                   #sizedType " is smaller than SortedArenaList::MinThingSize!"); \
     static_assert(sizeof(sizedType) >= sizeof(FreeSpan), \
                   #sizedType " is smaller than FreeSpan"); \
-    static_assert(sizeof(sizedType) % CellSize == 0, \
-                  "Size of " #sizedType " is not a multiple of CellSize");
+    static_assert(sizeof(sizedType) % CellAlignBytes == 0, \
+                  "Size of " #sizedType " is not a multiple of CellAlignBytes"); \
+    static_assert(sizeof(sizedType) >= MinCellSize, \
+                  "Size of " #sizedType " is smaller than the minimum size");
 FOR_EACH_ALLOCKIND(CHECK_THING_SIZE);
 #undef CHECK_THING_SIZE
 
@@ -478,7 +481,8 @@ inline size_t
 Arena::finalize(FreeOp* fop, AllocKind thingKind, size_t thingSize)
 {
     /* Enforce requirements on size of T. */
-    MOZ_ASSERT(thingSize % CellSize == 0);
+    MOZ_ASSERT(thingSize % CellAlignBytes == 0);
+    MOZ_ASSERT(thingSize >= MinCellSize);
     MOZ_ASSERT(thingSize <= 255);
 
     MOZ_ASSERT(allocated());
@@ -7633,7 +7637,7 @@ JS::GCDescription::toGCEvent(JSContext* cx) const
 char16_t*
 JS::GCDescription::formatJSON(JSContext* cx, uint64_t timestamp) const
 {
-    UniqueChars cstr = cx->runtime()->gc.stats().formatJsonMessage(timestamp);
+    UniqueChars cstr = cx->runtime()->gc.stats().renderJsonMessage(timestamp);
 
     size_t nchars = strlen(cstr.get());
     UniqueTwoByteChars out(js_pod_malloc<char16_t>(nchars + 1));
@@ -7645,6 +7649,51 @@ JS::GCDescription::formatJSON(JSContext* cx, uint64_t timestamp) const
     return out.release();
 }
 
+TimeStamp
+JS::GCDescription::startTime(JSContext* cx) const
+{
+    return cx->runtime()->gc.stats().start();
+}
+
+TimeStamp
+JS::GCDescription::endTime(JSContext* cx) const
+{
+    return cx->runtime()->gc.stats().end();
+}
+
+TimeStamp
+JS::GCDescription::lastSliceStart(JSContext* cx) const
+{
+    return cx->runtime()->gc.stats().slices().back().start;
+}
+
+TimeStamp
+JS::GCDescription::lastSliceEnd(JSContext* cx) const
+{
+    return cx->runtime()->gc.stats().slices().back().end;
+}
+
+JS::UniqueChars
+JS::GCDescription::sliceToJSON(JSContext* cx) const
+{
+    size_t slices = cx->runtime()->gc.stats().slices().length();
+    MOZ_ASSERT(slices > 0);
+    return cx->runtime()->gc.stats().renderJsonSlice(slices - 1);
+}
+
+JS::UniqueChars
+JS::GCDescription::summaryToJSON(JSContext* cx) const
+{
+    return cx->runtime()->gc.stats().renderJsonMessage(0, false);
+}
+
+JS_PUBLIC_API(JS::UniqueChars)
+JS::MinorGcToJSON(JSContext* cx)
+{
+    JSRuntime* rt = cx->runtime();
+    return rt->gc.stats().renderNurseryJson(rt);
+}
+
 JS_PUBLIC_API(JS::GCSliceCallback)
 JS::SetGCSliceCallback(JSContext* cx, GCSliceCallback callback)
 {
diff --git a/js/src/jsobj.h b/js/src/jsobj.h
index 4855b5655cc2..edee272f81bf 100644
--- a/js/src/jsobj.h
+++ b/js/src/jsobj.h
@@ -670,7 +670,8 @@ JSObject::writeBarrierPost(void* cellp, JSObject* prev, JSObject* next)
         return;
     }
 
-    // Remove the prev entry if the new value does not need it.
+    // Remove the prev entry if the new value does not need it. There will only
+    // be a prev entry if the prev value was in the nursery.
     if (prev && (buffer = prev->storeBuffer()))
         buffer->unputCell(static_cast<js::gc::Cell**>(cellp));
 }
diff --git a/js/src/jspropertytree.cpp b/js/src/jspropertytree.cpp
index f5b08d096b3c..40634fd71ed8 100644
--- a/js/src/jspropertytree.cpp
+++ b/js/src/jspropertytree.cpp
@@ -237,7 +237,7 @@ Shape::fixupDictionaryShapeAfterMovingGC()
     // We use a fake cell pointer for this: it might not point to the beginning
     // of a cell, but will point into the right arena and will have the right
     // alignment.
-    Cell* cell = reinterpret_cast<Cell*>(uintptr_t(listp) & ~CellMask);
+    Cell* cell = reinterpret_cast<Cell*>(uintptr_t(listp) & ~CellAlignMask);
     AllocKind kind = TenuredCell::fromPointer(cell)->getAllocKind();
     MOZ_ASSERT_IF(listpPointsIntoShape, IsShapeAllocKind(kind));
     MOZ_ASSERT_IF(!listpPointsIntoShape, IsObjectAllocKind(kind));
diff --git a/js/src/jsscript.h b/js/src/jsscript.h
index 8ef696ccf719..e3da70eee436 100644
--- a/js/src/jsscript.h
+++ b/js/src/jsscript.h
@@ -976,7 +976,7 @@ class JSScript : public js::gc::TenuredCell
     // Unique Method ID passed to the VTune profiler, or 0 if unset.
     // Allows attribution of different jitcode to the same source script.
     uint32_t        vtuneMethodId_;
-    // Extra padding to maintain JSScript as a multiple of gc::CellSize.
+    // Extra padding to maintain JSScript as a multiple of gc::CellAlignBytes.
     uint32_t        __vtune_unused_padding_;
 #endif
 
@@ -2052,8 +2052,8 @@ class JSScript : public js::gc::TenuredCell
 };
 
 /* If this fails, add/remove padding within JSScript. */
-static_assert(sizeof(JSScript) % js::gc::CellSize == 0,
-              "Size of JSScript must be an integral multiple of js::gc::CellSize");
+static_assert(sizeof(JSScript) % js::gc::CellAlignBytes == 0,
+              "Size of JSScript must be an integral multiple of js::gc::CellAlignBytes");
 
 namespace js {
 
@@ -2395,8 +2395,8 @@ class LazyScript : public gc::TenuredCell
 };
 
 /* If this fails, add/remove padding within LazyScript. */
-static_assert(sizeof(LazyScript) % js::gc::CellSize == 0,
-              "Size of LazyScript must be an integral multiple of js::gc::CellSize");
+static_assert(sizeof(LazyScript) % js::gc::CellAlignBytes == 0,
+              "Size of LazyScript must be an integral multiple of js::gc::CellAlignBytes");
 
 struct ScriptAndCounts
 {
diff --git a/js/src/moz.build b/js/src/moz.build
index d3f113ac74bf..f9273e901d9e 100644
--- a/js/src/moz.build
+++ b/js/src/moz.build
@@ -237,7 +237,6 @@ UNIFIED_SOURCES += [
     'jit/JitFrames.cpp',
     'jit/JitOptions.cpp',
     'jit/JitSpewer.cpp',
-    'jit/JSONPrinter.cpp',
     'jit/JSONSpewer.cpp',
     'jit/LICM.cpp',
     'jit/Linker.cpp',
@@ -326,6 +325,7 @@ UNIFIED_SOURCES += [
     'vm/Id.cpp',
     'vm/Initialization.cpp',
     'vm/JSONParser.cpp',
+    'vm/JSONPrinter.cpp',
     'vm/MemoryMetrics.cpp',
     'vm/NativeObject.cpp',
     'vm/ObjectGroup.cpp',
diff --git a/js/src/vm/ArrayBufferObject.cpp b/js/src/vm/ArrayBufferObject.cpp
index 14818a08abaa..e8c1b7341f28 100644
--- a/js/src/vm/ArrayBufferObject.cpp
+++ b/js/src/vm/ArrayBufferObject.cpp
@@ -1073,7 +1073,7 @@ ArrayBufferObject::create(JSContext* cx, uint32_t nbytes, BufferContents content
         MOZ_ASSERT(ownsState == OwnsData);
         size_t usableSlots = NativeObject::MAX_FIXED_SLOTS - reservedSlots;
         if (nbytes <= usableSlots * sizeof(Value)) {
-            int newSlots = (nbytes - 1) / sizeof(Value) + 1;
+            int newSlots = JS_HOWMANY(nbytes, sizeof(Value));
             MOZ_ASSERT(int(nbytes) <= newSlots * int(sizeof(Value)));
             nslots = reservedSlots + newSlots;
             contents = BufferContents::createPlain(nullptr);
diff --git a/js/src/vm/Debugger.cpp b/js/src/vm/Debugger.cpp
index de17d374226a..d768f291542c 100644
--- a/js/src/vm/Debugger.cpp
+++ b/js/src/vm/Debugger.cpp
@@ -11717,21 +11717,21 @@ GarbageCollectionEvent::Create(JSRuntime* rt, ::js::gcstats::Statistics& stats,
 
     data->nonincrementalReason = stats.nonincrementalReason();
 
-    for (auto range = stats.sliceRange(); !range.empty(); range.popFront()) {
+    for (auto& slice : stats.slices()) {
         if (!data->reason) {
             // There is only one GC reason for the whole cycle, but for legacy
             // reasons this data is stored and replicated on each slice. Each
             // slice used to have its own GCReason, but now they are all the
             // same.
-            data->reason = gcreason::ExplainReason(range.front().reason);
+            data->reason = gcreason::ExplainReason(slice.reason);
             MOZ_ASSERT(data->reason);
         }
 
         if (!data->collections.growBy(1))
             return nullptr;
 
-        data->collections.back().startTimestamp = range.front().start;
-        data->collections.back().endTimestamp = range.front().end;
+        data->collections.back().startTimestamp = slice.start;
+        data->collections.back().endTimestamp = slice.end;
     }
 
     return data;
diff --git a/js/src/vm/JSONPrinter.cpp b/js/src/vm/JSONPrinter.cpp
new file mode 100644
index 000000000000..22a1aeec93be
--- /dev/null
+++ b/js/src/vm/JSONPrinter.cpp
@@ -0,0 +1,237 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
+ * vim: set ts=8 sts=4 et sw=4 tw=99:
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "vm/JSONPrinter.h"
+
+#include "mozilla/Assertions.h"
+#include "mozilla/FloatingPoint.h"
+#include "mozilla/IntegerPrintfMacros.h"
+#include "mozilla/SizePrintfMacros.h"
+
+#include <stdarg.h>
+
+#include "jsdtoa.h"
+
+using namespace js;
+
+JSONPrinter::~JSONPrinter()
+{
+    if (dtoaState_)
+        DestroyDtoaState(dtoaState_);
+}
+
+void
+JSONPrinter::indent()
+{
+    MOZ_ASSERT(indentLevel_ >= 0);
+    out_.printf("\n");
+    for (int i = 0; i < indentLevel_; i++)
+        out_.printf("  ");
+}
+
+void
+JSONPrinter::propertyName(const char* name)
+{
+    if (!first_)
+        out_.printf(",");
+    indent();
+    out_.printf("\"%s\":", name);
+    first_ = false;
+}
+
+void
+JSONPrinter::beginObject()
+{
+    if (!first_) {
+        out_.printf(",");
+        indent();
+    }
+    out_.printf("{");
+    indentLevel_++;
+    first_ = true;
+}
+
+void
+JSONPrinter::beginObjectProperty(const char* name)
+{
+    propertyName(name);
+    out_.printf("{");
+    indentLevel_++;
+    first_ = true;
+}
+
+void
+JSONPrinter::beginListProperty(const char* name)
+{
+    propertyName(name);
+    out_.printf("[");
+    first_ = true;
+}
+
+void
+JSONPrinter::beginStringProperty(const char* name)
+{
+    propertyName(name);
+    out_.printf("\"");
+}
+
+void
+JSONPrinter::endStringProperty()
+{
+    out_.printf("\"");
+}
+
+void
+JSONPrinter::property(const char* name, const char* value)
+{
+    beginStringProperty(name);
+    out_.put(value);
+    endStringProperty();
+}
+
+void
+JSONPrinter::formatProperty(const char* name, const char* format, ...)
+{
+    va_list ap;
+    va_start(ap, format);
+
+    beginStringProperty(name);
+    out_.vprintf(format, ap);
+    endStringProperty();
+
+    va_end(ap);
+}
+
+void
+JSONPrinter::value(const char* format, ...)
+{
+    va_list ap;
+    va_start(ap, format);
+
+    if (!first_)
+        out_.printf(",");
+    out_.printf("\"");
+    out_.vprintf(format, ap);
+    out_.printf("\"");
+
+    va_end(ap);
+    first_ = false;
+}
+
+void
+JSONPrinter::property(const char* name, int32_t value)
+{
+    propertyName(name);
+    out_.printf("%" PRId32, value);
+}
+
+void
+JSONPrinter::value(int val)
+{
+    if (!first_)
+        out_.printf(",");
+    out_.printf("%d", val);
+    first_ = false;
+}
+
+void
+JSONPrinter::property(const char* name, uint32_t value)
+{
+    propertyName(name);
+    out_.printf("%" PRIu32, value);
+}
+
+void
+JSONPrinter::property(const char* name, int64_t value)
+{
+    propertyName(name);
+    out_.printf("%" PRId64, value);
+}
+
+void
+JSONPrinter::property(const char* name, uint64_t value)
+{
+    propertyName(name);
+    out_.printf("%" PRIu64, value);
+}
+
+#ifdef XP_DARWIN
+void
+JSONPrinter::property(const char* name, size_t value)
+{
+    propertyName(name);
+    out_.printf("%" PRIuSIZE, value);
+}
+#endif
+
+void
+JSONPrinter::property(const char* name, double value)
+{
+    propertyName(name);
+    if (mozilla::IsFinite(value))
+        out_.printf("%f", value);
+    else
+        out_.printf("null");
+}
+
+void
+JSONPrinter::floatProperty(const char* name, double value, size_t precision)
+{
+    if (!mozilla::IsFinite(value)) {
+        propertyName(name);
+        out_.printf("null");
+        return;
+    }
+
+    if (!dtoaState_) {
+        dtoaState_ = NewDtoaState();
+        if (!dtoaState_) {
+            out_.reportOutOfMemory();
+            return;
+        }
+    }
+
+    char buffer[DTOSTR_STANDARD_BUFFER_SIZE];
+    char* str = js_dtostr(dtoaState_, buffer, sizeof(buffer), DTOSTR_STANDARD, precision, value);
+    if (!str) {
+        out_.reportOutOfMemory();
+        return;
+    }
+
+    property(name, str);
+}
+
+void
+JSONPrinter::property(const char* name, const mozilla::TimeDuration& dur, TimePrecision precision)
+{
+    propertyName(name);
+    lldiv_t split;
+    switch (precision) {
+      case SECONDS:
+        split = lldiv(static_cast<int64_t>(dur.ToMilliseconds()), 1000);
+        break;
+      case MILLISECONDS:
+        split = lldiv(static_cast<int64_t>(dur.ToMicroseconds()), 1000);
+        break;
+    };
+    out_.printf("%llu.%03llu", split.quot, split.rem);
+}
+
+void
+JSONPrinter::endObject()
+{
+    indentLevel_--;
+    indent();
+    out_.printf("}");
+    first_ = false;
+}
+
+void
+JSONPrinter::endList()
+{
+    out_.printf("]");
+    first_ = false;
+}
diff --git a/js/src/vm/JSONPrinter.h b/js/src/vm/JSONPrinter.h
new file mode 100644
index 000000000000..6b1be6cb599b
--- /dev/null
+++ b/js/src/vm/JSONPrinter.h
@@ -0,0 +1,87 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
+ * vim: set ts=8 sts=4 et sw=4 tw=99:
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef vm_JSONPrinter_h
+#define vm_JSONPrinter_h
+
+#include "mozilla/TimeStamp.h"
+
+#include <stdio.h>
+
+#include "js/TypeDecls.h"
+#include "vm/Printer.h"
+
+struct DtoaState;
+
+namespace js {
+
+class JSONPrinter
+{
+  protected:
+    int indentLevel_;
+    bool first_;
+    GenericPrinter& out_;
+    DtoaState* dtoaState_;
+
+    void indent();
+
+  public:
+    explicit JSONPrinter(GenericPrinter& out)
+      : indentLevel_(0),
+        first_(true),
+        out_(out),
+        dtoaState_(nullptr)
+    {
+    }
+
+    ~JSONPrinter();
+
+    void beginObject();
+    void beginObjectProperty(const char* name);
+    void beginListProperty(const char* name);
+
+    void value(const char* format, ...) MOZ_FORMAT_PRINTF(2, 3);
+    void value(int value);
+
+    void property(const char* name, const char* value);
+    void property(const char* name, int32_t value);
+    void property(const char* name, uint32_t value);
+    void property(const char* name, int64_t value);
+    void property(const char* name, uint64_t value);
+#ifdef XP_DARWIN
+    // On OSX, size_t is long unsigned, uint32_t is unsigned, and uint64_t is
+    // long long unsigned. Everywhere else, size_t matches either uint32_t or
+    // uint64_t.
+    void property(const char* name, size_t value);
+#endif
+    void property(const char* name, double value);
+
+    void formatProperty(const char* name, const char* format, ...) MOZ_FORMAT_PRINTF(3, 4);
+
+    // JSON requires decimals to be separated by periods, but the LC_NUMERIC
+    // setting may cause printf to use commas in some locales.
+    enum TimePrecision { SECONDS, MILLISECONDS };
+    void property(const char* name, const mozilla::TimeDuration& dur, TimePrecision precision);
+
+    void floatProperty(const char* name, double value, size_t precision);
+
+    void beginStringProperty(const char* name);
+    void endStringProperty();
+
+    void endObject();
+    void endList();
+
+    // Notify the output that the caller has detected OOM and should transition
+    // to its saw-OOM state.
+    void outOfMemory() { out_.reportOutOfMemory(); }
+
+  protected:
+    void propertyName(const char* name);
+};
+
+} // namespace js
+
+#endif /* vm_JSONPrinter_h */
diff --git a/js/src/vm/Printer.cpp b/js/src/vm/Printer.cpp
index e1a817bfc6b0..f500c898e3f4 100644
--- a/js/src/vm/Printer.cpp
+++ b/js/src/vm/Printer.cpp
@@ -150,16 +150,20 @@ Sprinter::checkInvariants() const
     MOZ_ASSERT(base[size - 1] == 0);
 }
 
-const char*
-Sprinter::string() const
+char*
+Sprinter::release()
 {
-    return base;
-}
+    checkInvariants();
+    if (hadOOM_)
+        return nullptr;
 
-const char*
-Sprinter::stringEnd() const
-{
-    return base + offset;
+    char* str = base;
+    base = nullptr;
+    offset = size = 0;
+#ifdef DEBUG
+    initialized = false;
+#endif
+    return str;
 }
 
 char*
@@ -549,18 +553,4 @@ LSprinter::put(const char* s, size_t len)
     return true;
 }
 
-void
-LSprinter::reportOutOfMemory()
-{
-    if (hadOOM_)
-        return;
-    hadOOM_ = true;
-}
-
-bool
-LSprinter::hadOutOfMemory() const
-{
-    return hadOOM_;
-}
-
 } // namespace js
diff --git a/js/src/vm/Printer.h b/js/src/vm/Printer.h
index 77135678dbdb..a60facb07c6d 100644
--- a/js/src/vm/Printer.h
+++ b/js/src/vm/Printer.h
@@ -47,9 +47,7 @@ class GenericPrinter
     bool printf(const char* fmt, ...) MOZ_FORMAT_PRINTF(2, 3);
     bool vprintf(const char* fmt, va_list ap) MOZ_FORMAT_PRINTF(2, 0);
 
-    // Report that a string operation failed to get the memory it requested. The
-    // first call to this function calls JS_ReportOutOfMemory, and sets this
-    // Sprinter's outOfMemory flag; subsequent calls do nothing.
+    // Report that a string operation failed to get the memory it requested.
     virtual void reportOutOfMemory();
 
     // Return true if this Sprinter ran out of memory.
@@ -96,8 +94,10 @@ class Sprinter final : public GenericPrinter
 
     void checkInvariants() const;
 
-    const char* string() const;
-    const char* stringEnd() const;
+    const char* string() const { return base; }
+    const char* stringEnd() const { return base + offset; }
+    char* release();
+
     // Returns the string at offset |off|.
     char* stringAt(ptrdiff_t off) const;
     // Returns the char at offset |off|.
@@ -195,14 +195,6 @@ class LSprinter final : public GenericPrinter
     // return true on success, false on failure.
     virtual bool put(const char* s, size_t len) override;
     using GenericPrinter::put; // pick up |inline bool put(const char* s);|
-
-    // Report that a string operation failed to get the memory it requested. The
-    // first call to this function calls JS_ReportOutOfMemory, and sets this
-    // Sprinter's outOfMemory flag; subsequent calls do nothing.
-    virtual void reportOutOfMemory() override;
-
-    // Return true if this Sprinter ran out of memory.
-    virtual bool hadOutOfMemory() const override;
 };
 
 // Map escaped code to the letter/symbol escaped with a backslash.
diff --git a/js/src/vm/Shape.h b/js/src/vm/Shape.h
index ecd540155449..418df3475e25 100644
--- a/js/src/vm/Shape.h
+++ b/js/src/vm/Shape.h
@@ -422,7 +422,7 @@ class BaseShape : public gc::TenuredCell
     ShapeTable*      table_;
 
 #if JS_BITS_PER_WORD == 32
-    // Ensure sizeof(BaseShape) is a multiple of gc::CellSize.
+    // Ensure sizeof(BaseShape) is a multiple of gc::CellAlignBytes.
     uint32_t padding_;
 #endif
 
@@ -505,9 +505,9 @@ class BaseShape : public gc::TenuredCell
   private:
     static void staticAsserts() {
         JS_STATIC_ASSERT(offsetof(BaseShape, clasp_) == offsetof(js::shadow::BaseShape, clasp_));
-        static_assert(sizeof(BaseShape) % gc::CellSize == 0,
+        static_assert(sizeof(BaseShape) % gc::CellAlignBytes == 0,
                       "Things inheriting from gc::Cell must have a size that's "
-                      "a multiple of gc::CellSize");
+                      "a multiple of gc::CellAlignBytes");
     }
 
     void traceShapeTable(JSTracer* trc);
diff --git a/js/src/vm/String.h b/js/src/vm/String.h
index f8bfad2e4a15..2f752812b8b3 100644
--- a/js/src/vm/String.h
+++ b/js/src/vm/String.h
@@ -961,7 +961,7 @@ class JSFatInlineString : public JSInlineString
     MOZ_ALWAYS_INLINE void finalize(js::FreeOp* fop);
 };
 
-static_assert(sizeof(JSFatInlineString) % js::gc::CellSize == 0,
+static_assert(sizeof(JSFatInlineString) % js::gc::CellAlignBytes == 0,
               "fat inline strings shouldn't waste space up to the next cell "
               "boundary");
 
@@ -1057,7 +1057,7 @@ class NormalAtom : public JSAtom
 {
   protected: // Silence Clang unused-field warning.
     HashNumber hash_;
-    uint32_t padding_; // Ensure the size is a multiple of gc::CellSize.
+    uint32_t padding_; // Ensure the size is a multiple of gc::CellAlignBytes.
 
   public:
     HashNumber hash() const {
@@ -1070,14 +1070,14 @@ class NormalAtom : public JSAtom
 
 static_assert(sizeof(NormalAtom) == sizeof(JSString) + sizeof(uint64_t),
               "NormalAtom must have size of a string + HashNumber, "
-              "aligned to gc::CellSize");
+              "aligned to gc::CellAlignBytes");
 
 class FatInlineAtom : public JSAtom
 {
   protected: // Silence Clang unused-field warning.
     char inlineStorage_[sizeof(JSFatInlineString) - sizeof(JSString)];
     HashNumber hash_;
-    uint32_t padding_; // Ensure the size is a multiple of gc::CellSize.
+    uint32_t padding_; // Ensure the size is a multiple of gc::CellAlignBytes.
 
   public:
     HashNumber hash() const {
@@ -1090,7 +1090,7 @@ class FatInlineAtom : public JSAtom
 
 static_assert(sizeof(FatInlineAtom) == sizeof(JSFatInlineString) + sizeof(uint64_t),
               "FatInlineAtom must have size of a fat inline string + HashNumber, "
-              "aligned to gc::CellSize");
+              "aligned to gc::CellAlignBytes");
 
 } // namespace js
 
@@ -1481,7 +1481,7 @@ template<>
 MOZ_ALWAYS_INLINE bool
 JSFatInlineString::lengthFits<JS::Latin1Char>(size_t length)
 {
-    static_assert((INLINE_EXTENSION_CHARS_LATIN1 * sizeof(char)) % js::gc::CellSize == 0,
+    static_assert((INLINE_EXTENSION_CHARS_LATIN1 * sizeof(char)) % js::gc::CellAlignBytes == 0,
                   "fat inline strings' Latin1 characters don't exactly "
                   "fill subsequent cells and thus are wasteful");
     static_assert(MAX_LENGTH_LATIN1 + 1 ==
@@ -1497,7 +1497,7 @@ template<>
 MOZ_ALWAYS_INLINE bool
 JSFatInlineString::lengthFits<char16_t>(size_t length)
 {
-    static_assert((INLINE_EXTENSION_CHARS_TWO_BYTE * sizeof(char16_t)) % js::gc::CellSize == 0,
+    static_assert((INLINE_EXTENSION_CHARS_TWO_BYTE * sizeof(char16_t)) % js::gc::CellAlignBytes == 0,
                   "fat inline strings' char16_t characters don't exactly "
                   "fill subsequent cells and thus are wasteful");
     static_assert(MAX_LENGTH_TWO_BYTE + 1 ==
diff --git a/layout/base/nsDocumentViewer.cpp b/layout/base/nsDocumentViewer.cpp
index df70f1f35b07..84e195d6ca80 100644
--- a/layout/base/nsDocumentViewer.cpp
+++ b/layout/base/nsDocumentViewer.cpp
@@ -2210,19 +2210,24 @@ nsDocumentViewer::Hide(void)
     mPresShell->CaptureHistoryState(getter_AddRefs(layoutState));
   }
 
-  DestroyPresShell();
+  {
+    // Do not run ScriptRunners queued by DestroyPresShell() in the intermediate
+    // state before we're done destroying PresShell, PresContext, ViewManager, etc.
+    nsAutoScriptBlocker scriptBlocker;
+    DestroyPresShell();
 
-  DestroyPresContext();
+    DestroyPresContext();
 
-  mViewManager   = nullptr;
-  mWindow        = nullptr;
-  mDeviceContext = nullptr;
-  mParentWidget  = nullptr;
+    mViewManager   = nullptr;
+    mWindow        = nullptr;
+    mDeviceContext = nullptr;
+    mParentWidget  = nullptr;
 
-  nsCOMPtr<nsIBaseWindow> base_win(mContainer);
+    nsCOMPtr<nsIBaseWindow> base_win(mContainer);
 
-  if (base_win && !mAttachedToParent) {
-    base_win->SetParentWidget(nullptr);
+    if (base_win && !mAttachedToParent) {
+      base_win->SetParentWidget(nullptr);
+    }
   }
 
   return NS_OK;
diff --git a/layout/base/nsLayoutUtils.cpp b/layout/base/nsLayoutUtils.cpp
index 057aaae73711..3cfd368b6cd5 100644
--- a/layout/base/nsLayoutUtils.cpp
+++ b/layout/base/nsLayoutUtils.cpp
@@ -2060,6 +2060,8 @@ nsLayoutUtils::SetFixedPositionLayerData(Layer* aLayer,
       } else {
         anchor.x = anchorRect.XMost();
       }
+    } else if (position->mOffset.GetLeftUnit() != eStyleUnit_Auto) {
+      sides |= eSideBitsLeft;
     }
     if (position->mOffset.GetBottomUnit() != eStyleUnit_Auto) {
       sides |= eSideBitsBottom;
@@ -2069,6 +2071,8 @@ nsLayoutUtils::SetFixedPositionLayerData(Layer* aLayer,
       } else {
         anchor.y = anchorRect.YMost();
       }
+    } else if (position->mOffset.GetTopUnit() != eStyleUnit_Auto) {
+      sides |= eSideBitsTop;
     }
   }
 
diff --git a/layout/generic/nsFloatManager.h b/layout/generic/nsFloatManager.h
index 50919b55804b..5c56dba9444b 100644
--- a/layout/generic/nsFloatManager.h
+++ b/layout/generic/nsFloatManager.h
@@ -45,7 +45,7 @@ struct nsFlowAreaRect {
     , mHasFloats(aHasFloats) {}
 };
 
-#define NS_FLOAT_MANAGER_CACHE_SIZE 4
+#define NS_FLOAT_MANAGER_CACHE_SIZE 64
 
 /**
  * nsFloatManager is responsible for implementing CSS's rules for
@@ -596,7 +596,9 @@ private:
 
   // Translation from local to global coordinate space.
   nscoord mLineLeft, mBlockStart;
-  nsTArray<FloatInfo> mFloats;
+  // We use 11 here in order to fill up the jemalloc allocatoed chunk nicely,
+  // see https://bugzilla.mozilla.org/show_bug.cgi?id=1362876#c6.
+  AutoTArray<FloatInfo, 11> mFloats;
   nsIntervalSet   mFloatDamage;
 
   // Did we try to place a float that could not fit at all and had to be
diff --git a/layout/printing/nsPrintData.cpp b/layout/printing/nsPrintData.cpp
index 465d144690b7..42073b309ea4 100644
--- a/layout/printing/nsPrintData.cpp
+++ b/layout/printing/nsPrintData.cpp
@@ -72,7 +72,8 @@ nsPrintData::~nsPrintData()
     mPrintSettings->GetIsCancelled(&isCancelled);
 
     nsresult rv = NS_OK;
-    if (mType == eIsPrinting) {
+    if (mType == eIsPrinting &&
+        mPrintDC->IsCurrentlyPrintingDocument()) {
       if (!isCancelled && !mIsAborted) {
         rv = mPrintDC->EndDocument();
       } else {
diff --git a/layout/reftests/mathml/reftest.list b/layout/reftests/mathml/reftest.list
index 4daed38c197c..cd012cd493d9 100644
--- a/layout/reftests/mathml/reftest.list
+++ b/layout/reftests/mathml/reftest.list
@@ -128,7 +128,7 @@ fails-if(gtkWidget&&!stylo) random-if(winWidget) == semantics-1.xhtml semantics-
 == mathbackground-4.xml mathbackground-4-ref.xml
 == mstyle-1.xhtml mstyle-1-ref.xhtml
 == mstyle-2.xhtml mstyle-2-ref.xhtml
-== mstyle-3.xhtml mstyle-3-ref.xhtml
+fuzzy-if(OSX,16,8) == mstyle-3.xhtml mstyle-3-ref.xhtml
 == mstyle-4.xhtml mstyle-4-ref.xhtml
 == mstyle-5.xhtml mstyle-5-ref.xhtml # Bug 787215
 == scale-stretchy-1.xhtml scale-stretchy-1-ref.xhtml
diff --git a/layout/style/ServoBindings.cpp b/layout/style/ServoBindings.cpp
index fa4b988ff9e8..989abf9d4bc4 100644
--- a/layout/style/ServoBindings.cpp
+++ b/layout/style/ServoBindings.cpp
@@ -1183,6 +1183,8 @@ CreateStyleImageRequest(nsStyleImageRequest::Mode aModeFlags,
   return req.forget();
 }
 
+NS_IMPL_THREADSAFE_FFI_REFCOUNTING(mozilla::css::ImageValue, ImageValue);
+
 void
 Gecko_SetUrlImageValue(nsStyleImage* aImage, ServoBundledURI aURI)
 {
diff --git a/layout/style/ServoBindings.h b/layout/style/ServoBindings.h
index e6ee4376b6cd..f2a24fcf94c8 100644
--- a/layout/style/ServoBindings.h
+++ b/layout/style/ServoBindings.h
@@ -41,6 +41,7 @@ namespace mozilla {
   struct StyleTransition;
   namespace css {
     struct URLValue;
+    struct ImageValue;
   };
   enum class UpdateAnimationsTasks : uint8_t;
   struct LangGroupFontPrefs;
@@ -273,6 +274,7 @@ void Gecko_CopyListStyleTypeFrom(nsStyleList* dst, const nsStyleList* src);
 // background-image style.
 void Gecko_SetNullImageValue(nsStyleImage* image);
 void Gecko_SetGradientImageValue(nsStyleImage* image, nsStyleGradient* gradient);
+NS_DECL_THREADSAFE_FFI_REFCOUNTING(mozilla::css::ImageValue, ImageValue);
 void Gecko_SetUrlImageValue(nsStyleImage* image,
                             ServoBundledURI uri);
 void Gecko_SetImageElement(nsStyleImage* image, nsIAtom* atom);
diff --git a/layout/style/nsRuleNode.cpp b/layout/style/nsRuleNode.cpp
index 5cf1da669c49..6f565179a45f 100644
--- a/layout/style/nsRuleNode.cpp
+++ b/layout/style/nsRuleNode.cpp
@@ -9637,15 +9637,14 @@ nsRuleNode::ComputeSVGData(void* aStartStruct,
   }
 
   case eCSSUnit_Inherit:
-    svg->mContextProps.Clear();
-    svg->mContextProps.AppendElements(parentSVG->mContextProps);
+  case eCSSUnit_Unset:
+    svg->mContextProps = parentSVG->mContextProps;
     svg->mContextPropsBits = parentSVG->mContextPropsBits;
     conditions.SetUncacheable();
     break;
 
   case eCSSUnit_Initial:
   case eCSSUnit_None:
-  case eCSSUnit_Unset:
     svg->mContextProps.Clear();
     svg->mContextPropsBits = 0;
     break;
diff --git a/layout/tables/nsTableRowGroupFrame.cpp b/layout/tables/nsTableRowGroupFrame.cpp
index b1482da82c88..121bd64ccfcb 100644
--- a/layout/tables/nsTableRowGroupFrame.cpp
+++ b/layout/tables/nsTableRowGroupFrame.cpp
@@ -595,7 +595,7 @@ nsTableRowGroupFrame::CalculateRowBSizes(nsPresContext*           aPresContext,
   if (numRows <= 0)
     return;
 
-  nsTArray<RowInfo> rowInfo;
+  AutoTArray<RowInfo, 32> rowInfo;
   if (!rowInfo.AppendElements(numRows)) {
     return;
   }
diff --git a/media/libcubeb/README_MOZILLA b/media/libcubeb/README_MOZILLA
index 8ce6b16571fe..022ab260ca04 100644
--- a/media/libcubeb/README_MOZILLA
+++ b/media/libcubeb/README_MOZILLA
@@ -5,4 +5,4 @@ Makefile.in build files for the Mozilla build system.
 
 The cubeb git repository is: git://github.com/kinetiknz/cubeb.git
 
-The git commit ID used was 17503c41318ec7a18ba3d728fb803a66ec60cf84 (2017-04-25 15:26:11 +0200)
+The git commit ID used was 26a50b08889a16d3f1e7fe05845cc107c7553f70 (2017-05-05 19:29:05 +1200)
diff --git a/media/libcubeb/gtest/test_mixer.cpp b/media/libcubeb/gtest/test_mixer.cpp
index a6b9ad5baa09..a7c10e5024ef 100644
--- a/media/libcubeb/gtest/test_mixer.cpp
+++ b/media/libcubeb/gtest/test_mixer.cpp
@@ -8,6 +8,7 @@
 #include "cubeb/cubeb.h"
 #include "cubeb_mixer.h"
 #include "common.h"
+#include <memory>
 #include <vector>
 
 using std::vector;
@@ -133,7 +134,11 @@ downmix_test(float const * data, cubeb_channel_layout in_layout, cubeb_channel_l
     }
   }
 
-  cubeb_downmix_float(in.data(), inframes, out.data(), in_params.channels, out_params.channels, in_params.layout, out_params.layout);
+  // Create a mixer for downmix only.
+  std::unique_ptr<cubeb_mixer, decltype(&cubeb_mixer_destroy)>
+    mixer(cubeb_mixer_create(in_params.format, CUBEB_MIXER_DIRECTION_DOWNMIX), cubeb_mixer_destroy);
+
+  cubeb_mixer_mix(mixer.get(), in.data(), inframes, out.data(), &in_params, &out_params);
 
   uint32_t in_layout_mask = 0;
   for (unsigned int i = 0 ; i < in_params.channels; ++i) {
diff --git a/media/libcubeb/src/cubeb_audiounit.cpp b/media/libcubeb/src/cubeb_audiounit.cpp
index 2d8107308da7..438bcb9e1ee4 100644
--- a/media/libcubeb/src/cubeb_audiounit.cpp
+++ b/media/libcubeb/src/cubeb_audiounit.cpp
@@ -92,41 +92,6 @@ make_sized_audio_channel_layout(size_t sz)
     return std::unique_ptr<AudioChannelLayout, decltype(&free)>(acl, free);
 }
 
-struct mixer_proxy {
-  virtual void downmix(void * buffer, long frames,
-                       cubeb_channel_layout input_layout,
-                       cubeb_channel_layout output_layout) = 0;
-  virtual ~mixer_proxy() {};
-};
-
-template <typename T>
-struct mixer_impl : public mixer_proxy {
-
-  typedef void (*downmix_func)(T * const, long, T *,
-                               unsigned int, unsigned int,
-                               cubeb_channel_layout, cubeb_channel_layout);
-
-  mixer_impl(downmix_func dmfunc) {
-    downmix_wrapper = dmfunc;
-  }
-
-  ~mixer_impl() {}
-
-  void downmix(void * buffer, long frames,
-               cubeb_channel_layout input_layout,
-               cubeb_channel_layout output_layout) override {
-    uint32_t input_channels = CUBEB_CHANNEL_LAYOUT_MAPS[input_layout].channels;
-    uint32_t output_channels = CUBEB_CHANNEL_LAYOUT_MAPS[output_layout].channels;
-    T * out = static_cast<T*>(buffer);
-    // By using same buffer for downmixing input and output, we allow downmixing
-    // from 5.0/1 to 1.0/1, 2.0/1/2, 3.0/1, 4.0/1. Do nothing on other cases.
-    downmix_wrapper(out, frames, out, input_channels, output_channels,
-                    input_layout, output_layout);
-  }
-
-  downmix_func downmix_wrapper;
-};
-
 enum io_side {
   INPUT,
   OUTPUT,
@@ -199,7 +164,7 @@ struct cubeb_stream {
   AudioDeviceID aggregate_device_id = 0;    // the aggregate device id
   AudioObjectID plugin_id = 0;              // used to create aggregate device
   /* Mixer interface */
-  std::unique_ptr<mixer_proxy> mixer;
+  std::unique_ptr<cubeb_mixer, decltype(&cubeb_mixer_destroy)> mixer;
 };
 
 bool has_input(cubeb_stream * stm)
@@ -426,22 +391,17 @@ audiounit_mix_output_buffer(cubeb_stream * stm,
                             void * output_buffer,
                             long output_frames)
 {
-  // The audio rendering mechanism on OS X will drop the extra channels beyond
-  // the channels that audio device can provide, so we need to downmix the
-  // audio data by ourselves to keep all the information.
-
-  cubeb_stream_params dest_params = {
+  cubeb_stream_params output_mixer_params = {
     stm->output_stream_params.format,
     stm->output_stream_params.rate,
     CUBEB_CHANNEL_LAYOUT_MAPS[stm->context->layout].channels,
     stm->context->layout
   };
 
-  // We only handle downmixing for now.
-  if (cubeb_should_downmix(&stm->output_stream_params, &dest_params)) {
-    stm->mixer->downmix(output_buffer, output_frames,
-                        stm->output_stream_params.layout, dest_params.layout);
-  }
+  // The downmixing(from 5.1) supports in-place conversion, so we can use
+  // the same buffer for both input and output of the mixer.
+  cubeb_mixer_mix(stm->mixer.get(), output_buffer, output_frames, output_buffer,
+                  &stm->output_stream_params, &output_mixer_params);
 }
 
 static OSStatus
@@ -817,17 +777,6 @@ audiounit_install_device_changed_callback(cubeb_stream * stm)
       LOG("AudioObjectAddPropertyListener/output/kAudioDevicePropertyDataSource rv=%d", r);
       return CUBEB_ERROR;
     }
-
-    /* This event will notify us when the default audio device changes,
-     * for example when the user plugs in a USB headset and the system chooses it
-     * automatically as the default, or when another device is chosen in the
-     * dropdown list. */
-    r = audiounit_add_listener(stm, kAudioObjectSystemObject, kAudioHardwarePropertyDefaultOutputDevice,
-        kAudioObjectPropertyScopeGlobal, &audiounit_property_listener_callback);
-    if (r != noErr) {
-      LOG("AudioObjectAddPropertyListener/output/kAudioHardwarePropertyDefaultOutputDevice rv=%d", r);
-      return CUBEB_ERROR;
-    }
   }
 
   if (stm->input_unit) {
@@ -845,14 +794,6 @@ audiounit_install_device_changed_callback(cubeb_stream * stm)
       return CUBEB_ERROR;
     }
 
-    /* This event will notify us when the default input device changes. */
-    r = audiounit_add_listener(stm, kAudioObjectSystemObject, kAudioHardwarePropertyDefaultInputDevice,
-        kAudioObjectPropertyScopeGlobal, &audiounit_property_listener_callback);
-    if (r != noErr) {
-      LOG("AudioObjectAddPropertyListener/input/kAudioHardwarePropertyDefaultInputDevice rv=%d", r);
-      return CUBEB_ERROR;
-    }
-
     /* Event to notify when the input is going away. */
     AudioDeviceID dev = audiounit_get_input_device_id(stm);
     r = audiounit_add_listener(stm, dev, kAudioDevicePropertyDeviceIsAlive,
@@ -866,6 +807,37 @@ audiounit_install_device_changed_callback(cubeb_stream * stm)
   return CUBEB_OK;
 }
 
+static int
+audiounit_install_system_changed_callback(cubeb_stream * stm)
+{
+  OSStatus r;
+
+  if (stm->output_unit) {
+    /* This event will notify us when the default audio device changes,
+     * for example when the user plugs in a USB headset and the system chooses it
+     * automatically as the default, or when another device is chosen in the
+     * dropdown list. */
+    r = audiounit_add_listener(stm, kAudioObjectSystemObject, kAudioHardwarePropertyDefaultOutputDevice,
+                               kAudioObjectPropertyScopeGlobal, &audiounit_property_listener_callback);
+    if (r != noErr) {
+      LOG("AudioObjectAddPropertyListener/output/kAudioHardwarePropertyDefaultOutputDevice rv=%d", r);
+      return CUBEB_ERROR;
+    }
+  }
+
+  if (stm->input_unit) {
+    /* This event will notify us when the default input device changes. */
+    r = audiounit_add_listener(stm, kAudioObjectSystemObject, kAudioHardwarePropertyDefaultInputDevice,
+                               kAudioObjectPropertyScopeGlobal, &audiounit_property_listener_callback);
+    if (r != noErr) {
+      LOG("AudioObjectAddPropertyListener/input/kAudioHardwarePropertyDefaultInputDevice rv=%d", r);
+      return CUBEB_ERROR;
+    }
+  }
+
+  return CUBEB_OK;
+}
+
 static int
 audiounit_uninstall_device_changed_callback(cubeb_stream * stm)
 {
@@ -883,12 +855,6 @@ audiounit_uninstall_device_changed_callback(cubeb_stream * stm)
     if (r != noErr) {
       return CUBEB_ERROR;
     }
-
-    r = audiounit_remove_listener(stm, kAudioObjectSystemObject, kAudioHardwarePropertyDefaultOutputDevice,
-        kAudioObjectPropertyScopeGlobal, &audiounit_property_listener_callback);
-    if (r != noErr) {
-      return CUBEB_ERROR;
-    }
   }
 
   if (stm->input_unit) {
@@ -904,12 +870,6 @@ audiounit_uninstall_device_changed_callback(cubeb_stream * stm)
       return CUBEB_ERROR;
     }
 
-    r = audiounit_remove_listener(stm, kAudioObjectSystemObject, kAudioHardwarePropertyDefaultInputDevice,
-        kAudioObjectPropertyScopeGlobal, &audiounit_property_listener_callback);
-    if (r != noErr) {
-      return CUBEB_ERROR;
-    }
-
     AudioDeviceID dev = audiounit_get_input_device_id(stm);
     r = audiounit_remove_listener(stm, dev, kAudioDevicePropertyDeviceIsAlive,
                                   kAudioObjectPropertyScopeGlobal, &audiounit_property_listener_callback);
@@ -921,6 +881,29 @@ audiounit_uninstall_device_changed_callback(cubeb_stream * stm)
   return CUBEB_OK;
 }
 
+static int
+audiounit_uninstall_system_changed_callback(cubeb_stream * stm)
+{
+  OSStatus r;
+
+  if (stm->output_unit) {
+    r = audiounit_remove_listener(stm, kAudioObjectSystemObject, kAudioHardwarePropertyDefaultOutputDevice,
+                                  kAudioObjectPropertyScopeGlobal, &audiounit_property_listener_callback);
+    if (r != noErr) {
+      return CUBEB_ERROR;
+    }
+  }
+
+  if (stm->input_unit) {
+    r = audiounit_remove_listener(stm, kAudioObjectSystemObject, kAudioHardwarePropertyDefaultInputDevice,
+                                  kAudioObjectPropertyScopeGlobal, &audiounit_property_listener_callback);
+    if (r != noErr) {
+      return CUBEB_ERROR;
+    }
+  }
+  return CUBEB_OK;
+}
+
 /* Get the acceptable buffer size (in frames) that this device can work with. */
 static int
 audiounit_get_acceptable_latency_range(AudioValueRange * latency_range)
@@ -1272,11 +1255,12 @@ audio_stream_desc_init(AudioStreamBasicDescription * ss,
 void
 audiounit_init_mixer(cubeb_stream * stm)
 {
-  if (stm->output_desc.mFormatFlags & kAudioFormatFlagIsFloat) {
-    stm->mixer.reset(new mixer_impl<float>(&cubeb_downmix_float));
-  } else { // stm->output_desc.mFormatFlags & kAudioFormatFlagIsSignedInteger
-    stm->mixer.reset(new mixer_impl<short>(&cubeb_downmix_short));
-  }
+  // We only handle downmixing for now.
+  // The audio rendering mechanism on OS X will drop the extra channels beyond
+  // the channels that audio device can provide, so we need to downmix the
+  // audio data by ourselves to keep all the information.
+  stm->mixer.reset(cubeb_mixer_create(stm->output_stream_params.format,
+                                      CUBEB_MIXER_DIRECTION_DOWNMIX));
 }
 
 static int
@@ -2452,6 +2436,7 @@ audiounit_setup_stream(cubeb_stream * stm)
 cubeb_stream::cubeb_stream(cubeb * context)
   : context(context)
   , resampler(nullptr, cubeb_resampler_destroy)
+  , mixer(nullptr, cubeb_mixer_destroy)
 {
   PodZero(&input_desc, 1);
   PodZero(&output_desc, 1);
@@ -2515,6 +2500,12 @@ audiounit_stream_init(cubeb * context,
     return r;
   }
 
+  r = audiounit_install_system_changed_callback(stm.get());
+  if (r != CUBEB_OK) {
+    LOG("(%p) Could not install the device change callback.", stm.get());
+    return r;
+  }
+
   *stream = stm.release();
   LOG("(%p) Cubeb stream init successful.", *stream);
   return CUBEB_OK;
@@ -2545,6 +2536,7 @@ audiounit_close_stream(cubeb_stream *stm)
   }
 
   stm->resampler.reset();
+  stm->mixer.reset();
 
   if (stm->aggregate_device_id) {
     audiounit_destroy_aggregate_device(stm->plugin_id, stm->aggregate_device_id);
@@ -2557,6 +2549,11 @@ audiounit_stream_destroy(cubeb_stream * stm)
 {
   stm->shutdown = true;
 
+  int r = audiounit_uninstall_system_changed_callback(stm);
+  if (r != CUBEB_OK) {
+    LOG("(%p) Could not uninstall the device changed callback", stm);
+  }
+
   auto_lock context_lock(stm->context->mutex);
   audiounit_stream_stop_internal(stm);
 
diff --git a/media/libcubeb/src/cubeb_mixer.cpp b/media/libcubeb/src/cubeb_mixer.cpp
index f9ac3e7335a8..573c1947c662 100644
--- a/media/libcubeb/src/cubeb_mixer.cpp
+++ b/media/libcubeb/src/cubeb_mixer.cpp
@@ -356,10 +356,20 @@ downmix_fallback(T const * const in, unsigned long inframes, T * out, unsigned i
 template<typename T>
 void
 cubeb_downmix(T const * const in, long inframes, T * out,
-              unsigned int in_channels, unsigned int out_channels,
-              cubeb_channel_layout in_layout, cubeb_channel_layout out_layout)
+              cubeb_stream_params const * stream_params,
+              cubeb_stream_params const * mixer_params)
 {
-  assert(in_channels >= out_channels && in_layout != CUBEB_LAYOUT_UNDEFINED);
+  assert(in && out);
+  assert(inframes);
+  assert(stream_params->channels >= mixer_params->channels &&
+         mixer_params->channels > 0);
+  assert(stream_params->layout != CUBEB_LAYOUT_UNDEFINED);
+
+  unsigned int in_channels = stream_params->channels;
+  cubeb_channel_layout in_layout = stream_params->layout;
+
+  unsigned int out_channels = mixer_params->channels;
+  cubeb_channel_layout out_layout = mixer_params->layout;
 
   // If the channel number is different from the layout's setting,
   // then we use fallback downmix mechanism.
@@ -395,9 +405,16 @@ mono_to_stereo(T const * in, long insamples, T * out, unsigned int out_channels)
 template<typename T>
 void
 cubeb_upmix(T const * in, long inframes, T * out,
-            unsigned int in_channels, unsigned int out_channels)
+            cubeb_stream_params const * stream_params,
+            cubeb_stream_params const * mixer_params)
 {
-  assert(out_channels >= in_channels && in_channels > 0);
+  assert(in && out);
+  assert(inframes);
+  assert(mixer_params->channels >= stream_params->channels &&
+         stream_params->channels > 0);
+
+  unsigned int in_channels = stream_params->channels;
+  unsigned int out_channels = mixer_params->channels;
 
   /* Either way, if we have 2 or more channels, the first two are L and R. */
   /* If we are playing a mono stream over stereo speakers, copy the data over. */
@@ -453,33 +470,71 @@ cubeb_should_mix(cubeb_stream_params const * stream, cubeb_stream_params const *
   return cubeb_should_upmix(stream, mixer) || cubeb_should_downmix(stream, mixer);
 }
 
-void
-cubeb_downmix_float(float * const in, long inframes, float * out,
-                    unsigned int in_channels, unsigned int out_channels,
-                    cubeb_channel_layout in_layout, cubeb_channel_layout out_layout)
+struct cubeb_mixer {
+  virtual void mix(void * input_buffer, long frames, void * output_buffer,
+                   cubeb_stream_params const * stream_params,
+                   cubeb_stream_params const * mixer_params) = 0;
+  virtual ~cubeb_mixer() {};
+};
+
+template<typename T>
+struct cubeb_mixer_impl : public cubeb_mixer {
+  explicit cubeb_mixer_impl(unsigned int d)
+    : direction(d)
+  {
+  }
+
+  void mix(void * input_buffer, long frames, void * output_buffer,
+           cubeb_stream_params const * stream_params,
+           cubeb_stream_params const * mixer_params)
+  {
+    if (frames <= 0) {
+      return;
+    }
+
+    T * in = static_cast<T*>(input_buffer);
+    T * out = static_cast<T*>(output_buffer);
+
+    if ((direction & CUBEB_MIXER_DIRECTION_DOWNMIX) &&
+        cubeb_should_downmix(stream_params, mixer_params)) {
+      cubeb_downmix(in, frames, out, stream_params, mixer_params);
+    } else if ((direction & CUBEB_MIXER_DIRECTION_UPMIX) &&
+               cubeb_should_upmix(stream_params, mixer_params)) {
+      cubeb_upmix(in, frames, out, stream_params, mixer_params);
+    }
+  }
+
+  ~cubeb_mixer_impl() {};
+
+  unsigned char const direction;
+};
+
+cubeb_mixer * cubeb_mixer_create(cubeb_sample_format format,
+                                 unsigned char direction)
 {
-  cubeb_downmix(in, inframes, out, in_channels, out_channels, in_layout, out_layout);
+  assert(direction & CUBEB_MIXER_DIRECTION_DOWNMIX ||
+         direction & CUBEB_MIXER_DIRECTION_UPMIX);
+  switch(format) {
+    case CUBEB_SAMPLE_S16NE:
+      return new cubeb_mixer_impl<short>(direction);
+    case CUBEB_SAMPLE_FLOAT32NE:
+      return new cubeb_mixer_impl<float>(direction);
+    default:
+      assert(false);
+      return nullptr;
+  }
 }
 
-void
-cubeb_downmix_short(short * const in, long inframes, short * out,
-                    unsigned int in_channels, unsigned int out_channels,
-                    cubeb_channel_layout in_layout, cubeb_channel_layout out_layout)
+void cubeb_mixer_destroy(cubeb_mixer * mixer)
 {
-  cubeb_downmix(in, inframes, out, in_channels, out_channels, in_layout, out_layout);
+  delete mixer;
 }
 
-
-void
-cubeb_upmix_short(short * const in, long inframes, short * out,
-                  unsigned int in_channels, unsigned int out_channels)
+void cubeb_mixer_mix(cubeb_mixer * mixer,
+                     void * const input_buffer, long frames, void * output_buffer,
+                     cubeb_stream_params const * stream_params,
+                     cubeb_stream_params const * mixer_params)
 {
-  cubeb_upmix(in, inframes, out, in_channels, out_channels);
-}
-
-void
-cubeb_upmix_float(float * const in, long inframes, float * out,
-                  unsigned int in_channels, unsigned int out_channels)
-{
-  cubeb_upmix(in, inframes, out, in_channels, out_channels);
+  assert(mixer);
+  mixer->mix(input_buffer, frames, output_buffer, stream_params, mixer_params);
 }
diff --git a/media/libcubeb/src/cubeb_mixer.h b/media/libcubeb/src/cubeb_mixer.h
index 9b6d8c7d62b9..2cb2d1473742 100644
--- a/media/libcubeb/src/cubeb_mixer.h
+++ b/media/libcubeb/src/cubeb_mixer.h
@@ -68,21 +68,19 @@ bool cubeb_should_downmix(cubeb_stream_params const * stream, cubeb_stream_param
 
 bool cubeb_should_mix(cubeb_stream_params const * stream, cubeb_stream_params const * mixer);
 
-void cubeb_downmix_float(float * const in, long inframes, float * out,
-                         unsigned int in_channels, unsigned int out_channels,
-                         cubeb_channel_layout in_layout, cubeb_channel_layout out_layout);
-
-void cubeb_downmix_short(short * const in, long inframes, short * out,
-                         unsigned int in_channels, unsigned int out_channels,
-                         cubeb_channel_layout in_layout, cubeb_channel_layout out_layout);
-
-void cubeb_upmix_float(float * const in, long inframes, float * out,
-                       unsigned int in_channels, unsigned int out_channels);
-
-void cubeb_upmix_short(short * const in, long inframes, short * out,
-                       unsigned int in_channels, unsigned int out_channels);
-
+typedef enum {
+  CUBEB_MIXER_DIRECTION_DOWNMIX = 0x01,
+  CUBEB_MIXER_DIRECTION_UPMIX   = 0x02,
+} cubeb_mixer_direction;
 
+typedef struct cubeb_mixer cubeb_mixer;
+cubeb_mixer * cubeb_mixer_create(cubeb_sample_format format,
+                                 unsigned char direction);
+void cubeb_mixer_destroy(cubeb_mixer * mixer);
+void cubeb_mixer_mix(cubeb_mixer * mixer,
+                     void * input_buffer, long frames, void * output_buffer,
+                     cubeb_stream_params const * stream_params,
+                     cubeb_stream_params const * mixer_params);
 
 #if defined(__cplusplus)
 }
diff --git a/media/libcubeb/src/cubeb_wasapi.cpp b/media/libcubeb/src/cubeb_wasapi.cpp
index 4ba6582ad0c9..e6cf687daf88 100644
--- a/media/libcubeb/src/cubeb_wasapi.cpp
+++ b/media/libcubeb/src/cubeb_wasapi.cpp
@@ -160,45 +160,6 @@ private:
   HRESULT result;
 };
 
-struct mixing_wrapper {
-  virtual void mix(void * const input_buffer, long input_frames, void * output_buffer,
-                   cubeb_stream_params const * stream_params,
-                   cubeb_stream_params const * mixer_params) = 0;
-  virtual ~mixing_wrapper() {};
-};
-
-template <typename T>
-struct mixing_impl : public mixing_wrapper {
-
-  typedef void (*downmix_func)(T * const, long, T *,
-                             unsigned int, unsigned int,
-                             cubeb_channel_layout, cubeb_channel_layout);
-  typedef void (*upmix_func)(T * const, long, T *,
-                             unsigned int, unsigned int);
-
-  mixing_impl(downmix_func dmfunc, upmix_func umfunc) {
-    downmix_wrapper = dmfunc;
-    upmix_wrapper = umfunc;
-  }
-
-  ~mixing_impl() {}
-
-  void mix(void * const input_buffer, long input_frames, void * output_buffer,
-               cubeb_stream_params const * stream_params,
-               cubeb_stream_params const * mixer_params) override {
-    T * const in = static_cast<T *>(input_buffer);
-    T * out = static_cast<T *>(output_buffer);
-    if (cubeb_should_upmix(stream_params, mixer_params)) {
-      upmix_wrapper(in, input_frames, out, stream_params->channels, mixer_params->channels);
-    } else if (cubeb_should_downmix(stream_params, mixer_params)) {
-      downmix_wrapper(in, input_frames, out, stream_params->channels, mixer_params->channels, stream_params->layout, mixer_params->layout);
-    }
-  }
-
-  downmix_func downmix_wrapper;
-  upmix_func upmix_wrapper;
-};
-
 extern cubeb_ops const wasapi_ops;
 
 int wasapi_stream_stop(cubeb_stream * stm);
@@ -303,8 +264,8 @@ struct cubeb_stream {
   uint32_t output_buffer_frame_count = 0;
   /* Resampler instance. Resampling will only happen if necessary. */
   std::unique_ptr<cubeb_resampler, decltype(&cubeb_resampler_destroy)> resampler = { nullptr, cubeb_resampler_destroy };
-  /* Mixing interface */
-  std::unique_ptr<mixing_wrapper> mixing;
+  /* Mixer interface */
+  std::unique_ptr<cubeb_mixer, decltype(&cubeb_mixer_destroy)> mixer = { nullptr, cubeb_mixer_destroy };
   /* A buffer for up/down mixing multi-channel audio. */
   std::vector<BYTE> mix_buffer;
   /* WASAPI input works in "packets". We re-linearize the audio packets
@@ -598,7 +559,8 @@ refill(cubeb_stream * stm, void * input_buffer, long input_frames_count,
   XASSERT(out_frames == output_frames_needed || stm->draining || !has_output(stm));
 
   if (has_output(stm) && cubeb_should_mix(&stm->output_stream_params, &stm->output_mix_params)) {
-    stm->mixing->mix(dest, out_frames, output_buffer, &stm->output_stream_params, &stm->output_mix_params);
+    cubeb_mixer_mix(stm->mixer.get(), dest, out_frames, output_buffer,
+                    &stm->output_stream_params, &stm->output_mix_params);
   }
 
   return out_frames;
@@ -660,10 +622,10 @@ bool get_input_buffer(cubeb_stream * stm)
         bool ok = stm->linear_input_buffer->reserve(stm->linear_input_buffer->length() +
                                                    packet_size * stm->input_stream_params.channels);
         XASSERT(ok);
-        stm->mixing->mix(input_packet, packet_size,
-                         stm->linear_input_buffer->end(),
-                         &stm->input_mix_params,
-                         &stm->input_stream_params);
+        cubeb_mixer_mix(stm->mixer.get(), input_packet, packet_size,
+                        stm->linear_input_buffer->end(),
+                        &stm->input_mix_params,
+                        &stm->input_stream_params);
         stm->linear_input_buffer->set_length(stm->linear_input_buffer->length() + packet_size * stm->input_stream_params.channels);
       } else {
         stm->linear_input_buffer->push(input_packet,
@@ -1803,18 +1765,19 @@ wasapi_stream_init(cubeb * context, cubeb_stream ** stream,
     case CUBEB_SAMPLE_S16NE:
       stm->bytes_per_sample = sizeof(short);
       stm->waveformatextensible_sub_format = KSDATAFORMAT_SUBTYPE_PCM;
-      stm->mixing.reset(new mixing_impl<short>(cubeb_downmix_short, cubeb_upmix_short));
       stm->linear_input_buffer.reset(new auto_array_wrapper_impl<short>);
       break;
     case CUBEB_SAMPLE_FLOAT32NE:
       stm->bytes_per_sample = sizeof(float);
       stm->waveformatextensible_sub_format = KSDATAFORMAT_SUBTYPE_IEEE_FLOAT;
-      stm->mixing.reset(new mixing_impl<float>(cubeb_downmix_float, cubeb_upmix_float));
       stm->linear_input_buffer.reset(new auto_array_wrapper_impl<float>);
       break;
     default:
       return CUBEB_ERROR_INVALID_FORMAT;
   }
+  stm->mixer.reset(cubeb_mixer_create(output_stream_params ? output_stream_params->format :
+                                                             input_stream_params->format,
+                                      CUBEB_MIXER_DIRECTION_DOWNMIX | CUBEB_MIXER_DIRECTION_UPMIX));
 
   stm->latency = latency_frames;
 
@@ -1881,8 +1844,6 @@ void close_wasapi_stream(cubeb_stream * stm)
   stm->resampler.reset();
 
   stm->mix_buffer.clear();
-  stm->mixing.reset();
-  stm->linear_input_buffer.reset();
 }
 
 void wasapi_stream_destroy(cubeb_stream * stm)
@@ -1903,6 +1864,11 @@ void wasapi_stream_destroy(cubeb_stream * stm)
   CloseHandle(stm->refill_event);
   CloseHandle(stm->input_available_event);
 
+  // The variables intialized in wasapi_stream_init,
+  // must be destroyed in wasapi_stream_destroy.
+  stm->mixer.reset();
+  stm->linear_input_buffer.reset();
+
   {
     auto_lock lock(stm->stream_reset_lock);
     close_wasapi_stream(stm);
@@ -2027,6 +1993,10 @@ int wasapi_stream_stop(cubeb_stream * stm)
       delete stm->emergency_bailout.load();
       stm->emergency_bailout = nullptr;
     }
+  } else {
+    // If we could not join the thread, put the stream in error.
+    stm->state_callback(stm, stm->user_ptr, CUBEB_STATE_ERROR);
+    return CUBEB_ERROR;
   }
 
   return CUBEB_OK;
diff --git a/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp b/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp
index ca62c420477d..390b3cd6c524 100644
--- a/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp
+++ b/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp
@@ -611,7 +611,8 @@ PeerConnectionImpl::Initialize(PeerConnectionObserver& aObserver,
 
   if (RefPtr<Location> location = mWindow->Location()) {
     nsAutoString locationAStr;
-    location->ToString(locationAStr);
+    res = location->ToString(locationAStr);
+    NS_ENSURE_SUCCESS(res, res);
 
     CopyUTF16toUTF8(locationAStr, locationCStr);
   }
diff --git a/mobile/android/base/resources/layout/customtabs_activity.xml b/mobile/android/base/resources/layout/customtabs_activity.xml
index 3ca92b9a3fce..60656eb81eca 100644
--- a/mobile/android/base/resources/layout/customtabs_activity.xml
+++ b/mobile/android/base/resources/layout/customtabs_activity.xml
@@ -44,6 +44,11 @@
                 android:layout_height="match_parent"
                 android:scrollbars="none"/>
 
+            <org.mozilla.gecko.FormAssistPopup android:id="@+id/form_assist_popup"
+                                               android:layout_width="match_parent"
+                                               android:layout_height="match_parent"
+                                               android:visibility="gone"/>
+
         </RelativeLayout>
 
     </view>
diff --git a/mobile/android/chrome/content/browser.js b/mobile/android/chrome/content/browser.js
index d732f0394b4b..3d24a2041e45 100644
--- a/mobile/android/chrome/content/browser.js
+++ b/mobile/android/chrome/content/browser.js
@@ -4530,14 +4530,7 @@ Tab.prototype = {
   },
 
   _stripAboutReaderURL: function (originalURI) {
-    try {
-      let strippedURL = ReaderMode.getOriginalUrl(originalURI.spec);
-      if(strippedURL){
-        // Continue to create exposable uri if original uri is stripped.
-        originalURI = URIFixup.createExposableURI(Services.io.newURI(strippedURL));
-      }
-    } catch (ex) { }
-    return originalURI;
+    return ReaderMode.getOriginalUrlObjectForDisplay(originalURI.spec) || originalURI;
   },
 
   // Properties used to cache security state used to update the UI
diff --git a/modules/libpref/init/all.js b/modules/libpref/init/all.js
index 6ebdee285e4e..39e8e498c0a3 100644
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@@ -2028,6 +2028,13 @@ pref("network.generic-ntlm-auth.workstation", "WORKSTATION");
 //   2 - allow the cross-origin authentication as well.
 pref("network.auth.subresource-http-auth-allow", 2);
 
+// Sub-resources HTTP-authentication for cross-origin images:
+// true - it is allowed to present http auth. dialog for cross-origin images.
+// false - it is not allowed.
+// If network.auth.subresource-http-auth-allow has values 0 or 1 this pref does not
+// have any effect.
+pref("network.auth.subresource-img-cross-origin-http-auth-allow", true);
+
 // This preference controls whether to allow sending default credentials (SSO) to
 // NTLM/Negotiate servers allowed in the "trusted uri" list when navigating them
 // in a Private Browsing window.
diff --git a/mozglue/linker/ElfLoader.h b/mozglue/linker/ElfLoader.h
index 193476b4eab4..b5263ce017db 100644
--- a/mozglue/linker/ElfLoader.h
+++ b/mozglue/linker/ElfLoader.h
@@ -164,10 +164,10 @@ public:
   bool ReleaseDirectRef()
   {
     const MozRefCountType count = --directRefCnt;
-    mozilla::external::AtomicRefCounted<LibHandle>::Release();
     MOZ_ASSERT(count + 1 > 0);
-    MOZ_ASSERT(count <=
+    MOZ_ASSERT(count + 1 <=
                mozilla::external::AtomicRefCounted<LibHandle>::refCount());
+    mozilla::external::AtomicRefCounted<LibHandle>::Release();
     return !!count;
   }
 
diff --git a/netwerk/base/nsSocketTransport2.cpp b/netwerk/base/nsSocketTransport2.cpp
index 27707abe085b..c86db6dbc3cd 100644
--- a/netwerk/base/nsSocketTransport2.cpp
+++ b/netwerk/base/nsSocketTransport2.cpp
@@ -1046,6 +1046,15 @@ nsSocketTransport::SendStatus(nsresult status)
         switch (status) {
         case NS_NET_STATUS_SENDING_TO:
             progress = mOutput.ByteCount();
+            // If Fast Open is used, we buffer some data in TCPFastOpenLayer,
+            // This data can  be only tls data or application data as well.
+            // socketTransport should send status only if it really has sent
+            // application data. socketTransport cannot query transaction for
+            // that info but it can know if transaction has send data if 
+            // mOutput.ByteCount() is > 0.
+            if (progress == 0) {
+                return;
+            }
             break;
         case NS_NET_STATUS_RECEIVING_FROM:
             progress = mInput.ByteCount();
@@ -1714,7 +1723,8 @@ nsSocketTransport::RecoverFromError()
     bool tryAgain = false;
     if (mFDFastOpenInProgress &&
         ((mCondition == NS_ERROR_CONNECTION_REFUSED) ||
-         (mCondition == NS_ERROR_NET_TIMEOUT))) {
+         (mCondition == NS_ERROR_NET_TIMEOUT) ||
+         (mCondition == NS_ERROR_PROXY_CONNECTION_REFUSED))) {
         // TCP Fast Open can be blocked by middle boxes so we will retry
         // without it.
         tryAgain = true;
diff --git a/netwerk/cookie/nsCookieService.cpp b/netwerk/cookie/nsCookieService.cpp
index 7588097eaf6a..0cd86ec1337d 100644
--- a/netwerk/cookie/nsCookieService.cpp
+++ b/netwerk/cookie/nsCookieService.cpp
@@ -1517,13 +1517,13 @@ nsCookieService::TryInitDB(bool aRecreateDB)
 
   rv = mDefaultDBState->dbConn->CreateAsyncStatement(NS_LITERAL_CSTRING(
     "DELETE FROM moz_cookies "
-    "WHERE name = :name AND host = :host AND path = :path"),
+    "WHERE name = :name AND host = :host AND path = :path AND originAttributes = :originAttributes"),
     getter_AddRefs(mDefaultDBState->stmtDelete));
   NS_ENSURE_SUCCESS(rv, RESULT_RETRY);
 
   rv = mDefaultDBState->dbConn->CreateAsyncStatement(NS_LITERAL_CSTRING(
     "UPDATE moz_cookies SET lastAccessed = :lastAccessed "
-    "WHERE name = :name AND host = :host AND path = :path"),
+    "WHERE name = :name AND host = :host AND path = :path AND originAttributes = :originAttributes"),
     getter_AddRefs(mDefaultDBState->stmtUpdate));
   NS_ENSURE_SUCCESS(rv, RESULT_RETRY);
 
@@ -5004,6 +5004,12 @@ nsCookieService::RemoveCookieFromList(const nsListIter              &aIter,
                                       aIter.Cookie()->Path());
     NS_ASSERT_SUCCESS(rv);
 
+    nsAutoCString suffix;
+    aIter.Cookie()->OriginAttributesRef().CreateSuffix(suffix);
+    rv = params->BindUTF8StringByName(
+      NS_LITERAL_CSTRING("originAttributes"), suffix);
+    NS_ASSERT_SUCCESS(rv);
+
     rv = paramsArray->AddParams(params);
     NS_ASSERT_SUCCESS(rv);
 
@@ -5183,6 +5189,12 @@ nsCookieService::UpdateCookieInList(nsCookie                      *aCookie,
                                       aCookie->Path());
     NS_ASSERT_SUCCESS(rv);
 
+    nsAutoCString suffix;
+    aCookie->OriginAttributesRef().CreateSuffix(suffix);
+    rv = params->BindUTF8StringByName(
+      NS_LITERAL_CSTRING("originAttributes"), suffix);
+    NS_ASSERT_SUCCESS(rv);
+
     // Add our bound parameters to the array.
     rv = aParamsArray->AddParams(params);
     NS_ASSERT_SUCCESS(rv);
diff --git a/netwerk/protocol/http/Http2Session.cpp b/netwerk/protocol/http/Http2Session.cpp
index e1fc3813eed1..c11016291822 100644
--- a/netwerk/protocol/http/Http2Session.cpp
+++ b/netwerk/protocol/http/Http2Session.cpp
@@ -2550,10 +2550,10 @@ Http2Session::ReadSegmentsAgain(nsAHttpSegmentReader *reader,
     *countRead += earlyDataUsed;
   }
 
-  if (mAttemptingEarlyData && !m0RTTStreams.Contains(stream->StreamID())) {
+  if (mAttemptingEarlyData && !m0RTTStreams.Contains(stream)) {
     LOG3(("Http2Session::ReadSegmentsAgain adding stream %d to m0RTTStreams\n",
           stream->StreamID()));
-    m0RTTStreams.AppendElement(stream->StreamID());
+    m0RTTStreams.AppendElement(stream);
   }
 
   // Not every permutation of stream->ReadSegents produces data (and therefore
@@ -3121,9 +3121,8 @@ Http2Session::Finish0RTT(bool aRestart, bool aAlpnChanged)
         aRestart, aAlpnChanged));
 
   for (size_t i = 0; i < m0RTTStreams.Length(); ++i) {
-    Http2Stream *stream = mStreamIDHash.Get(m0RTTStreams[i]);
-    if (stream) {
-      stream->Finish0RTT(aRestart, aAlpnChanged);
+    if (m0RTTStreams[i]) {
+      m0RTTStreams[i]->Finish0RTT(aRestart, aAlpnChanged);
     }
   }
 
@@ -3166,9 +3165,8 @@ Http2Session::SetFastOpenStatus(uint8_t aStatus)
         aStatus, this));
 
   for (size_t i = 0; i < m0RTTStreams.Length(); ++i) {
-    Http2Stream *stream = mStreamIDHash.Get(m0RTTStreams[i]);
-    if (stream) {
-      stream->Transaction()->SetFastOpenStatus(aStatus);
+    if (m0RTTStreams[i]) {
+      m0RTTStreams[i]->Transaction()->SetFastOpenStatus(aStatus);
     }
   }
 }
diff --git a/netwerk/protocol/http/Http2Session.h b/netwerk/protocol/http/Http2Session.h
index b889033ffa7b..80334a6f273f 100644
--- a/netwerk/protocol/http/Http2Session.h
+++ b/netwerk/protocol/http/Http2Session.h
@@ -520,7 +520,7 @@ private:
 
   bool mAttemptingEarlyData;
   // The ID(s) of the stream(s) that we are getting 0RTT data from.
-  nsTArray<uint32_t> m0RTTStreams;
+  nsTArray<WeakPtr<Http2Stream>> m0RTTStreams;
 
   bool RealJoinConnection(const nsACString &hostname, int32_t port, bool jk);
   bool TestOriginFrame(const nsACString &name, int32_t port);
diff --git a/netwerk/protocol/http/Http2Stream.h b/netwerk/protocol/http/Http2Stream.h
index 1ad1fe20c698..4ae6f41a7a6b 100644
--- a/netwerk/protocol/http/Http2Stream.h
+++ b/netwerk/protocol/http/Http2Stream.h
@@ -32,8 +32,10 @@ class Http2Decompressor;
 class Http2Stream
   : public nsAHttpSegmentReader
   , public nsAHttpSegmentWriter
+  , public SupportsWeakPtr<Http2Stream>
 {
 public:
+  MOZ_DECLARE_WEAKREFERENCE_TYPENAME(Http2Stream)
   NS_DECL_NSAHTTPSEGMENTREADER
   NS_DECL_NSAHTTPSEGMENTWRITER
 
diff --git a/netwerk/protocol/http/HttpBaseChannel.cpp b/netwerk/protocol/http/HttpBaseChannel.cpp
index 6c6e0d123578..2f4dac8b952c 100644
--- a/netwerk/protocol/http/HttpBaseChannel.cpp
+++ b/netwerk/protocol/http/HttpBaseChannel.cpp
@@ -3849,7 +3849,7 @@ HttpBaseChannel::GetPerformance()
 
   // There is no point in continuing, since the performance object in the parent
   // isn't the same as the one in the child which will be reporting resource performance.
-  if (XRE_IsParentProcess() && BrowserTabsRemoteAutostart()) {
+  if (XRE_IsE10sParentProcess()) {
     return nullptr;
   }
 
diff --git a/netwerk/protocol/http/nsHttpChannelAuthProvider.cpp b/netwerk/protocol/http/nsHttpChannelAuthProvider.cpp
index 743fda43579c..608b766ea931 100644
--- a/netwerk/protocol/http/nsHttpChannelAuthProvider.cpp
+++ b/netwerk/protocol/http/nsHttpChannelAuthProvider.cpp
@@ -39,10 +39,9 @@ namespace net {
 #define SUBRESOURCE_AUTH_DIALOG_DISALLOW_CROSS_ORIGIN 1
 #define SUBRESOURCE_AUTH_DIALOG_ALLOW_ALL 2
 
-#define HTTP_AUTH_DIALOG_TOP_LEVEL_DOC 0
-#define HTTP_AUTH_DIALOG_SAME_ORIGIN_SUBRESOURCE 1
-#define HTTP_AUTH_DIALOG_CROSS_ORIGIN_SUBRESOURCE 2
-#define HTTP_AUTH_DIALOG_XHR 3
+#define HTTP_AUTH_DIALOG_TOP_LEVEL_DOC 29
+#define HTTP_AUTH_DIALOG_SAME_ORIGIN_SUBRESOURCE 30
+#define HTTP_AUTH_DIALOG_SAME_ORIGIN_XHR 31
 
 #define HTTP_AUTH_BASIC_INSECURE 0
 #define HTTP_AUTH_BASIC_SECURE 1
@@ -53,6 +52,9 @@ namespace net {
 #define HTTP_AUTH_NEGOTIATE_INSECURE 6
 #define HTTP_AUTH_NEGOTIATE_SECURE 7
 
+#define MAX_DISPLAYED_USER_LENGTH 64
+#define MAX_DISPLAYED_HOST_LENGTH 64
+
 static void
 GetOriginAttributesSuffix(nsIChannel* aChan, nsACString &aSuffix)
 {
@@ -92,6 +94,8 @@ nsHttpChannelAuthProvider::~nsHttpChannelAuthProvider()
 uint32_t nsHttpChannelAuthProvider::sAuthAllowPref =
     SUBRESOURCE_AUTH_DIALOG_ALLOW_ALL;
 
+bool nsHttpChannelAuthProvider::sImgCrossOriginAuthAllowPref = true;
+
 void
 nsHttpChannelAuthProvider::InitializePrefs()
 {
@@ -99,6 +103,9 @@ nsHttpChannelAuthProvider::InitializePrefs()
   mozilla::Preferences::AddUintVarCache(&sAuthAllowPref,
                                         "network.auth.subresource-http-auth-allow",
                                         SUBRESOURCE_AUTH_DIALOG_ALLOW_ALL);
+  mozilla::Preferences::AddBoolVarCache(&sImgCrossOriginAuthAllowPref,
+                                        "network.auth.subresource-img-cross-origin-http-auth-allow",
+                                        true);
 }
 
 NS_IMETHODIMP
@@ -909,8 +916,8 @@ nsHttpChannelAuthProvider::GetCredentialsForChallenge(const char *challenge,
             // BlockPrompt will set mCrossOrigin parameter as well.
             if (BlockPrompt()) {
                 LOG(("nsHttpChannelAuthProvider::GetCredentialsForChallenge: "
-                     "Prompt is blocked [this=%p pref=%d]\n",
-                      this, sAuthAllowPref));
+                     "Prompt is blocked [this=%p pref=%d img-pref=%d]\n",
+                      this, sAuthAllowPref, sImgCrossOriginAuthAllowPref));
                 return NS_ERROR_ABORT;
             }
 
@@ -1011,17 +1018,19 @@ nsHttpChannelAuthProvider::BlockPrompt()
 
     if (gHttpHandler->IsTelemetryEnabled()) {
         if (topDoc) {
-            Telemetry::Accumulate(Telemetry::HTTP_AUTH_DIALOG_STATS,
+            Telemetry::Accumulate(Telemetry::HTTP_AUTH_DIALOG_STATS_2,
                                   HTTP_AUTH_DIALOG_TOP_LEVEL_DOC);
-        } else if (xhr) {
-            Telemetry::Accumulate(Telemetry::HTTP_AUTH_DIALOG_STATS,
-                                  HTTP_AUTH_DIALOG_XHR);
         } else if (!mCrossOrigin) {
-            Telemetry::Accumulate(Telemetry::HTTP_AUTH_DIALOG_STATS,
-                                  HTTP_AUTH_DIALOG_SAME_ORIGIN_SUBRESOURCE);
+            if (xhr) {
+                Telemetry::Accumulate(Telemetry::HTTP_AUTH_DIALOG_STATS_2,
+                                      HTTP_AUTH_DIALOG_SAME_ORIGIN_XHR);
+            } else {
+                Telemetry::Accumulate(Telemetry::HTTP_AUTH_DIALOG_STATS_2,
+                                      HTTP_AUTH_DIALOG_SAME_ORIGIN_SUBRESOURCE);
+            }
         } else {
-            Telemetry::Accumulate(Telemetry::HTTP_AUTH_DIALOG_STATS,
-                                  HTTP_AUTH_DIALOG_CROSS_ORIGIN_SUBRESOURCE);
+            Telemetry::Accumulate(Telemetry::HTTP_AUTH_DIALOG_STATS_2,
+                                  loadInfo->GetExternalContentPolicyType());
         }
     }
 
@@ -1035,7 +1044,16 @@ nsHttpChannelAuthProvider::BlockPrompt()
         // the sub-resources only if they are not cross-origin.
         return !topDoc && !xhr && mCrossOrigin;
     case SUBRESOURCE_AUTH_DIALOG_ALLOW_ALL:
-        // Allow the http-authentication dialog.
+        // Allow the http-authentication dialog for subresources.
+        // If pref network.auth.subresource-img-cross-origin-http-auth-allow
+        // is set, http-authentication dialog for image subresources is
+        // blocked.
+        if (!sImgCrossOriginAuthAllowPref &&
+            loadInfo &&
+            ((loadInfo->GetExternalContentPolicyType() == nsIContentPolicy::TYPE_IMAGE) ||
+             (loadInfo->GetExternalContentPolicyType() == nsIContentPolicy::TYPE_IMAGESET))) {
+            return true;
+        }
         return false;
     default:
         // This is an invalid value.
@@ -1543,6 +1561,33 @@ nsHttpChannelAuthProvider::ConfirmAuth(const nsString &bundleKey,
         return true;
 
     NS_ConvertUTF8toUTF16 ucsHost(host), ucsUser(user);
+
+    size_t userLength = ucsUser.Length();
+    if (userLength > MAX_DISPLAYED_USER_LENGTH) {
+      size_t desiredLength = MAX_DISPLAYED_USER_LENGTH;
+      // Don't cut off right before a low surrogate. Just include it.
+      if (NS_IS_LOW_SURROGATE(ucsUser[desiredLength])) {
+        desiredLength++;
+      }
+      ucsUser.Replace(desiredLength, userLength - desiredLength,
+                      nsContentUtils::GetLocalizedEllipsis());
+    }
+
+    size_t hostLen = ucsHost.Length();
+    if (hostLen > MAX_DISPLAYED_HOST_LENGTH) {
+      size_t cutPoint = hostLen - MAX_DISPLAYED_HOST_LENGTH;
+      // Likewise, don't cut off right before a low surrogate here.
+      // Keep the low surrogate
+      if (NS_IS_LOW_SURROGATE(ucsHost[cutPoint])) {
+        cutPoint--;
+      }
+      // It's possible cutPoint was 1 and is now 0. Only insert the ellipsis
+      // if we're actually removing anything.
+      if (cutPoint > 0) {
+        ucsHost.Replace(0, cutPoint, nsContentUtils::GetLocalizedEllipsis());
+      }
+    }
+
     const char16_t *strs[2] = { ucsHost.get(), ucsUser.get() };
 
     nsXPIDLString msg;
diff --git a/netwerk/protocol/http/nsHttpChannelAuthProvider.h b/netwerk/protocol/http/nsHttpChannelAuthProvider.h
index 925746724841..34546a0818af 100644
--- a/netwerk/protocol/http/nsHttpChannelAuthProvider.h
+++ b/netwerk/protocol/http/nsHttpChannelAuthProvider.h
@@ -186,6 +186,7 @@ private:
     // authentication credentials dialogs for sub-resources and cross-origin
     // sub-resources.
     static uint32_t                   sAuthAllowPref;
+    static bool                       sImgCrossOriginAuthAllowPref;
     nsCOMPtr<nsICancelable>           mGenerateCredentialsCancelable;
 };
 
diff --git a/netwerk/protocol/http/nsHttpConnection.cpp b/netwerk/protocol/http/nsHttpConnection.cpp
index 6a26785bd462..702f605e5364 100644
--- a/netwerk/protocol/http/nsHttpConnection.cpp
+++ b/netwerk/protocol/http/nsHttpConnection.cpp
@@ -2347,11 +2347,13 @@ nsHttpConnection::CloseConnectionFastOpenTakesTooLongOrError(bool aCloseSocketTr
 
     mFastOpenStatus = TFO_FAILED;
     RefPtr<nsAHttpTransaction> trans;
+
+    DontReuse();
+
     if (mUsingSpdyVersion) {
         // If we have a http2 connection just restart it as if 0rtt failed.
-        // For http2 we do not nee to do similar thing as for http1 because
+        // For http2 we do not need to do similar thing as for http1 because
         // backup connection will pick immediately all this transaction anyway.
-        DontReuse();
         mUsingSpdyVersion = 0;
         if (mSpdySession) {
             mTransaction->SetFastOpenStatus(TFO_FAILED);
diff --git a/netwerk/protocol/http/nsHttpConnectionMgr.cpp b/netwerk/protocol/http/nsHttpConnectionMgr.cpp
index af7cc204c5b9..1e9dab819291 100644
--- a/netwerk/protocol/http/nsHttpConnectionMgr.cpp
+++ b/netwerk/protocol/http/nsHttpConnectionMgr.cpp
@@ -3445,7 +3445,6 @@ nsHalfOpenSocket::OnOutputStreamReady(nsIAsyncOutputStream *out)
         // listens for  OnOutputStreamReady not HalfOpenSocket. So this stream
         // cannot be mStreamOut.
         MOZ_ASSERT(out == mBackupStreamOut);
-        MOZ_ASSERT(mTransaction->IsNullTransaction());
         // Here the backup, non-TFO connection has connected successfully,
         // before the TFO connection.
         //
@@ -3536,6 +3535,10 @@ nsHalfOpenSocket::StartFastOpen()
     MOZ_ASSERT(mStreamOut);
     MOZ_ASSERT(mEnt && !mBackupTransport);
     mUsingFastOpen = true;
+    // SetupBackupTimer should setup timer which will hold a ref to this
+    // halfOpen. It will failed only if it cannot create timer. Anyway just
+    // to be sure I will add this deleteProtector!!!
+    RefPtr<nsHalfOpenSocket> deleteProtector(this);
     if (mEnt && !mBackupTransport && !mSynTimer) {
         // For Fast Open we will setup backup timer also for NullTransaction.
         // So maybe it is not set and we need to set it here.
@@ -3822,9 +3825,6 @@ nsHalfOpenSocket::SetupConn(nsIAsyncOutputStream *out,
         }
     }
     if (aFastOpen) {
-        // If it is fast open create a new tranaction for backup stream.
-        mTransaction = new NullHttpTransaction(mEnt->mConnInfo,
-                                               callbacks, mCaps);
         mConnectionNegotiatingFastOpen = conn;
     }
 
diff --git a/python/mozbuild/mozbuild/mozconfig_loader b/python/mozbuild/mozbuild/mozconfig_loader
index 6b1e05dce396..dc11d9c6363c 100755
--- a/python/mozbuild/mozbuild/mozconfig_loader
+++ b/python/mozbuild/mozbuild/mozconfig_loader
@@ -10,49 +10,46 @@
 set -e
 
 ac_add_options() {
-  local opt
-  for opt; do
-    case "$opt" in
+  for _mozconfig_opt; do
+    case "$_mozconfig_opt" in
     --target=*)
       echo "------BEGIN_MK_OPTION"
-      echo $opt | sed s/--target/CONFIG_GUESS/
+      echo $_mozconfig_opt | sed s/--target/CONFIG_GUESS/
       echo "------END_MK_OPTION"
       ;;
     esac
     echo "------BEGIN_AC_OPTION"
-    echo $opt
+    echo $_mozconfig_opt
     echo "------END_AC_OPTION"
   done
 }
 
 ac_add_app_options() {
-  local app
-  app=$1
+  _mozconfig_app=$1
   shift
   echo "------BEGIN_AC_APP_OPTION"
-  echo $app
+  echo $_mozconfig_app
   echo "$*"
   echo "------END_AC_APP_OPTION"
 }
 
 mk_add_options() {
-  local opt name op value
-  for opt; do
+  for _mozconfig_opt; do
     echo "------BEGIN_MK_OPTION"
-    echo $opt
+    echo $_mozconfig_opt
     # Remove any leading "export"
-    opt=${opt#export}
-    case "$opt" in
-    *\?=*) op="?=" ;;
-    *:=*) op=":=" ;;
-    *+=*) op="+=" ;;
-    *=*) op="=" ;;
+    opt=${_mozconfig_opt#export}
+    case "$_mozconfig_opt" in
+    *\?=*) _mozconfig_op="?=" ;;
+    *:=*) _mozconfig_op=":=" ;;
+    *+=*) _mozconfig_op="+=" ;;
+    *=*) _mozconfig_op="=" ;;
     esac
     # Remove the operator and the value that follows
-    name=${opt%%${op}*}
-    # Note: $(echo ${name}) strips the variable from any leading and trailing
+    _mozconfig_name=${_mozconfig_opt%%${_mozconfig_op}*}
+    # Note: $(echo ${_mozconfig_name}) strips the variable from any leading and trailing
     # whitespaces.
-    eval "$(echo ${name})_IS_SET=1"
+    eval "$(echo ${_mozconfig_name})_IS_SET=1"
     echo "------END_MK_OPTION"
   done
 }
diff --git a/taskcluster/ci/build/android.yml b/taskcluster/ci/build/android.yml
index e4b2d3662fd9..3801d4e0185b 100644
--- a/taskcluster/ci/build/android.yml
+++ b/taskcluster/ci/build/android.yml
@@ -88,7 +88,7 @@ android-api-15/opt:
         max-run-time: 7200
     run:
         using: mozharness
-        actions: [get-secrets build generate-build-stats multi-l10n update]
+        actions: [get-secrets build generate-build-stats multi-l10n generate-balrog-properties update]
         config:
             - builds/releng_base_android_64_builds.py
             - disable_signing.py
diff --git a/taskcluster/ci/test/test-sets.yml b/taskcluster/ci/test/test-sets.yml
index 8f8c1dcd8888..d50c0e550811 100644
--- a/taskcluster/ci/test/test-sets.yml
+++ b/taskcluster/ci/test/test-sets.yml
@@ -192,6 +192,7 @@ macosx64-tests-talos:
     - talos-other
     - talos-svgr
     - talos-tp5o
+    - talos-perf-reftest
 
 linux32-tests:
     - cppunit
diff --git a/taskcluster/ci/test/tests.yml b/taskcluster/ci/test/tests.yml
index bf1d31662cca..42ec9a1b1dac 100644
--- a/taskcluster/ci/test/tests.yml
+++ b/taskcluster/ci/test/tests.yml
@@ -1169,6 +1169,18 @@ talos-chrome:
             linux64-stylo/.*: ['mozilla-central', 'try']
             default: ['mozilla-beta', 'mozilla-aurora', 'mozilla-central', 'mozilla-inbound', 'autoland', 'try']
     max-run-time: 3600
+    e10s:
+        # Bug 1358562 - remove non-e10s linux64-stylo talos job
+        by-test-platform:
+            linux64-stylo/opt:
+                by-project:
+                    mozilla-beta: false
+                    mozilla-aurora: false
+                    mozilla-central: true
+                    mozilla-inbound: false
+                    autoland: false
+                    try: true
+            default: both
     mozharness:
         script: talos_script.py
         no-read-buildbot-config: true
@@ -1195,6 +1207,18 @@ talos-dromaeojs:
             linux64-stylo/.*: ['mozilla-central', 'try']
             default: ['mozilla-beta', 'mozilla-aurora', 'mozilla-central', 'mozilla-inbound', 'autoland', 'try']
     max-run-time: 3600
+    e10s:
+        # Bug 1358562 - remove non-e10s linux64-stylo talos job
+        by-test-platform:
+            linux64-stylo/opt:
+                by-project:
+                    mozilla-beta: false
+                    mozilla-aurora: false
+                    mozilla-central: true
+                    mozilla-inbound: false
+                    autoland: false
+                    try: true
+            default: both
     mozharness:
         script: talos_script.py
         no-read-buildbot-config: true
@@ -1221,6 +1245,18 @@ talos-g1:
             linux64-stylo/.*: ['mozilla-central', 'try']
             default: ['mozilla-beta', 'mozilla-aurora', 'mozilla-central', 'mozilla-inbound', 'autoland', 'try'] 
     max-run-time: 3600
+    e10s:
+        # Bug 1358562 - remove non-e10s linux64-stylo talos job
+        by-test-platform:
+            linux64-stylo/opt:
+                by-project:
+                    mozilla-beta: false
+                    mozilla-aurora: false
+                    mozilla-central: true
+                    mozilla-inbound: false
+                    autoland: false
+                    try: true
+            default: both
     mozharness:
         script: talos_script.py
         no-read-buildbot-config: true
@@ -1247,6 +1283,18 @@ talos-g2:
         by-test-platform:
             linux64-stylo/.*: ['mozilla-central', 'try']
             default: ['mozilla-beta', 'mozilla-aurora', 'mozilla-central', 'mozilla-inbound', 'autoland', 'try'] 
+    e10s:
+        # Bug 1358562 - remove non-e10s linux64-stylo talos job
+        by-test-platform:
+            linux64-stylo/opt:
+                by-project:
+                    mozilla-beta: false
+                    mozilla-aurora: false
+                    mozilla-central: true
+                    mozilla-inbound: false
+                    autoland: false
+                    try: true
+            default: both
     mozharness:
         script: talos_script.py
         no-read-buildbot-config: true
@@ -1273,6 +1321,18 @@ talos-g3:
             linux64-stylo/.*: ['mozilla-central', 'try']
             default: ['mozilla-beta', 'mozilla-aurora', 'mozilla-central', 'mozilla-inbound', 'autoland', 'try'] 
     max-run-time: 3600
+    e10s:
+        # Bug 1358562 - remove non-e10s linux64-stylo talos job
+        by-test-platform:
+            linux64-stylo/opt:
+                by-project:
+                    mozilla-beta: false
+                    mozilla-aurora: false
+                    mozilla-central: true
+                    mozilla-inbound: false
+                    autoland: false
+                    try: true
+            default: both
     mozharness:
         script: talos_script.py
         no-read-buildbot-config: true
@@ -1299,6 +1359,18 @@ talos-g4:
             linux64-stylo/.*: ['mozilla-central', 'try']
             default: ['mozilla-beta', 'mozilla-aurora', 'mozilla-central', 'mozilla-inbound', 'autoland', 'try'] 
     max-run-time: 3600
+    e10s:
+        # Bug 1358562 - remove non-e10s linux64-stylo talos job
+        by-test-platform:
+            linux64-stylo/opt:
+                by-project:
+                    mozilla-beta: false
+                    mozilla-aurora: false
+                    mozilla-central: true
+                    mozilla-inbound: false
+                    autoland: false
+                    try: true
+            default: both
     mozharness:
         script: talos_script.py
         no-read-buildbot-config: true
@@ -1325,6 +1397,18 @@ talos-other:
             linux64-stylo/.*: ['mozilla-central', 'try']
             default: ['mozilla-beta', 'mozilla-aurora', 'mozilla-central', 'mozilla-inbound', 'autoland', 'try'] 
     max-run-time: 3600
+    e10s:
+        # Bug 1358562 - remove non-e10s linux64-stylo talos job
+        by-test-platform:
+            linux64-stylo/opt:
+                by-project:
+                    mozilla-beta: false
+                    mozilla-aurora: false
+                    mozilla-central: true
+                    mozilla-inbound: false
+                    autoland: false
+                    try: true
+            default: both
     mozharness:
         script: talos_script.py
         no-read-buildbot-config: true
@@ -1351,6 +1435,18 @@ talos-perf-reftest:
             linux64-stylo/.*: ['mozilla-central', 'try']
             default: ['mozilla-central', 'mozilla-inbound', 'autoland', 'try']
     max-run-time: 3600
+    e10s:
+        # Bug 1358562 - remove non-e10s linux64-stylo talos job
+        by-test-platform:
+            linux64-stylo/opt:
+                by-project:
+                    mozilla-beta: false
+                    mozilla-aurora: false
+                    mozilla-central: true
+                    mozilla-inbound: false
+                    autoland: false
+                    try: true
+            default: both
     mozharness:
         script: talos_script.py
         no-read-buildbot-config: true
@@ -1372,6 +1468,18 @@ talos-svgr:
             linux64-stylo/.*: ['mozilla-central', 'try']
             default: ['mozilla-beta', 'mozilla-aurora', 'mozilla-central', 'mozilla-inbound', 'autoland', 'try']
     max-run-time: 3600
+    e10s:
+        # Bug 1358562 - remove non-e10s linux64-stylo talos job
+        by-test-platform:
+            linux64-stylo/opt:
+                by-project:
+                    mozilla-beta: false
+                    mozilla-aurora: false
+                    mozilla-central: true
+                    mozilla-inbound: false
+                    autoland: false
+                    try: true
+            default: both
     mozharness:
         script: talos_script.py
         no-read-buildbot-config: true
@@ -1398,6 +1506,18 @@ talos-tp5o:
             linux64-stylo/.*: ['mozilla-central', 'try']
             default: ['mozilla-beta', 'mozilla-aurora', 'mozilla-central', 'mozilla-inbound', 'autoland', 'try']
     max-run-time: 3600
+    e10s:
+        # Bug 1358562 - remove non-e10s linux64-stylo talos job
+        by-test-platform:
+            linux64-stylo/opt:
+                by-project:
+                    mozilla-beta: false
+                    mozilla-aurora: false
+                    mozilla-central: true
+                    mozilla-inbound: false
+                    autoland: false
+                    try: true
+            default: both
     mozharness:
         script: talos_script.py
         no-read-buildbot-config: true
diff --git a/taskcluster/taskgraph/test/test_optimize.py b/taskcluster/taskgraph/test/test_optimize.py
index 2874c1e03c90..f3e69a7ef0f3 100644
--- a/taskcluster/taskgraph/test/test_optimize.py
+++ b/taskcluster/taskgraph/test/test_optimize.py
@@ -106,14 +106,6 @@ class TestOptimize(unittest.TestCase):
             task3=(False, None)
         )
 
-    def test_annotate_task_graph_taskid_without_optimize(self):
-        "raises exception if kind returns a taskid without optimizing"
-        graph = self.make_graph(self.make_task('task1', ['false-with-taskid']))
-        self.assertRaises(
-            Exception,
-            lambda: annotate_task_graph(graph, {}, set(), graph.graph.named_links_dict(), {}, None)
-        )
-
     def test_annotate_task_graph_optimize_away_dependency(self):
         "raises exception if kind optimizes away a task on which another depends"
         graph = self.make_graph(
diff --git a/testing/mozharness/configs/builds/releng_base_linux_32_builds.py b/testing/mozharness/configs/builds/releng_base_linux_32_builds.py
index c54c6ce17079..f4245938a7c9 100644
--- a/testing/mozharness/configs/builds/releng_base_linux_32_builds.py
+++ b/testing/mozharness/configs/builds/releng_base_linux_32_builds.py
@@ -19,7 +19,8 @@ config = {
         'upload-files',
         'sendchange',
         'check-test',
-        'update',  # decided by query_is_nightly()
+        'generate-balrog-properties',
+        # 'update',  # decided by query_is_nightly()
     ],
     "buildbot_json_path": "buildprops.json",
     'exes': {
diff --git a/testing/mozharness/configs/builds/releng_base_linux_64_builds.py b/testing/mozharness/configs/builds/releng_base_linux_64_builds.py
index faa8c515f27e..7f4470f6e7aa 100644
--- a/testing/mozharness/configs/builds/releng_base_linux_64_builds.py
+++ b/testing/mozharness/configs/builds/releng_base_linux_64_builds.py
@@ -18,7 +18,8 @@ config = {
         'upload-files',
         'sendchange',
         'check-test',
-        'update',  # decided by query_is_nightly()
+        'generate-balrog-properties',
+        # 'update',  # decided by query_is_nightly()
     ],
     "buildbot_json_path": "buildprops.json",
     'exes': {
diff --git a/testing/mozharness/configs/builds/releng_base_mac_64_builds.py b/testing/mozharness/configs/builds/releng_base_mac_64_builds.py
index 6309d1e54e48..d0444e8d8a13 100644
--- a/testing/mozharness/configs/builds/releng_base_mac_64_builds.py
+++ b/testing/mozharness/configs/builds/releng_base_mac_64_builds.py
@@ -15,7 +15,8 @@ config = {
         'upload-files',
         'sendchange',
         'check-test',
-        'update',  # decided by query_is_nightly()
+        'generate-balrog-properties',
+        # 'update',  # decided by query_is_nightly()
     ],
     "buildbot_json_path": "buildprops.json",
     'exes': {
diff --git a/testing/mozharness/configs/builds/releng_base_mac_64_cross_builds.py b/testing/mozharness/configs/builds/releng_base_mac_64_cross_builds.py
index 2adf4646eb07..ddf896990356 100644
--- a/testing/mozharness/configs/builds/releng_base_mac_64_cross_builds.py
+++ b/testing/mozharness/configs/builds/releng_base_mac_64_cross_builds.py
@@ -12,7 +12,8 @@ config = {
         'checkout-sources',
         'build',
         'generate-build-stats',
-        'update',  # decided by query_is_nightly()
+        'generate-balrog-properties',
+        # 'update',  # decided by query_is_nightly()
     ],
     "buildbot_json_path": "buildprops.json",
     'exes': {
diff --git a/testing/mozharness/configs/builds/releng_base_windows_32_builds.py b/testing/mozharness/configs/builds/releng_base_windows_32_builds.py
index ab56666f6a81..a0ac5ffb1a43 100644
--- a/testing/mozharness/configs/builds/releng_base_windows_32_builds.py
+++ b/testing/mozharness/configs/builds/releng_base_windows_32_builds.py
@@ -19,7 +19,8 @@ config = {
         'upload-files',
         'sendchange',
         'check-test',
-        'update',  # decided by query_is_nightly()
+        'generate-balrog-properties',
+        # 'update',  # decided by query_is_nightly()
     ],
     "buildbot_json_path": "buildprops.json",
     'exes': {
diff --git a/testing/mozharness/configs/builds/releng_base_windows_64_builds.py b/testing/mozharness/configs/builds/releng_base_windows_64_builds.py
index 47d0fc1d4de9..dd2447d1b3be 100644
--- a/testing/mozharness/configs/builds/releng_base_windows_64_builds.py
+++ b/testing/mozharness/configs/builds/releng_base_windows_64_builds.py
@@ -19,7 +19,8 @@ config = {
         'upload-files',
         'sendchange',
         'check-test',
-        'update',  # decided by query_is_nightly()
+        'generate-balrog-properties',
+        # 'update',  # decided by query_is_nightly()
     ],
     "buildbot_json_path": "buildprops.json",
     'exes': {
diff --git a/testing/mozharness/mozharness/mozilla/building/buildbase.py b/testing/mozharness/mozharness/mozilla/building/buildbase.py
index 27022485af66..19cbd501c5e9 100755
--- a/testing/mozharness/mozharness/mozilla/building/buildbase.py
+++ b/testing/mozharness/mozharness/mozilla/building/buildbase.py
@@ -2153,6 +2153,24 @@ or run without that action (ie: --no-{action})"
             self.fatal('type: "%s" is unknown for sendchange type. valid '
                        'strings are "unittest" or "talos"' % test_type)
 
+    def generate_balrog_properties(self):
+        """Generate and upload balrog properties file, if appropriate.
+
+        Wrapper around generate_balrog_props
+        """
+        # generate balrog props as artifacts
+        if not self.config.get('taskcluster_nightly'):
+            return
+
+        # grab any props available from this or previous unclobbered runs
+        self.generate_build_props(console_output=False,
+                                  halt_on_failure=False)
+
+        env = self.query_mach_build_env(multiLocale=False)
+        props_path = os.path.join(env["UPLOAD_PATH"],
+                                  'balrog_props.json')
+        self.generate_balrog_props(props_path)
+
     def update(self):
         """ submit balrog update steps. """
         if self.config.get('forced_artifact_build'):
@@ -2166,14 +2184,6 @@ or run without that action (ie: --no-{action})"
         self.generate_build_props(console_output=False,
                                   halt_on_failure=False)
 
-        # generate balrog props as artifacts
-        if self.config.get('taskcluster_nightly'):
-            env = self.query_mach_build_env(multiLocale=False)
-            props_path = os.path.join(env["UPLOAD_PATH"],
-                    'balrog_props.json')
-            self.generate_balrog_props(props_path)
-            return
-
         if self.config.get('skip_balrog_uploads'):
             self.info("Funsize will submit to balrog, skipping submission here.")
             return
diff --git a/testing/mozharness/scripts/fx_desktop_build.py b/testing/mozharness/scripts/fx_desktop_build.py
index 617d963e0a57..9961292d577a 100755
--- a/testing/mozharness/scripts/fx_desktop_build.py
+++ b/testing/mozharness/scripts/fx_desktop_build.py
@@ -47,6 +47,7 @@ class FxDesktopBuild(BuildScript, TryToolsMixin, object):
                 'package-source',
                 'generate-source-signing-manifest',
                 'multi-l10n',
+                'generate-balrog-properties',
                 'update',
             ],
             'require_config_file': True,
diff --git a/toolkit/components/reader/ReaderMode.jsm b/toolkit/components/reader/ReaderMode.jsm
index b659807a7252..c3f00bc39f91 100644
--- a/toolkit/components/reader/ReaderMode.jsm
+++ b/toolkit/components/reader/ReaderMode.jsm
@@ -166,6 +166,24 @@ this.ReaderMode = {
     return originalUrl;
   },
 
+  getOriginalUrlObjectForDisplay(url) {
+    let originalUrl = this.getOriginalUrl(url);
+    if (originalUrl) {
+      let uriObj;
+      try {
+        uriObj = Services.uriFixup.createFixupURI(originalUrl, Services.uriFixup.FIXUP_FLAG_NONE);
+      } catch (ex) {
+        return null;
+      }
+      try {
+        return Services.uriFixup.createExposableURI(uriObj);
+      } catch (ex) {
+        return null;
+      }
+    }
+    return null;
+  },
+
   /**
    * Decides whether or not a document is reader-able without parsing the whole thing.
    *
@@ -208,14 +226,12 @@ this.ReaderMode = {
    * @resolves JS object representing the article, or null if no article is found.
    */
   parseDocument: Task.async(function* (doc) {
-    let documentURI = Services.io.newURI(doc.documentURI);
-    let baseURI = Services.io.newURI(doc.baseURI);
-    if (!this._shouldCheckUri(documentURI) || !this._shouldCheckUri(baseURI, true)) {
+    if (!this._shouldCheckUri(doc.documentURIObject) || !this._shouldCheckUri(doc.baseURIObject, true)) {
       this.log("Reader mode disabled for URI");
       return null;
     }
 
-    return yield this._readerParse(baseURI, doc);
+    return yield this._readerParse(doc);
   }),
 
   /**
@@ -227,13 +243,12 @@ this.ReaderMode = {
    */
   downloadAndParseDocument: Task.async(function* (url) {
     let doc = yield this._downloadDocument(url);
-    let uri = Services.io.newURI(doc.baseURI);
-    if (!this._shouldCheckUri(uri, true)) {
+    if (!this._shouldCheckUri(doc.documentURIObject) || !this._shouldCheckUri(doc.baseURIObject, true)) {
       this.log("Reader mode disabled for URI");
       return null;
     }
 
-    return yield this._readerParse(uri, doc);
+    return yield this._readerParse(doc);
   }),
 
   _downloadDocument(url) {
@@ -416,28 +431,27 @@ this.ReaderMode = {
    * Attempts to parse a document into an article. Heavy lifting happens
    * in readerWorker.js.
    *
-   * @param uri The base URI of the article.
    * @param doc The document to parse.
    * @return {Promise}
    * @resolves JS object representing the article, or null if no article is found.
    */
-  _readerParse: Task.async(function* (uri, doc) {
+  _readerParse: Task.async(function* (doc) {
     let histogram = Services.telemetry.getHistogramById("READER_MODE_PARSE_RESULT");
     if (this.parseNodeLimit) {
       let numTags = doc.getElementsByTagName("*").length;
       if (numTags > this.parseNodeLimit) {
-        this.log("Aborting parse for " + uri.spec + "; " + numTags + " elements found");
+        this.log("Aborting parse for " + doc.baseURIObject.spec + "; " + numTags + " elements found");
         histogram.add(PARSE_ERROR_TOO_MANY_ELEMENTS);
         return null;
       }
     }
 
     let uriParam = {
-      spec: uri.spec,
-      host: uri.host,
-      prePath: uri.prePath,
-      scheme: uri.scheme,
-      pathBase: Services.io.newURI(".", null, uri).spec
+      spec: doc.baseURIObject.spec,
+      host: doc.baseURIObject.host,
+      prePath: doc.baseURIObject.prePath,
+      scheme: doc.baseURIObject.scheme,
+      pathBase: Services.io.newURI(".", null, doc.baseURIObject).spec
     };
 
     let serializer = Cc["@mozilla.org/xmlextras/xmlserializer;1"].
@@ -458,8 +472,10 @@ this.ReaderMode = {
       return null;
     }
 
-    // Readability returns a URI object, but we only care about the URL.
-    article.url = article.uri.spec;
+    // Readability returns a URI object based on the baseURI, but we only care
+    // about the original document's URL from now on. This also avoids spoofing
+    // attempts where the baseURI doesn't match the domain of the documentURI
+    article.url = doc.documentURI;
     delete article.uri;
 
     let flags = Ci.nsIDocumentEncoder.OutputSelectionOnly | Ci.nsIDocumentEncoder.OutputAbsoluteLinks;
diff --git a/toolkit/components/startup/tests/browser/browser.ini b/toolkit/components/startup/tests/browser/browser.ini
index 0c02f73b6882..7131de66077f 100644
--- a/toolkit/components/startup/tests/browser/browser.ini
+++ b/toolkit/components/startup/tests/browser/browser.ini
@@ -4,5 +4,6 @@ support-files =
   beforeunload.html
 
 [browser_bug511456.js]
+skip-if = os == "linux" && !e10s # Bug 1334729
 [browser_bug537449.js]
 [browser_crash_detection.js]
diff --git a/toolkit/components/telemetry/Histograms.json b/toolkit/components/telemetry/Histograms.json
index 5c369c67660b..8f9bc9613b50 100644
--- a/toolkit/components/telemetry/Histograms.json
+++ b/toolkit/components/telemetry/Histograms.json
@@ -2112,11 +2112,13 @@
     "n_values": 4,
     "description": "Whether we raced network with the cache. (0=network & no racing, 1=cache & no racing, 2=network & raced, 3=cache & raced)"
   },
-  "HTTP_AUTH_DIALOG_STATS": {
-    "expires_in_version": "never",
+  "HTTP_AUTH_DIALOG_STATS_2": {
+    "expires_in_version": "61",
+    "alert_emails": ["necko@mozilla.com"],
+    "bug_numbers": [1357835],
     "kind": "enumerated",
-    "n_values": 4,
-    "description": "Stats about what kind of resource requested http authentication. (0=top-level doc, 1=same origin subresources, 2=cross-origin subresources, 3=xhr)"
+    "n_values": 32,
+    "description": "Stats about what kind of resource requested http authentication. (29=top-level doc, 30=same origin subresources, 31=same origin xhr, (nsIContentPolicy type)=cross-origin subresources per nsIContentPolicy type)"
   },
   "HTTP_AUTH_TYPE_STATS": {
     "alert_emails": ["rbarnes@mozilla.com"],
diff --git a/toolkit/components/telemetry/docs/collection/events.rst b/toolkit/components/telemetry/docs/collection/events.rst
index 3c7b6b096ec0..9554d801a72f 100644
--- a/toolkit/components/telemetry/docs/collection/events.rst
+++ b/toolkit/components/telemetry/docs/collection/events.rst
@@ -43,7 +43,7 @@ Where the individual fields are:
 - ``method``: ``String``, identifier. This describes the type of event that occured, e.g. ``click``, ``keydown`` or ``focus``.
 - ``object``: ``String``, identifier. This is the object the event occured on, e.g. ``reload_button`` or ``urlbar``.
 - ``value``: ``String``, optional, may be ``null``. This is a user defined value, providing context for the event.
-- ``extra``: ``Object``, optional, may be ``null``. This is an object of the form ``{"key": "value", ...}``, used for events where additional context is needed.
+- ``extra``: ``Object``, optional, may be ``null``. This is an object of the form ``{"key": "value", ...}``, both keys and values need to be strings. This is used for events where additional richer context is needed.
 
 .. _eventlimits:
 
diff --git a/toolkit/components/telemetry/histogram-whitelists.json b/toolkit/components/telemetry/histogram-whitelists.json
index 3a665408b6cb..3b25c2275573 100644
--- a/toolkit/components/telemetry/histogram-whitelists.json
+++ b/toolkit/components/telemetry/histogram-whitelists.json
@@ -286,7 +286,6 @@
     "HTTPCONNMGR_TOTAL_SPECULATIVE_CONN",
     "HTTPCONNMGR_UNUSED_SPECULATIVE_CONN",
     "HTTPCONNMGR_USED_SPECULATIVE_CONN",
-    "HTTP_AUTH_DIALOG_STATS",
     "HTTP_CACHE_DISPOSITION_2",
     "HTTP_CACHE_DISPOSITION_2_V2",
     "HTTP_CACHE_ENTRY_ALIVE_TIME",
@@ -1012,7 +1011,6 @@
     "HTTPCONNMGR_TOTAL_SPECULATIVE_CONN",
     "HTTPCONNMGR_UNUSED_SPECULATIVE_CONN",
     "HTTPCONNMGR_USED_SPECULATIVE_CONN",
-    "HTTP_AUTH_DIALOG_STATS",
     "HTTP_CACHE_DISPOSITION_2",
     "HTTP_CACHE_DISPOSITION_2_V2",
     "HTTP_CACHE_ENTRY_ALIVE_TIME",
diff --git a/toolkit/content/widgets/button.xml b/toolkit/content/widgets/button.xml
index 683a901a14a6..4c3af08c9fae 100644
--- a/toolkit/content/widgets/button.xml
+++ b/toolkit/content/widgets/button.xml
@@ -227,7 +227,8 @@
                 align="center" pack="center" flex="1" anonid="button-box">
         <children>
           <xul:image class="button-icon" xbl:inherits="src=image"/>
-          <xul:label class="button-text" xbl:inherits="value=label,accesskey,crop"/>
+          <xul:label class="button-text" xbl:inherits="value=label,accesskey,crop,highlightable"/>
+          <xul:label class="button-highlightable-text" xbl:inherits="xbl:text=label,accesskey,crop,highlightable"/>
         </children>
       </xul:hbox>
     </content>
diff --git a/toolkit/content/xul.css b/toolkit/content/xul.css
index 981390b591f3..987a6bbe617f 100644
--- a/toolkit/content/xul.css
+++ b/toolkit/content/xul.css
@@ -1225,3 +1225,8 @@ tabmodalprompt {
   overflow: hidden;
   text-shadow: none;
 }
+
+.button-highlightable-text:not([highlightable="true"]),
+.button-text[highlightable="true"] {
+  display: none;
+}
\ No newline at end of file
diff --git a/toolkit/themes/osx/global/in-content/common.css b/toolkit/themes/osx/global/in-content/common.css
index a987cbfe1f2f..7881936e286c 100644
--- a/toolkit/themes/osx/global/in-content/common.css
+++ b/toolkit/themes/osx/global/in-content/common.css
@@ -28,6 +28,11 @@ html|button {
   margin-right: 4px;
 }
 
+xul|button[dlgtype="help"] {
+  -moz-appearance: none;
+  width: auto;
+}
+
 xul|caption {
   padding-inline-start: 0;
 }
diff --git a/toolkit/xre/nsAppRunner.cpp b/toolkit/xre/nsAppRunner.cpp
index 5e03daba487b..03d12fd3ec52 100644
--- a/toolkit/xre/nsAppRunner.cpp
+++ b/toolkit/xre/nsAppRunner.cpp
@@ -4927,12 +4927,22 @@ XRE_IsGPUProcess()
   return XRE_GetProcessType() == GeckoProcessType_GPU;
 }
 
+/**
+ * Returns true in the e10s parent process and in the main process when e10s
+ * is disabled.
+ */
 bool
 XRE_IsParentProcess()
 {
   return XRE_GetProcessType() == GeckoProcessType_Default;
 }
 
+bool
+XRE_IsE10sParentProcess()
+{
+  return XRE_IsParentProcess() && BrowserTabsRemoteAutostart();
+}
+
 bool
 XRE_IsContentProcess()
 {
diff --git a/tools/profiler/core/ProfileJSONWriter.h b/tools/profiler/core/ProfileJSONWriter.h
index d9e2115f9a48..f05dc8c38387 100644
--- a/tools/profiler/core/ProfileJSONWriter.h
+++ b/tools/profiler/core/ProfileJSONWriter.h
@@ -102,6 +102,13 @@ public:
   void Splice(const ChunkedJSONWriteFunc* aFunc);
   void Splice(const char* aStr);
 
+  // Splice the given JSON directly in, without quoting.
+  void SplicedJSONProperty(const char* aMaybePropertyName,
+                           const char* aJsonValue)
+  {
+    Scalar(aMaybePropertyName, aJsonValue);
+  }
+
   // Takes the chunks from aFunc and write them. If move is not possible
   // (e.g., using OStreamJSONWriteFunc), aFunc's chunks are copied and its
   // storage cleared.
diff --git a/tools/profiler/core/ProfilerMarkerPayload.cpp b/tools/profiler/core/ProfilerMarkerPayload.cpp
index 9d11ca6c2691..4e53c36ff6ae 100644
--- a/tools/profiler/core/ProfilerMarkerPayload.cpp
+++ b/tools/profiler/core/ProfilerMarkerPayload.cpp
@@ -270,3 +270,45 @@ VsyncPayload::StreamPayload(SpliceableJSONWriter& aWriter,
                          (mVsyncTimestamp - aStartTime).ToMilliseconds());
   aWriter.StringProperty("category", "VsyncTimestamp");
 }
+
+void
+GCSliceMarkerPayload::StreamPayload(SpliceableJSONWriter& aWriter,
+                                    const mozilla::TimeStamp& aStartTime,
+                                    UniqueStacks& aUniqueStacks)
+{
+  MOZ_ASSERT(mTimingJSON);
+  streamCommonProps("GCSlice", aWriter, aStartTime, aUniqueStacks);
+  if (mTimingJSON) {
+    aWriter.SplicedJSONProperty("timings", mTimingJSON.get());
+  } else {
+    aWriter.NullProperty("timings");
+  }
+}
+
+void
+GCMajorMarkerPayload::StreamPayload(SpliceableJSONWriter& aWriter,
+                                    const mozilla::TimeStamp& aStartTime,
+                                    UniqueStacks& aUniqueStacks)
+{
+  MOZ_ASSERT(mTimingJSON);
+  streamCommonProps("GCMajor", aWriter, aStartTime, aUniqueStacks);
+  if (mTimingJSON) {
+    aWriter.SplicedJSONProperty("timings", mTimingJSON.get());
+  } else {
+    aWriter.NullProperty("timings");
+  }
+}
+
+void
+GCMinorMarkerPayload::StreamPayload(SpliceableJSONWriter& aWriter,
+                                    const mozilla::TimeStamp& aStartTime,
+                                    UniqueStacks& aUniqueStacks)
+{
+  MOZ_ASSERT(mTimingData);
+  streamCommonProps("GCMinor", aWriter, aStartTime, aUniqueStacks);
+  if (mTimingData) {
+    aWriter.SplicedJSONProperty("nurseryTimings", mTimingData.get());
+  } else {
+    aWriter.NullProperty("nurseryTimings");
+  }
+}
diff --git a/tools/profiler/core/platform.cpp b/tools/profiler/core/platform.cpp
index 8aa37cf59dfd..b6d1b58b9855 100644
--- a/tools/profiler/core/platform.cpp
+++ b/tools/profiler/core/platform.cpp
@@ -44,7 +44,7 @@
 #include "GeckoTaskTracer.h"
 #endif
 
-#if defined(PROFILE_JAVA)
+#if defined(GP_OS_android)
 # include "FennecJNINatives.h"
 # include "FennecJNIWrappers.h"
 #endif
@@ -88,7 +88,7 @@ using namespace mozilla;
 
 mozilla::LazyLogModule gProfilerLog("prof");
 
-#if defined(PROFILE_JAVA)
+#if defined(GP_OS_android)
 class GeckoJavaSampler : public mozilla::java::GeckoJavaSampler::Natives<GeckoJavaSampler>
 {
 private:
@@ -258,7 +258,7 @@ private:
     // Filter out any features unavailable in this platform/configuration.
     aFeatures &= profiler_get_available_features();
 
-#if defined(PROFILE_JAVA)
+#if defined(GP_OS_android)
     if (!mozilla::jni::IsFennec()) {
       aFeatures &= ~ProfilerFeature::Java;
     }
@@ -1459,7 +1459,7 @@ StreamMetaJSCustomObject(PSLockRef aLock, SpliceableJSONWriter& aWriter)
   }
 }
 
-#if defined(PROFILE_JAVA)
+#if defined(GP_OS_android)
 static void
 BuildJavaThreadJSObject(SpliceableJSONWriter& aWriter)
 {
@@ -1564,7 +1564,7 @@ locked_profiler_stream_json_for_this_process(PSLockRef aLock,
                        CorePS::ProcessStartTime(aLock), aSinceTime);
     }
 
-#if defined(PROFILE_JAVA)
+#if defined(GP_OS_android)
     if (ActivePS::FeatureJava(aLock)) {
       java::GeckoJavaSampler::Pause();
 
@@ -2010,7 +2010,7 @@ profiler_init(void* aStackTop)
   MOZ_RELEASE_ASSERT(!CorePS::Exists());
 
   uint32_t features =
-#if defined(PROFILE_JAVA)
+#if defined(GP_OS_android)
                       ProfilerFeature::Java |
 #endif
                       ProfilerFeature::JS |
@@ -2043,7 +2043,7 @@ profiler_init(void* aStackTop)
     mozilla::tasktracer::InitTaskTracer();
 #endif
 
-#if defined(PROFILE_JAVA)
+#if defined(GP_OS_android)
     if (mozilla::jni::IsFennec()) {
       GeckoJavaSampler::Init();
     }
@@ -2262,7 +2262,7 @@ profiler_get_available_features()
   #undef ADD_FEATURE
 
   // Now remove features not supported on this platform/configuration.
-#if !defined(PROFILE_JAVA)
+#if !defined(GP_OS_android)
   ProfilerFeature::ClearJava(features);
 #endif
 #if !defined(HAVE_NATIVE_UNWIND)
@@ -2360,7 +2360,7 @@ locked_profiler_start(PSLockRef aLock, int aEntries, double aInterval,
   }
 #endif
 
-#if defined(PROFILE_JAVA)
+#if defined(GP_OS_android)
   if (ActivePS::FeatureJava(aLock)) {
     int javaInterval = interval;
     // Java sampling doesn't accurately keep up with 1ms sampling.
diff --git a/tools/profiler/core/platform.h b/tools/profiler/core/platform.h
index 2e4acaaf8351..c74af765214c 100644
--- a/tools/profiler/core/platform.h
+++ b/tools/profiler/core/platform.h
@@ -69,10 +69,6 @@ static inline pid_t gettid()
 #endif
 #endif
 
-#if defined(GP_OS_android) && !defined(MOZ_WIDGET_GONK)
-#define PROFILE_JAVA
-#endif
-
 extern mozilla::LazyLogModule gProfilerLog;
 
 // These are for MOZ_LOG="prof:3" or higher. It's the default logging level for
diff --git a/tools/profiler/core/shared-libraries-linux.cc b/tools/profiler/core/shared-libraries-linux.cc
index 4ea6eb8d6072..40c300aa23e4 100644
--- a/tools/profiler/core/shared-libraries-linux.cc
+++ b/tools/profiler/core/shared-libraries-linux.cc
@@ -23,53 +23,22 @@
 
 #include "common/linux/file_id.h"
 #include <algorithm>
-
-
-// There are three different configuration cases:
-//
-// (1) GP_OS_linux
-//       Use dl_iterate_phdr for almost everything and /proc/self/{exe,maps}
-//       to identify the main executable name.
-//
-// (2) GP_OS_android non-GONK
-//       If dl_iterate_phdr doesn't exist, give up immediately.  Otherwise use
-//       dl_iterate_phdr for almost all info and /proc/self/maps to get the
-//       mapping for /dev/ashmem/dalvik-jit-code-cache.
-//
-// (3) GP_OS_android GONK
-//       Use /proc/self/maps for everything.
-
-#undef CONFIG_CASE_1
-#undef CONFIG_CASE_2
-#undef CONFIG_CASE_3
+#include <dlfcn.h>
+#include <features.h>
+#include <sys/types.h>
 
 #if defined(GP_OS_linux)
-# define CONFIG_CASE_1 1
-# include <link.h> // dl_phdr_info
-# include <features.h>
-# include <dlfcn.h>
-# include <sys/types.h>
-
-#elif defined(GP_OS_android) && !defined(MOZ_WIDGET_GONK)
-# define CONFIG_CASE_2 1
+# include <link.h>      // dl_phdr_info
+#elif defined(GP_OS_android)
 # include "ElfLoader.h" // dl_phdr_info
-# include <features.h>
-# include <dlfcn.h>
-# include <sys/types.h>
 extern "C" MOZ_EXPORT __attribute__((weak))
 int dl_iterate_phdr(
           int (*callback)(struct dl_phdr_info *info, size_t size, void *data),
           void *data);
-
-#elif defined(GP_OS_android) && defined(MOZ_WIDGET_GONK)
-# define CONFIG_CASE_3 1
-  // No config-specific includes.
-
 #else
 # error "Unexpected configuration"
 #endif
 
-
 // Get the breakpad Id for the binary file pointed by bin_name
 static std::string getId(const char *bin_name)
 {
@@ -107,8 +76,6 @@ SharedLibraryAtPath(const char* path, unsigned long libStart,
                        "", "");
 }
 
-// Config cases (1) and (2) use dl_iterate_phdr.
-#if defined(CONFIG_CASE_1) || defined(CONFIG_CASE_2)
 static int
 dl_iterate_callback(struct dl_phdr_info *dl_info, size_t size, void *data)
 {
@@ -137,14 +104,12 @@ dl_iterate_callback(struct dl_phdr_info *dl_info, size_t size, void *data)
 
   return 0;
 }
-#endif // config cases (1) and (2)
-
 
 SharedLibraryInfo SharedLibraryInfo::GetInfoForSelf()
 {
   SharedLibraryInfo info;
 
-#if defined(CONFIG_CASE_1)
+#if defined(GP_OS_linux)
   // We need to find the name of the executable (exeName, exeNameLen) and the
   // address of its executable section (exeExeAddr) in the running image.
   char exeName[PATH_MAX];
@@ -165,7 +130,7 @@ SharedLibraryInfo SharedLibraryInfo::GetInfoForSelf()
   unsigned long exeExeAddr = 0;
 #endif
 
-#if defined(CONFIG_CASE_2)
+#if defined(GP_OS_android)
   // If dl_iterate_phdr doesn't exist, we give up immediately.
   if (!dl_iterate_phdr) {
     // On ARM Android, dl_iterate_phdr is provided by the custom linker.
@@ -176,9 +141,7 @@ SharedLibraryInfo SharedLibraryInfo::GetInfoForSelf()
   }
 #endif
 
-  // Read info from /proc/self/maps.  We do this for all config cases, but only
-  // in case (3) are we building the module list from that information.  For
-  // cases (1) and (2) we're just collecting some auxiliary information.
+  // Read info from /proc/self/maps. We ignore most of it.
   pid_t pid = getpid();
   char path[PATH_MAX];
   SprintfLiteral(path, "/proc/%d/maps", pid);
@@ -204,49 +167,30 @@ SharedLibraryInfo SharedLibraryInfo::GetInfoForSelf()
       continue;
     }
 
-#if defined(CONFIG_CASE_1)
+#if defined(GP_OS_linux)
     // Try to establish the main executable's load address.
     if (exeNameLen > 0 && strcmp(modulePath, exeName) == 0) {
       exeExeAddr = start;
     }
-    continue;
-    // NOTREACHED
-#elif defined(CONFIG_CASE_2)
+#elif defined(GP_OS_android)
     // Use /proc/pid/maps to get the dalvik-jit section since it has no
     // associated phdrs.
-    if (0 != strcmp(modulePath, "/dev/ashmem/dalvik-jit-code-cache")) {
-      continue;
-    }
-    // Otherwise proceed to the tail of the loop, so as to record the entry.
-#elif defined(CONFIG_CASE_3)
-    if (strcmp(perm, "r-xp") != 0) {
-      // Ignore entries that are writable and/or shared.
-      // At least one graphics driver uses short-lived "rwxs" mappings
-      // (see bug 926734 comment 5), so just checking for 'x' isn't enough.
-      continue;
-    }
-    // Record all other entries.
-#endif
-
-#if !defined(CONFIG_CASE_1)
-    // This section has to be conditionalised so as to avoid compiler warnings
-    // about dead code in case (1).
-    info.AddSharedLibrary(SharedLibraryAtPath(modulePath, start, end, offset));
-    if (info.GetSize() > 10000) {
-      LOG("SharedLibraryInfo::GetInfoForSelf(): "
-          "implausibly large number of mappings acquired");
-      break;
+    if (0 == strcmp(modulePath, "/dev/ashmem/dalvik-jit-code-cache")) {
+      info.AddSharedLibrary(SharedLibraryAtPath(modulePath, start, end,
+                                                offset));
+      if (info.GetSize() > 10000) {
+        LOG("SharedLibraryInfo::GetInfoForSelf(): "
+            "implausibly large number of mappings acquired");
+        break;
+      }
     }
 #endif
   }
 
-#if defined(CONFIG_CASE_1) || defined(CONFIG_CASE_2)
-  // For config cases (1) and (2), we collect the bulk of the library info using
-  // dl_iterate_phdr.
+  // We collect the bulk of the library info using dl_iterate_phdr.
   dl_iterate_phdr(dl_iterate_callback, &info);
-#endif
 
-#if defined(CONFIG_CASE_1)
+#if defined(GP_OS_linux)
   // Make another pass over the information we just harvested from
   // dl_iterate_phdr.  If we see a nameless object mapped at what we earlier
   // established to be the main executable's load address, attach the
diff --git a/tools/profiler/lul/AutoObjectMapper.cpp b/tools/profiler/lul/AutoObjectMapper.cpp
index daf54a6e28ed..d0b1a4d68481 100644
--- a/tools/profiler/lul/AutoObjectMapper.cpp
+++ b/tools/profiler/lul/AutoObjectMapper.cpp
@@ -16,7 +16,7 @@
 #include "PlatformMacros.h"
 #include "AutoObjectMapper.h"
 
-#if defined(USE_FAULTY_LIB)
+#if defined(GP_OS_android)
 # include <dlfcn.h>
 # include "mozilla/Types.h"
   // FIXME move these out of mozglue/linker/ElfLoader.h into their
@@ -108,7 +108,7 @@ bool AutoObjectMapperPOSIX::Map(/*OUT*/void** start, /*OUT*/size_t* length,
 }
 
 
-#if defined(USE_FAULTY_LIB)
+#if defined(GP_OS_android)
 // A helper function for AutoObjectMapperFaultyLib::Map.  Finds out
 // where the installation's lib directory is, since we'll have to look
 // in there to get hold of libmozglue.so.  Returned C string is heap
@@ -204,4 +204,4 @@ bool AutoObjectMapperFaultyLib::Map(/*OUT*/void** start, /*OUT*/size_t* length,
   }
 }
 
-#endif // defined(USE_FAULTY_LIB)
+#endif // defined(GP_OS_android)
diff --git a/tools/profiler/lul/AutoObjectMapper.h b/tools/profiler/lul/AutoObjectMapper.h
index ac51df631c4f..93a03a7fb59b 100644
--- a/tools/profiler/lul/AutoObjectMapper.h
+++ b/tools/profiler/lul/AutoObjectMapper.h
@@ -12,10 +12,6 @@
 #include "mozilla/Attributes.h"
 #include "PlatformMacros.h"
 
-#if defined(GP_OS_android) && !defined(MOZ_WIDGET_GONK)
-#define USE_FAULTY_LIB
-#endif
-
 // A (nearly-) RAII class that maps an object in and then unmaps it on
 // destruction.  This base class version uses the "normal" POSIX
 // functions: open, fstat, close, mmap, munmap.
@@ -65,7 +61,7 @@ private:
   void  operator delete[](void*);
 };
 
-#if defined(USE_FAULTY_LIB)
+#if defined(GP_OS_android)
 // This is a variant of AutoObjectMapperPOSIX suitable for use in
 // conjunction with faulty.lib on Android.  How it behaves depends on
 // the name of the file to be mapped.  There are three possible cases:
@@ -113,6 +109,6 @@ private:
   void  operator delete[](void*);
 };
 
-#endif // defined(USE_FAULTY_LIB)
+#endif // defined(GP_OS_android)
 
 #endif // AutoObjectMapper_h
diff --git a/tools/profiler/lul/platform-linux-lul.cpp b/tools/profiler/lul/platform-linux-lul.cpp
index c9d85cf16abc..49618f6f7651 100644
--- a/tools/profiler/lul/platform-linux-lul.cpp
+++ b/tools/profiler/lul/platform-linux-lul.cpp
@@ -26,7 +26,7 @@ read_procmaps(lul::LUL* aLUL)
 {
   MOZ_ASSERT(aLUL->CountMappings() == 0);
 
-# if defined(GP_OS_linux) || defined(GP_OS_android) || defined(GP_OS_darwin)
+# if defined(GP_OS_linux) || defined(GP_OS_android)
   SharedLibraryInfo info = SharedLibraryInfo::GetInfoForSelf();
 
   for (size_t i = 0; i < info.GetSize(); i++) {
@@ -34,7 +34,7 @@ read_procmaps(lul::LUL* aLUL)
 
     std::string nativePath = lib.GetNativeDebugPath();
 
-#   if defined(USE_FAULTY_LIB)
+#   if defined(GP_OS_android)
     // We're using faulty.lib.  Use a special-case object mapper.
     AutoObjectMapperFaultyLib mapper(aLUL->mLog);
 #   else
diff --git a/tools/profiler/public/GeckoProfiler.h b/tools/profiler/public/GeckoProfiler.h
index 463b9a74def3..4b3b945b4616 100644
--- a/tools/profiler/public/GeckoProfiler.h
+++ b/tools/profiler/public/GeckoProfiler.h
@@ -452,14 +452,7 @@ void profiler_add_marker(const char *aMarker,
 # define PROFILER_PLATFORM_TRACING(name)
 #endif
 
-// FIXME/bug 789667: memory constraints wouldn't much of a problem for this
-// small a sample buffer size, except that serializing the profile data is
-// extremely, unnecessarily memory intensive.
-#ifdef MOZ_WIDGET_GONK
-# define PROFILER_LIKELY_MEMORY_CONSTRAINED
-#endif
-
-#if !defined(PROFILER_LIKELY_MEMORY_CONSTRAINED) && !defined(ARCH_ARMV6)
+#if !defined(ARCH_ARMV6)
 # define PROFILER_DEFAULT_ENTRIES 1000000
 #else
 # define PROFILER_DEFAULT_ENTRIES 100000
@@ -469,15 +462,7 @@ void profiler_add_marker(const char *aMarker,
 // for a single backtrace.
 #define PROFILER_GET_BACKTRACE_ENTRIES 1000
 
-// A 1ms sampling interval has been shown to be a large perf hit (10fps) on
-// memory-constrained (low-end) platforms, and additionally to yield different
-// results from the profiler. Where this is the important case, b2g, there are
-// also many gecko processes which magnify these effects.
-#if defined(PROFILER_LIKELY_MEMORY_CONSTRAINED)
-# define PROFILER_DEFAULT_INTERVAL 10
-#else
-# define PROFILER_DEFAULT_INTERVAL 1
-#endif
+#define PROFILER_DEFAULT_INTERVAL 1
 
 namespace mozilla {
 
diff --git a/tools/profiler/public/ProfilerMarkerPayload.h b/tools/profiler/public/ProfilerMarkerPayload.h
index 0cd1c8ad27c5..cd17a55db9e7 100644
--- a/tools/profiler/public/ProfilerMarkerPayload.h
+++ b/tools/profiler/public/ProfilerMarkerPayload.h
@@ -11,6 +11,7 @@
 
 #include "GeckoProfiler.h"
 
+#include "js/Utility.h"
 #include "gfxASurface.h"
 
 namespace mozilla {
@@ -235,4 +236,65 @@ private:
   uint64_t mGpuTimeEnd;
 };
 
+class GCSliceMarkerPayload : public ProfilerMarkerPayload
+{
+public:
+  GCSliceMarkerPayload(const mozilla::TimeStamp& aStartTime,
+                       const mozilla::TimeStamp& aEndTime,
+                       JS::UniqueChars&& aTimingJSON)
+   : ProfilerMarkerPayload(aStartTime, aEndTime, nullptr),
+     mTimingJSON(mozilla::Move(aTimingJSON))
+  {}
+
+  virtual ~GCSliceMarkerPayload() {}
+
+  void StreamPayload(SpliceableJSONWriter& aWriter,
+                     const mozilla::TimeStamp& aStartTime,
+                     UniqueStacks& aUniqueStacks) override;
+
+private:
+  JS::UniqueChars mTimingJSON;
+};
+
+class GCMajorMarkerPayload : public ProfilerMarkerPayload
+{
+public:
+  GCMajorMarkerPayload(const mozilla::TimeStamp& aStartTime,
+                       const mozilla::TimeStamp& aEndTime,
+                       JS::UniqueChars&& aTimingJSON)
+   : ProfilerMarkerPayload(aStartTime, aEndTime, nullptr),
+     mTimingJSON(mozilla::Move(aTimingJSON))
+  {}
+
+  virtual ~GCMajorMarkerPayload() {}
+
+  void StreamPayload(SpliceableJSONWriter& aWriter,
+                     const mozilla::TimeStamp& aStartTime,
+                     UniqueStacks& aUniqueStacks) override;
+
+private:
+  JS::UniqueChars mTimingJSON;
+};
+
+class GCMinorMarkerPayload : public ProfilerMarkerPayload
+{
+public:
+  GCMinorMarkerPayload(const mozilla::TimeStamp& aStartTime,
+                       const mozilla::TimeStamp& aEndTime,
+                       JS::UniqueChars&& aTimingData)
+   : ProfilerMarkerPayload(aStartTime, aEndTime, nullptr),
+     mTimingData(mozilla::Move(aTimingData))
+  {}
+
+  virtual ~GCMinorMarkerPayload() {};
+
+  void StreamPayload(SpliceableJSONWriter& aWriter,
+                     const mozilla::TimeStamp& aStartTime,
+                     UniqueStacks& aUniqueStacks) override;
+
+private:
+  JS::UniqueChars mTimingData;
+};
+
+
 #endif // PROFILER_MARKERS_H
diff --git a/widget/android/nsWindow.cpp b/widget/android/nsWindow.cpp
index 56c09503575e..b2571aabfaf1 100644
--- a/widget/android/nsWindow.cpp
+++ b/widget/android/nsWindow.cpp
@@ -428,22 +428,6 @@ public:
     }
 
 public:
-    void AdjustScrollForSurfaceShift(float aX, float aY)
-    {
-        MOZ_ASSERT(AndroidBridge::IsJavaUiThread());
-
-        RefPtr<IAPZCTreeManager> controller;
-
-        if (LockedWindowPtr window{mWindow}) {
-            controller = window->mAPZC;
-        }
-
-        if (controller) {
-            controller->AdjustScrollForSurfaceShift(
-                ScreenPoint(aX, aY));
-        }
-    }
-
     void SetIsLongpressEnabled(bool aIsLongpressEnabled)
     {
         MOZ_ASSERT(AndroidBridge::IsJavaUiThread());
diff --git a/xpcom/base/CycleCollectedJSContext.cpp b/xpcom/base/CycleCollectedJSContext.cpp
index 345fa23bdda6..6e5789b788c0 100644
--- a/xpcom/base/CycleCollectedJSContext.cpp
+++ b/xpcom/base/CycleCollectedJSContext.cpp
@@ -26,6 +26,7 @@
 #include "jsprf.h"
 #include "js/Debug.h"
 #include "js/GCAPI.h"
+#include "js/Utility.h"
 #include "nsContentUtils.h"
 #include "nsCycleCollectionNoteRootCallback.h"
 #include "nsCycleCollectionParticipant.h"
@@ -45,6 +46,10 @@
 #include "nsThreadUtils.h"
 #include "xpcpublic.h"
 
+#ifdef MOZ_GECKO_PROFILER
+#include "ProfilerMarkerPayload.h"
+#endif
+
 using namespace mozilla;
 using namespace mozilla::dom;
 
diff --git a/xpcom/base/CycleCollectedJSRuntime.cpp b/xpcom/base/CycleCollectedJSRuntime.cpp
index bf0b366bfed4..7d4ff858a128 100644
--- a/xpcom/base/CycleCollectedJSRuntime.cpp
+++ b/xpcom/base/CycleCollectedJSRuntime.cpp
@@ -828,6 +828,22 @@ CycleCollectedJSRuntime::GCSliceCallback(JSContext* aContext,
   CycleCollectedJSRuntime* self = CycleCollectedJSRuntime::Get();
   MOZ_ASSERT(CycleCollectedJSContext::Get()->Context() == aContext);
 
+#ifdef MOZ_GECKO_PROFILER
+  if (profiler_is_active()) {
+    if (aProgress == JS::GC_CYCLE_END) {
+      auto payload = new GCSliceMarkerPayload(aDesc.lastSliceStart(aContext),
+                                              aDesc.lastSliceEnd(aContext),
+                                              aDesc.sliceToJSON(aContext));
+      PROFILER_MARKER_PAYLOAD("GCSlice", payload);
+    } else if (aProgress == JS::GC_SLICE_END) {
+      auto payload = new GCMajorMarkerPayload(aDesc.startTime(aContext),
+                                              aDesc.endTime(aContext),
+                                              aDesc.summaryToJSON(aContext));
+      PROFILER_MARKER_PAYLOAD("GCMajor", payload);
+    }
+  }
+#endif
+
   if (aProgress == JS::GC_CYCLE_END) {
     JS::gcreason::Reason reason = aDesc.reason_;
     Unused <<
@@ -906,6 +922,20 @@ CycleCollectedJSRuntime::GCNurseryCollectionCallback(JSContext* aContext,
     timelines->AddMarkerForAllObservedDocShells(abstractMarker);
   }
 
+#ifdef MOZ_GECKO_PROFILER
+  if (aProgress == JS::GCNurseryProgress::GC_NURSERY_COLLECTION_START) {
+    self->mLatestNurseryCollectionStart = TimeStamp::Now();
+  } else if ((aProgress == JS::GCNurseryProgress::GC_NURSERY_COLLECTION_END) &&
+             profiler_is_active())
+  {
+    PROFILER_MARKER_PAYLOAD(
+      "GCMinor",
+      new GCMinorMarkerPayload(self->mLatestNurseryCollectionStart,
+                               TimeStamp::Now(),
+                               JS::MinorGcToJSON(aContext)));
+  }
+#endif
+
   if (self->mPrevGCNurseryCollectionCallback) {
     self->mPrevGCNurseryCollectionCallback(aContext, aProgress, aReason);
   }
diff --git a/xpcom/base/CycleCollectedJSRuntime.h b/xpcom/base/CycleCollectedJSRuntime.h
index 86119dc92c29..7fb976031834 100644
--- a/xpcom/base/CycleCollectedJSRuntime.h
+++ b/xpcom/base/CycleCollectedJSRuntime.h
@@ -302,6 +302,10 @@ private:
   JS::GCSliceCallback mPrevGCSliceCallback;
   JS::GCNurseryCollectionCallback mPrevGCNurseryCollectionCallback;
 
+#ifdef MOZ_GECKO_PROFILER
+  mozilla::TimeStamp mLatestNurseryCollectionStart;
+#endif
+
   nsDataHashtable<nsPtrHashKey<void>, nsScriptObjectTracer*> mJSHolders;
 
   typedef nsDataHashtable<nsFuncPtrHashKey<DeferredFinalizeFunction>, void*>
diff --git a/xpcom/build/nsXULAppAPI.h b/xpcom/build/nsXULAppAPI.h
index a3ee73ed0705..f9141dfc4be6 100644
--- a/xpcom/build/nsXULAppAPI.h
+++ b/xpcom/build/nsXULAppAPI.h
@@ -442,6 +442,17 @@ XRE_API(nsresult,
 XRE_API(GeckoProcessType,
         XRE_GetProcessType, ())
 
+/**
+ * Returns true when called in the e10s parent process.  Does *NOT* return true
+ * when called in the main process if e10s is disabled.
+ */
+XRE_API(bool,
+        XRE_IsE10sParentProcess, ())
+
+/**
+ * Returns true when called in the e10s parent process or called in the main
+ * process when e10s is disabled.
+ */
 XRE_API(bool,
         XRE_IsParentProcess, ())
 
diff --git a/xpcom/io/SlicedInputStream.cpp b/xpcom/io/SlicedInputStream.cpp
index 981e6f5a6b4a..a61ac9277987 100644
--- a/xpcom/io/SlicedInputStream.cpp
+++ b/xpcom/io/SlicedInputStream.cpp
@@ -38,6 +38,8 @@ SlicedInputStream::SlicedInputStream(nsIInputStream* aInputStream,
   , mLength(aLength)
   , mCurPos(0)
   , mClosed(false)
+  , mAsyncWaitFlags(0)
+  , mAsyncWaitRequestedCount(0)
 {
   MOZ_ASSERT(aInputStream);
   SetSourceStream(aInputStream);
@@ -52,6 +54,8 @@ SlicedInputStream::SlicedInputStream()
   , mLength(0)
   , mCurPos(0)
   , mClosed(false)
+  , mAsyncWaitFlags(0)
+  , mAsyncWaitRequestedCount(0)
 {}
 
 SlicedInputStream::~SlicedInputStream()