Backports and patch fixes

comm-release/patches/9999999-offlineappcachehelper-25319.patch

@@ -0,0 +1,90 @@
+# HG changeset patch
+# User Frank-Rainer Grahl <frgrahl@gmx.net>
+# Date 1715417656 -7200
+# Parent  19a55fbac1d4023824761ac161ac721bd6880624
+Bug 9999999 - Use toolkits OfflineAppCacheHelper in sanitizer. r=IanN a=IanN
+
+It was moved into toolkit from browser in Bug 1415342 so we can delete our copy.
+
+diff --git a/suite/components/sanitize/Sanitizer.jsm b/suite/components/sanitize/Sanitizer.jsm
+--- a/suite/components/sanitize/Sanitizer.jsm
++++ b/suite/components/sanitize/Sanitizer.jsm
+@@ -11,16 +11,17 @@ ChromeUtils.import("resource://gre/modul
+ XPCOMUtils.defineLazyModuleGetters(this, {
+   AppConstants: "resource://gre/modules/AppConstants.jsm",
+   console: "resource://gre/modules/Console.jsm",
+   Downloads: "resource://gre/modules/Downloads.jsm",
+   DownloadsCommon: "resource:///modules/DownloadsCommon.jsm",
+   FormHistory: "resource://gre/modules/FormHistory.jsm",
+   PlacesUtils: "resource://gre/modules/PlacesUtils.jsm",
+   setTimeout: "resource://gre/modules/Timer.jsm",
++  OfflineAppCacheHelper: "resource://gre/modules/offlineAppCache.jsm",
+ });
+ 
+ XPCOMUtils.defineLazyServiceGetter(this, "serviceWorkerManager",
+                                    "@mozilla.org/serviceworkers/manager;1",
+                                    "nsIServiceWorkerManager");
+ XPCOMUtils.defineLazyServiceGetter(this, "quotaManagerService",
+                                    "@mozilla.org/dom/quota-manager-service;1",
+                                    "nsIQuotaManagerService");
+@@ -367,18 +368,16 @@ var Sanitizer = {
+         if (seenException) {
+           throw seenException;
+         }
+       },
+     },
+ 
+     offlineApps: {
+       async clear(range) {
+-        // AppCache
+-        ChromeUtils.import("resource:///modules/OfflineAppCacheHelper.jsm");
+         // This doesn't wait for the cleanup to be complete.
+         OfflineAppCacheHelper.clear();
+ 
+         // LocalStorage
+         Services.obs.notifyObservers(null, "extension:purge-localStorage");
+ 
+         // ServiceWorkers
+         let promises = [];
+diff --git a/suite/modules/OfflineAppCacheHelper.jsm b/suite/modules/OfflineAppCacheHelper.jsm
+deleted file mode 100644
+--- a/suite/modules/OfflineAppCacheHelper.jsm
++++ /dev/null
+@@ -1,16 +0,0 @@
+-/* This Source Code Form is subject to the terms of the Mozilla Public
+- * License, v. 2.0. If a copy of the MPL was not distributed with this
+- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+-
+-var EXPORTED_SYMBOLS = ["OfflineAppCacheHelper"];
+-
+-ChromeUtils.import("resource://gre/modules/Services.jsm");
+-
+-var OfflineAppCacheHelper = {
+-  clear() {
+-    var appCacheStorage = Services.cache2.appCacheStorage(Services.loadContextInfo.default, null);
+-    try {
+-      appCacheStorage.asyncEvictStorage(null);
+-    } catch (er) {}
+-  }
+-};
+diff --git a/suite/modules/moz.build b/suite/modules/moz.build
+--- a/suite/modules/moz.build
++++ b/suite/modules/moz.build
+@@ -2,17 +2,16 @@
+ # This Source Code Form is subject to the terms of the Mozilla Public
+ # License, v. 2.0. If a copy of the MPL was not distributed with this
+ # file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ 
+ XPCSHELL_TESTS_MANIFESTS += ['test/unit/xpcshell.ini']
+ 
+ EXTRA_JS_MODULES += [
+     'Feeds.jsm',
+-    'OfflineAppCacheHelper.jsm',
+     'OpenInTabsUtils.jsm',
+     'PermissionUI.jsm',
+     'RecentWindow.jsm',
+     'SitePermissions.jsm',
+     'WindowsPreviewPerTab.jsm',
+ ]
+ 
+ if CONFIG['OS_ARCH'] == 'WINNT':

comm-release/patches/series

@@ -2155,3 +2155,4 @@ TOP-1872623-cancelbookmark-25319.patch
 WIP-NOBUG-implement-about-seamonkey-comm.patch
 1437393-fontsasync-25319.patch
 1896174-checkbox-25319.patch
+9999999-offlineappcachehelper-25319.patch

mozilla-release/patches/1821026-112a1.patch

@@ -0,0 +1,154 @@
+# HG changeset patch
+# User serge-sans-paille <sguelton@mozilla.com>
+# Date 1678295604 0
+#      Wed Mar 08 17:13:24 2023 +0000
+# Node ID bfef4767ae3c18a6f947fab75c3da80951748f47
+# Parent  a2a291040eceb85064ea1825c806586dcc93a6ef
+Bug 1821026 - Vendor brotli using `mach vendor` r=jfkthame
+
+Differential Revision: https://phabricator.services.mozilla.com/D171982
+
+diff --git a/modules/brotli/LICENSE b/modules/brotli/LICENSE
+new file mode 100644
+--- /dev/null
++++ b/modules/brotli/LICENSE
+@@ -0,0 +1,19 @@
++Copyright (c) 2009, 2010, 2013-2016 by the Brotli Authors.
++
++Permission is hereby granted, free of charge, to any person obtaining a copy
++of this software and associated documentation files (the "Software"), to deal
++in the Software without restriction, including without limitation the rights
++to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
++copies of the Software, and to permit persons to whom the Software is
++furnished to do so, subject to the following conditions:
++
++The above copyright notice and this permission notice shall be included in
++all copies or substantial portions of the Software.
++
++THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
++IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
++FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL THE
++AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
++LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
++OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
++THE SOFTWARE.
+diff --git a/modules/brotli/README.mozilla b/modules/brotli/README.mozilla
+deleted file mode 100644
+--- a/modules/brotli/README.mozilla
++++ /dev/null
+@@ -1,14 +0,0 @@
+-This is the Brotli data compression library from
+-https://github.com/google/brotli.
+-
+-Upstream code can be viewed at
+-  https://github.com/google/brotli/tree/master/dec
+-
+-and cloned by
+-  git clone https://github.com/google/brotli
+-
+-The in-tree copy is updated by running
+-  sh update.sh
+-from within the modules/brotli directory.
+-
+-Current version: [commit e61745a6b7add50d380cfd7d3883dd6c62fc2c71].
+diff --git a/modules/brotli/common/dictionary.bin b/modules/brotli/common/dictionary.bin
+deleted file mode 100644
+index a585c0e292eba19e594ef95f5c4fb38fcb1f7a84..0000000000000000000000000000000000000000
+GIT binary patch
+literal 0
+Hc$@<O00001
+
+diff --git a/modules/brotli/common/dictionary.bin.br b/modules/brotli/common/dictionary.bin.br
+deleted file mode 100644
+index 6a55d420a8186fd40b050a2226ef870a73783a55..0000000000000000000000000000000000000000
+GIT binary patch
+literal 0
+Hc$@<O00001
+
+diff --git a/modules/brotli/moz.yaml b/modules/brotli/moz.yaml
+new file mode 100644
+--- /dev/null
++++ b/modules/brotli/moz.yaml
+@@ -0,0 +1,50 @@
++schema: 1
++
++bugzilla:
++  product: Toolkit
++  component: "General"
++
++origin:
++  name: brotli
++  description: generic-purpose lossless compression algorithm
++
++  url: https://github.com/google/brotli
++
++  release: e61745a6b7add50d380cfd7d3883dd6c62fc2c71 (2020-08-27T14:12:55Z).
++  revision: e61745a6b7add50d380cfd7d3883dd6c62fc2c71
++
++  license: MIT
++
++vendoring:
++  url: https://github.com/google/brotli
++  source-hosting: github
++  tracking: commit
++
++  exclude:
++    - ".*"
++    - "*"
++    - docs
++    - python
++    - scripts
++    - tests
++    - c/enc
++    - c/tools
++
++  include:
++    - c/include/
++    - c/common/
++    - c/dec/
++
++  keep:
++    - LICENSE
++
++  update-actions:
++    - action: move-dir
++      from: '{vendor_dir}/c/include'
++      to: '{vendor_dir}/include'
++    - action: move-dir
++      from: '{vendor_dir}/c/common'
++      to: '{vendor_dir}/common'
++    - action: move-dir
++      from: '{vendor_dir}/c/dec'
++      to: '{vendor_dir}/dec'
+diff --git a/modules/brotli/update.sh b/modules/brotli/update.sh
+deleted file mode 100755
+--- a/modules/brotli/update.sh
++++ /dev/null
+@@ -1,27 +0,0 @@
+-#!/bin/sh
+-
+-# Script to update the mozilla in-tree copy of the Brotli library.
+-# Run this within the /modules/brotli directory of the source tree.
+-
+-MY_TEMP_DIR=`mktemp -d -t brotli_update.XXXXXX` || exit 1
+-
+-git clone https://github.com/google/brotli ${MY_TEMP_DIR}/brotli
+-git -C ${MY_TEMP_DIR}/brotli checkout v1.0.9
+-
+-COMMIT=$(git -C ${MY_TEMP_DIR}/brotli rev-parse HEAD)
+-perl -p -i -e "s/\[commit [0-9a-f]{40}\]/[commit ${COMMIT}]/" README.mozilla;
+-
+-DIRS="common dec include"
+-
+-for d in $DIRS; do
+-	rm -rf $d
+-	mv ${MY_TEMP_DIR}/brotli/c/$d $d
+-done
+-rm -rf ${MY_TEMP_DIR}
+-
+-hg addremove $DIRS
+-
+-echo "###"
+-echo "### Updated brotli to $COMMIT."
+-echo "### Remember to verify and commit the changes to source control!"
+-echo "###"

mozilla-release/patches/mozilla-central_665930.patch → mozilla-release/patches/1835833-115a1.patch

@@ -3,7 +3,7 @@
 # Date 1685465808 0
 #      Tue May 30 16:56:48 2023 +0000
 # Node ID fdae8692c5f724b7209d50201e52c8efac172cd7
-# Parent  3e815af522af15c2069c3dcdeff415ee4fbc77c7
+# Parent  fb9cabb6035a24110c8b3587b3a13b2981c7defe
 Bug 1835833 - Update OTS to 9.1.0. r=jfkthame
 
 Differential Revision: https://phabricator.services.mozilla.com/D179464
@@ -4089,7 +4089,18 @@ deleted file mode 100644
 diff --git a/gfx/tests/gtest/moz.build b/gfx/tests/gtest/moz.build
 --- a/gfx/tests/gtest/moz.build
 +++ b/gfx/tests/gtest/moz.build
-@@ -34,24 +34,18 @@ UNIFIED_SOURCES += [
+@@ -1,9 +1,9 @@
+-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
++bb# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+ # vim: set filetype=python:
+ # This Source Code Form is subject to the terms of the Mozilla Public
+ # License, v. 2.0. If a copy of the MPL was not distributed with this
+ # file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ 
+ UNIFIED_SOURCES += [
+     'gfxSurfaceRefCountTest.cpp',
+     'MockWidget.cpp',
+@@ -34,25 +34,19 @@ UNIFIED_SOURCES += [
  UNIFIED_SOURCES += [ '/gfx/2d/unittest/%s' % p for p in [
      'TestBase.cpp',
      'TestBugs.cpp',
@@ -4106,9 +4117,10 @@ diff --git a/gfx/tests/gtest/moz.build b/gfx/tests/gtest/moz.build
 -SOURCES += [ '/gfx/ots/tests/%s' % p for p in [
 -    'cff_charstring_test.cc',
 -    'layout_common_table_test.cc',
-++UNIFIED_SOURCES += [
-++    "/gfx/ots/tests/cff_charstring_test.cc",
- ]]
+-]]
++UNIFIED_SOURCES += [
++    "/gfx/ots/tests/cff_charstring_test.cc",
++]
  
  # ICC profiles used for verifying QCMS transformations. The copyright
  # notice embedded in the profiles should be reviewed to ensure there are
@@ -4116,3 +4128,4 @@ diff --git a/gfx/tests/gtest/moz.build b/gfx/tests/gtest/moz.build
  TEST_HARNESS_FILES.gtest += [
      'icc_profiles/lcms_samsung_syncmaster.icc',
      'icc_profiles/lcms_thinkpad_w540.icc',
+ ]

mozilla-release/patches/1881183-PARTIAL-NOTESTS-11510.patch

@@ -0,0 +1,107 @@
+# HG changeset patch
+# User Kershaw Chang <kershaw@mozilla.com>
+# Date 1712320006 0
+# Node ID 97c5754df7dd0da57e84682d3fc788788ad4c362
+# Parent  327fde4c35892a8a15725bd7a5acd4ff5a7851c5
+Bug 1881183 - Avoid allocating too much memory when receiving CONTINUATION frame,  a=RyanVM
+
+Original Revision: https://phabricator.services.mozilla.com/D205234
+
+Differential Revision: https://phabricator.services.mozilla.com/D206699
+
+diff --git a/netwerk/protocol/http/Http2Session.cpp b/netwerk/protocol/http/Http2Session.cpp
+--- a/netwerk/protocol/http/Http2Session.cpp
++++ b/netwerk/protocol/http/Http2Session.cpp
+@@ -108,16 +108,17 @@ Http2Session::Http2Session(nsISocketTran
+   , mServerSessionWindow(kDefaultRwin)
+   , mInitialRwin(ASpdySession::kInitialRwin)
+   , mOutputQueueSize(kDefaultQueueSize)
+   , mOutputQueueUsed(0)
+   , mOutputQueueSent(0)
+   , mLastReadEpoch(PR_IntervalNow())
+   , mPingSentEpoch(0)
+   , mPreviousUsed(false)
++  , mAggregatedHeaderSize(0)
+   , mWaitingForSettingsAck(false)
+   , mGoAwayOnPush(false)
+   , mUseH2Deps(false)
+   , mAttemptingEarlyData(attemptingEarlyData)
+   , mOriginFrameActivated(false)
+   , mTlsHandshakeFinished(false)
+   , mCheckNetworkStallsWithTFO(false)
+   , mLastRequestBytesSentTime(0)
+@@ -1347,29 +1348,39 @@ Http2Session::RecvHeaders(Http2Session *
+         paddingLength,
+         self->mInputFrameFlags & kFlag_PADDED));
+ 
+   if ((paddingControlBytes + priorityLen + paddingLength) > self->mInputFrameDataSize) {
+     // This is fatal to the session
+     RETURN_SESSION_ERROR(self, PROTOCOL_ERROR);
+   }
+ 
++  uint32_t frameSize = self->mInputFrameDataSize - paddingControlBytes -
++                       priorityLen - paddingLength;
++  if (self->mAggregatedHeaderSize + frameSize >
++      gHttpHandler->MaxHttpResponseHeaderSize()) {
++    LOG(("Http2Session %p header exceeds the limit\n", self));
++    RETURN_SESSION_ERROR(self, PROTOCOL_ERROR);
++  }
++
+   if (!self->mInputFrameDataStream) {
+     // Cannot find stream. We can continue the session, but we need to
+     // uncompress the header block to maintain the correct compression context
+ 
+     LOG3(("Http2Session::RecvHeaders %p lookup mInputFrameID stream "
+           "0x%X failed. NextStreamID = 0x%X\n",
+           self, self->mInputFrameID, self->mNextStreamID));
+ 
+     if (self->mInputFrameID >= self->mNextStreamID)
+       self->GenerateRstStream(PROTOCOL_ERROR, self->mInputFrameID);
+ 
+-    self->mDecompressBuffer.Append(&self->mInputFrameBuffer[kFrameHeaderBytes + paddingControlBytes + priorityLen],
+-                                   self->mInputFrameDataSize - paddingControlBytes - priorityLen - paddingLength);
++    self->mDecompressBuffer.Append(
++        &self->mInputFrameBuffer[kFrameHeaderBytes + paddingControlBytes +
++                                 priorityLen],
++        frameSize);
+ 
+     if (self->mInputFrameFlags & kFlag_END_HEADERS) {
+       rv = self->UncompressAndDiscard(false);
+       if (NS_FAILED(rv)) {
+         LOG3(("Http2Session::RecvHeaders uncompress failed\n"));
+         // this is fatal to the session
+         self->mGoAwayReason = COMPRESSION_ERROR;
+         return rv;
+@@ -1385,26 +1396,28 @@ Http2Session::RecvHeaders(Http2Session *
+       !(self->mInputFrameFlags & kFlag_END_STREAM)) {
+     // Any header block after the first that does *not* end the stream is
+     // illegal.
+     LOG3(("Http2Session::Illegal Extra HeaderBlock %p 0x%X\n", self, self->mInputFrameID));
+     RETURN_SESSION_ERROR(self, PROTOCOL_ERROR);
+   }
+ 
+   // queue up any compression bytes
+-  self->mDecompressBuffer.Append(&self->mInputFrameBuffer[kFrameHeaderBytes + paddingControlBytes + priorityLen],
+-                                 self->mInputFrameDataSize - paddingControlBytes - priorityLen - paddingLength);
++  self->mDecompressBuffer.Append(
++      &self->mInputFrameBuffer[kFrameHeaderBytes + paddingControlBytes +
++                               priorityLen],
++      frameSize);
+ 
+   self->mInputFrameDataStream->UpdateTransportReadEvents(self->mInputFrameDataSize);
+   self->mLastDataReadEpoch = self->mLastReadEpoch;
+ 
+   if (!isContinuation) {
+-    self->mAggregatedHeaderSize = self->mInputFrameDataSize - paddingControlBytes - priorityLen - paddingLength;
++    self->mAggregatedHeaderSize = frameSize;
+   } else {
+-    self->mAggregatedHeaderSize += self->mInputFrameDataSize - paddingControlBytes - priorityLen - paddingLength;
++    self->mAggregatedHeaderSize += frameSize;
+   }
+ 
+   if (!endHeadersFlag) { // more are coming - don't process yet
+     self->ResetDownstreamState();
+     return NS_OK;
+   }
+ 
+   rv = self->ResponseHeadersComplete();

mozilla-release/patches/1883158-11510.patch

@@ -0,0 +1,39 @@
+# HG changeset patch
+# User Andrew Osmond <aosmond@mozilla.com>
+# Date 1710186749 0
+# Node ID cc048f3d96ece30e21eb4c2eb07a5d3d6fb225e6
+# Parent  8848b1128483d5b11448b72d7f46260d0927fb0c
+Bug 1883158. r=media-playback-reviewers,chunmin,azebrowski a=RyanVM
+
+diff --git a/dom/media/MediaData.h b/dom/media/MediaData.h
+--- a/dom/media/MediaData.h
++++ b/dom/media/MediaData.h
+@@ -104,18 +104,26 @@ public:
+   {
+     aOther.mData = nullptr;
+     aOther.mLength = 0;
+     aOther.mCapacity = 0;
+   }
+ 
+   AlignedBuffer& operator=(AlignedBuffer&& aOther)
+   {
+-    this->~AlignedBuffer();
+-    new (this) AlignedBuffer(std::move(aOther));
++    if (&aOther == this) {
++      return *this;
++    }
++    mData = aOther.mData;
++    mLength = aOther.mLength;
++    mBuffer = std::move(aOther.mBuffer);
++    mCapacity = aOther.mCapacity;
++    aOther.mData = nullptr;
++    aOther.mLength = 0;
++    aOther.mCapacity = 0;
+     return *this;
+   }
+ 
+   Type* Data() const { return mData; }
+   size_t Length() const { return mLength; }
+   size_t Size() const { return mLength * sizeof(Type); }
+   Type& operator[](size_t aIndex)
+   {

mozilla-release/patches/1886683-11510.patch

@@ -0,0 +1,67 @@
+# HG changeset patch
+# User Jan de Mooij <jdemooij@mozilla.com>
+# Date 1711465242 0
+# Node ID 9f5ce0bf14f31a9063104a248c2adbfded044e0e
+# Parent  ada98153d0521bf6ba4acadb2eaf8b3e8f6829f6
+Bug 1886683 - Simplify tracing of arguments in TraceThisAndArguments. r=iain, a=RyanVM
+
+Differential Revision: https://phabricator.services.mozilla.com/D205586
+
+diff --git a/js/src/jit/JitFrames.cpp b/js/src/jit/JitFrames.cpp
+--- a/js/src/jit/JitFrames.cpp
++++ b/js/src/jit/JitFrames.cpp
+@@ -869,42 +869,44 @@ TraceThisAndArguments(JSTracer* trc, con
+     // except when the script might have lazy arguments or rest, in which case
+     // we trace them as well. We also have to trace formals if we have a
+     // LazyLink frame or an InterpreterStub frame or a special JSJit to wasm
+     // frame (since wasm doesn't use snapshots).
+ 
+     if (!CalleeTokenIsFunction(layout->calleeToken()))
+         return;
+ 
+-    size_t nargs = layout->numActualArgs();
+-    size_t nformals = 0;
++    JSFunction* fun = CalleeTokenToFunction(layout->calleeToken());
+ 
+-    JSFunction* fun = CalleeTokenToFunction(layout->calleeToken());
++    size_t numFormals = fun->nargs();
++    size_t numArgs = std::max(layout->numActualArgs(), numFormals);
++    size_t firstArg = 0;
++
+     if (frame.type() != JitFrame_JSJitToWasm &&
+         !frame.isExitFrameLayout<CalledFromJitExitFrameLayout>() &&
+         !fun->nonLazyScript()->mayReadFrameArgsDirectly())
+     {
+-        nformals = fun->nargs();
++        firstArg = numFormals;
+     }
+ 
+-    size_t newTargetOffset = Max(nargs, fun->nargs());
+-
+     Value* argv = layout->argv();
+ 
+     // Trace |this|.
+     TraceRoot(trc, argv, "ion-thisv");
+ 
+-    // Trace actual arguments beyond the formals. Note + 1 for thisv.
+-    for (size_t i = nformals + 1; i < nargs + 1; i++)
+-        TraceRoot(trc, &argv[i], "ion-argv");
++    // Trace arguments. Note + 1 for thisv.
++    for (size_t i = firstArg; i < numArgs; i++) {
++      TraceRoot(trc, &argv[i + 1], "ion-argv");
++    }
+ 
+     // Always trace the new.target from the frame. It's not in the snapshots.
+     // +1 to pass |this|
+     if (CalleeTokenIsConstructing(layout->calleeToken()))
+-        TraceRoot(trc, &argv[1 + newTargetOffset], "ion-newTarget");
++      TraceRoot(trc, &argv[1 + numArgs], "ion-newTarget");
++
+ }
+ 
+ #ifdef JS_NUNBOX32
+ static inline void
+ WriteAllocation(const JSJitFrameIter& frame, const LAllocation* a, uintptr_t value)
+ {
+     if (a->isGeneralReg()) {
+         Register reg = a->toGeneralReg()->reg();

mozilla-release/patches/1890514-11511.patch

@@ -0,0 +1,49 @@
+# HG changeset patch
+# User Daniel Holbert <dholbert@cs.stanford.edu>
+# Date 1714223629 0
+# Node ID e038e08823cba03b081e77b4c7d0dedfd60e9cf3
+# Parent  bf2a8f3b644f2896e72acb0f62434554703363e5
+Bug 1890514: Null-check 'view' before using it, in nsTreeBodyFrame::RemoveImageCacheEntry.  a=dmeehan
+
+If it's null, we'll now just take the existing something-failed early-return codepath.
+
+The 'view' local variable here is really just an alias for mView, and we have
+null-checks for mView elsewhere, so it's conceivable that it could be null when
+we get to this point. (And we have a low but nonzero level of crash volume for
+folks hitting a null-deref on this line, which seems to confirm that it is
+occasionally null here.)
+
+I'm not including a test since I'm not sure how to trigger the conditions
+required to crash in this way.  But the change is pretty trivial and clearly
+a step in the direction of safety-against-crashing.
+
+Original Revision: https://phabricator.services.mozilla.com/D207817
+
+Differential Revision: https://phabricator.services.mozilla.com/D208379
+
+diff --git a/layout/xul/tree/nsTreeBodyFrame.cpp b/layout/xul/tree/nsTreeBodyFrame.cpp
+--- a/layout/xul/tree/nsTreeBodyFrame.cpp
++++ b/layout/xul/tree/nsTreeBodyFrame.cpp
+@@ -4506,17 +4506,22 @@ nsTreeBodyFrame::ClearStyleAndImageCache
+   CancelImageRequests();
+   mImageCache.Clear();
+   return NS_OK;
+ }
+ 
+ nsresult
+ nsTreeBodyFrame::RemoveImageCacheEntry(int32_t aRowIndex, nsITreeColumn* aCol)
+ {
++  if (!mView) {
++    return NS_OK;
++  }
++
+   nsAutoString imageSrc;
++  
+   if (NS_SUCCEEDED(mView->GetImageSrc(aRowIndex, aCol, imageSrc))) {
+     nsTreeImageCacheEntry entry;
+     if (mImageCache.Get(imageSrc, &entry)) {
+       nsLayoutUtils::DeregisterImageRequest(PresContext(), entry.request,
+                                             nullptr);
+       entry.request->CancelAndForgetObserver(NS_BINDING_ABORTED);
+       mImageCache.Remove(imageSrc);
+     }

mozilla-release/patches/1893340-11511.patch

@@ -0,0 +1,118 @@
+# HG changeset patch
+# User Dave Townsend <dtownsend@oxymoronical.com>
+# Date 1714766716 0
+# Node ID 30f2b471b2f08adf4835ce240a52e1fdb0c2fffc
+# Parent  c78612e6df17a627ab6d4b02e06e8c696a3afebb
+Bug 1893340: Test nsINIParser for string and section deletion  a=dmeehan
+
+Original Revision: https://phabricator.services.mozilla.com/D208981
+
+Differential Revision: https://phabricator.services.mozilla.com/D209332
+
+diff --git a/xpcom/base/nsINIParser.cpp b/xpcom/base/nsINIParser.cpp
+--- a/xpcom/base/nsINIParser.cpp
++++ b/xpcom/base/nsINIParser.cpp
+@@ -260,17 +260,16 @@ nsINIParser::DeleteString(const char* aS
+   }
+ 
+   // Special case the first result
+   if (strcmp(val->key, aKey) == 0) {
+     if (!val->next) {
+       mSections.Remove(aSection);
+     } else {
+       mSections.Put(aSection, val->next.release());
+-      delete val;
+     }
+     return NS_OK;
+   }
+ 
+   while (val->next) {
+     if (strcmp(val->next->key, aKey) == 0) {
+       val->next = std::move(val->next->next);
+ 
+diff --git a/xpcom/tests/gtest/TestINIParser.cpp b/xpcom/tests/gtest/TestINIParser.cpp
+new file mode 100644
+--- /dev/null
++++ b/xpcom/tests/gtest/TestINIParser.cpp
+@@ -0,0 +1,60 @@
++/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
++/* This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0. If a copy of the MPL was not distributed with this
++ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
++
++#include "nsCOMPtr.h"
++#include "gtest/gtest.h"
++#include "mozilla/gtest/MozAssertions.h"
++
++#include "nsINIParser.h"
++
++TEST(INIParser, DeleteString)
++{
++  nsINIParser* parser = new nsINIParser();
++  nsresult rv = parser->InitFromString(
++      "[sec]\r\
++key1=val1\r\
++key2=val2\r\
++key3=val3\r\
++key4=val4"_ns);
++  EXPECT_NS_SUCCEEDED(rv);
++
++  rv = parser->DeleteString("sec", "key3");
++  EXPECT_NS_SUCCEEDED(rv);
++  rv = parser->DeleteString("sec", "key4");
++  EXPECT_NS_SUCCEEDED(rv);
++  rv = parser->DeleteString("sec", "key1");
++  EXPECT_NS_SUCCEEDED(rv);
++  rv = parser->DeleteString("sec", "key2");
++  EXPECT_NS_SUCCEEDED(rv);
++
++  delete parser;
++}
++
++TEST(INIParser, DeleteSection)
++{
++  nsINIParser* parser = new nsINIParser();
++  nsresult rv = parser->InitFromString(
++      "[sec1]\r\
++key=val\r\
++\r\
++[sec2]\r\
++key=val\r\
++[sec3]\r\
++key=val\r\
++[sec4]\r\
++key=val"_ns);
++  EXPECT_NS_SUCCEEDED(rv);
++
++  rv = parser->DeleteSection("sec3");
++  EXPECT_NS_SUCCEEDED(rv);
++  rv = parser->DeleteSection("sec4");
++  EXPECT_NS_SUCCEEDED(rv);
++  rv = parser->DeleteSection("sec1");
++  EXPECT_NS_SUCCEEDED(rv);
++  rv = parser->DeleteSection("sec2");
++  EXPECT_NS_SUCCEEDED(rv);
++
++  delete parser;
++}
+diff --git a/xpcom/tests/gtest/moz.build b/xpcom/tests/gtest/moz.build
+--- a/xpcom/tests/gtest/moz.build
++++ b/xpcom/tests/gtest/moz.build
+@@ -20,16 +20,17 @@ UNIFIED_SOURCES += [
+     'TestEncoding.cpp',
+     'TestEscape.cpp',
+     'TestEventPriorities.cpp',
+     'TestEventTargetQI.cpp',
+     'TestExpirationTracker.cpp',
+     'TestFile.cpp',
+     'TestGCPostBarriers.cpp',
+     'TestID.cpp',
++    "TestINIParser.cpp",
+     'TestMoveString.cpp',
+     'TestMozPromise.cpp',
+     'TestMultiplexInputStream.cpp',
+     'TestNsDeque.cpp',
+     'TestNSPRLogModulesParser.cpp',
+     'TestObserverArray.cpp',
+     'TestObserverService.cpp',
+     'TestPipes.cpp',

mozilla-release/patches/series

@@ -4402,7 +4402,7 @@ NOBUG-20180824-buildsetting-63a1.patch
 1435552-63a1.patch
 1487595-1-63a1.patch
 1487595-2-63a1.patch
-1480552-63a1.patch
+1480552-64a1.patch
 1484611-2ano1-64a1.patch
 1484611-2b-64a1.patch
 1417646-1-64a1.patch
@@ -4714,10 +4714,10 @@ NOBUG-20180824-buildsetting-63a1.patch
 1502159-1-65a1.patch
 1502159-2-65a1.patch
 1504727-65a1.patch
-1489698-1-65a1.patch
-1489698-2-65a1.patch
-1489698-3-65a1.patch
-1489698-4-65a1.patch
+1489698-1-64a1.patch
+1489698-2-64a1.patch
+1489698-3-64a1.patch
+1489698-4-64a1.patch
 1489698-5-65a1.patch
 1489698-6-65a1.patch
 1489698-7-65a1.patch
@@ -6157,7 +6157,7 @@ NOBUG-20190207-crashreporter-67a1.patch
 1662793-82a1.patch
 1664210-82a1.patch
 1627944-83a1.patch
-1658308-1-83a1.patch
+1658308-3no12-83a1.patch
 1667835-83a1.patch
 1667473-1-83a1.patch
 1667473-2-83a1.patch
@@ -6193,7 +6193,7 @@ NOBUG-20190207-crashreporter-67a1.patch
 1680345-85a1.patch
 1679056-85a1.patch
 1680152-1-85a1.patch
-1658308-2-85a1.patch
+1658308-5no4-85a1.patch
 1681372-86a1.patch
 1685381-86a1.patch
 1686287-86a1.patch
@@ -6742,23 +6742,30 @@ TOP-NOBUG-REGEXP-45-final-25318.patch
 TOP-NOBUG-REGEXP-46-fixes-25318.patch
 WIP-NOBUG-seamonkey-credits.patch
 WIP-NOBUG-implement-about-seamonkey-mozilla.patch
-mozilla-central_603605.patch
-mozilla-central_635136.patch
+1717947-1-91a1.patch
+1717947-2-91a1.patch
+1717947-3-91a1.patch
+1748352-97a1.patch
+1789403-2no1-106a1.patch
 1789403-3-106a1.patch
-mozilla-central_635139.patch
-mozilla-central_636122.patch
-mozilla-central_636497.patch
-mozilla-central_637080.patch
-mozilla-central_645670.patch
-mozilla-central_655952.patch
-mozilla-central_665930.patch
-mozilla-central_675504.patch
-mozilla-central_676459.patch
-mozilla-central_692390.patch
-mozilla-central_731979.patch
-mozilla-central_732156.patch
-mozilla-central_732157.patch
-mozilla-central_732158.patch
-mozilla-central_584331.patch
-mozilla-central_584332.patch
-mozilla-central_584333.patch
+1789403-5no4-106a1.patch
+1791017-107a1.patch
+1792214-107a1.patch
+1761233-107a1.patch
+1466443-110a1.patch
+1821011-112a1.patch
+1821026-112a1.patch
+1835833-115a1.patch
+1847959-118a1.patch
+1850314-118a1.patch
+1873636-123a1.patch
+1875367-124a1.patch
+1874489-1-124a1.patch
+1874489-2-124a1.patch
+1874489-3-124a1.patch
+1883158-11510.patch
+1886683-11510.patch
+1881183-PARTIAL-NOTESTS-11510.patch
+1890514-11511.patch
+1893340-11511.patch
+