Compare revisions

da28e525 · c6f81935 · 7f8564b1 · 3a290368 · fbeb3dab · 80d718bc
--- a/.cargo/config.in
+++ b/.cargo/config.in
@@ -70,7 +70,7 @@ rev = "746743227485a83123784df0c53227ab466612ed"
 [source."https://github.com/hsivonen/packed_simd"]
 git = "https://github.com/hsivonen/packed_simd"
 replace-with = "vendored-sources"
-rev = "c149d0a519bf878567c7630096737669ec2ff15f"
+rev = "f38664024b29d44c506431eada7c112629bb1aa9"

 [source."https://github.com/hsivonen/chardetng_c"]
 git = "https://github.com/hsivonen/chardetng_c"

--- a/.cron.yml
+++ b/.cron.yml
@@ -149,19 +149,6 @@ jobs:
      when:
          - {hour: 2, minute: 0}

-    - name: updatebot-cron-job
-      job:
-          type: decision-task
-          treeherder-symbol: updatebot
-          target-tasks-method: updatebot_cron
-      run-on-projects:
-          - mozilla-central
-      when:
-          - {hour: 0, minute: 0}
-          - {hour: 6, minute: 0}
-          - {hour: 12, minute: 0}
-          - {hour: 18, minute: 0}
-
    - name: customv8-update
      job:
          type: decision-task
@@ -196,6 +183,7 @@ jobs:
          - mozilla-beta
          - mozilla-release
          - mozilla-esr91
+          - mozilla-esr102
      when:
          by-project:
              # No default branch
@@ -211,6 +199,9 @@ jobs:
              mozilla-esr91:
                  - {hour: 7, minute: 0}
                  - {hour: 19, minute: 0}
+              mozilla-esr102:
+                  - {hour: 7, minute: 0}
+                  - {hour: 19, minute: 0}

    - name: periodic-update
      job:

--- a/.eslintignore
+++ b/.eslintignore
@@ -147,6 +147,9 @@ js/src/Y.js
 # Fuzzing code for testing only, targeting the JS shell
 js/src/fuzz-tests/

+# uses `#include`
+mobile/android/app/000-tor-browser-android.js
+
 # Uses `#filter substitution`
 mobile/android/app/mobile.js
 mobile/android/app/geckoview-prefs.js

--- a/.gitignore
+++ b/.gitignore
@@ -193,3 +193,6 @@ config/external/icu4x
 # Ignore Storybook generated files
 browser/components/storybook/node_modules/
 browser/components/storybook/storybook-static/
+
+# Ignore binary base of tor browser
+.binaries
--- a/.gitlab/issue_templates/Backport Android Security Fixes.md
+++ b/.gitlab/issue_templates/Backport Android Security Fixes.md
+<details>
+  <summary>Explanation of Variables</summary>
+
+- `$(ESR_VERSION)`: the Mozilla defined ESR version, used in various places for building tor-browser tags, labels, etc
+  - **Example**: `102.8.0`
+- `$(RR_VERSION)`: the Mozilla defined Rapid-Release version; Tor Browser for Android is based off of the `$(ESR_VERSION)`, but Mozilla's Firefox for Android is based off of the `$(RR_VERSION)` so we need to keep track of security vulnerabilities to backport from the monthly Rapid-Release train and our frozen ESR train.
+  - **Example**: `110`
+- `$(PROJECT_NAME)`: the name of the browser project, either `base-browser` or `tor-browser`
+- `$(TOR_BROWSER_MAJOR)`: the Tor Browser major version
+  - **Example**: `12`
+- `$(TOR_BROWSER_MINOR)`: the Tor Browser minor version
+  - **Example**: either `0` or `5`; Alpha's is always `(Stable + 5) % 10`
+- `$(BUILD_N)`: a project's build revision within a its branch; many of the Firefox-related projects have a `$(BUILD_N)` suffix and may differ between projects even when they contribute to the same build.
+  - **Example**: `build1`
+</details>
+
+**NOTE:** It is assumed the `tor-browser` rebases (stable and alpha) have already happened and there exists a `build1` build tags for both `base-browser` and `tor-browser` (stable and alpha)
+
+### **Bookkeeping**
+
+- [ ] Link this issue to the appropriate [Release Prep](https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/?sort=updated_desc&state=opened&label_name%5B%5D=Release%20Prep) issues (stable and alpha).
+
+### **Security Vulnerabilities Report**: https://www.mozilla.org/en-US/security/advisories/
+
+- Potentially Affected Components:
+  - `firefox`/`geckoview`: https://github.com/mozilla/gecko-dev
+  - `application-services`: https://github.com/mozilla/application-services
+  - `android-components` (ESR 102 only): https://github.com/mozilla-mobile/firefox-android
+  - `fenix` (ESR 102 only): https://github.com/mozilla-mobile/firefox-android
+  - `firefox-android`: https://github.com/mozilla-mobile/firefox-android
+
+**NOTE:** `android-components` and `fenix` used to have their own repos, but since November 2022 they have converged to a single `firefox-android` repo. Any backports will require manually porting patches over to our legacy repos until we have transitioned to ESR 115.
+
+- [ ] Go through the `Security Vulnerabilities fixed in Firefox $(RR_VERSION)` report and create a candidate list of CVEs which potentially need to be backported in this issue:
+  - CVEs which are explicitly labeled as 'Android' only
+  - CVEs which are fixed in Rapid Release but not in ESR
+  - 'Memory safety bugs' fixed in Rapid Release but not in ESR
+- [ ] Foreach issue:
+  - Create link to the CVE on [mozilla.org](https://www.mozilla.org/en-US/security/advisories/)
+    - **Example**: https://www.mozilla.org/en-US/security/advisories/mfsa2023-05/#CVE-2023-25740
+  - Create link to the associated Bugzilla issues (found in the CVE description)
+  - Create links to the relevant `gecko-dev`/other commit hashes which need to be backported OR a brief justification for why the fix does not need to be backported
+    - To find the `gecko-dev` version of a `mozilla-central`, search for a unique string in the relevant `mozilla-central` commit message in the `gecko-dev/release` branch log.
+    - **NOTE:** This process is unfortunately somewhat poorly defined/ad-hoc given the general variation in how Bugzilla issues are labeled and resolved. In general this is going to involve a bit of hunting to identify needed commits or determining whether or not the fix is relevant.
+
+### CVEs
+
+<!-- CVE Resolution Template, foreach CVE to investigate add an entry in the form:
+- [ ] https://www.mozilla.org/en-US/security/advisories/mfsaYYYY-NN/#CVE-YYYY-XXXXX // CVE description
+  - https://bugzilla.mozilla.org/show_bug.cgi?id=NNNNNN // Bugzilla issue
+  - **Note**: Any relevant info about this fix, justification for why it is not necessary, etc
+  - **Patches**
+    - firefox-android: https://link.to/relevant/patch
+    - firefox: https://link.to/relevant/patch
+ -->
+
+### **tor-browser**: https://gitlab.torproject.org/tpo/applications/tor-browser.git
+- [ ] Backport any Android-specific security fixes from Firefox rapid-release
+  - [ ] Backport patches to `tor-browser` stable branch
+  - [ ] Open MR
+  - [ ] Merge
+  - [ ] Rebase patches onto:
+    - [ ] `base-browser` stable
+    - [ ] `tor-browser` alpha
+    - [ ] `base-browser` alpha
+  - [ ] Sign/Tag commits:
+    - **Tag**: `$(PROJECT_NAME)-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)`
+    - **Message**: `Tagging $(BUILD_N) for $(ESR_VERSION)-based stable|alpha)`
+    - [ ] `base-browser` stable
+    - [ ] `tor-browser` stable
+    - [ ] `base-browser` alpha
+    - [ ] `tor-browser` alpha
+  - [ ] Push tags to `upstream`
+- **OR**
+- [ ] No backports
+
+### **application-services**: https://gitlab.torproject.org/tpo/applications/application-services
+- **NOTE**: we will need to setup a gitlab copy of this repo and update `tor-browser-build` before we can apply security backports here
+- [ ] Backport any Android-specific security fixes from Firefox rapid-release
+  - [ ] Backport patches to `application-services` stable branch
+  - [ ] Open MR
+  - [ ] Merge
+  - [ ] Rebase patches onto `application-services` alpha
+  - [ ] Sign/Tag commits:
+    - **Tag**: `application-services-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)`
+    - **Message**: `Tagging $(BUILD_N) for $(ESR_VERSION)-based stable|alpha`
+    - [ ] `application-services` stable
+    - [ ] `application-services` alpha
+  - [ ] Push tags to `upstream`
+- **OR**
+- [ ] No backports
+
+
+### **android-components (Optional, ESR 102)**: https://gitlab.torproject.org/tpo/applications/android-components.git
+- [ ] Backport any Android-specific security fixes from Firefox rapid-release
+  - **NOTE**: Since November 2022, this repo has been merged with `fenix` into a singular `firefox-android` repo: https://github.com/mozilla-mobile/firefox-android. Any backport will require a patch rewrite to apply to our legacy `android-components` project.
+  - [ ] Backport patches to `android-components` stable branch
+  - [ ] Open MR
+  - [ ] Merge
+  - [ ] Rebase patches onto `android-components` alpha
+  - [ ] Sign/Tag commits:
+    - **Tag**: `android-components-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)`
+    - **Message**: `Tagging $(BUILD_N) for $(ESR_VERSION)-based stable|alpha)`
+    - [ ] `android-components` stable
+    - [ ] `android-components` alpha
+  - [ ] Push tags to `upstream`
+- **OR**
+- [ ] No backports
+
+
+### **fenix (Optional, ESR 102)**: https://gitlab.torproject.org/tpo/applications/fenix.git
+- [ ] Backport any Android-specific security fixes from Firefox rapid-release
+  - **NOTE**: Since February 2023, this repo has been merged with `android-components` into a singular `firefox-android` repo: https://github.com/mozilla-mobile/firefox-android. Any backport will require a patch rewrite to apply to our legacy `fenix` project.
+  - [ ] Backport patches to `fenix` stable branch
+  - [ ] Open MR
+  - [ ] Merge
+  - [ ] Rebase patches onto `fenix` alpha
+  - [ ] Sign/Tag commits:
+    - **Tag**: `tor-browser-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)`
+    - **Message**: `Tagging $(BUILD_N) for $(ESR_VERSION)-based stable|alpha)`
+    - [ ] `fenix` stable
+    - [ ] `fenix` alpha
+  - [ ] Push tags to `upstream`
+- **OR**
+- [ ] No backports
+
+### **firefox-android**: https://gitlab.torproject.org/tpo/applications/firefox-android
+- [ ] Backport any Android-specific security fixes from Firefox rapid-release
+  - [ ] Backport patches to `firefox-android` stable branch
+  - [ ] Open MR
+  - [ ] Merge
+  - [ ] Rebase patches onto `fenix` alpha
+  - [ ] Sign/Tag commits:
+    - **Tag**: `firefox-android-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)`
+    - **Message**: `Tagging $(BUILD_N) for $(ESR_VERSION)-based stable|alpha)`
+    - [ ] `firefox-android` stable
+    - [ ] `firefox-android` alpha
+  - [ ] Push tags to `upstream`
+- **OR**
+- [ ] No backports
+
+/confidential
--- a/.gitlab/issue_templates/Rebase Browser - Alpha.md
+++ b/.gitlab/issue_templates/Rebase Browser - Alpha.md
+**NOTE:** All examples in this template reference the rebase from 102.7.0esr to 102.8.0esr
+
+<details>
+  <summary>Explanation of Variables</summary>
+
+- `$(ESR_VERSION)`: the Mozilla defined ESR version, used in various places for building tor-browser tags, labels, etc
+  - **Example**: `102.8.0`
+- `$(ESR_TAG)`: the Mozilla defined hg (Mercurial) tag associated with `$(ESR_VERSION)`
+  - **Example**: `FIREFOX_102_8_0esr_RELEASE`
+- `$(ESR_TAG_PREV)`: the Mozilla defined hg (Mercurial) tag associated with the previous ESR version when rebasing (ie, the ESR version we are rebasing from)
+  - **Example**: `FIREFOX_102_7_0esr_BUILD1`
+- `$(BROWSER_MAJOR)`: the browser major version
+  - **Example**: `12`
+- `$(BROWSER_MINOR)`: the browser minor version
+  - **Example**: either `0` or `5`; Alpha's is always `(Stable + 5) % 10`
+- `$(BASE_BROWSER_BRANCH)`: the full name of the current `base-browser` branch
+  - **Example**: `base-browser-102.8.0esr-12.5-1`
+- `$(BASE_BROWSER_BRANCH_PREV)`: the full name of the previous `base-browser` branch
+  - **Example**: `base-browser-102.7.0esr-12.5-1`
+- `$(TOR_BROWSER_BRANCH)`: the full name of the current `tor-browser` branch
+  - **Example**: `tor-browser-102.8.0esr-12.5-1`
+- `$(TOR_BROWSER_BRANCH_PREV)`: the full name of the previous `tor-browser` branch
+  - **Example**: `tor-browser-102.7.0esr-12.5-1`
+</details>
+
+**NOTE:** It is assumed that we've already identified the new ESR branch during the tor-browser stable rebase
+
+### **Bookkeeping**
+
+- [ ] Link this issue to the appropriate [Release Prep](https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/?sort=updated_desc&state=opened&label_name%5B%5D=Release%20Prep) issue.
+
+### Update Branch Protection Rules
+
+- [ ] In [Repository Settings](https://gitlab.torproject.org/tpo/applications/tor-browser/-/settings/repository):
+  - [ ] Remove previous alpha `base-browser` and `tor-browser` branch protection rules (this will prevent pushing new changes to the branches being rebased)
+  - [ ] Create new `base-browser` and `tor-browser` branch protection rule:
+    - **Branch**: `*-$(ESR_VERSION)esr-$(BROWSER_MAJOR).$(BROWSER_MINOR)-1*`
+      - **Example**: `*-102.8.0esr-12.5-1*`
+    - **Allowed to merge**: `Maintainers`
+    - **Allowed to push and merge**: `Maintainers`
+    - **Allowed to force push**: `false`
+
+### **Create New Branches**
+
+- [ ] Create new alpha `base-browser` branch from Firefox mercurial tag (found during the stable rebase)
+  - Branch name in the form: `base-browser-$(ESR_VERSION)esr-$(BROWSER_MAJOR).$(BROWSER_MINOR)-1`
+  - **Example**: `base-browser-102.8.0esr-12.5-1`
+- [ ] Create new alpha `tor-browser` branch from Firefox mercurial tag
+  - Branch name in the form: `tor-browser-$(ESR_VERSION)esr-$(BROWSER_MAJOR).$(BROWSER_MINOR)-1`
+  - **Example**: `tor-browser-102.8.0esr-12.5-1`
+- [ ] Push new `base-browser` branch to `upstream`
+- [ ] Push new `tor-browser` branch to `upstream`
+
+### **Rebase tor-browser**
+
+- [ ] Checkout a new local branch for the `tor-browser` rebase
+  - **Example**: `git branch tor-browser-rebase FIREFOX_102_8_0esr_BUILD1`
+- [ ] **(Optional)** `base-browser` rebase and autosquash
+  - **NOTE** This step may be skipped if the `HEAD` of the previous `base-browser` branch is a `-buildN` tag
+  - [ ] Cherry-pick the previous `base-browser` commits up to `base-browser`'s `buildN` tag onto new `base-browser` rebase branch
+    - **Example**: `git cherry-pick FIREFOX_102_7_0esr_BUILD1..base-browser-102.7.0esr-12.5-1-build1`
+  - [ ] Rebase and autosquash these cherry-picked commits
+    - **Example**: `git rebase --autosquash --interactive FIREFOX_102_8_0esr_BUILD1 HEAD`
+  - [ ] Cherry-pick remainder of patches after the `buildN` tag
+    - **Example**: `git cherry-pick base-browser-102.7.0esr-12.5-1-build1..upstream/base-browser-102.7.0esr-12.5-1`
+
+- [ ] `tor-browser` rebase and autosquash
+  - [ ] Note the current git hash of `HEAD` for `tor-browser` rebase+autosquash step: `git rev-parse HEAD`
+  - [ ] Cherry-pick the appropriate previous `tor-browser` branch's commit range up to the last `tor-browser` `buildN` tag
+    - **Example**: `git cherry-pick base-browser-102.7.0esr-12.5-1-build1..tor-browser-102.7.0esr-12.5-1-build1`
+    - **Example (if separate base-browser rebase was skipped)**: `git cherry-pick FIREFOX_102_7_0esr_BUILD1..tor-browser-102.7.0esr-12.5-1-build1`
+  - [ ] Rebase and autosquash  **ONLY** these newly cherry-picked commits using the commit noted previously: `git rebase --autosquash --interactive $(PREV_HEAD)`
+     - **Example**: `git rebase --autosquash --interactive FIREFOX_102_8_0esr_RELEASE`
+  - [ ] **(Optional)** Patch reordering
+    - **NOTE**: We typically want to do this after new features or bug fix commits which are not !fixups to an existing commit have been merged and are just sitting at the end of the commit history
+    - Relocate new `base-browser` patches in the patch-set to enforce this rough thematic ordering:
+      - **MOZILLA BACKPORTS** - official Firefox patches we have backported to our ESR branch: Android-specific security updates, critical bug fixes, worthwhile features, etc
+      - **MOZILLA REVERTS** - revert commits of official Firefox patches
+      - **UPLIFT CANDIDATES** - patches which stand on their own and should be uplifted to `mozilla-central`
+      - **BUILD CONFIGURATION** - tools/scripts, gitlab templates, etc
+      - **BROWSER CONFIGURATION** - branding, mozconfigs, preference overrides, etc
+      - **SECURITY PATCHES** - security improvements, hardening, etc
+      - **PRIVACY PATCHES** - fingerprinting, linkability, proxy bypass, etc
+      - **FEATURES** - new functionality: updater, UX, letterboxing, security level, add-on
+    - Relocate new `tor-browser` patches in the patch-set to enforce this rough thematic ordering:
+      - **BUILD CONFIGURATION** - tools/scripts, gitlab templates, etc
+      - **BROWSER CONFIGURATION** - branding, mozconfigs, preference overrides, etc
+      - **UPDATER PATCHES** - updater tweaks, signing keys, etc
+      - **SECURITY PATCHES** - non tor-dependent security improvements, hardening, etc
+      - **PRIVACY PATCHES** - non tor-dependent fingerprinting, linkability, proxy bypass, etc
+      - **FEAURES** - non tor-dependent features
+      - **TOR INTEGRATION** - legacy tor-launcher/torbutton, tor modules, bootstrapping, etc
+      - **TOR SECURITY PATCHES** - tor-specific security improvements
+      - **TOR PRIVACY PATCHES** - tor-specific privacy improvements
+      - **TOR FEATURES** - new tor-specific functionality: manual, onion-location, onion service client auth, etc
+  - [ ] Cherry-pick remainder of patches after the last `tor-browser` `buildN` tag
+    - **Example**: `git cherry-pick tor-browser-102.7.0esr-12.5-1-build1..upstream/tor-browser-102.7.0esr-12.5-1`
+  - [ ] Rebase and autosquash again, this time replacing all `fixup` and `squash` commands with `pick`. The goal here is to have all of the `fixup` and `squash` commits beside the commit which they modify, but kept un-squashed for easy debugging/bisecting.
+    - **Example**: `git rebase --autosquash --interactive FIREFOX_102_8_0esr_RELEASE`
+- [ ] Compare patch sets to ensure nothing *weird* happened during conflict resolution:
+  - [ ] diff of diffs:
+    -  Do the diff between `current_patchset.diff` and `rebased_patchset.diff` with your preferred difftool and look at differences on lines that starts with + or -
+    - `git diff $(ESR_TAG_PREV)..$(BROWSER_BRANCH_PREV) > current_patchset.diff`
+    - `git diff $(ESR_TAG)..$(BROWSER_BRANCH) > rebased_patchset.diff`
+    - diff `current_patchset.diff` and `rebased_patchset.diff`
+      - If everything went correctly, the only lines which should differ should be the lines starting with `index abc123...def456` (unless the previous `base-browser` branch includes changes not included in the previous `tor-browser` branch)
+  - [ ] rangediff: `git range-diff $(ESR_TAG_PREV)..$(TOR_BROWSER_BRANCH_PREV) $(ESR_TAG)..HEAD`
+    - **Example**: `git range-dif FIREFOX_102_7_0esr_BUILD1..upstream/tor-browser-102.7.0esr-12.5-1 FIREFOX_102_8_0esr_BUILD1..HEAD`
+- [ ] Open MR for the `tor-browser` rebase
+- [ ] Merge
+- Update and push `base-browser` branch
+  - [ ] Reset the new `base-browser` branch to the appropriate commit in this new `tor-browser` branch
+  - [ ] Push these commits to `upstream`
+
+### **Sign and Tag**
+
+- [ ] Sign/Tag `HEAD` of the merged `tor-browser` branch:
+  - **Tag**: `tor-browser-$(ESR_VERSION)esr-$(BROWSER_MAJOR).$(BROWSER_MINOR)-1-build1`
+  - **Message**: `Tagging build1 for $(ESR_VERSION)esr-based alpha`
+  - [ ] Push tag to `upstream`
+- [ ] Sign/Tag HEAD of the merged `base-browser` branch:
+  - **Tag**: `base-browser-$(ESR_VERSION)esr-$(BROWSER_MAJOR).$(BROWSER_MINOR)-1-build1`
+  - **Message**: `Tagging build1 for $(ESR_VERSION)esr-based alpha`
+  - [ ] Push tag to `upstream`
--- a/.gitlab/issue_templates/Rebase Browser - Stable.md
+++ b/.gitlab/issue_templates/Rebase Browser - Stable.md
+**NOTE:** All examples in this template reference the rebase from 102.7.0esr to 102.8.0esr
+
+<details>
+  <summary>Explanation of Variables</summary>
+
+- `$(ESR_VERSION)`: the Mozilla defined ESR version, used in various places for building tor-browser tags, labels, etc
+  - **Example**: `102.8.0`
+- `$(ESR_TAG)`: the Mozilla defined hg (Mercurial) tag associated with `$(ESR_VERSION)`
+  - **Example**: `FIREFOX_102_8_0esr_RELEASE`
+- `$(ESR_TAG_PREV)`: the Mozilla defined hg (Mercurial) tag associated with the previous ESR version when rebasing (ie, the ESR version we are rebasing from)
+  - **Example**: `FIREFOX_102_7_0esr_BUILD1`
+- `$(BROWSER_MAJOR)`: the browser major version
+  - **Example**: `12`
+- `$(BROWSER_MINOR)`: the browser minor version
+  - **Example**: either `0` or `5`; Alpha's is always `(Stable + 5) % 10`
+- `$(BASE_BROWSER_BRANCH)`: the full name of the current `base-browser` branch
+  - **Example**: `base-browser-102.8.0esr-12.0-1`
+- `$(BASE_BROWSER_BRANCH_PREV)`: the full name of the previous `base-browser` branch
+  - **Example**: `base-browser-102.7.0esr-12.0-1`
+- `$(TOR_BROWSER_BRANCH)`: the full name of the current `tor-browser` branch
+  - **Example**: `tor-browser-102.8.0esr-12.0-1`
+- `$(TOR_BROWSER_BRANCH_PREV)`: the full name of the previous `tor-browser` branch
+  - **Example**: `tor-browser-102.7.0esr-12.0-1`
+</details>
+
+### **Bookkeeping**
+
+- [ ] Link this issue to the appropriate [Release Prep](https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/?sort=updated_desc&state=opened&label_name%5B%5D=Release%20Prep) issue.
+
+### Update Branch Protection Rules
+
+- [ ] In [Repository Settings](https://gitlab.torproject.org/tpo/applications/tor-browser/-/settings/repository):
+  - [ ] Remove previous stable `base-browser` and `tor-browser` branch protection rules (this will prevent pushing new changes to the branches being rebased)
+  - [ ] Create new `base-browser` and `tor-browser` branch protection rule:
+    - **Branch**: `*-$(ESR_VERSION)esr-$(BROWSER_MAJOR).$(BROWSER_MINOR)-1*`
+      - **Example**: `*-102.8.0esr-12.0-1*`
+    - **Allowed to merge**: `Maintainers`
+    - **Allowed to push and merge**: `Maintainers`
+    - **Allowed to force push**: `false`
+
+### **Identify the Firefox Tagged Commit and Create New Branches**
+
+- [ ] Find the Firefox mercurial tag here: https://hg.mozilla.org/releases/mozilla-esr102/tags
+   - **Example**: `FIREFOX_102_8_0esr_BUILD1`
+- [ ] Find the analogous `gecko-dev` commit: https://github.com/mozilla/gecko-dev
+  - **Tip**: Search for unique string (like the Differential Revision ID) found in the mercurial commit in the `gecko-dev/esr102` branch to find the equivalent commit
+  - **Example**: `3a3a96c9eedd02296d6652dd50314fccbc5c4845`
+- [ ] Sign and Tag `gecko-dev` commit
+  - Sign/Tag `gecko-dev` commit :
+    - **Tag**: `$(ESR_TAG)`
+    - **Message**: `Hg tag $(ESR_TAG)`
+- [ ] Create new stable `base-browser` branch from tag
+  - Branch name in the form: `base-browser-$(ESR_VERSION)esr-$(BROWSER_MAJOR).$(BROWSER_MINOR)-1`
+  - **Example**: `base-browser-102.8.0esr-12.0-1`
+- [ ] Create new stable `tor-browser` branch from
+  - Branch name in the form: `tor-browser-$(ESR_VERSION)esr-$(BROWSER_MAJOR).$(BROWSER_MINOR)-1`
+  - **Example**: `tor-browser-102.8.0esr-12.0-1`
+- [ ] Push new `base-browser` branch to `upstream`
+- [ ] Push new `tor-browser` branch to `upstream`
+- [ ] Push new `$(ESR_TAG)` to `upstream`
+
+### **Rebase tor-browser**
+
+- [ ] Checkout a new local branch for the `tor-browser` rebase
+  - **Example**: `git branch tor-browser-rebase FIREFOX_102_8_0esr_BUILD1`
+- [ ] **(Optional)** `base-browser` rebase
+  - **NOTE** This step may be skipped if the `HEAD` of the previous `base-browser` branch is a `-buildN` tag
+  - [ ] Cherry-pick the previous `base-browser` commits up to `base-browser`'s `buildN` tag onto new `base-browser` rebase branch
+    - **Example**: `git cherry-pick FIREFOX_102_7_0esr_BUILD1..base-browser-102.7.0esr-12.0-1-build1`
+  - [ ] Rebase and autosquash these cherry-picked commits
+    - **Example**: `git rebase --autosquash --interactive FIREFOX_102_8_0esr_BUILD1 HEAD`
+  - [ ] Cherry-pick remainder of patches after the `buildN` tag
+    - **Example**: `git cherry-pick base-browser-102.7.0esr-12.0-1-build1..upstream/base-browser-102.7.0esr-12.0-1`
+- [ ] `tor-browser` rebase
+  - [ ] Note the current git hash of `HEAD` for `tor-browser` rebase+autosquash step: `git rev-parse HEAD`
+  - [ ] Cherry-pick the appropriate previous `tor-browser` branch's commit range up to the last `tor-browser` `buildN` tag
+    - **Example**: `git cherry-pick base-browser-102.7.0esr-12.0-1-build1..tor-browser-102.7.0esr-12.0-1-build1`
+    - **Example (if separate base-browser rebase was skipped)**: `git cherry-pick FIREFOX_102_7_0esr_BUILD1..tor-browser-102.7.0esr-12.0-1-build1`
+  - [ ] Rebase and autosquash these newly cherry-picked commits: `git rebase --autosquash --interactive $(PREV_HEAD)`
+     - **Example**: `git rebase --autosquash --interactive FIREFOX_102_8_0esr_RELEASE`
+  - [ ] Cherry-pick remainder of patches after the last `tor-browser` `buildN` tag
+    - **Example**: `git cherry-pick tor-browser-102.7.0esr-12.0-1-build1..upstream/tor-browser-102.7.0esr-12.0-1`
+  - [ ] Rebase and autosquash again, this time replacing all `fixup` and `squash` commands with `pick`. The goal here is to have all of the `fixup` and `squash` commits beside the commit which they modify, but kept un-squashed for easy debugging/bisecting.
+    - **Example**: `git rebase --autosquash --interactive FIREFOX_102_8_0esr_RELEASE`
+- [ ] Compare patch sets to ensure nothing *weird* happened during conflict resolution:
+  - [ ] diff of diffs:
+    -  Do the diff between `current_patchset.diff` and `rebased_patchset.diff` with your preferred difftool and look at differences on lines that starts with + or -
+    - `git diff $(ESR_TAG_PREV)..$(BROWSER_BRANCH_PREV) > current_patchset.diff`
+    - `git diff $(ESR_TAG)..$(BROWSER_BRANCH) > rebased_patchset.diff`
+    - diff `current_patchset.diff` and `rebased_patchset.diff`
+      - If everything went correctly, the only lines which should differ should be the lines starting with `index abc123...def456` (unless the previous `base-browser` branch includes changes not included in the previous `tor-browser` branch)
+  - [ ] rangediff: `git range-diff $(ESR_TAG_PREV)..$(TOR_BROWSER_BRANCH_PREV) $(ESR_TAG)..HEAD`
+    - **Example**: `git range-dif FIREFOX_102_7_0esr_BUILD1..upstream/tor-browser-102.7.0esr-12.0-1 FIREFOX_102_8_0esr_BUILD1..HEAD`
+- [ ] Open MR for the `tor-browser` rebase
+- [ ] Merge
+- Update and push `base-browser` branch
+  - [ ] Reset the new `base-browser` branch to the appropriate commit in this new `tor-browser` branch
+  - [ ] Push these commits to `upstream`
+
+### **Sign and Tag**
+
+- [ ] Sign/Tag `HEAD` of the merged `tor-browser` branch:
+  - **Tag**: `tor-browser-$(ESR_VERSION)esr-$(BROWSER_MAJOR).$(BROWSER_MINOR)-1-build1`
+  - **Message**: `Tagging build1 for $(ESR_VERSION)esr-based stable`
+  - [ ] Push tag to `upstream`
+- [ ] Sign/Tag HEAD of the merged `base-browser` branch:
+  - **Tag**: `base-browser-$(ESR_VERSION)esr-$(BROWSER_MAJOR).$(BROWSER_MINOR)-1-build1`
+  - **Message**: `Tagging build1 for $(ESR_VERSION)esr-based stable`
+  - [ ] Push tag to `upstream`
--- a/.gitlab/issue_templates/UXBug.md
+++ b/.gitlab/issue_templates/UXBug.md
+<!--
+* Use this issue template for reporting a new UX bug.
+-->
+
+### Summary
+**Summarize the bug encountered concisely.**
+
+
+### Steps to reproduce:
+**How one can reproduce the issue - this is very important.**
+
+1. Step 1
+2. Step 2
+3. ...
+
+### What is the current bug behavior?
+**What actually happens.**
+
+
+### What is the expected behavior?
+**What you want to see instead**
+
+
+
+## Relevant logs and/or screenshots
+**Do you have screenshots? Attach them to this ticket please.**
+
+/label ~tor-ux ~needs-investigation ~bug
+/assign @nah
--- a/.gitlab/issue_templates/bug.md
+++ b/.gitlab/issue_templates/bug.md
+<!--
+* Use this issue template for reporting a new bug.
+-->
+
+### Summary
+**Summarize the bug encountered concisely.**
+
+
+### Steps to reproduce:
+**How one can reproduce the issue - this is very important.**
+
+1. Step 1
+2. Step 2
+3. ...
+
+### What is the current bug behavior?
+**What actually happens.**
+
+
+### What is the expected behavior?
+**What you want to see instead**
+
+
+
+### Environment
+**Which operating system are you using? For example: Debian GNU/Linux 10.1, Windows 10, Ubuntu Xenial, FreeBSD 12.2, etc.**
+**Which installation method did you use? Distribution package (apt, pkg, homebrew), from source tarball, from Git, etc.**
+
+### Relevant logs and/or screenshots
+
+
+/label ~bug
--- a/.gitlab/merge_request_templates/default.md
+++ b/.gitlab/merge_request_templates/default.md
+## Merge Info
+
+<!-- Bookkeeping information for release management -->
+
+### Related Issues
+- tor-browser#xxxxx
+- mullvad-browser#xxxxx
+- tor-browser-build#xxxxx
+
+### Backporting
+
+#### Timeline
+- [ ] **Immediate**: patchset needed as soon as possible
+- [ ] **Next Minor Stable Release**: patchset that needs to be verified in nightly before backport
+- [ ] **Eventually**: patchset that needs to be verified in alpha before backport
+- [ ] **No Backport (preferred)**: patchset for the next major stable
+
+#### (Optional) Justification
+- [ ] **Emergency security update**: patchset fixes CVEs, 0-days, etc
+- [ ] **Censorship event**: patchset enables censorship circumvention
+- [ ] **Critical bug-fix**: patchset fixes a bug in core-functionality
+- [ ] **Consistency**: patchset which would make development easier if it were in both the alpha and release branches; developer tools, build system changes, etc
+- [ ] **Sponsor required**: patchset required for sponsor
+- [ ] **Other**: please explain
+
+### Merging
+- [ ] Merge to `tor-browser` - `!fixups` to `tor-browser`-specific commits, new features, security backports
+- [ ] Merge to `base-browser` -`!fixups` to `base-browser`-specific commits, new features to be shared with `mullvad-browser`, and security backports
+  - **NOTE**: if your changeset includes patches to both `base-browser` and `tor-browser` please clearly label in the change description which commits should be cherry-picked to `base-browser` after merging
+
+### Issue Tracking
+- [ ] Link resolved issues with appropriate [Release Prep issue](https://gitlab.torproject.org/groups/tpo/applications/-/issues/?sort=updated_desc&state=opened&label_name%5B%5D=Release%20Prep&first_page_size=20) for changelog generation
+
+## Change Description
+
+<!-- Whatever context the reviewer needs to effectively review the patchset -->
\ No newline at end of file
--- a/.hgtags
+++ b/.hgtags
@@ -3703,3 +3703,35 @@ ac17d3e21f82ce34b2b9f09f8a15b270cf41e91c FIREFOX_RELEASE_102_BASE
 085af07e5cc10082e793203e049ee4d6127a452f FIREFOX_RELEASE_102_BASE
 910517036c968689e4268026543119fcf6628049 FIREFOX_RELEASE_102_BASE
 555c7ef72f772d24616bbb6c1cec6cd756b51685 FIREFOX_RELEASE_101_END
+3ea5c8008221e11b3c674f09968535cd4f6d6efe FIREFOX_ESR_102_BASE
+1ae616302bf7261f95f4f2a5d56e1d7a38ff5d60 FIREFOX_102_0esr_BUILD1
+4180ec744bb748a5fd39e25d122c4b500c3a2a00 FIREFOX_102_0esr_BUILD2
+4180ec744bb748a5fd39e25d122c4b500c3a2a00 FIREFOX_102_0esr_RELEASE
+776aca9b706c13a2597f22b739ecd0c3ab6f1d2e FIREFOX_102_0_1esr_BUILD1
+776aca9b706c13a2597f22b739ecd0c3ab6f1d2e FIREFOX_102_0_1esr_RELEASE
+73db4126165f2a2eded92f48a6c81c8ece6d21ce FIREFOX_102_1_0esr_BUILD1
+73db4126165f2a2eded92f48a6c81c8ece6d21ce FIREFOX_102_1_0esr_RELEASE
+40d1412657291933cc2c9d65c3306927c1b332e1 FIREFOX_102_2_0esr_BUILD1
+3876d5327f44c991c9034c4112f33f147ab10ab9 FIREFOX_102_2_0esr_BUILD2
+3876d5327f44c991c9034c4112f33f147ab10ab9 FIREFOX_102_2_0esr_RELEASE
+c2dd0f1c0adfb1fa1c5d9319fbe023d324c34db6 FIREFOX_102_3_0esr_BUILD1
+c2dd0f1c0adfb1fa1c5d9319fbe023d324c34db6 FIREFOX_102_3_0esr_RELEASE
+52928ba6fd91414091326fe6339bc63e89b593a6 FIREFOX_102_4_0esr_BUILD1
+52928ba6fd91414091326fe6339bc63e89b593a6 FIREFOX_102_4_0esr_RELEASE
+28738f45597b736e5689c199131d5da9ae0a6cec FIREFOX_102_5_0esr_BUILD1
+28738f45597b736e5689c199131d5da9ae0a6cec FIREFOX_102_5_0esr_RELEASE
+72b501d7159eb634a961e27157a3af58360a0b74 FIREFOX_102_6_0esr_BUILD1
+72b501d7159eb634a961e27157a3af58360a0b74 FIREFOX_102_6_0esr_RELEASE
+cff83fd04112a3b0d4091a1982d7219d200f6fa6 FIREFOX_102_7_0esr_BUILD1
+cff83fd04112a3b0d4091a1982d7219d200f6fa6 FIREFOX_102_7_0esr_RELEASE
+291d5baee192abe6f859a6528a9444d6aa24bb8a FIREFOX_102_8_0esr_BUILD1
+6c317d15a0b7dffbbcdbeeeb8ec52b44610124af FIREFOX_102_8_0esr_BUILD2
+6c317d15a0b7dffbbcdbeeeb8ec52b44610124af FIREFOX_102_8_0esr_RELEASE
+a386fc0218e3d4d5147ff6716866198bab0fbaac FIREFOX_102_9_0esr_BUILD1
+e26ff04290d095dac006a3710b07077ee5d20f31 FIREFOX_102_9_0esr_BUILD2
+e26ff04290d095dac006a3710b07077ee5d20f31 FIREFOX_102_9_0esr_RELEASE
+737a5c36e0f939b688ff1d6fb75b139cfdf60ae9 FIREFOX_102_10_0esr_BUILD1
+737a5c36e0f939b688ff1d6fb75b139cfdf60ae9 FIREFOX_102_10_0esr_RELEASE
+350c74fdc5e2ddd6d706908cf7a2e67ea90db887 FIREFOX_102_11_0esr_BUILD1
+77dd215a134a9002bc9058de25328caf37baf636 FIREFOX_102_11_0esr_BUILD2
+77dd215a134a9002bc9058de25328caf37baf636 FIREFOX_102_11_0esr_RELEASE
--- a/.taskcluster.yml
+++ b/.taskcluster.yml
@@ -101,7 +101,7 @@ tasks:
                                description: 'Created by a [cron task](https://firefox-ci-tc.services.mozilla.com/tasks/${cron.task_id}) (${treeherder_link})'

              provisionerId: "${trustDomain}-${repository.level}"
-              workerType: "decision"
+              workerType: "decision-gcp"

              tags:
                  $if: 'tasks_for == "hg-push"'

--- a/CLOBBER
+++ b/CLOBBER
@@ -22,4 +22,4 @@
 # changes to stick? As of bug 928195, this shouldn't be necessary! Please
 # don't change CLOBBER for WebIDL changes any more.

-Merge day clobber 2022-06-20
\ No newline at end of file
+Merge day clobber 2023-05-08
\ No newline at end of file
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -394,8 +394,6 @@ dependencies = [
 [[package]]
 name = "bindgen"
 version = "0.56.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2da379dbebc0b76ef63ca68d8fc6e71c0f13e59432e0987e508c1820e6ab5239"
 dependencies = [
 "bitflags",
 "cexpr",
@@ -1539,8 +1537,6 @@ checksum = "7360491ce676a36bf9bb3c56c1aa791658183a54d2744120f27285738d90465a"
 [[package]]
 name = "fallible_collections"
 version = "0.4.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4ad9169582543d2cfe9961be1e9eaf4fc42f9aa3483f7c485717b8dde36466ea"
 dependencies = [
 "hashbrown",
 ]
@@ -3812,10 +3808,11 @@ dependencies = [

 [[package]]
 name = "packed_simd_2"
-version = "0.3.7"
-source = "git+https://github.com/hsivonen/packed_simd?rev=c149d0a519bf878567c7630096737669ec2ff15f#c149d0a519bf878567c7630096737669ec2ff15f"
+version = "0.3.8"
+source = "git+https://github.com/hsivonen/packed_simd?rev=f38664024b29d44c506431eada7c112629bb1aa9#f38664024b29d44c506431eada7c112629bb1aa9"
 dependencies = [
 "cfg-if 1.0.0",
+ "rustc_version",
 ]

 [[package]]

--- a/Cargo.toml
+++ b/Cargo.toml
@@ -106,6 +106,9 @@ web-sys = { path = "build/rust/dummy-web/web-sys" }
 # Overrides to allow easier use of common internal crates.
 moz_asserts = { path = "mozglue/static/rust/moz_asserts" }

+# Patch bindgen to work around issues with some unsound transmutes when compiling with LLVM 16+.
+bindgen = { path = "third_party/rust/bindgen" }
+
 # Other overrides
 async-task = { git = "https://github.com/smol-rs/async-task", rev="f6488e35beccb26eb6e85847b02aa78a42cd3d0e" }
 chardetng = { git = "https://github.com/hsivonen/chardetng", rev="3484d3e3ebdc8931493aa5df4d7ee9360a90e76b" }
@@ -113,7 +116,7 @@ chardetng_c = { git = "https://github.com/hsivonen/chardetng_c", rev="ed8a4c6f90
 coremidi = { git = "https://github.com/chris-zen/coremidi.git", rev="fc68464b5445caf111e41f643a2e69ccce0b4f83" }
 fog = { path = "toolkit/components/glean/api" }
 libudev-sys = { path = "dom/webauthn/libudev-sys" }
-packed_simd = { package = "packed_simd_2", git = "https://github.com/hsivonen/packed_simd", rev="c149d0a519bf878567c7630096737669ec2ff15f" }
+packed_simd = { package = "packed_simd_2", git = "https://github.com/hsivonen/packed_simd", rev="f38664024b29d44c506431eada7c112629bb1aa9" }
 midir = { git = "https://github.com/mozilla/midir.git", rev = "4c11f0ffb5d6a10de4aff40a7b81218b33b94e6f" }
 minidump_writer_linux = { git = "https://github.com/rust-minidump/minidump-writer.git", rev = "75ada456c92a429704691a85e1cb42fef8cafc0d" }

@@ -121,3 +124,7 @@ minidump_writer_linux = { git = "https://github.com/rust-minidump/minidump-write
 # There is not going to be new version of mio 0.6, mio now being >= 0.7.11.
 [patch.crates-io.mio]
 path = "third_party/rust/mio-0.6.23"
+
+# Patch fallible_collections for issues with rustc 1.65.
+[patch.crates-io.fallible_collections]
+path = "third_party/rust/fallible_collections"
--- a/accessible/aom/AccessibleNode.h
+++ b/accessible/aom/AccessibleNode.h
@@ -101,7 +101,7 @@ class AccessibleNode : public nsISupports, public nsWrapperCache {
  explicit AccessibleNode(nsINode* aNode);

  NS_DECL_CYCLE_COLLECTING_ISUPPORTS;
-  NS_DECL_CYCLE_COLLECTION_SCRIPT_HOLDER_CLASS(AccessibleNode);
+  NS_DECL_CYCLE_COLLECTION_WRAPPERCACHE_CLASS(AccessibleNode);

  JSObject* WrapObject(JSContext* aCx, JS::Handle<JSObject*> aGivenProto) final;
  dom::ParentObject GetParentObject() const;

--- a/accessible/base/ARIAMap.cpp
+++ b/accessible/base/ARIAMap.cpp
@@ -1446,10 +1446,22 @@ uint8_t aria::GetIndexFromRoleMap(const nsRoleMapEntry* aRoleMapEntry) {
  } else if (aRoleMapEntry == &sLandmarkRoleMap) {
    return LANDMARK_ROLE_MAP_ENTRY_INDEX;
  } else {
-    return aRoleMapEntry - sWAIRoleMaps;
+    uint8_t index = aRoleMapEntry - sWAIRoleMaps;
+    MOZ_ASSERT(aria::IsRoleMapIndexValid(index));
+    return index;
  }
 }

+bool aria::IsRoleMapIndexValid(uint8_t aRoleMapIndex) {
+  switch (aRoleMapIndex) {
+    case NO_ROLE_MAP_ENTRY_INDEX:
+    case EMPTY_ROLE_MAP_ENTRY_INDEX:
+    case LANDMARK_ROLE_MAP_ENTRY_INDEX:
+      return true;
+  }
+  return aRoleMapIndex < ArrayLength(sWAIRoleMaps);
+}
+
 uint64_t aria::UniversalStatesFor(mozilla::dom::Element* aElement) {
  uint64_t state = 0;
  uint32_t index = 0;

--- a/accessible/base/ARIAMap.h
+++ b/accessible/base/ARIAMap.h
@@ -258,6 +258,11 @@ const nsRoleMapEntry* GetRoleMapFromIndex(uint8_t aRoleMapIndex);
 */
 uint8_t GetIndexFromRoleMap(const nsRoleMapEntry* aRoleMap);

+/**
+ * Determine whether a role map entry index is valid.
+ */
+bool IsRoleMapIndexValid(uint8_t aRoleMapIndex);
+
 /**
 * Return accessible state from ARIA universal states applied to the given
 * element.

--- a/accessible/ipc/DocAccessibleParent.cpp
+++ b/accessible/ipc/DocAccessibleParent.cpp
@@ -4,6 +4,7 @@
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

+#include "ARIAMap.h"
 #include "CachedTableAccessible.h"
 #include "DocAccessibleParent.h"
 #include "mozilla/a11y/Platform.h"
@@ -145,6 +146,10 @@ uint32_t DocAccessibleParent::AddSubtree(
    aParent->AddChildAt(aIdxInParent, newProxy);
    newProxy->SetParent(aParent);
  } else {
+    if (!aria::IsRoleMapIndexValid(newChild.RoleMapEntryIndex())) {
+      MOZ_ASSERT_UNREACHABLE("Invalid role map entry index");
+      return 0;
+    }
    newProxy = new RemoteAccessible(
        newChild.ID(), aParent, this, newChild.Role(), newChild.Type(),
        newChild.GenericTypes(), newChild.RoleMapEntryIndex());
@@ -246,8 +251,18 @@ mozilla::ipc::IPCResult DocAccessibleParent::RecvHideEvent(
    return IPC_OK();
  }

+#ifdef XP_WIN
+  WeakPtr<RemoteAccessible> parent = root->RemoteParent();
+#else
  RemoteAccessible* parent = root->RemoteParent();
+#endif
  ProxyShowHideEvent(root, parent, false, aFromUser);
+#ifdef XP_WIN
+  if (!parent) {
+    MOZ_ASSERT(!StaticPrefs::accessibility_cache_enabled_AtStartup());
+    return IPC_FAIL(this, "Parent removed while removing child");
+  }
+#endif

  RefPtr<xpcAccHideEvent> event = nullptr;
  if (nsCoreUtils::AccEventObserversExist()) {
@@ -726,7 +741,12 @@ ipc::IPCResult DocAccessibleParent::AddChildDoc(DocAccessibleParent* aChildDoc,
    return IPC_FAIL(this, "binding to nonexistant proxy!");
  }

+#ifdef XP_WIN
+  WeakPtr<RemoteAccessible> outerDoc = e->mProxy;
+#else
  RemoteAccessible* outerDoc = e->mProxy;
+#endif
+
  MOZ_ASSERT(outerDoc);

  // OuterDocAccessibles are expected to only have a document as a child.
@@ -763,11 +783,13 @@ ipc::IPCResult DocAccessibleParent::AddChildDoc(DocAccessibleParent* aChildDoc,
    if (bridge) {
 #if defined(XP_WIN)
      if (!StaticPrefs::accessibility_cache_enabled_AtStartup()) {
+        RefPtr<DocAccessibleParent> thisDoc = this;
+        RefPtr<DocAccessibleParent> childDoc = aChildDoc;
        // Send a COM proxy for the embedded document to the embedder process
        // hosting the iframe. This will be returned as the child of the
        // embedder OuterDocAccessible.
        RefPtr<IDispatch> docAcc;
-        aChildDoc->GetCOMInterface((void**)getter_AddRefs(docAcc));
+        childDoc->GetCOMInterface((void**)getter_AddRefs(docAcc));
        MOZ_ASSERT(docAcc);
        if (docAcc) {
          RefPtr<IDispatch> docWrapped(
@@ -777,27 +799,39 @@ ipc::IPCResult DocAccessibleParent::AddChildDoc(DocAccessibleParent* aChildDoc,
          IDispatchHolder docHolder(std::move(docPtr));
          if (bridge->SendSetEmbeddedDocAccessibleCOMProxy(docHolder)) {
 #  if defined(MOZ_SANDBOX)
-            aChildDoc->mDocProxyStream = docHolder.GetPreservedStream();
+            childDoc->mDocProxyStream = docHolder.GetPreservedStream();
 #  endif  // defined(MOZ_SANDBOX)
          }
        }
+        if (!outerDoc) {
+          return IPC_FAIL(this, "OuterDoc removed while adding child doc");
+        }
+        if (childDoc->IsShutdown()) {
+          return IPC_FAIL(this, "Child doc removed while adding it");
+        }
        // Send a COM proxy for the embedder OuterDocAccessible to the embedded
        // document process. This will be returned as the parent of the
        // embedded document.
-        aChildDoc->SendParentCOMProxy(outerDoc);
+        childDoc->SendParentCOMProxy(outerDoc);
+        if (childDoc->IsShutdown()) {
+          return IPC_FAIL(this, "Child doc removed while adding it");
+        }
        if (nsWinUtils::IsWindowEmulationStarted()) {
          // The embedded document should use the same emulated window handle as
          // its embedder. It will return the embedder document (not a window
          // accessible) as the parent accessible, so we pass a null accessible
          // when sending the window to the embedded document.
-          Unused << aChildDoc->SendEmulatedWindow(
+          Unused << childDoc->SendEmulatedWindow(
              reinterpret_cast<uintptr_t>(mEmulatedWindowHandle), nullptr);
        }
+        if (thisDoc->IsShutdown()) {
+          return IPC_FAIL(this, "Parent doc removed while adding child doc");
+        }
        // Send a COM proxy for the top level document to the embedded document
        // process. This will be returned when the client calls QueryService
        // with SID_IAccessibleContentDocument on an accessible in the embedded
        // document.
-        DocAccessibleParent* topDoc = this;
+        DocAccessibleParent* topDoc = thisDoc;
        while (DocAccessibleParent* parentDoc = topDoc->ParentDoc()) {
          topDoc = parentDoc;
        }
@@ -811,13 +845,19 @@ ipc::IPCResult DocAccessibleParent::AddChildDoc(DocAccessibleParent* aChildDoc,
          IAccessibleHolder::COMPtrType topDocPtr(
              mscom::ToProxyUniquePtr(std::move(topDocWrapped)));
          IAccessibleHolder topDocHolder(std::move(topDocPtr));
-          if (aChildDoc->SendTopLevelDocCOMProxy(topDocHolder)) {
+          if (childDoc->SendTopLevelDocCOMProxy(topDocHolder)) {
 #  if defined(MOZ_SANDBOX)
            aChildDoc->mTopLevelDocProxyStream =
                topDocHolder.GetPreservedStream();
 #  endif  // defined(MOZ_SANDBOX)
          }
        }
+        if (!outerDoc) {
+          return IPC_FAIL(this, "OuterDoc removed while adding child doc");
+        }
+        if (childDoc->IsShutdown()) {
+          return IPC_FAIL(this, "Child doc removed while adding it");
+        }
      }
      if (nsWinUtils::IsWindowEmulationStarted()) {
        aChildDoc->SetEmulatedWindowHandle(mEmulatedWindowHandle);

--- a/accessible/ipc/RemoteAccessibleBase.h
+++ b/accessible/ipc/RemoteAccessibleBase.h
@@ -11,6 +11,7 @@
 #include "mozilla/a11y/CacheConstants.h"
 #include "mozilla/a11y/HyperTextAccessibleBase.h"
 #include "mozilla/a11y/Role.h"
+#include "mozilla/WeakPtr.h"
 #include "AccAttributes.h"
 #include "nsIAccessibleText.h"
 #include "nsIAccessibleTypes.h"
@@ -27,7 +28,13 @@ class RemoteAccessible;
 enum class RelationType;

 template <class Derived>
+#ifdef XP_WIN
+class RemoteAccessibleBase : public Accessible,
+                             public HyperTextAccessibleBase,
+                             public SupportsWeakPtr {
+#else
 class RemoteAccessibleBase : public Accessible, public HyperTextAccessibleBase {
+#endif
 public:
  virtual ~RemoteAccessibleBase() { MOZ_ASSERT(!mWrapper); }
No results found