dom/base/nsDOMWindowUtils.cpp

@@ -4257,10 +4257,8 @@ nsDOMWindowUtils::LeaveChaosMode() {
 
 NS_IMETHODIMP
 nsDOMWindowUtils::TriggerDeviceReset() {
-  ContentChild* cc = ContentChild::GetSingleton();
-  if (cc) {
-    cc->SendDeviceReset();
-    return NS_OK;
+  if (!XRE_IsParentProcess()) {
+    return NS_ERROR_NOT_AVAILABLE;
   }
 
   GPUProcessManager* pm = GPUProcessManager::Get();

dom/ipc/ContentParent.cpp

@@ -6331,15 +6331,6 @@ bool ContentParent::DeallocPSessionStorageObserverParent(
   return mozilla::dom::DeallocPSessionStorageObserverParent(aActor);
 }
 
-mozilla::ipc::IPCResult ContentParent::RecvDeviceReset() {
-  GPUProcessManager* pm = GPUProcessManager::Get();
-  if (pm) {
-    pm->SimulateDeviceReset();
-  }
-
-  return IPC_OK();
-}
-
 mozilla::ipc::IPCResult ContentParent::RecvBHRThreadHang(
     const HangDetails& aDetails) {
   nsCOMPtr<nsIObserverService> obs = mozilla::services::GetObserverService();

dom/ipc/PContent.ipdl

@@ -1226,8 +1226,6 @@ parent:
     // Tell the parent that the child has gone idle for the first time.
     async FirstIdle();
 
-    async DeviceReset();
-
     async CopyFavicon(nsIURI oldURI, nsIURI newURI, bool isPrivate);
 
     async FindImageText(ShmemImage image) returns (TextRecognitionResultOrError result);

dom/media/webrtc/libwebrtcglue/WebrtcCallWrapper.cpp

@@ -53,7 +53,7 @@ webrtc::Call* WebrtcCallWrapper::Call() const {
 
 void WebrtcCallWrapper::UnsetRemoteSSRC(uint32_t aSsrc) {
   MOZ_ASSERT(mCallThread->IsOnCurrentThread());
-  for (auto conduit : mConduits) {
+  for (const auto& conduit : mConduits) {
     conduit->UnsetRemoteSSRC(aSsrc);
   }
 }

dom/media/webrtc/libwebrtcglue/WebrtcCallWrapper.h

@@ -91,7 +91,7 @@ class WebrtcCallWrapper {
 
   // Allows conduits to know about one another, to avoid remote SSRC
   // collisions.
-  std::set<MediaSessionConduit*> mConduits;
+  std::set<RefPtr<MediaSessionConduit>> mConduits;
   RTCStatsTimestampMakerRealtimeClock mClock;
   UniquePtr<media::ShutdownBlockingTicket> mShutdownTicket;
 

dom/webauthn/AuthenticatorAssertionResponse.cpp

@@ -55,11 +55,15 @@ JSObject* AuthenticatorAssertionResponse::WrapObject(
 }
 
 void AuthenticatorAssertionResponse::GetAuthenticatorData(
-    JSContext* aCx, JS::MutableHandle<JSObject*> aRetVal) {
+    JSContext* aCx, JS::MutableHandle<JSObject*> aValue, ErrorResult& aRv) {
   if (!mAuthenticatorDataCachedObj) {
     mAuthenticatorDataCachedObj = mAuthenticatorData.ToArrayBuffer(aCx);
+    if (!mAuthenticatorDataCachedObj) {
+      aRv.NoteJSContextException(aCx);
+      return;
+    }
   }
-  aRetVal.set(mAuthenticatorDataCachedObj);
+  aValue.set(mAuthenticatorDataCachedObj);
 }
 
 nsresult AuthenticatorAssertionResponse::SetAuthenticatorData(
@@ -71,11 +75,15 @@ nsresult AuthenticatorAssertionResponse::SetAuthenticatorData(
 }
 
 void AuthenticatorAssertionResponse::GetSignature(
-    JSContext* aCx, JS::MutableHandle<JSObject*> aRetVal) {
+    JSContext* aCx, JS::MutableHandle<JSObject*> aValue, ErrorResult& aRv) {
   if (!mSignatureCachedObj) {
     mSignatureCachedObj = mSignature.ToArrayBuffer(aCx);
+    if (!mSignatureCachedObj) {
+      aRv.NoteJSContextException(aCx);
+      return;
+    }
   }
-  aRetVal.set(mSignatureCachedObj);
+  aValue.set(mSignatureCachedObj);
 }
 
 nsresult AuthenticatorAssertionResponse::SetSignature(CryptoBuffer& aBuffer) {
@@ -86,17 +94,21 @@ nsresult AuthenticatorAssertionResponse::SetSignature(CryptoBuffer& aBuffer) {
 }
 
 void AuthenticatorAssertionResponse::GetUserHandle(
-    JSContext* aCx, JS::MutableHandle<JSObject*> aRetVal) {
+    JSContext* aCx, JS::MutableHandle<JSObject*> aValue, ErrorResult& aRv) {
   // Per
   // https://w3c.github.io/webauthn/#ref-for-dom-authenticatorassertionresponse-userhandle%E2%91%A0
   // this should return null if the handle is unset.
   if (mUserHandle.IsEmpty()) {
-    aRetVal.set(nullptr);
+    aValue.set(nullptr);
   } else {
     if (!mUserHandleCachedObj) {
       mUserHandleCachedObj = mUserHandle.ToArrayBuffer(aCx);
+      if (!mUserHandleCachedObj) {
+        aRv.NoteJSContextException(aCx);
+        return;
+      }
     }
-    aRetVal.set(mUserHandleCachedObj);
+    aValue.set(mUserHandleCachedObj);
   }
 }
 

dom/webauthn/AuthenticatorAssertionResponse.h

@@ -32,16 +32,18 @@ class AuthenticatorAssertionResponse final : public AuthenticatorResponse {
   virtual JSObject* WrapObject(JSContext* aCx,
                                JS::Handle<JSObject*> aGivenProto) override;
 
-  void GetAuthenticatorData(JSContext* aCx,
-                            JS::MutableHandle<JSObject*> aRetVal);
+  void GetAuthenticatorData(JSContext* aCx, JS::MutableHandle<JSObject*> aValue,
+                            ErrorResult& aRv);
 
   nsresult SetAuthenticatorData(CryptoBuffer& aBuffer);
 
-  void GetSignature(JSContext* aCx, JS::MutableHandle<JSObject*> aRetVal);
+  void GetSignature(JSContext* aCx, JS::MutableHandle<JSObject*> aValue,
+                    ErrorResult& aRv);
 
   nsresult SetSignature(CryptoBuffer& aBuffer);
 
-  void GetUserHandle(JSContext* aCx, JS::MutableHandle<JSObject*> aRetVal);
+  void GetUserHandle(JSContext* aCx, JS::MutableHandle<JSObject*> aValue,
+                     ErrorResult& aRv);
 
   nsresult SetUserHandle(CryptoBuffer& aUserHandle);
 

dom/webauthn/AuthenticatorAttestationResponse.cpp

@@ -51,11 +51,15 @@ JSObject* AuthenticatorAttestationResponse::WrapObject(
 }
 
 void AuthenticatorAttestationResponse::GetAttestationObject(
-    JSContext* aCx, JS::MutableHandle<JSObject*> aRetVal) {
+    JSContext* aCx, JS::MutableHandle<JSObject*> aValue, ErrorResult& aRv) {
   if (!mAttestationObjectCachedObj) {
     mAttestationObjectCachedObj = mAttestationObject.ToArrayBuffer(aCx);
+    if (!mAttestationObjectCachedObj) {
+      aRv.NoteJSContextException(aCx);
+      return;
+    }
   }
-  aRetVal.set(mAttestationObjectCachedObj);
+  aValue.set(mAttestationObjectCachedObj);
 }
 
 nsresult AuthenticatorAttestationResponse::SetAttestationObject(

dom/webauthn/AuthenticatorAttestationResponse.h

@@ -32,8 +32,8 @@ class AuthenticatorAttestationResponse final : public AuthenticatorResponse {
   virtual JSObject* WrapObject(JSContext* aCx,
                                JS::Handle<JSObject*> aGivenProto) override;
 
-  void GetAttestationObject(JSContext* aCx,
-                            JS::MutableHandle<JSObject*> aRetVal);
+  void GetAttestationObject(JSContext* aCx, JS::MutableHandle<JSObject*> aValue,
+                            ErrorResult& aRv);
 
   nsresult SetAttestationObject(CryptoBuffer& aBuffer);
 

dom/webauthn/AuthenticatorResponse.cpp

@@ -34,11 +34,15 @@ AuthenticatorResponse::~AuthenticatorResponse() {
 nsISupports* AuthenticatorResponse::GetParentObject() const { return mParent; }
 
 void AuthenticatorResponse::GetClientDataJSON(
-    JSContext* aCx, JS::MutableHandle<JSObject*> aRetVal) {
+    JSContext* aCx, JS::MutableHandle<JSObject*> aValue, ErrorResult& aRv) {
   if (!mClientDataJSONCachedObj) {
     mClientDataJSONCachedObj = mClientDataJSON.ToArrayBuffer(aCx);
+    if (!mClientDataJSONCachedObj) {
+      aRv.NoteJSContextException(aCx);
+      return;
+    }
   }
-  aRetVal.set(mClientDataJSONCachedObj);
+  aValue.set(mClientDataJSONCachedObj);
 }
 
 nsresult AuthenticatorResponse::SetClientDataJSON(CryptoBuffer& aBuffer) {

dom/webauthn/AuthenticatorResponse.h

@@ -9,6 +9,7 @@
 
 #include "js/TypeDecls.h"
 #include "mozilla/Attributes.h"
+#include "mozilla/ErrorResult.h"
 #include "mozilla/dom/BindingDeclarations.h"
 #include "mozilla/dom/CryptoBuffer.h"
 #include "nsCycleCollectionParticipant.h"
@@ -33,7 +34,8 @@ class AuthenticatorResponse : public nsISupports, public nsWrapperCache {
 
   void GetFormat(nsString& aRetVal) const;
 
-  void GetClientDataJSON(JSContext* aCx, JS::MutableHandle<JSObject*> aRetVal);
+  void GetClientDataJSON(JSContext* aCx, JS::MutableHandle<JSObject*> aValue,
+                         ErrorResult& aRv);
 
   nsresult SetClientDataJSON(CryptoBuffer& aBuffer);
 

dom/webauthn/PublicKeyCredential.cpp

@@ -54,11 +54,16 @@ JSObject* PublicKeyCredential::WrapObject(JSContext* aCx,
 }
 
 void PublicKeyCredential::GetRawId(JSContext* aCx,
-                                   JS::MutableHandle<JSObject*> aRetVal) {
+                                   JS::MutableHandle<JSObject*> aValue,
+                                   ErrorResult& aRv) {
   if (!mRawIdCachedObj) {
     mRawIdCachedObj = mRawId.ToArrayBuffer(aCx);
+    if (!mRawIdCachedObj) {
+      aRv.NoteJSContextException(aCx);
+      return;
+    }
   }
-  aRetVal.set(mRawIdCachedObj);
+  aValue.set(mRawIdCachedObj);
 }
 
 already_AddRefed<AuthenticatorResponse> PublicKeyCredential::Response() const {

dom/webauthn/PublicKeyCredential.h

@@ -32,7 +32,8 @@ class PublicKeyCredential final : public Credential {
   virtual JSObject* WrapObject(JSContext* aCx,
                                JS::Handle<JSObject*> aGivenProto) override;
 
-  void GetRawId(JSContext* cx, JS::MutableHandle<JSObject*> aRetVal);
+  void GetRawId(JSContext* aCx, JS::MutableHandle<JSObject*> aValue,
+                ErrorResult& aRv);
 
   already_AddRefed<AuthenticatorResponse> Response() const;
 

dom/webidl/WebAuthentication.webidl

@@ -12,7 +12,7 @@
 [SecureContext, Pref="security.webauth.webauthn",
  Exposed=Window]
 interface PublicKeyCredential : Credential {
-    [SameObject] readonly attribute ArrayBuffer              rawId;
+    [SameObject, Throws] readonly attribute ArrayBuffer      rawId;
     [SameObject] readonly attribute AuthenticatorResponse    response;
     AuthenticationExtensionsClientOutputs getClientExtensionResults();
 };
@@ -27,21 +27,21 @@ partial interface PublicKeyCredential {
 [SecureContext, Pref="security.webauth.webauthn",
  Exposed=Window]
 interface AuthenticatorResponse {
-    [SameObject] readonly attribute ArrayBuffer clientDataJSON;
+    [SameObject, Throws] readonly attribute ArrayBuffer clientDataJSON;
 };
 
 [SecureContext, Pref="security.webauth.webauthn",
  Exposed=Window]
 interface AuthenticatorAttestationResponse : AuthenticatorResponse {
-    [SameObject] readonly attribute ArrayBuffer attestationObject;
+    [SameObject, Throws] readonly attribute ArrayBuffer attestationObject;
 };
 
 [SecureContext, Pref="security.webauth.webauthn",
  Exposed=Window]
 interface AuthenticatorAssertionResponse : AuthenticatorResponse {
-    [SameObject] readonly attribute ArrayBuffer      authenticatorData;
-    [SameObject] readonly attribute ArrayBuffer      signature;
-    [SameObject] readonly attribute ArrayBuffer?     userHandle;
+    [SameObject, Throws] readonly attribute ArrayBuffer      authenticatorData;
+    [SameObject, Throws] readonly attribute ArrayBuffer      signature;
+    [SameObject, Throws] readonly attribute ArrayBuffer?     userHandle;
 };
 
 dictionary PublicKeyCredentialParameters {

gfx/2d/DrawTarget.cpp

@@ -189,6 +189,11 @@ void DrawTarget::StrokeGlyphs(ScaledFont* aFont, const GlyphBuffer& aBuffer,
 
 already_AddRefed<SourceSurface> DrawTarget::IntoLuminanceSource(
     LuminanceType aMaskType, float aOpacity) {
+  // The default IntoLuminanceSource implementation needs a format of B8G8R8A8.
+  if (mFormat != SurfaceFormat::B8G8R8A8) {
+    return nullptr;
+  }
+
   RefPtr<SourceSurface> surface = Snapshot();
   if (!surface) {
     return nullptr;

gfx/2d/DrawTargetCairo.cpp

@@ -1646,7 +1646,7 @@ void DrawTargetCairo::PushLayerWithBlend(bool aOpaque, Float aOpacity,
 }
 
 void DrawTargetCairo::PopLayer() {
-  MOZ_ASSERT(!mPushedLayers.empty());
+  MOZ_RELEASE_ASSERT(!mPushedLayers.empty());
 
   cairo_set_operator(mContext, CAIRO_OPERATOR_OVER);
 

gfx/2d/DrawTargetSkia.cpp

@@ -1971,9 +1971,10 @@ void DrawTargetSkia::PushLayerWithBlend(bool aOpaque, Float aOpacity,
 }
 
 void DrawTargetSkia::PopLayer() {
+  MOZ_RELEASE_ASSERT(!mPushedLayers.empty());
+
   MarkChanged();
 
-  MOZ_ASSERT(!mPushedLayers.empty());
   const PushedLayer& layer = mPushedLayers.back();
 
   mCanvas->restore();

gfx/2d/FilterNodeD2D1.cpp

@@ -663,7 +663,6 @@ void FilterNodeD2D1::InitUnmappedProperties() {
 void FilterNodeD2D1::SetInput(uint32_t aIndex, SourceSurface* aSurface) {
   UINT32 input = GetD2D1InputForInput(mType, aIndex);
   ID2D1Effect* effect = InputEffect();
-  MOZ_ASSERT(input < effect->GetInputCount());
 
   if (mType == FilterType::COMPOSITE) {
     UINT32 inputCount = effect->GetInputCount();
@@ -675,10 +674,11 @@ void FilterNodeD2D1::SetInput(uint32_t aIndex, SourceSurface* aSurface) {
     }
   }
 
-  MOZ_ASSERT(input < effect->GetInputCount());
+  auto inputCount = effect->GetInputCount();
+  MOZ_RELEASE_ASSERT(input < inputCount);
 
-  mInputSurfaces.resize(effect->GetInputCount());
-  mInputFilters.resize(effect->GetInputCount());
+  mInputSurfaces.resize(inputCount);
+  mInputFilters.resize(inputCount);
 
   // In order to convert aSurface into an ID2D1Image, we need to know what
   // DrawTarget we paint into. However, the same FilterNode object can be
@@ -708,7 +708,8 @@ void FilterNodeD2D1::SetInput(uint32_t aIndex, FilterNode* aFilter) {
     }
   }
 
-  MOZ_ASSERT(input < effect->GetInputCount());
+  auto inputCount = effect->GetInputCount();
+  MOZ_RELEASE_ASSERT(input < inputCount);
 
   if (aFilter && aFilter->GetBackendType() != FILTER_BACKEND_DIRECT2D1_1) {
     gfxWarning() << "Unknown input FilterNode set on effect.";
@@ -718,8 +719,8 @@ void FilterNodeD2D1::SetInput(uint32_t aIndex, FilterNode* aFilter) {
 
   FilterNodeD2D1* filter = static_cast<FilterNodeD2D1*>(aFilter);
 
-  mInputSurfaces.resize(effect->GetInputCount());
-  mInputFilters.resize(effect->GetInputCount());
+  mInputSurfaces.resize(inputCount);
+  mInputFilters.resize(inputCount);
 
   // We hold on to the FilterNode object so that we can call WillDraw() on it.
   mInputSurfaces[input] = nullptr;

gfx/2d/InlineTranslator.h

@@ -100,7 +100,8 @@ class InlineTranslator : public Translator {
     mPaths.InsertOrUpdate(aRefPtr, RefPtr{aPath});
   }
 
-  void AddSourceSurface(ReferencePtr aRefPtr, SourceSurface* aSurface) final {
+  void AddSourceSurface(ReferencePtr aRefPtr,
+                        SourceSurface* aSurface) override {
     mSourceSurfaces.InsertOrUpdate(aRefPtr, RefPtr{aSurface});
   }
 

gfx/2d/PathRecording.cpp

@@ -63,6 +63,69 @@ bool PathOps::StreamToSink(PathSink& aPathSink) const {
   return true;
 }
 
+#define CHECKED_NEXT_PARAMS(_type)      \
+  if (nextByte + sizeof(_type) > end) { \
+    return false;                       \
+  }                                     \
+  NEXT_PARAMS(_type)
+
+bool PathOps::CheckedStreamToSink(PathSink& aPathSink) const {
+  if (mPathData.empty()) {
+    return true;
+  }
+
+  const uint8_t* nextByte = mPathData.data();
+  const uint8_t* end = nextByte + mPathData.size();
+  while (true) {
+    if (nextByte == end) {
+      break;
+    }
+
+    if (nextByte + sizeof(OpType) > end) {
+      return false;
+    }
+
+    const OpType opType = *reinterpret_cast<const OpType*>(nextByte);
+    nextByte += sizeof(OpType);
+    switch (opType) {
+      case OpType::OP_MOVETO: {
+        CHECKED_NEXT_PARAMS(Point)
+        aPathSink.MoveTo(params);
+        break;
+      }
+      case OpType::OP_LINETO: {
+        CHECKED_NEXT_PARAMS(Point)
+        aPathSink.LineTo(params);
+        break;
+      }
+      case OpType::OP_BEZIERTO: {
+        CHECKED_NEXT_PARAMS(ThreePoints)
+        aPathSink.BezierTo(params.p1, params.p2, params.p3);
+        break;
+      }
+      case OpType::OP_QUADRATICBEZIERTO: {
+        CHECKED_NEXT_PARAMS(TwoPoints)
+        aPathSink.QuadraticBezierTo(params.p1, params.p2);
+        break;
+      }
+      case OpType::OP_ARC: {
+        CHECKED_NEXT_PARAMS(ArcParams)
+        aPathSink.Arc(params.origin, params.radius, params.startAngle,
+                      params.endAngle, params.antiClockwise);
+        break;
+      }
+      case OpType::OP_CLOSE:
+        aPathSink.Close();
+        break;
+      default:
+        return false;
+    }
+  }
+
+  return true;
+}
+#undef CHECKED_NEXT_PARAMS
+
 PathOps PathOps::TransformedCopy(const Matrix& aTransform) const {
   PathOps newPathOps;
   const uint8_t* nextByte = mPathData.data();