diff --git a/Makefile.in b/Makefile.in index 07ba7452b048..81efdde551ff 100644 --- a/Makefile.in +++ b/Makefile.in @@ -203,6 +203,21 @@ codesighs: # defined in package-name.mk export MOZ_SOURCE_STAMP +#XXX: this is a hack, since we don't want to clobber for MSVC +# PGO support, but we can't do this test in client.mk +ifneq ($(OS_ARCH)_$(GNU_CC), WINNT_) +# No point in clobbering if PGO has been explicitly disabled. +ifndef NO_PROFILE_GUIDED_OPTIMIZE +maybe_clobber_profiledbuild: clean +else +maybe_clobber_profiledbuild: +endif +else +maybe_clobber_profiledbuild: +endif + +.PHONY: maybe_clobber_profiledbuild + # Look for R_386_PC32 relocations in shared libs, these # break x86_64 builds and SELinux users. ifeq ($(OS_TARGET)_$(TARGET_XPCOM_ABI),Linux_x86-gcc3) diff --git a/browser/app/profile/firefox.js b/browser/app/profile/firefox.js index e40fe2b63d7d..86facf7900e9 100644 --- a/browser/app/profile/firefox.js +++ b/browser/app/profile/firefox.js @@ -881,7 +881,7 @@ pref("browser.privatebrowsing.dont_prompt_on_enter", false); pref("browser.bookmarks.editDialog.firstEditField", "namePicker"); // base url for the wifi geolocation network provider -pref("geo.wifi.uri", "https://www.google.com/loc/json"); +pref("geo.wifi.uri", "https://maps.googleapis.com/maps/api/browserlocation/json"); pref("geo.wifi.protocol", 0); // Whether to use a panel that looks like an OS X sheet for customization diff --git a/browser/base/content/domplate.jsm b/browser/base/content/domplate.jsm index 1493d9ec585c..1f6e5b67cf0c 100644 --- a/browser/base/content/domplate.jsm +++ b/browser/base/content/domplate.jsm @@ -1631,7 +1631,7 @@ BaseTemplates.AttrTag = " ", domplate.SPAN({"class": "nodeName editable"}, "$attr.nodeName"), "="", - domplate.SPAN({"class": "nodeValue editable"}, "$attr.nodeValue"), + domplate.SPAN({"class": "nodeValue editable", "data-attributeName": "$attr.nodeName"}, "$attr.nodeValue"), """); BaseTemplates.TextTag = diff --git a/browser/base/content/inspector.html b/browser/base/content/inspector.html index f37a7f610b1b..3322ca53614b 100644 --- a/browser/base/content/inspector.html +++ b/browser/base/content/inspector.html @@ -7,5 +7,8 @@ +
+ +
diff --git a/browser/base/content/inspector.js b/browser/base/content/inspector.js index c1790a80455c..b017e57c0749 100644 --- a/browser/base/content/inspector.js +++ b/browser/base/content/inspector.js @@ -26,6 +26,7 @@ * Mihai Șucan * Julian Viereck * Paul Rouget + * Kyle Simpson * * Alternatively, the contents of this file may be used under the terms of * either the GNU General Public License Version 2 or later (the "GPL"), or @@ -70,6 +71,11 @@ const INSPECTOR_NOTIFICATIONS = { // Fires once the Inspector is closed. CLOSED: "inspector-closed", + + // Event notifications for the attribute-value editor + EDITOR_OPENED: "inspector-editor-opened", + EDITOR_CLOSED: "inspector-editor-closed", + EDITOR_SAVED: "inspector-editor-saved", }; /////////////////////////////////////////////////////////////////////////// @@ -591,6 +597,8 @@ var InspectorUI = { this.ioBox = new InsideOutBox(this, this.treePanelDiv); this.ioBox.createObjectBox(this.win.document.documentElement); this.treeLoaded = true; + this.editingContext = null; + this.editingEvents = {}; // initialize the highlighter this.initializeHighlighter(); @@ -614,6 +622,7 @@ var InspectorUI = { this.treeIFrame.setAttribute("flex", "1"); this.treeIFrame.setAttribute("type", "content"); this.treeIFrame.setAttribute("onclick", "InspectorUI.onTreeClick(event)"); + this.treeIFrame.setAttribute("ondblclick", "InspectorUI.onTreeDblClick(event);"); this.treeIFrame = this.treePanel.insertBefore(this.treeIFrame, resizerBox); } @@ -817,6 +826,11 @@ var InspectorUI = { */ closeInspectorUI: function IUI_closeInspectorUI(aKeepStore) { + // if currently editing an attribute value, closing the + // highlighter/HTML panel dismisses the editor + if (this.editingContext) + this.closeEditor(); + if (this.closing || !this.win || !this.browser) { return; } @@ -854,8 +868,11 @@ var InspectorUI = { delete this.treeBrowserDocument; } - if (this.treeIFrame) + if (this.treeIFrame) { + let parent = this.treeIFrame.parentNode; + parent.removeChild(this.treeIFrame); delete this.treeIFrame; + } delete this.ioBox; if (this.domplate) { @@ -879,6 +896,8 @@ var InspectorUI = { this.treeLoaded = false; this.treePanel.addEventListener("popuphidden", function treePanelHidden() { + this.removeEventListener("popuphidden", treePanelHidden, false); + InspectorUI.closing = false; Services.obs.notifyObservers(null, INSPECTOR_NOTIFICATIONS.CLOSED, null); }, false); @@ -893,6 +912,11 @@ var InspectorUI = { */ startInspecting: function IUI_startInspecting() { + // if currently editing an attribute value, starting + // "live inspection" mode closes the editor + if (this.editingContext) + this.closeEditor(); + document.getElementById("inspector-inspect-toolbutton").checked = true; this.attachPageListeners(); this.inspecting = true; @@ -933,6 +957,11 @@ var InspectorUI = { */ select: function IUI_select(aNode, forceUpdate, aScroll) { + // if currently editing an attribute value, using the + // highlighter dismisses the editor + if (this.editingContext) + this.closeEditor(); + if (!aNode) aNode = this.defaultSelection; @@ -1044,6 +1073,17 @@ var InspectorUI = { */ onTreeClick: function IUI_onTreeClick(aEvent) { + // if currently editing an attribute value, clicking outside + // the editor dismisses the editor + if (this.editingContext) { + this.closeEditor(); + + // clicking outside the editor ONLY closes the editor + // so, cancel the rest of the processing of this event + aEvent.preventDefault(); + return; + } + let node; let target = aEvent.target; let hitTwisty = false; @@ -1068,6 +1108,220 @@ var InspectorUI = { } }, + /** + * Handle double-click events in the html tree panel. + * (double-clicking an attribute value allows it to be edited) + * @param aEvent + * The mouse event. + */ + onTreeDblClick: function IUI_onTreeDblClick(aEvent) + { + // if already editing an attribute value, double-clicking elsewhere + // in the tree is the same as a click, which dismisses the editor + if (this.editingContext) + this.closeEditor(); + + let target = aEvent.target; + + if (this.hasClass(target, "nodeValue")) { + let repObj = this.getRepObject(target); + let attrName = target.getAttribute("data-attributeName"); + let attrVal = target.innerHTML; + + this.editAttributeValue(target, repObj, attrName, attrVal); + } + }, + + /** + * Starts the editor for an attribute value. + * @param aAttrObj + * The DOM object representing the attribute value in the HTML Tree + * @param aRepObj + * The original DOM (target) object being inspected/edited + * @param aAttrName + * The name of the attribute being edited + * @param aAttrVal + * The current value of the attribute being edited + */ + editAttributeValue: + function IUI_editAttributeValue(aAttrObj, aRepObj, aAttrName, aAttrVal) + { + let editor = this.treeBrowserDocument.getElementById("attribute-editor"); + let editorInput = + this.treeBrowserDocument.getElementById("attribute-editor-input"); + let attrDims = aAttrObj.getBoundingClientRect(); + // figure out actual viewable viewport dimensions (sans scrollbars) + let viewportWidth = this.treeBrowserDocument.documentElement.clientWidth; + let viewportHeight = this.treeBrowserDocument.documentElement.clientHeight; + + // saves the editing context for use when the editor is saved/closed + this.editingContext = { + attrObj: aAttrObj, + repObj: aRepObj, + attrName: aAttrName + }; + + // highlight attribute-value node in tree while editing + this.addClass(aAttrObj, "editingAttributeValue"); + + // show the editor + this.addClass(editor, "editing"); + + // offset the editor below the attribute-value node being edited + let editorVeritcalOffset = 2; + + // keep the editor comfortably within the bounds of the viewport + let editorViewportBoundary = 5; + + // outer editor is sized based on the box inside it + editorInput.style.width = Math.min(attrDims.width, viewportWidth - + editorViewportBoundary) + "px"; + editorInput.style.height = Math.min(attrDims.height, viewportHeight - + editorViewportBoundary) + "px"; + let editorDims = editor.getBoundingClientRect(); + + // calculate position for the editor according to the attribute node + let editorLeft = attrDims.left + this.treeIFrame.contentWindow.scrollX - + // center the editor against the attribute value + ((editorDims.width - attrDims.width) / 2); + let editorTop = attrDims.top + this.treeIFrame.contentWindow.scrollY + + attrDims.height + editorVeritcalOffset; + + // but, make sure the editor stays within the visible viewport + editorLeft = Math.max(0, Math.min( + (this.treeIFrame.contentWindow.scrollX + + viewportWidth - editorDims.width), + editorLeft) + ); + editorTop = Math.max(0, Math.min( + (this.treeIFrame.contentWindow.scrollY + + viewportHeight - editorDims.height), + editorTop) + ); + + // position the editor + editor.style.left = editorLeft + "px"; + editor.style.top = editorTop + "px"; + + // set and select the text + editorInput.value = aAttrVal; + editorInput.select(); + + // listen for editor specific events + this.bindEditorEvent(editor, "click", function(aEvent) { + aEvent.stopPropagation(); + }); + this.bindEditorEvent(editor, "dblclick", function(aEvent) { + aEvent.stopPropagation(); + }); + this.bindEditorEvent(editor, "keypress", + this.handleEditorKeypress.bind(this)); + + // event notification + Services.obs.notifyObservers(null, INSPECTOR_NOTIFICATIONS.EDITOR_OPENED, + null); + }, + + /** + * Handle binding an event handler for the editor. + * (saves the callback for easier unbinding later) + * @param aEditor + * The DOM object for the editor + * @param aEventName + * The name of the event to listen for + * @param aEventCallback + * The callback to bind to the event (and also to save for later + * unbinding) + */ + bindEditorEvent: + function IUI_bindEditorEvent(aEditor, aEventName, aEventCallback) + { + this.editingEvents[aEventName] = aEventCallback; + aEditor.addEventListener(aEventName, aEventCallback, false); + }, + + /** + * Handle unbinding an event handler from the editor. + * (unbinds the previously bound and saved callback) + * @param aEditor + * The DOM object for the editor + * @param aEventName + * The name of the event being listened for + */ + unbindEditorEvent: function IUI_unbindEditorEvent(aEditor, aEventName) + { + aEditor.removeEventListener(aEventName, this.editingEvents[aEventName], + false); + this.editingEvents[aEventName] = null; + }, + + /** + * Handle keypress events in the editor. + * @param aEvent + * The keyboard event. + */ + handleEditorKeypress: function IUI_handleEditorKeypress(aEvent) + { + if (aEvent.which == KeyEvent.DOM_VK_RETURN) { + this.saveEditor(); + } else if (aEvent.keyCode == KeyEvent.DOM_VK_ESCAPE) { + this.closeEditor(); + } + }, + + /** + * Close the editor and cleanup. + */ + closeEditor: function IUI_closeEditor() + { + let editor = this.treeBrowserDocument.getElementById("attribute-editor"); + let editorInput = + this.treeBrowserDocument.getElementById("attribute-editor-input"); + + // remove highlight from attribute-value node in tree + this.removeClass(this.editingContext.attrObj, "editingAttributeValue"); + + // hide editor + this.removeClass(editor, "editing"); + + // stop listening for editor specific events + this.unbindEditorEvent(editor, "click"); + this.unbindEditorEvent(editor, "dblclick"); + this.unbindEditorEvent(editor, "keypress"); + + // clean up after the editor + editorInput.value = ""; + editorInput.blur(); + this.editingContext = null; + this.editingEvents = {}; + + // event notification + Services.obs.notifyObservers(null, INSPECTOR_NOTIFICATIONS.EDITOR_CLOSED, + null); + }, + + /** + * Commit the edits made in the editor, then close it. + */ + saveEditor: function IUI_saveEditor() + { + let editorInput = + this.treeBrowserDocument.getElementById("attribute-editor-input"); + + // set the new attribute value on the original target DOM element + this.editingContext.repObj.setAttribute(this.editingContext.attrName, + editorInput.value); + + // update the HTML tree attribute value + this.editingContext.attrObj.innerHTML = editorInput.value; + + // event notification + Services.obs.notifyObservers(null, INSPECTOR_NOTIFICATIONS.EDITOR_SAVED, + null); + + this.closeEditor(); + }, + /** * Attach event listeners to content window and child windows to enable * highlighting and click to stop inspection. diff --git a/browser/base/content/nsContextMenu.js b/browser/base/content/nsContextMenu.js index 627d80154227..b4f9aacc043c 100644 --- a/browser/base/content/nsContextMenu.js +++ b/browser/base/content/nsContextMenu.js @@ -79,7 +79,8 @@ nsContextMenu.prototype = { this.hasPageMenu = false; if (!aIsShift) { - this.hasPageMenu = PageMenu.init(this.target, aXulMenu); + this.hasPageMenu = PageMenu.maybeBuildAndAttachMenu(this.target, + aXulMenu); } this.isFrameImage = document.getElementById("isFrameImage"); diff --git a/browser/base/content/tabview/content.js b/browser/base/content/tabview/content.js new file mode 100644 index 000000000000..223a5661d998 --- /dev/null +++ b/browser/base/content/tabview/content.js @@ -0,0 +1,46 @@ +/* ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is content.js. + * + * The Initial Developer of the Original Code is the Mozilla Foundation. + * Portions created by the Initial Developer are Copyright (C) 2011 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * Tim Taubert + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * ***** END LICENSE BLOCK ***** */ + +addEventListener("DOMWillOpenModalDialog", function (event) { + // (event.isTrusted == true) when the event is generated by a user action + // and does not originate from a script. + if (event.isTrusted) { + // we're intentionally sending a synchronous message to handle this event + // as quick as possible, switch the selected tab and hide the tabview + // before the modal dialog is shown + sendSyncMessage("Panorama:DOMWillOpenModalDialog"); + } +}, true); diff --git a/browser/base/content/tabview/groupitems.js b/browser/base/content/tabview/groupitems.js index 8b0578d8120d..f991bcd09ce3 100644 --- a/browser/base/content/tabview/groupitems.js +++ b/browser/base/content/tabview/groupitems.js @@ -231,7 +231,7 @@ function GroupItem(listOfEls, options) { .appendTo(appTabTrayContainer); AllTabs.tabs.forEach(function(xulTab) { - if (xulTab.pinned && xulTab.ownerDocument.defaultView == gWindow) + if (xulTab.pinned) self.addAppTab(xulTab, {dontAdjustTray: true}); }); @@ -744,9 +744,13 @@ GroupItem.prototype = Utils.extend(new Item(), new Subscribable(), { // ---------- // Function: _unhide // Shows the hidden group. - _unhide: function GroupItem__unhide() { - let self = this; - + // + // Parameters: + // options - various options (see below) + // + // Possible options: + // immediately - true when no animations should be used + _unhide: function GroupItem__unhide(options) { this._cancelFadeAwayUndoButtonTimer(); this.hidden = false; this.$undoContainer.remove(); @@ -754,20 +758,31 @@ GroupItem.prototype = Utils.extend(new Item(), new Subscribable(), { this.droppable(true); this.setTrenches(this.bounds); - iQ(this.container).show().animate({ - "-moz-transform": "scale(1)", - "opacity": 1 - }, { - duration: 170, - complete: function() { - self._children.forEach(function(child) { - iQ(child.container).show(); - }); + let self = this; - UI.setActive(self); - self._sendToSubscribers("groupShown", { groupItemId: self.id }); - } - }); + let finalize = function () { + self._children.forEach(function(child) { + iQ(child.container).show(); + }); + + UI.setActive(self); + self._sendToSubscribers("groupShown", { groupItemId: self.id }); + }; + + let $container = iQ(this.container).show(); + + if (!options || !options.immediately) { + $container.animate({ + "-moz-transform": "scale(1)", + "opacity": 1 + }, { + duration: 170, + complete: finalize + }); + } else { + $container.css({"-moz-transform": "none", opacity: 1}); + finalize(); + } GroupItems.updateGroupCloseButtons(); }, @@ -785,15 +800,29 @@ GroupItem.prototype = Utils.extend(new Item(), new Subscribable(), { let remainingGroups = GroupItems.groupItems.filter(function (groupItem) { return (groupItem != self && groupItem.getChildren().length); }); + + let tab = null; + if (!gBrowser._numPinnedTabs && !remainingGroups.length) { let emptyGroups = GroupItems.groupItems.filter(function (groupItem) { return (groupItem != self && !groupItem.getChildren().length); }); let group = (emptyGroups.length ? emptyGroups[0] : GroupItems.newGroup()); - group.newTab(null, { closedLastTab: true }); + tab = group.newTab(null, {dontZoomIn: true}); } - this.destroy(); + let closed = this.destroy(); + + if (!tab) + return; + + if (closed) { + // Let's make the new tab the selected tab. + UI.goToTab(tab); + } else { + // Remove the new tab and group, if this group is no longer closed. + tab._tabViewTabItem.parent.destroy({immediately: true}); + } }, // ---------- @@ -806,6 +835,10 @@ GroupItem.prototype = Utils.extend(new Item(), new Subscribable(), { // // Options: // immediately - (bool) if true, no animation will be used + // + // Returns true if the groupItem has been closed, or false otherwise. A group + // could not have been closed due to a tab with an onUnload handler (that + // waits for user interaction). destroy: function GroupItem_destroy(options) { let self = this; @@ -814,14 +847,11 @@ GroupItem.prototype = Utils.extend(new Item(), new Subscribable(), { // In other words, the group "close" event is fired before all browser // tabs in the group are closed. The below code would fire the group "close" // event only after all browser tabs in that group are closed. - let shouldRemoveTabItems = []; - let toClose = this._children.concat(); - toClose.forEach(function(child) { + this._children.concat().forEach(function(child) { child.removeSubscriber("close", self._onChildClose); - let removed = child.close(true); - if (removed) { - shouldRemoveTabItems.push(child); + if (child.close(true)) { + self.remove(child, { dontArrange: true }); } else { // child.removeSubscriber() must be called before child.close(), // therefore we call child.addSubscriber() if the tab is not removed. @@ -829,15 +859,14 @@ GroupItem.prototype = Utils.extend(new Item(), new Subscribable(), { } }); - if (shouldRemoveTabItems.length != toClose.length) { - // remove children without the assiciated tab and show the group item - shouldRemoveTabItems.forEach(function(child) { - self.remove(child, { dontArrange: true }); - }); + if (this._children.length) { + if (this.hidden) + this.$undoContainer.fadeOut(function() { self._unhide() }); - this.$undoContainer.fadeOut(function() { self._unhide() }); + return false; } else { this.close(options); + return true; } }, @@ -1818,13 +1847,16 @@ GroupItem.prototype = Utils.extend(new Item(), new Subscribable(), { // Parameters: // url - the new tab should open this url as well // options - the options object + // dontZoomIn - set to true to not zoom into the newly created tab // closedLastTab - boolean indicates the last tab has just been closed newTab: function GroupItem_newTab(url, options) { if (options && options.closedLastTab) UI.closedLastTabInTabView = true; UI.setActive(this, { dontSetActiveTabInGroup: true }); - gBrowser.loadOneTab(url || "about:blank", { inBackground: false }); + + let dontZoomIn = !!(options && options.dontZoomIn); + return gBrowser.loadOneTab(url || "about:blank", { inBackground: dontZoomIn }); }, // ---------- @@ -1926,13 +1958,13 @@ let GroupItems = { let self = this; // setup attr modified handler, and prepare for its uninit - function handleAttrModified(xulTab) { - self._handleAttrModified(xulTab); + function handleAttrModified(event) { + self._handleAttrModified(event.target); } // make sure any closed tabs are removed from the delay update list - function handleClose(xulTab) { - let idx = self._delayedModUpdates.indexOf(xulTab); + function handleClose(event) { + let idx = self._delayedModUpdates.indexOf(event.target); if (idx != -1) self._delayedModUpdates.splice(idx, 1); } @@ -2040,7 +2072,7 @@ let GroupItems = { // Function: _updateAppTabIcons // Update images of any apptab icons that point to passed in xultab _updateAppTabIcons: function GroupItems__updateAppTabIcons(xulTab) { - if (xulTab.ownerDocument.defaultView != gWindow || !xulTab.pinned) + if (!xulTab.pinned) return; let iconUrl = this.getAppTabFavIconUrl(xulTab); diff --git a/browser/base/content/tabview/modules/AllTabs.jsm b/browser/base/content/tabview/modules/AllTabs.jsm deleted file mode 100644 index 3c8285348111..000000000000 --- a/browser/base/content/tabview/modules/AllTabs.jsm +++ /dev/null @@ -1,183 +0,0 @@ -/* ***** BEGIN LICENSE BLOCK ***** - * Version: MPL 1.1/GPL 2.0/LGPL 2.1 - * - * The contents of this file are subject to the Mozilla Public License Version - * 1.1 (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * http://www.mozilla.org/MPL/ - * - * Software distributed under the License is distributed on an "AS IS" basis, - * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License - * for the specific language governing rights and limitations under the - * License. - * - * The Original Code is TabView AllTabs. - * - * The Initial Developer of the Original Code is - * Mozilla Foundation. - * Portions created by the Initial Developer are Copyright (C) 2010 - * the Initial Developer. All Rights Reserved. - * - * Contributor(s): - * Edward Lee - * - * Alternatively, the contents of this file may be used under the terms of - * either the GNU General Public License Version 2 or later (the "GPL"), or - * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), - * in which case the provisions of the GPL or the LGPL are applicable instead - * of those above. If you wish to allow use of your version of this file only - * under the terms of either the GPL or the LGPL, and not to allow others to - * use your version of this file under the terms of the MPL, indicate your - * decision by deleting the provisions above and replace them with the notice - * and other provisions required by the GPL or the LGPL. If you do not delete - * the provisions above, a recipient may use your version of this file under - * the terms of any one of the MPL, the GPL or the LGPL. - * - * ***** END LICENSE BLOCK ***** */ - -"use strict"; - -const Cu = Components.utils; -Cu.import("resource://gre/modules/Services.jsm"); - -let EXPORTED_SYMBOLS = ["AllTabs"]; - -let AllTabs = { - // ---------- - // Function: toString - // Prints [AllTabs] for debug use - toString: function AllTabs_toString() { - return "[AllTabs]"; - }, - - /** - * Get an array of all tabs from all tabbrowser windows. - * - * @usage let numAllTabs = AllTabs.tabs.length; - * AllTabs.tabs.forEach(handleAllTabs); - */ - get tabs() { - // Get tabs from each browser window and flatten them into one array - return Array.concat.apply(null, browserWindows.map(function(browserWindow) { - return Array.filter(browserWindow.gBrowser.tabs, function (tab) !tab.closing); - })); - }, - - /** - * Attach a callback for a given tab event. - * - * @param eventName - * Name of the corresponding Tab* Event; one of "attrModified", - * "close", "move", "open", "select", "pinned", "unpinned". - * @param callback - * Callback that gets called with the tab as the first argument and - * the event as the second argument. - * @usage AllTabs.register("change", function handleChange(tab, event) {}); - */ - register: function register(eventName, callback) { - // Either add additional callbacks or create the first entry - let listeners = eventListeners[events[eventName]]; - if (listeners) - listeners.push(callback); - else - eventListeners[events[eventName]] = [callback]; - }, - - /** - * Remove a callback for a given tab event. - * - * @param eventName - * Name of the corresponding Tab* Event; one of "attrModified", - * "close", "move", "open", "select", "pinned", "unpinned". - * @param callback - * The callback given for the original AllTabs.register call. - * @usage AllTabs.unregister("close", handleClose); - */ - unregister: function unregister(eventName, callback) { - // Nothing to remove for this event - let listeners = eventListeners[events[eventName]]; - if (!listeners) - return; - - // Can only remove a callback if we have it - let index = listeners.indexOf(callback); - if (index == -1) - return; - - listeners.splice(index, 1); - } -}; - -__defineGetter__("browserWindows", function browserWindows() { - let browserWindows = []; - let windows = Services.wm.getEnumerator("navigator:browser"); - while (windows.hasMoreElements()) - browserWindows.push(windows.getNext()); - return browserWindows; -}); - -let events = { - attrModified: "TabAttrModified", - close: "TabClose", - move: "TabMove", - open: "TabOpen", - select: "TabSelect", - pinned: "TabPinned", - unpinned: "TabUnpinned" -}; -let eventListeners = {}; - -function registerBrowserWindow(browserWindow) { - for each (let event in events) - browserWindow.addEventListener(event, tabEventListener, true); - - browserWindow.addEventListener("unload", unregisterBrowserWindow, false); -} - -function unregisterBrowserWindow(unloadEvent) { - let browserWindow = unloadEvent.currentTarget; - - for each (let event in events) - browserWindow.removeEventListener(event, tabEventListener, true); - - browserWindow.removeEventListener("unload", unregisterBrowserWindow, false); -} - -function tabEventListener(event) { - // Make sure we've gotten listeners before trying to call - let listeners = eventListeners[event.type]; - if (!listeners) - return; - - let tab = event.target; - - // Make a copy of the listeners, so it can't change as we call back - listeners.slice().forEach(function (callback) { - try { - callback(tab, event); - } - // Don't let failing callbacks stop us but report the failure - catch (ex) { - Cu.reportError(ex); - } - }); -} - -function observer(subject, topic, data) { - switch (topic) { - case "domwindowopened": - subject.addEventListener("load", function onLoad() { - subject.removeEventListener("load", onLoad, false); - - // Now that the window has loaded, only register on browser windows - let doc = subject.document.documentElement; - if (doc.getAttribute("windowtype") == "navigator:browser") - registerBrowserWindow(subject); - }, false); - break; - } -} - -// Register listeners on all browser windows and future ones -browserWindows.forEach(registerBrowserWindow); -Services.obs.addObserver(observer, "domwindowopened", false); diff --git a/browser/base/content/tabview/search.js b/browser/base/content/tabview/search.js index 8968531b7e10..f96d9202277e 100644 --- a/browser/base/content/tabview/search.js +++ b/browser/base/content/tabview/search.js @@ -520,6 +520,9 @@ function createSearchTabMacher() { } function hideSearch(event) { + if (!isSearchEnabled()) + return; + iQ("#searchbox").val(""); iQ("#searchshade").hide(); iQ("#search").hide(); diff --git a/browser/base/content/tabview/storage.js b/browser/base/content/tabview/storage.js index 5af35d22f7a2..c9bf74ea9e29 100644 --- a/browser/base/content/tabview/storage.js +++ b/browser/base/content/tabview/storage.js @@ -79,9 +79,6 @@ let Storage = { // ___ Tabs AllTabs.tabs.forEach(function(tab) { - if (tab.ownerDocument.defaultView != gWindow) - return; - self.saveTab(tab, null); }); diff --git a/browser/base/content/tabview/tabitems.js b/browser/base/content/tabview/tabitems.js index f5fd925cc211..d98974a9e82d 100644 --- a/browser/base/content/tabview/tabitems.js +++ b/browser/base/content/tabview/tabitems.js @@ -478,29 +478,22 @@ TabItem.prototype = Utils.extend(new Item(), new Subscribable(), { // closing tab doesn't belong to a group and no empty group, create a new // one for the new tab. if (!groupClose && gBrowser.tabs.length == 1) { - let group; - if (this.tab._tabViewTabItem.parent) { - group = this.tab._tabViewTabItem.parent; - } else { - let emptyGroups = GroupItems.groupItems.filter(function (groupItem) { - return (!groupItem.getChildren().length); - }); - group = (emptyGroups.length ? emptyGroups[0] : GroupItems.newGroup()); - } + let group = this.tab._tabViewTabItem.parent; group.newTab(null, { closedLastTab: true }); } + // when "TabClose" event is fired, the browser tab is about to close and our // item "close" is fired before the browser tab actually get closed. // Therefore, we need "tabRemoved" event below. gBrowser.removeTab(this.tab); - let tabNotClosed = - Array.some(gBrowser.tabs, function(tab) { return tab == this.tab; }, this); - if (!tabNotClosed) + let tabClosed = !this.tab; + + if (tabClosed) this._sendToSubscribers("tabRemoved"); // No need to explicitly delete the tab data, becasue sessionstore data // associated with the tab will automatically go away - return !tabNotClosed; + return tabClosed; }, // ---------- @@ -746,27 +739,26 @@ let TabItems = { this.tempCanvas.height = 112; // When a tab is opened, create the TabItem - this._eventListeners["open"] = function(tab) { - if (tab.ownerDocument.defaultView != gWindow || tab.pinned) - return; + this._eventListeners.open = function (event) { + let tab = event.target; - self.link(tab); + if (!tab.pinned) + self.link(tab); } // When a tab's content is loaded, show the canvas and hide the cached data // if necessary. - this._eventListeners["attrModified"] = function(tab) { - if (tab.ownerDocument.defaultView != gWindow || tab.pinned) - return; + this._eventListeners.attrModified = function (event) { + let tab = event.target; - self.update(tab); + if (!tab.pinned) + self.update(tab); } // When a tab is closed, unlink. - this._eventListeners["close"] = function(tab) { - if (tab.ownerDocument.defaultView != gWindow || tab.pinned) - return; + this._eventListeners.close = function (event) { + let tab = event.target; // XXX bug #635975 - don't unlink the tab if the dom window is closing. - if (!UI.isDOMWindowClosing) + if (!tab.pinned && !UI.isDOMWindowClosing) self.unlink(tab); } for (let name in this._eventListeners) { @@ -774,8 +766,8 @@ let TabItems = { } // For each tab, create the link. - AllTabs.tabs.forEach(function(tab) { - if (tab.ownerDocument.defaultView != gWindow || tab.pinned) + AllTabs.tabs.forEach(function (tab) { + if (tab.pinned) return; self.link(tab, {immediately: true}); diff --git a/browser/base/content/tabview/tabview.js b/browser/base/content/tabview/tabview.js index 15a5c9380c6f..fca551fd64e1 100644 --- a/browser/base/content/tabview/tabview.js +++ b/browser/base/content/tabview/tabview.js @@ -5,7 +5,6 @@ const Ci = Components.interfaces; const Cu = Components.utils; const Cr = Components.results; -Cu.import("resource:///modules/tabview/AllTabs.jsm"); Cu.import("resource:///modules/tabview/utils.jsm"); Cu.import("resource://gre/modules/Services.jsm"); Cu.import("resource://gre/modules/XPCOMUtils.jsm"); @@ -44,6 +43,30 @@ var gTabViewDeck = gWindow.document.getElementById("tab-view-deck"); var gBrowserPanel = gWindow.document.getElementById("browser-panel"); var gTabViewFrame = gWindow.document.getElementById("tab-view"); +let AllTabs = { + _events: { + attrModified: "TabAttrModified", + close: "TabClose", + move: "TabMove", + open: "TabOpen", + select: "TabSelect", + pinned: "TabPinned", + unpinned: "TabUnpinned" + }, + + get tabs() { + return Array.filter(gBrowser.tabs, function (tab) !tab.closing); + }, + + register: function AllTabs_register(eventName, callback) { + gBrowser.tabContainer.addEventListener(this._events[eventName], callback, false); + }, + + unregister: function AllTabs_unregister(eventName, callback) { + gBrowser.tabContainer.removeEventListener(this._events[eventName], callback, false); + } +}; + # NB: Certain files need to evaluate before others #include iq.js diff --git a/browser/base/content/tabview/ui.js b/browser/base/content/tabview/ui.js index b0b1071fddf7..97783df5d96d 100644 --- a/browser/base/content/tabview/ui.js +++ b/browser/base/content/tabview/ui.js @@ -26,6 +26,7 @@ * Raymond Lee * Sean Dunn * Tim Taubert + * Mihai Sucan * * Alternatively, the contents of this file may be used under the terms of * either the GNU General Public License Version 2 or later (the "GPL"), or @@ -80,6 +81,10 @@ let UI = { // If true, a closed tab has just been restored. restoredClosedTab: false, + // Variable: _isChangingVisibility + // Tracks whether we're currently in the process of showing/hiding the tabview. + _isChangingVisibility: false, + // Variable: _reorderTabItemsOnShow // Keeps track of the s which their tab items' tabs have been moved // and re-orders the tab items when switching to TabView. @@ -234,6 +239,15 @@ let UI = { self.uninit(); }); + // ___ setup DOMWillOpenModalDialog message handler + let mm = gWindow.messageManager; + let callback = this._onDOMWillOpenModalDialog.bind(this); + mm.addMessageListener("Panorama:DOMWillOpenModalDialog", callback); + + this._cleanupFunctions.push(function () { + mm.removeMessageListener("Panorama:DOMWillOpenModalDialog", callback); + }); + // ___ setup key handlers this._setTabViewFrameKeyHandlers(); @@ -276,6 +290,10 @@ let UI = { self._save(); }, false); + // ___ load frame script + let frameScript = "chrome://browser/content/tabview-content.js"; + gWindow.messageManager.loadFrameScript(frameScript, true); + // ___ Done this._frameInitialized = true; this._save(); @@ -481,9 +499,11 @@ let UI = { // Parameters: // zoomOut - true for zoom out animation, false for nothing. showTabView: function UI_showTabView(zoomOut) { - if (this.isTabViewVisible()) + if (this.isTabViewVisible() || this._isChangingVisibility) return; + this._isChangingVisibility = true; + // initialize the direction of the page this._initPageDirection(); @@ -526,6 +546,7 @@ let UI = { self.setActive(item); self._resize(true); + self._isChangingVisibility = false; dispatchEvent(event); // Flush pending updates @@ -535,6 +556,7 @@ let UI = { }); } else { self.clearActiveTab(); + self._isChangingVisibility = false; dispatchEvent(event); // Flush pending updates @@ -551,9 +573,11 @@ let UI = { // Function: hideTabView // Hides TabView and shows the main browser UI. hideTabView: function UI_hideTabView() { - if (!this.isTabViewVisible()) + if (!this.isTabViewVisible() || this._isChangingVisibility) return; + this._isChangingVisibility = true; + // another tab might be select if user decides to stay on a page when // a onclose confirmation prompts. GroupItems.removeHiddenGroups(); @@ -580,6 +604,8 @@ let UI = { #endif Storage.saveVisibilityData(gWindow, "false"); + this._isChangingVisibility = false; + let event = document.createEvent("Events"); event.initEvent("tabviewhidden", true, false); dispatchEvent(event); @@ -685,6 +711,7 @@ let UI = { } } else if (topic == "private-browsing-change-granted") { if (data == "enter" || data == "exit") { + hideSearch(); self._privateBrowsing.transitionMode = data; self.storageBusy(); } @@ -710,9 +737,8 @@ let UI = { }); // TabOpen - this._eventListeners.open = function(tab) { - if (tab.ownerDocument.defaultView != gWindow) - return; + this._eventListeners.open = function (event) { + let tab = event.target; // if it's an app tab, add it to all the group items if (tab.pinned) @@ -722,9 +748,8 @@ let UI = { }; // TabClose - this._eventListeners.close = function(tab) { - if (tab.ownerDocument.defaultView != gWindow) - return; + this._eventListeners.close = function (event) { + let tab = event.target; // if it's an app tab, remove it from all the group items if (tab.pinned) @@ -756,21 +781,14 @@ let UI = { groupItem._children.length == 1 && groupItem._children[0].tab == tab); - // 2) Take care of the case where you've closed the last tab in - // an un-named groupItem, which means that the groupItem is gone (null) and - // there are no visible tabs. - let closingUnnamedGroup = (groupItem == null && - gBrowser.visibleTabs.length <= 1); - - // 3) When a blank tab is active while restoring a closed tab the + // 2) When a blank tab is active while restoring a closed tab the // blank tab gets removed. The active group is not closed as this is // where the restored tab goes. So do not show the TabView. let tabItem = tab && tab._tabViewTabItem; let closingBlankTabAfterRestore = (tabItem && tabItem.isRemovedAfterRestore); - if ((closingLastOfGroup || closingUnnamedGroup) && - !closingBlankTabAfterRestore) { + if (closingLastOfGroup && !closingBlankTabAfterRestore) { // for the tab focus event to pick up. self._closedLastVisibleTab = true; self.showTabView(); @@ -780,9 +798,8 @@ let UI = { }; // TabMove - this._eventListeners.move = function(tab) { - if (tab.ownerDocument.defaultView != gWindow) - return; + this._eventListeners.move = function (event) { + let tab = event.target; if (GroupItems.groupItems.length > 0) { if (tab.pinned) { @@ -797,26 +814,21 @@ let UI = { }; // TabSelect - this._eventListeners.select = function(tab) { - if (tab.ownerDocument.defaultView != gWindow) - return; - - self.onTabSelect(tab); + this._eventListeners.select = function (event) { + self.onTabSelect(event.target); }; // TabPinned - this._eventListeners.pinned = function(tab) { - if (tab.ownerDocument.defaultView != gWindow) - return; + this._eventListeners.pinned = function (event) { + let tab = event.target; TabItems.handleTabPin(tab); GroupItems.addAppTab(tab); }; // TabUnpinned - this._eventListeners.unpinned = function(tab) { - if (tab.ownerDocument.defaultView != gWindow) - return; + this._eventListeners.unpinned = function (event) { + let tab = event.target; TabItems.handleTabUnpin(tab); GroupItems.removeAppTab(tab); @@ -890,8 +902,14 @@ let UI = { // if TabView is visible but we didn't just close the last tab or // selected tab, show chrome. - if (this.isTabViewVisible()) + if (this.isTabViewVisible()) { + // Unhide the group of the tab the user is activating. + if (tab && tab._tabViewTabItem && tab._tabViewTabItem.parent && + tab._tabViewTabItem.parent.hidden) + tab._tabViewTabItem.parent._unhide({immediately: true}); + this.hideTabView(); + } // another tab might be selected when hideTabView() is invoked so a // validation is needed. @@ -925,6 +943,27 @@ let UI = { } }, + // ---------- + // Function: _onDOMWillOpenModalDialog + // Called when a web page is about to show a modal dialog. + _onDOMWillOpenModalDialog: function UI__onDOMWillOpenModalDialog(cx) { + if (!this.isTabViewVisible()) + return; + + let index = gBrowser.browsers.indexOf(cx.target); + if (index == -1) + return; + + let tab = gBrowser.tabs[index]; + + // When TabView is visible, we need to call onTabSelect to make sure that + // TabView is hidden and that the correct group is activated. When a modal + // dialog is shown for currently selected tab the onTabSelect event handler + // is not called, so we need to do it. + if (gBrowser.selectedTab == tab && this._currentTab == tab) + this.onTabSelect(tab); + }, + // ---------- // Function: setReorderTabsOnHide // Sets the groupItem which the tab items' tabs should be re-ordered when diff --git a/browser/base/content/test/Makefile.in b/browser/base/content/test/Makefile.in index 4cc801b13d3f..e643dab3c974 100644 --- a/browser/base/content/test/Makefile.in +++ b/browser/base/content/test/Makefile.in @@ -177,6 +177,7 @@ _BROWSER_FILES = \ browser_bug647886.js \ browser_bug655584.js \ browser_bug664672.js \ + browser_canonizeURL.js \ browser_findbarClose.js \ browser_keywordBookmarklets.js \ browser_contextSearchTabPosition.js \ diff --git a/browser/base/content/test/browser_canonizeURL.js b/browser/base/content/test/browser_canonizeURL.js new file mode 100644 index 000000000000..b544416f96fa --- /dev/null +++ b/browser/base/content/test/browser_canonizeURL.js @@ -0,0 +1,54 @@ +function test() { + waitForExplicitFinish(); + testNext(); +} + +var pairs = [ + ["example", "http://www.example.net/"], + ["ex-ample", "http://www.ex-ample.net/"], + [" example ", "http://www.example.net/"], + [" example/foo ", "http://www.example.net/foo"], + [" example/foo bar ", "http://www.example.net/foo%20bar"], + ["example.net", "http://example.net/"], + ["http://example", "http://example/"], + ["example:8080", "http://example:8080/"], + ["ex-ample.foo", "http://ex-ample.foo/"], + ["example.foo/bar ", "http://example.foo/bar"], + ["1.1.1.1", "http://1.1.1.1/"], + ["ftp://example", "ftp://example/"], + ["ftp.example.bar", "ftp://ftp.example.bar/"], + ["ex ample", Services.search.originalDefaultEngine.getSubmission("ex ample").uri.spec], +]; + +function testNext() { + if (!pairs.length) { + finish(); + return; + } + + let [inputValue, expectedURL] = pairs.shift(); + + gBrowser.addProgressListener({ + onStateChange: function onStateChange(aWebProgress, aRequest, aStateFlags, aStatus) { + if (aStateFlags & Ci.nsIWebProgressListener.STATE_START && + aStateFlags & Ci.nsIWebProgressListener.STATE_IS_NETWORK) { + is(aRequest.originalURI.spec, expectedURL, + "entering '" + inputValue + "' loads expected URL"); + + gBrowser.removeProgressListener(this); + gBrowser.stop(); + + executeSoon(testNext); + } + } + }); + + gURLBar.addEventListener("focus", function onFocus() { + gURLBar.removeEventListener("focus", onFocus); + EventUtils.synthesizeKey("VK_RETURN", { shiftKey: true }); + }); + + gBrowser.selectedBrowser.focus(); + gURLBar.inputField.value = inputValue; + gURLBar.focus(); +} diff --git a/browser/base/content/test/inspector/Makefile.in b/browser/base/content/test/inspector/Makefile.in index 2d7537c6b012..1fb25b8436f6 100644 --- a/browser/base/content/test/inspector/Makefile.in +++ b/browser/base/content/test/inspector/Makefile.in @@ -56,6 +56,7 @@ _BROWSER_FILES = \ browser_inspector_treePanel_result.html \ browser_inspector_registertools.js \ browser_inspector_bug_665880.js \ + browser_inspector_editor.js \ $(NULL) libs:: $(_BROWSER_FILES) diff --git a/browser/base/content/test/inspector/browser_inspector_editor.js b/browser/base/content/test/inspector/browser_inspector_editor.js new file mode 100644 index 000000000000..ca2378f80c4e --- /dev/null +++ b/browser/base/content/test/inspector/browser_inspector_editor.js @@ -0,0 +1,233 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=2 et sw=2 tw=80: */ +/* ***** BEGIN LICENSE BLOCK ***** +/* Any copyright is dedicated to the Public Domain. + * http://creativecommons.org/publicdomain/zero/1.0/ + * + * Contributor(s): + * Rob Campbell + * Mihai Sucan + * Kyle Simpson + * + * ***** END LICENSE BLOCK ***** */ + +let doc; +let div; +let editorTestSteps; + +function doNextStep() { + editorTestSteps.next(); +} + +function setupEditorTests() +{ + div = doc.createElement("div"); + div.setAttribute("id", "foobar"); + div.setAttribute("class", "barbaz"); + doc.body.appendChild(div); + + Services.obs.addObserver(runEditorTests, INSPECTOR_NOTIFICATIONS.OPENED, false); + InspectorUI.toggleInspectorUI(); +} + +function runEditorTests() +{ + Services.obs.removeObserver(runEditorTests, INSPECTOR_NOTIFICATIONS.OPENED, false); + InspectorUI.stopInspecting(); + + // setup generator for async test steps + editorTestSteps = doEditorTestSteps(); + + // add step listeners + Services.obs.addObserver(doNextStep, INSPECTOR_NOTIFICATIONS.EDITOR_OPENED, false); + Services.obs.addObserver(doNextStep, INSPECTOR_NOTIFICATIONS.EDITOR_CLOSED, false); + Services.obs.addObserver(doNextStep, INSPECTOR_NOTIFICATIONS.EDITOR_SAVED, false); + + // start the tests + doNextStep(); +} + +function doEditorTestSteps() +{ + let editor = InspectorUI.treeBrowserDocument.getElementById("attribute-editor"); + let editorInput = InspectorUI.treeBrowserDocument.getElementById("attribute-editor-input"); + + // Step 1: grab and test the attribute-value nodes in the HTML panel, then open editor + let attrValNode_id = InspectorUI.treeBrowserDocument.querySelectorAll(".nodeValue.editable[data-attributeName='id']")[0]; + let attrValNode_class = InspectorUI.treeBrowserDocument.querySelectorAll(".nodeValue.editable[data-attributeName='class']")[0]; + + is(attrValNode_id.innerHTML, "foobar", "Step 1: we have the correct `id` attribute-value node in the HTML panel"); + is(attrValNode_class.innerHTML, "barbaz", "we have the correct `class` attribute-value node in the HTML panel"); + + // double-click the `id` attribute-value node to open the editor + executeSoon(function() { + // firing 2 clicks right in a row to simulate a double-click + EventUtils.synthesizeMouse(attrValNode_id, 2, 2, {clickCount: 2}, attrValNode_id.ownerDocument.defaultView); + }); + + yield; // End of Step 1 + + + // Step 2: validate editing session, enter new attribute value into editor, and save input + ok(InspectorUI.editingContext, "Step 2: editor session started"); + + let editorVisible = editor.classList.contains("editing"); + ok(editorVisible, "editor popup visible"); + + // check if the editor popup is "near" the correct position + let editorDims = editor.getBoundingClientRect(); + let attrValNodeDims = attrValNode_id.getBoundingClientRect(); + let editorPositionOK = (editorDims.left >= (attrValNodeDims.left - editorDims.width - 5)) && + (editorDims.right <= (attrValNodeDims.right + editorDims.width + 5)) && + (editorDims.top >= (attrValNodeDims.top - editorDims.height - 5)) && + (editorDims.bottom <= (attrValNodeDims.bottom + editorDims.height + 5)); + + ok(editorPositionOK, "editor position acceptable"); + + // check to make sure the attribute-value node being edited is properly highlighted + let attrValNodeHighlighted = attrValNode_id.classList.contains("editingAttributeValue"); + ok(attrValNodeHighlighted, "`id` attribute-value node is editor-highlighted"); + + is(InspectorUI.editingContext.repObj, div, "editor session has correct reference to div"); + is(InspectorUI.editingContext.attrObj, attrValNode_id, "editor session has correct reference to `id` attribute-value node in HTML panel"); + is(InspectorUI.editingContext.attrName, "id", "editor session knows correct attribute-name"); + + editorInput.value = "Hello World"; + editorInput.focus(); + + // hit to save the inputted value + executeSoon(function() { + EventUtils.synthesizeKey("VK_RETURN", {}, attrValNode_id.ownerDocument.defaultView); + }); + + // two `yield` statements, to trap both the "SAVED" and "CLOSED" events that will be triggered + yield; + yield; // End of Step 2 + + + // Step 3: validate that the previous editing session saved correctly, then open editor on `class` attribute value + ok(!InspectorUI.editingContext, "Step 3: editor session ended"); + editorVisible = editor.classList.contains("editing"); + ok(!editorVisible, "editor popup hidden"); + attrValNodeHighlighted = attrValNode_id.classList.contains("editingAttributeValue"); + ok(!attrValNodeHighlighted, "`id` attribute-value node is no longer editor-highlighted"); + is(div.getAttribute("id"), "Hello World", "`id` attribute-value successfully updated"); + is(attrValNode_id.innerHTML, "Hello World", "attribute-value node in HTML panel successfully updated"); + + // double-click the `class` attribute-value node to open the editor + executeSoon(function() { + // firing 2 clicks right in a row to simulate a double-click + EventUtils.synthesizeMouse(attrValNode_class, 2, 2, {clickCount: 2}, attrValNode_class.ownerDocument.defaultView); + }); + + yield; // End of Step 3 + + + // Step 4: enter value into editor, then hit to discard it + ok(InspectorUI.editingContext, "Step 4: editor session started"); + editorVisible = editor.classList.contains("editing"); + ok(editorVisible, "editor popup visible"); + + is(InspectorUI.editingContext.attrObj, attrValNode_class, "editor session has correct reference to `class` attribute-value node in HTML panel"); + is(InspectorUI.editingContext.attrName, "class", "editor session knows correct attribute-name"); + + editorInput.value = "Hello World"; + editorInput.focus(); + + // hit to discard the inputted value + executeSoon(function() { + EventUtils.synthesizeKey("VK_ESCAPE", {}, attrValNode_class.ownerDocument.defaultView); + }); + + yield; // End of Step 4 + + + // Step 5: validate that the previous editing session discarded correctly, then open editor on `id` attribute value again + ok(!InspectorUI.editingContext, "Step 5: editor session ended"); + editorVisible = editor.classList.contains("editing"); + ok(!editorVisible, "editor popup hidden"); + is(div.getAttribute("class"), "barbaz", "`class` attribute-value *not* updated"); + is(attrValNode_class.innerHTML, "barbaz", "attribute-value node in HTML panel *not* updated"); + + // double-click the `id` attribute-value node to open the editor + executeSoon(function() { + // firing 2 clicks right in a row to simulate a double-click + EventUtils.synthesizeMouse(attrValNode_id, 2, 2, {clickCount: 2}, attrValNode_id.ownerDocument.defaultView); + }); + + yield; // End of Step 5 + + + // Step 6: validate that editor opened again, then test double-click inside of editor (should do nothing) + ok(InspectorUI.editingContext, "Step 6: editor session started"); + editorVisible = editor.classList.contains("editing"); + ok(editorVisible, "editor popup visible"); + + // double-click on the editor input box + executeSoon(function() { + // firing 2 clicks right in a row to simulate a double-click + EventUtils.synthesizeMouse(editorInput, 2, 2, {clickCount: 2}, editorInput.ownerDocument.defaultView); + + // since the previous double-click is supposed to do nothing, + // wait a brief moment, then move on to the next step + executeSoon(function() { + doNextStep(); + }); + }); + + yield; // End of Step 6 + + + // Step 7: validate that editing session is still correct, then enter a value and try a click + // outside of editor (should cancel the editing session) + ok(InspectorUI.editingContext, "Step 7: editor session still going"); + editorVisible = editor.classList.contains("editing"); + ok(editorVisible, "editor popup still visible"); + + editorInput.value = "all your base are belong to us"; + + // single-click the `class` attribute-value node + executeSoon(function() { + EventUtils.synthesizeMouse(attrValNode_class, 2, 2, {}, attrValNode_class.ownerDocument.defaultView); + }); + + yield; // End of Step 7 + + + // Step 8: validate that the editor was closed and that the editing was not saved + ok(!InspectorUI.editingContext, "Step 8: editor session ended"); + editorVisible = editor.classList.contains("editing"); + ok(!editorVisible, "editor popup hidden"); + is(div.getAttribute("id"), "Hello World", "`id` attribute-value *not* updated"); + is(attrValNode_id.innerHTML, "Hello World", "attribute-value node in HTML panel *not* updated"); + + // End of Step 8 + + // end of all steps, so clean up + Services.obs.removeObserver(doNextStep, INSPECTOR_NOTIFICATIONS.EDITOR_OPENED, false); + Services.obs.removeObserver(doNextStep, INSPECTOR_NOTIFICATIONS.EDITOR_CLOSED, false); + Services.obs.removeObserver(doNextStep, INSPECTOR_NOTIFICATIONS.EDITOR_SAVED, false); + + executeSoon(finishUp); +} + +function finishUp() { + doc = div = null; + InspectorUI.closeInspectorUI(); + gBrowser.removeCurrentTab(); + finish(); +} + +function test() +{ + waitForExplicitFinish(); + gBrowser.selectedTab = gBrowser.addTab(); + gBrowser.selectedBrowser.addEventListener("load", function() { + gBrowser.selectedBrowser.removeEventListener("load", arguments.callee, true); + doc = content.document; + waitForFocus(setupEditorTests, content); + }, true); + + content.location = "data:text/html,basic tests for html panel attribute-value editor"; +} + diff --git a/browser/base/content/test/inspector/browser_inspector_treePanel_result.html b/browser/base/content/test/inspector/browser_inspector_treePanel_result.html index 1156a1f251ed..9dcaf41e71ef 100644 --- a/browser/base/content/test/inspector/browser_inspector_treePanel_result.html +++ b/browser/base/content/test/inspector/browser_inspector_treePanel_result.html @@ -1,8 +1,8 @@ - \ No newline at end of file diff --git a/browser/base/content/test/tabview/Makefile.in b/browser/base/content/test/tabview/Makefile.in index b823ab23352a..e25825362bc1 100644 --- a/browser/base/content/test/tabview/Makefile.in +++ b/browser/base/content/test/tabview/Makefile.in @@ -111,6 +111,7 @@ _BROWSER_FILES = \ browser_tabview_bug625269.js \ browser_tabview_bug625424.js \ browser_tabview_bug626368.js \ + browser_tabview_bug626455.js \ browser_tabview_bug626525.js \ browser_tabview_bug626791.js \ browser_tabview_bug627239.js \ @@ -139,6 +140,7 @@ _BROWSER_FILES = \ browser_tabview_bug649006.js \ browser_tabview_bug649307.js \ browser_tabview_bug649319.js \ + browser_tabview_bug650280.js \ browser_tabview_bug650573.js \ browser_tabview_bug651311.js \ browser_tabview_bug654721.js \ diff --git a/browser/base/content/test/tabview/browser_tabview_alltabs.js b/browser/base/content/test/tabview/browser_tabview_alltabs.js index a4a627f30281..5d783219c8d1 100644 --- a/browser/base/content/test/tabview/browser_tabview_alltabs.js +++ b/browser/base/content/test/tabview/browser_tabview_alltabs.js @@ -1,15 +1,16 @@ /* Any copyright is dedicated to the Public Domain. http://creativecommons.org/publicdomain/zero/1.0/ */ -Cu.import("resource:///modules/tabview/AllTabs.jsm"); - function test() { waitForExplicitFinish(); + let AllTabs; let newTab = gBrowser.addTab(); // TabPinned - let pinned = function(tab) { + let pinned = function (event) { + let tab = event.target; + is(tab, newTab, "The tabs are the same after the tab is pinned"); ok(tab.pinned, "The tab gets pinned"); @@ -17,7 +18,9 @@ function test() { }; // TabUnpinned - let unpinned = function(tab) { + let unpinned = function (event) { + let tab = event.target; + AllTabs.unregister("pinned", pinned); AllTabs.unregister("unpinned", unpinned); @@ -26,13 +29,17 @@ function test() { // clean up and finish gBrowser.removeTab(tab); - finish(); + hideTabView(finish); }; - AllTabs.register("pinned", pinned); - AllTabs.register("unpinned", unpinned); + showTabView(function () { + AllTabs = TabView.getContentWindow().AllTabs; - ok(!newTab.pinned, "The tab is not pinned"); - gBrowser.pinTab(newTab); + AllTabs.register("pinned", pinned); + AllTabs.register("unpinned", unpinned); + + ok(!newTab.pinned, "The tab is not pinned"); + gBrowser.pinTab(newTab); + }); } diff --git a/browser/base/content/test/tabview/browser_tabview_bug597248.js b/browser/base/content/test/tabview/browser_tabview_bug597248.js index 1def8ee014d9..e106441d82c6 100644 --- a/browser/base/content/test/tabview/browser_tabview_bug597248.js +++ b/browser/base/content/test/tabview/browser_tabview_bug597248.js @@ -22,7 +22,7 @@ function setupOne(win) { afterAllTabsLoaded(function () setupTwo(win), win); } -let restoreWin; +let restoredWin; function setupTwo(win) { let contentWindow = win.TabView.getContentWindow(); diff --git a/browser/base/content/test/tabview/browser_tabview_bug597980.js b/browser/base/content/test/tabview/browser_tabview_bug597980.js index 7a828c9b5f9c..28be1ca8ea28 100644 --- a/browser/base/content/test/tabview/browser_tabview_bug597980.js +++ b/browser/base/content/test/tabview/browser_tabview_bug597980.js @@ -10,7 +10,7 @@ function test() { function part1(win) { registerCleanupFunction(function() win.close()); - let contentWindow = win.document.getElementById("tab-view").contentWindow; + let contentWindow = win.TabView.getContentWindow(); is(contentWindow.GroupItems.groupItems.length, 1, "Has only one group"); let originalTab = win.gBrowser.selectedTab; @@ -71,15 +71,12 @@ function part2(win) { // switch the selected tab to new tab win.gBrowser.selectedTab = newTab; - whenTabViewIsHidden(function () { - is(win.gBrowser.selectedTab, newTab, "The seleted tab should be the same as before (new tab)"); - win.close(); - finish(); - }); - - // show tabview - EventUtils.synthesizeKey("e", { accelKey: true, shiftKey: true }, win); - // hide tabview - EventUtils.synthesizeKey("e", { accelKey: true, shiftKey: true }, win); - }) + showTabView(function () { + hideTabView(function () { + is(win.gBrowser.selectedTab, newTab, + "The selected tab should be the same as before (new tab)"); + waitForFocus(finish); + }, win); + }, win); + }, win); } diff --git a/browser/base/content/test/tabview/browser_tabview_bug599626.js b/browser/base/content/test/tabview/browser_tabview_bug599626.js index 8699fcf94545..b1008cbe85de 100644 --- a/browser/base/content/test/tabview/browser_tabview_bug599626.js +++ b/browser/base/content/test/tabview/browser_tabview_bug599626.js @@ -21,9 +21,7 @@ function onTabViewShown() { function testStayOnPage(contentWindow, groupItemOne, groupItemTwo) { whenDialogOpened(function (dialog) { - groupItemTwo.addSubscriber("groupShown", function onShown() { - groupItemTwo.removeSubscriber("groupShown", onShown); - + executeSoon(function () { is(gBrowser.tabs.length, 2, "The total number of tab is 2 when staying on the page"); is(contentWindow.TabItems.getItems().length, 2, diff --git a/browser/base/content/test/tabview/browser_tabview_bug604098.js b/browser/base/content/test/tabview/browser_tabview_bug604098.js index 4ec5e1931258..2cc0717d4fe3 100644 --- a/browser/base/content/test/tabview/browser_tabview_bug604098.js +++ b/browser/base/content/test/tabview/browser_tabview_bug604098.js @@ -25,6 +25,7 @@ function test1() { is(groupItems.length, 1, "there is one groupItem"); whenTabViewIsHidden(function() { + gBrowser.selectedTab = gBrowser.tabs[0]; is(groupItems.length, 2, "there are two groupItems"); closeGroupItem(groupItems[1], finish); }); diff --git a/browser/base/content/test/tabview/browser_tabview_bug624953.js b/browser/base/content/test/tabview/browser_tabview_bug624953.js index 5a11cfc5a5e1..3e6fd2e1077c 100644 --- a/browser/base/content/test/tabview/browser_tabview_bug624953.js +++ b/browser/base/content/test/tabview/browser_tabview_bug624953.js @@ -18,6 +18,6 @@ function test() { cw.GroupItems.resumeArrange(); ok(groupItem.isStacked(), 'groupItem is now stacked'); - closeGroupItem(groupItem, finish); + closeGroupItem(groupItem, function () hideTabView(finish)); }); } diff --git a/browser/base/content/test/tabview/browser_tabview_bug625195.js b/browser/base/content/test/tabview/browser_tabview_bug625195.js index 1b87ef7e8dcd..657c48e1fd39 100644 --- a/browser/base/content/test/tabview/browser_tabview_bug625195.js +++ b/browser/base/content/test/tabview/browser_tabview_bug625195.js @@ -34,7 +34,7 @@ function test() { ok(!document.getElementById("context_openTabInWindow").disabled, "The 'Move to New Window' menu item is enabled"); let newTabTwo = gBrowser.selectedTab; - gBrowser.selected = originalTab; + gBrowser.selectedTab = originalTab; gBrowser.removeTab(newTabOne); gBrowser.removeTab(newTabTwo); diff --git a/browser/base/content/test/tabview/browser_tabview_bug626455.js b/browser/base/content/test/tabview/browser_tabview_bug626455.js new file mode 100644 index 000000000000..0b08374a7394 --- /dev/null +++ b/browser/base/content/test/tabview/browser_tabview_bug626455.js @@ -0,0 +1,127 @@ +/* + * Any copyright is dedicated to the Public Domain. + * http://creativecommons.org/publicdomain/zero/1.0/ + * + * Contributor(s): + * Mihai Sucan + * Raymond Lee + */ + +const TEST_URL = 'data:text/html,'; + +let contentWindow; +let activeGroup; + +function test() { + waitForExplicitFinish(); + + showTabView(function () { + contentWindow = TabView.getContentWindow(); + activeGroup = contentWindow.GroupItems.getActiveGroupItem(); + + gBrowser.browsers[0].contentWindow.location = + "data:text/html,

test for bug 626455, tab1"; + gBrowser.addTab(TEST_URL); + + afterAllTabsLoaded(testStayOnPage); + }); +} + +function testStayOnPage() { + whenDialogOpened(function (dialog) { + // stay on page + dialog.cancelDialog(); + + executeSoon(function () { + showTabView(function () { + is(gBrowser.tabs.length, 1, + "The total number of tab is 1 when staying on the page"); + + let location = gBrowser.browsers[0].contentWindow.location.toString(); + isnot(location.indexOf("onbeforeunload"), -1, + "The open tab is the expected one"); + + is(contentWindow.GroupItems.getActiveGroupItem(), activeGroup, + "Active group is still the same"); + + is(contentWindow.GroupItems.groupItems.length, 1, + "Only one group is open"); + + // start the next test + testLeavePage(); + }); + }); + }); + + closeGroupItem(activeGroup); +} + +function testLeavePage() { + let dialogsAccepted = 0; + + whenDialogOpened(function onDialogOpened(dialog) { + if (++dialogsAccepted < 3) + whenDialogOpened(onDialogOpened); + + // Leave page + dialog.acceptDialog(); + }); + + whenGroupClosed(activeGroup, finishTest); + closeGroupItem(activeGroup); +} + +function finishTest() { + is(gBrowser.tabs.length, 1, + "The total number of tab is 1 after leaving the page"); + is(contentWindow.TabItems.getItems().length, 1, + "The total number of tab items is 1 after leaving the page"); + + let location = gBrowser.browsers[0].contentWindow.location.toString(); + is(location, "about:blank", "The open tab is the expected one"); + + isnot(contentWindow.GroupItems.getActiveGroupItem(), activeGroup, + "Active group is no longer the same"); + + is(contentWindow.GroupItems.groupItems.length, 1, + "Only one group is open"); + + finish(); +} + +// ---------- +function whenGroupClosed(group, callback) { + group.addSubscriber("close", function onClose() { + group.removeSubscriber("close", onClose); + callback(); + }); +} + +// ---------- +function whenDialogOpened(callback) { + let wm = Cc["@mozilla.org/appshell/window-mediator;1"] + .getService(Ci.nsIWindowMediator); + + let listener = { + onCloseWindow: function () {}, + onWindowTitleChange: function () {}, + + onOpenWindow: function (xulWin) { + let domWin = xulWin.QueryInterface(Ci.nsIInterfaceRequestor) + .getInterface(Ci.nsIDOMWindow); + + whenWindowLoaded(domWin, function () { + let dialog = domWin.document.querySelector("dialog"); + if (dialog) { + wm.removeListener(listener); + callback(dialog); + } + }); + } + }; + + wm.addListener(listener); +} diff --git a/browser/base/content/test/tabview/browser_tabview_bug642793.js b/browser/base/content/test/tabview/browser_tabview_bug642793.js index bb8b1df20cf2..e8788819a4b8 100644 --- a/browser/base/content/test/tabview/browser_tabview_bug642793.js +++ b/browser/base/content/test/tabview/browser_tabview_bug642793.js @@ -15,7 +15,7 @@ function loadTabs (win) { function testTopOfStack(win) { registerCleanupFunction(function () { win.close(); }); let cw = win.TabView.getContentWindow(); - groupItem = cw.GroupItems.getActiveGroupItem(); + let groupItem = cw.GroupItems.getActiveGroupItem(); ok(!groupItem.isStacked(), 'groupItem is not stacked'); groupItem.setSize(150, 150); groupItem.setUserSize(); diff --git a/browser/base/content/test/tabview/browser_tabview_bug650280.js b/browser/base/content/test/tabview/browser_tabview_bug650280.js new file mode 100644 index 000000000000..0689738ca886 --- /dev/null +++ b/browser/base/content/test/tabview/browser_tabview_bug650280.js @@ -0,0 +1,67 @@ +/* Any copyright is dedicated to the Public Domain. + http://creativecommons.org/publicdomain/zero/1.0/ */ + +let pb = Cc["@mozilla.org/privatebrowsing;1"]. + getService(Ci.nsIPrivateBrowsingService); + +function test() { + let cw; + + registerCleanupFunction(function() { + if (cw) + cw.hideSearch(); + + TabView.hide(); + pb.privateBrowsingEnabled = false; + }); + + let enableSearch = function (callback) { + if (cw.isSearchEnabled()) { + callback(); + return; + } + + cw.addEventListener("tabviewsearchenabled", function onSearchEnabled() { + cw.removeEventListener("tabviewsearchenabled", onSearchEnabled, false); + executeSoon(callback); + }, false); + + cw.ensureSearchShown(); + }; + + let getSearchboxValue = function () { + return cw.iQ("#searchbox").val(); + }; + + let prepareSearchbox = function (callback) { + ok(!cw.isSearchEnabled(), "search is disabled"); + + enableSearch(function () { + cw.iQ("#searchbox").val("moz"); + callback(); + }); + }; + + let searchAndSwitchPBMode = function (callback) { + prepareSearchbox(function () { + togglePrivateBrowsing(function () { + showTabView(function () { + ok(!cw.isSearchEnabled(), "search is disabled"); + is(getSearchboxValue(), "", "search box is empty"); + callback(); + }); + }); + }); + }; + + waitForExplicitFinish(); + + showTabView(function () { + cw = TabView.getContentWindow(); + searchAndSwitchPBMode(function () { + searchAndSwitchPBMode(function () { + hideTabView(finish); + }); + }); + }); +} diff --git a/browser/base/content/test/tabview/browser_tabview_bug663421.js b/browser/base/content/test/tabview/browser_tabview_bug663421.js index 0e2c752938a1..365cbff8a73d 100644 --- a/browser/base/content/test/tabview/browser_tabview_bug663421.js +++ b/browser/base/content/test/tabview/browser_tabview_bug663421.js @@ -67,7 +67,7 @@ function test() { EventUtils.synthesizeMouse(target, 600, 5, {type: "mouseup"}, cw); checkNumberOfGroupItems(2); - next(); + closeGroupItem(cw.GroupItems.groupItems[1], next); }, win); } diff --git a/browser/base/content/test/tabview/browser_tabview_dragdrop.js b/browser/base/content/test/tabview/browser_tabview_dragdrop.js index 19ce8466d0dd..7d63501cabc3 100644 --- a/browser/base/content/test/tabview/browser_tabview_dragdrop.js +++ b/browser/base/content/test/tabview/browser_tabview_dragdrop.js @@ -3,49 +3,32 @@ function test() { waitForExplicitFinish(); - - window.addEventListener("tabviewshown", onTabViewWindowLoaded, false); - TabView.toggle(); + showTabView(onTabViewShown); } -function onTabViewWindowLoaded() { - window.removeEventListener("tabviewshown", onTabViewWindowLoaded, false); - +function onTabViewShown() { ok(TabView.isVisible(), "Tab View is visible"); - let contentWindow = document.getElementById("tab-view").contentWindow; + let contentWindow = TabView.getContentWindow(); let [originalTab] = gBrowser.visibleTabs; + let createGroupItem = function (left, top, width, height) { + let box = new contentWindow.Rect(left, top, width, height); + let groupItem = new contentWindow.GroupItem([], {bounds: box, immediately: true}); + + contentWindow.UI.setActive(groupItem); + gBrowser.loadOneTab("about:blank", {inBackground: true}); + + return groupItem; + }; + // create group one and two - let boxOne = new contentWindow.Rect(20, 20, 300, 300); - let groupOne = new contentWindow.GroupItem([], { bounds: boxOne }); - ok(groupOne.isEmpty(), "This group is empty"); + let groupOne = createGroupItem(20, 20, 300, 300); + let groupTwo = createGroupItem(20, 400, 300, 300); - let boxTwo = new contentWindow.Rect(20, 400, 300, 300); - let groupTwo = new contentWindow.GroupItem([], { bounds: boxTwo }); - - groupOne.addSubscriber("childAdded", function onChildAdded() { - groupOne.removeSubscriber("childAdded", onChildAdded); - groupTwo.newTab(); + waitForFocus(function () { + addTest(contentWindow, groupOne.id, groupTwo.id, originalTab); }); - - let count = 0; - let onTabViewShown = function() { - if (count == 2) { - window.removeEventListener("tabviewshown", onTabViewShown, false); - addTest(contentWindow, groupOne.id, groupTwo.id, originalTab); - } - }; - let onTabViewHidden = function() { - TabView.toggle(); - if (++count == 2) - window.removeEventListener("tabviewhidden", onTabViewHidden, false); - }; - window.addEventListener("tabviewshown", onTabViewShown, false); - window.addEventListener("tabviewhidden", onTabViewHidden, false); - - // open tab in group - groupOne.newTab(); } function addTest(contentWindow, groupOneId, groupTwoId, originalTab) { @@ -74,24 +57,13 @@ function addTest(contentWindow, groupOneId, groupTwoId, originalTab) { "The number of children in group one is decreased by 1"); is(groupTwo.getChildren().length, ++groupTwoTabItemCount, "The number of children in group two is increased by 1"); - - let onTabViewHidden = function() { - window.removeEventListener("tabviewhidden", onTabViewHidden, false); - groupTwo.closeAll(); - // close undo group - let closeButton = groupTwo.$undoContainer.find(".close"); - EventUtils.sendMouseEvent( - { type: "click" }, closeButton[0], contentWindow); - }; - groupTwo.addSubscriber("close", function onClose() { - groupTwo.removeSubscriber("close", onClose); - finish(); + + closeGroupItem(groupOne, function () { + closeGroupItem(groupTwo, function () hideTabView(finish)); }); - window.addEventListener("tabviewhidden", onTabViewHidden, false); - gBrowser.selectedTab = originalTab; } + groupTwo.addSubscriber("childAdded", endGame); - simulateDragDrop(tabItem.container, offsetX, offsetY, contentWindow); } diff --git a/browser/base/content/test/tabview/browser_tabview_launch.js b/browser/base/content/test/tabview/browser_tabview_launch.js index 03dddbcfcb45..d17b0de19b2c 100644 --- a/browser/base/content/test/tabview/browser_tabview_launch.js +++ b/browser/base/content/test/tabview/browser_tabview_launch.js @@ -1,15 +1,18 @@ /* Any copyright is dedicated to the Public Domain. http://creativecommons.org/publicdomain/zero/1.0/ */ -let timerId; let newWin; // ---------- function test() { waitForExplicitFinish(); - // launch tab view for the first time - newWindowWithTabView(function() {}, function(win) { + let panelSelected = false; + registerCleanupFunction(function () ok(panelSelected, "panel is selected")); + + let onLoad = function (win) { + registerCleanupFunction(function () win.close()); + newWin = win; let onSelect = function(event) { @@ -21,27 +24,26 @@ function test() { return; deck.removeEventListener("select", onSelect, true); - - whenTabViewIsShown(function() { - executeSoon(function() { - testMethodToHideAndShowTabView(function() { - newWin.document.getElementById("menu_tabview").doCommand(); - }, function() { - testMethodToHideAndShowTabView(function() { - EventUtils.synthesizeKey("e", { accelKey: true, shiftKey: true }, newWin); - }, finish); - }); - }); - }, win); + panelSelected = true; }; let deck = win.document.getElementById("tab-view-deck"); deck.addEventListener("select", onSelect, true); - }); + }; - registerCleanupFunction(function () { - newWin.close(); - }); + let onShow = function (win) { + executeSoon(function() { + testMethodToHideAndShowTabView(function() { + newWin.document.getElementById("menu_tabview").doCommand(); + }, function() { + testMethodToHideAndShowTabView(function() { + EventUtils.synthesizeKey("E", { accelKey: true, shiftKey: true }, newWin); + }, finish); + }); + }); + }; + + newWindowWithTabView(onShow, onLoad); } function testMethodToHideAndShowTabView(executeFunc, callback) { diff --git a/browser/base/content/test/test_contextmenu.html b/browser/base/content/test/test_contextmenu.html index cc43f1f0a021..b7b3e6586a42 100644 --- a/browser/base/content/test/test_contextmenu.html +++ b/browser/base/content/test/test_contextmenu.html @@ -49,9 +49,10 @@ function executeCopyCommand(command, expectedValue) is(input.value, expectedValue, "paste for command " + command); } -function invokeItemAction(ident) +function invokeItemAction(generatedItemId) { - var item = contextMenu.getElementsByAttribute("ident", ident)[0]; + var item = contextMenu.getElementsByAttribute("generateditemid", + generatedItemId)[0]; ok(item, "Got generated XUL menu item"); item.doCommand(); is(pagemenu.hasAttribute("hopeless"), false, "attribute got removed"); @@ -69,7 +70,7 @@ function getVisibleMenuItems(aMenu, aData) { if (key) key = key.toLowerCase(); - var isGenerated = item.hasAttribute("generated"); + var isGenerated = item.hasAttribute("generateditemid"); if (item.nodeName == "menuitem") { var isSpellSuggestion = item.className == "spell-suggestion"; diff --git a/browser/base/content/urlbarBindings.xml b/browser/base/content/urlbarBindings.xml index 2278e5f7b5c6..641e750a43b5 100644 --- a/browser/base/content/urlbarBindings.xml +++ b/browser/base/content/urlbarBindings.xml @@ -367,7 +367,7 @@ // Only add the suffix when the URL bar value isn't already "URL-like", // and only if we get a keyboard event, to match user expectations. - if (!/^\s*(www|https?)\b|\/\s*$/i.test(url) && + if (/^\s*[^.:\/\s]+(?:\/.*|\s*)$/i.test(url) && (aTriggeringEvent instanceof KeyEvent)) { #ifdef XP_MACOSX let accel = aTriggeringEvent.metaKey; @@ -402,24 +402,15 @@ // Tack www. and suffix on. If user has appended directories, insert // suffix before them (bug 279035). Be careful not to get two slashes. - // Also, don't add the suffix if it's in the original url (bug 233853). let firstSlash = url.indexOf("/"); - let existingSuffix = url.indexOf(suffix.substring(0, suffix.length - 1)); - - // * Logic for slash and existing suffix (example) - // No slash, no suffix: Add suffix (mozilla) - // No slash, yes suffix: Add slash (mozilla.com) - // Yes slash, no suffix: Insert suffix (mozilla/stuff) - // Yes slash, suffix before slash: Do nothing (mozilla.com/stuff) - // Yes slash, suffix after slash: Insert suffix (mozilla/?stuff=.com) if (firstSlash >= 0) { - if (existingSuffix == -1 || existingSuffix > firstSlash) - url = url.substring(0, firstSlash) + suffix + - url.substring(firstSlash + 1); - } else - url = url + (existingSuffix == -1 ? suffix : "/"); + url = url.substring(0, firstSlash) + suffix + + url.substring(firstSlash + 1); + } else { + url = url + suffix; + } url = "http://www." + url; } diff --git a/browser/base/jar.mn b/browser/base/jar.mn index 406bdc7e0173..9d287cf2ed0f 100644 --- a/browser/base/jar.mn +++ b/browser/base/jar.mn @@ -53,6 +53,7 @@ browser.jar: content/browser/tabview.css (content/tabview/tabview.css) * content/browser/tabview.js (content/tabview/tabview.js) content/browser/tabview.html (content/tabview/tabview.html) + content/browser/tabview-content.js (content/tabview/content.js) * content/browser/urlbarBindings.xml (content/urlbarBindings.xml) * content/browser/utilityOverlay.js (content/utilityOverlay.js) * content/browser/web-panels.js (content/web-panels.js) diff --git a/browser/components/build/nsModule.cpp b/browser/components/build/nsModule.cpp index 4a557e612a8c..5dd5efc68d1f 100644 --- a/browser/components/build/nsModule.cpp +++ b/browser/components/build/nsModule.cpp @@ -53,7 +53,6 @@ #if !defined(XP_OS2) #include "nsOperaProfileMigrator.h" #endif -#include "nsSeamonkeyProfileMigrator.h" #if defined(XP_WIN) && !defined(__MINGW32__) #include "nsIEProfileMigrator.h" #elif defined(XP_MACOSX) @@ -85,7 +84,6 @@ NS_GENERIC_FACTORY_CONSTRUCTOR_INIT(nsGNOMEShellService, Init) NS_GENERIC_FACTORY_CONSTRUCTOR(nsOperaProfileMigrator) #endif NS_GENERIC_FACTORY_CONSTRUCTOR(nsProfileMigrator) -NS_GENERIC_FACTORY_CONSTRUCTOR(nsSeamonkeyProfileMigrator) #if defined(XP_WIN) && !defined(__MINGW32__) NS_GENERIC_FACTORY_CONSTRUCTOR(nsIEProfileMigrator) #elif defined(XP_MACOSX) @@ -114,7 +112,6 @@ NS_DEFINE_NAMED_CID(NS_SAFARIPROFILEMIGRATOR_CID); #if !defined(XP_OS2) NS_DEFINE_NAMED_CID(NS_OPERAPROFILEMIGRATOR_CID); #endif -NS_DEFINE_NAMED_CID(NS_SEAMONKEYPROFILEMIGRATOR_CID); NS_DEFINE_NAMED_CID(NS_PRIVATE_BROWSING_SERVICE_WRAPPER_CID); static const mozilla::Module::CIDEntry kBrowserCIDs[] = { @@ -136,7 +133,6 @@ static const mozilla::Module::CIDEntry kBrowserCIDs[] = { #if !defined(XP_OS2) { &kNS_OPERAPROFILEMIGRATOR_CID, false, NULL, nsOperaProfileMigratorConstructor }, #endif - { &kNS_SEAMONKEYPROFILEMIGRATOR_CID, false, NULL, nsSeamonkeyProfileMigratorConstructor }, { &kNS_PRIVATE_BROWSING_SERVICE_WRAPPER_CID, false, NULL, nsPrivateBrowsingServiceWrapperConstructor }, { NULL } }; @@ -173,7 +169,6 @@ static const mozilla::Module::ContractIDEntry kBrowserContracts[] = { #if !defined(XP_OS2) { NS_BROWSERPROFILEMIGRATOR_CONTRACTID_PREFIX "opera", &kNS_OPERAPROFILEMIGRATOR_CID }, #endif - { NS_BROWSERPROFILEMIGRATOR_CONTRACTID_PREFIX "seamonkey", &kNS_SEAMONKEYPROFILEMIGRATOR_CID }, { NS_PRIVATE_BROWSING_SERVICE_CONTRACTID, &kNS_PRIVATE_BROWSING_SERVICE_WRAPPER_CID }, { NULL } }; diff --git a/browser/components/feeds/src/FeedWriter.js b/browser/components/feeds/src/FeedWriter.js index 4f4040cad5ea..e858fa09eabd 100644 --- a/browser/components/feeds/src/FeedWriter.js +++ b/browser/components/feeds/src/FeedWriter.js @@ -256,7 +256,8 @@ FeedWriter.prototype = { __contentSandbox: null, get _contentSandbox() { if (!this.__contentSandbox) - this.__contentSandbox = new Cu.Sandbox(this._window); + this.__contentSandbox = new Cu.Sandbox(this._window, + {sandboxName: 'FeedWriter'}); return this.__contentSandbox; }, diff --git a/browser/components/migration/content/migration.js b/browser/components/migration/content/migration.js index 34688b7c81ca..30f86d0fe9ad 100644 --- a/browser/components/migration/content/migration.js +++ b/browser/components/migration/content/migration.js @@ -340,9 +340,6 @@ var MigrationWizard = { case "safari": source = "sourceNameSafari"; break; - case "seamonkey": - source = "sourceNameSeamonkey"; - break; } // semi-wallpaper for crash when multiple profiles exist, since we haven't initialized mSourceProfile in places diff --git a/browser/components/migration/content/migration.xul b/browser/components/migration/content/migration.xul index 7ec730cc0028..91b0fdc3bbfb 100644 --- a/browser/components/migration/content/migration.xul +++ b/browser/components/migration/content/migration.xul @@ -70,19 +70,14 @@ browser/components/migration/src/nsProfileMigrator.cpp --> #ifdef XP_MACOSX - #elifdef XP_UNIX - #elifdef XP_WIN #ifndef NO_IE_MIGRATOR #endif - -#else - #endif

bug 660784 - test the SourceEditor"; - + testWin = Services.ww.openWindow(null, windowUrl, "_blank", windowFeatures, null); + testWin.addEventListener("load", function onWindowLoad() { + testWin.removeEventListener("load", onWindowLoad, false); + waitForFocus(initEditor, testWin); + }, false); } function initEditor() { - testWin.removeEventListener("load", initEditor, false); testDoc = testWin.document; let hbox = testDoc.querySelector("hbox"); @@ -327,10 +321,7 @@ function editorLoaded() testWin = testDoc = editor = null; - waitForFocus(function() { - gBrowser.removeCurrentTab(); - finish(); - }, content); + waitForFocus(finish, window); } function testBackspaceKey() diff --git a/browser/devtools/webconsole/HUDService.jsm b/browser/devtools/webconsole/HUDService.jsm index edb27ca053bd..581ed2b22b27 100644 --- a/browser/devtools/webconsole/HUDService.jsm +++ b/browser/devtools/webconsole/HUDService.jsm @@ -2708,6 +2708,12 @@ HUD_SERVICE.prototype = let _browser = gBrowser. getBrowserForDocument(aContentWindow.top.document); + + // ignore newly created documents that don't belong to a tab's browser + if (!_browser) { + return; + } + let nBox = gBrowser.getNotificationBox(_browser); let nBoxId = nBox.getAttribute("id"); let hudId = "hud_" + nBoxId; diff --git a/browser/devtools/webconsole/test/browser/Makefile.in b/browser/devtools/webconsole/test/browser/Makefile.in index a65596ac6663..edad7719b014 100644 --- a/browser/devtools/webconsole/test/browser/Makefile.in +++ b/browser/devtools/webconsole/test/browser/Makefile.in @@ -144,6 +144,7 @@ _BROWSER_TEST_FILES = \ browser_webconsole_bug_651501_document_body_autocomplete.js \ browser_webconsole_bug_653531_highlighter_console_helper.js \ browser_webconsole_bug_659907_console_dir.js \ + browser_webconsole_bug_678816.js \ head.js \ $(NULL) @@ -212,6 +213,7 @@ _BROWSER_TEST_PAGES = \ test-bug-644419-log-limits.html \ test-bug-632275-getters.html \ test-bug-646025-console-file-location.html \ + test-bug-678816-content.js \ test-file-location.js \ $(NULL) diff --git a/browser/devtools/webconsole/test/browser/browser_webconsole_bug_678816.js b/browser/devtools/webconsole/test/browser/browser_webconsole_bug_678816.js new file mode 100644 index 000000000000..8f8008491419 --- /dev/null +++ b/browser/devtools/webconsole/test/browser/browser_webconsole_bug_678816.js @@ -0,0 +1,62 @@ +/* Any copyright is dedicated to the Public Domain. + http://creativecommons.org/publicdomain/zero/1.0/ */ + +const TEST_URI = "http://example.com/browser/browser/devtools/webconsole/test/browser/test-console.html"; +const FRAME_SCRIPT_URI ="chrome://mochitests/content/browser/browser/devtools/webconsole/test/browser/test-bug-678816-content.js"; + +let HUD; +let outputItem; + +function tabLoad1(aEvent) { + browser.removeEventListener(aEvent.type, arguments.callee, true); + + openConsole(); + HUD = HUDService.getHudByWindow(content); + + browser.addEventListener("load", tabLoad2, true); + + // Reload so we get some output in the console. + browser.contentWindow.location.reload(); +} + +function tabLoad2(aEvent) { + browser.removeEventListener(aEvent.type, tabLoad2, true); + + outputItem = HUD.outputNode.querySelector(".hud-networkinfo .hud-clickable"); + ok(outputItem, "found a network message"); + document.addEventListener("popupshown", networkPanelShown, false); + + // Click the network message to open the network panel. + EventUtils.synthesizeMouseAtCenter(outputItem, {}); +} + +function networkPanelShown(aEvent) { + document.removeEventListener(aEvent.type, networkPanelShown, false); + + executeSoon(function() { + aEvent.target.addEventListener("popuphidden", networkPanelHidden, false); + aEvent.target.hidePopup(); + }); +} + +function networkPanelHidden(aEvent) { + this.removeEventListener(aEvent.type, networkPanelHidden, false); + + is(HUD.contentWindow, browser.contentWindow, + "console has not been re-attached to the wrong window"); + + finishTest(); +} + +function test() { + messageManager.loadFrameScript(FRAME_SCRIPT_URI, true); + + registerCleanupFunction(function () { + // There's no way to unload a frameScript so send a kill signal to + // unregister the frame script's webProgressListener + messageManager.sendAsyncMessage("bug-678816-kill-webProgressListener"); + }); + + addTab(TEST_URI); + browser.addEventListener("load", tabLoad1, true); +} diff --git a/browser/devtools/webconsole/test/browser/test-bug-678816-content.js b/browser/devtools/webconsole/test/browser/test-bug-678816-content.js new file mode 100644 index 000000000000..e4f0d28deec2 --- /dev/null +++ b/browser/devtools/webconsole/test/browser/test-bug-678816-content.js @@ -0,0 +1,28 @@ +(function () { + let ifaceReq = docShell.QueryInterface(Ci.nsIInterfaceRequestor); + let webProgress = ifaceReq.getInterface(Ci.nsIWebProgress); + + let WebProgressListener = { + onStateChange: function WebProgressListener_onStateChange( + webProgress, request, flag, status) { + + if (flag & Ci.nsIWebProgressListener.STATE_START && + flag & Ci.nsIWebProgressListener.STATE_IS_WINDOW) { + // ensure the dom window is the top one + return (webProgress.DOMWindow.parent == webProgress.DOMWindow); + } + }, + + // ---------- + // Implements progress listener interface. + QueryInterface: XPCOMUtils.generateQI([Ci.nsIWebProgressListener, + Ci.nsISupportsWeakReference]) + }; + + // add web progress listener + webProgress.addProgressListener(WebProgressListener, Ci.nsIWebProgress.NOTIFY_STATE_ALL); + + addMessageListener("bug-678816-kill-webProgressListener", function () { + webProgress.removeProgressListener(WebProgressListener); + }); +})(); diff --git a/browser/locales/en-US/chrome/browser/places/places.properties b/browser/locales/en-US/chrome/browser/places/places.properties index cafcd4e5ad34..3bdcb6005e3f 100644 --- a/browser/locales/en-US/chrome/browser/places/places.properties +++ b/browser/locales/en-US/chrome/browser/places/places.properties @@ -42,6 +42,7 @@ view.sortBy.tags.accesskey=T searchBookmarks=Search Bookmarks searchHistory=Search History +searchDownloads=Search Downloads searchCurrentDefault=Search in '%S' findInPrefix=Find in '%S'… diff --git a/browser/themes/gnomestripe/browser/inspector.css b/browser/themes/gnomestripe/browser/inspector.css index 1bcb4e810f7b..a6402f775a0c 100644 --- a/browser/themes/gnomestripe/browser/inspector.css +++ b/browser/themes/gnomestripe/browser/inspector.css @@ -375,3 +375,26 @@ code { .nodeBox.highlighted > .nodeLabel { border-color: #3875d7 !important; } + +.editingAttributeValue { + background-color: #492; +} + +#attribute-editor { + visibility: hidden; + position: absolute; + z-index: 5000; + background-color: #fff; + border: 1px solid #000; +} + +#attribute-editor.editing { + visibility: visible; +} + +#attribute-editor-input { + border: none; + padding: 2px 5px; + font-family: Menlo, Andale Mono, monospace; + font-size: 11px; +} diff --git a/browser/themes/pinstripe/browser/inspector.css b/browser/themes/pinstripe/browser/inspector.css index b8477d2735a8..88594a9129da 100644 --- a/browser/themes/pinstripe/browser/inspector.css +++ b/browser/themes/pinstripe/browser/inspector.css @@ -363,3 +363,26 @@ code { .nodeBox.highlighted > .nodeLabel { border-color: #3875d7 !important; } + +.editingAttributeValue { + background-color: #492; +} + +#attribute-editor { + visibility: hidden; + position: absolute; + z-index: 5000; + background-color: #fff; + border: 1px solid #000; +} + +#attribute-editor.editing { + visibility: visible; +} + +#attribute-editor-input { + border: none; + padding: 2px 5px; + font-family: Menlo, Andale Mono, monospace; + font-size: 11px; +} diff --git a/browser/themes/winstripe/browser/inspector.css b/browser/themes/winstripe/browser/inspector.css index f27c1aee7477..2e87e93bc5e9 100644 --- a/browser/themes/winstripe/browser/inspector.css +++ b/browser/themes/winstripe/browser/inspector.css @@ -348,3 +348,25 @@ code { background-image: url("chrome://global/skin/tree/twisty-open.png") !important; } +.editingAttributeValue { + background-color: #492; +} + +#attribute-editor { + visibility: hidden; + position: absolute; + z-index: 5000; + background-color: #fff; + border: 1px solid #000; +} + +#attribute-editor.editing { + visibility: visible; +} + +#attribute-editor-input { + border: none; + padding: 2px 5px; + font-family: Menlo, Andale Mono, monospace; + font-size: 11px; +} diff --git a/build/mobile/devicemanagerADB.py b/build/mobile/devicemanagerADB.py index 819bdec99172..f98fcbd4bc45 100644 --- a/build/mobile/devicemanagerADB.py +++ b/build/mobile/devicemanagerADB.py @@ -5,12 +5,17 @@ import os class DeviceManagerADB(DeviceManager): - def __init__(self, host = None, port = 20701, retrylimit = 5, packageName = "org.mozilla.fennec_unofficial"): + def __init__(self, host = None, port = 20701, retrylimit = 5, packageName = None): self.host = host self.port = port self.retrylimit = retrylimit self.retries = 0 self._sock = None + if packageName == None: + if os.getenv('USER'): + packageName = 'org.mozilla.fennec_' + os.getenv('USER') + else: + packageName = 'org.mozilla.fennec_' self.Init(packageName) def Init(self, packageName): @@ -27,7 +32,11 @@ class DeviceManagerADB(DeviceManager): self.tmpDir = None try: # a test to see if we have root privs - self.checkCmd(["shell", "ls", "/sbin"]) + files = self.listFiles("/data/data") + if (len(files) == 1): + if (files[0].find("Permission denied") != -1): + print "NOT running as root" + raise Exception("not running as root") except: try: self.checkCmd(["root"]) @@ -98,7 +107,7 @@ class DeviceManagerADB(DeviceManager): try: if (not self.dirExists(remoteDir)): self.mkDirs(remoteDir+"/x") - for root, dirs, files in os.walk(localDir): + for root, dirs, files in os.walk(localDir, followlinks='true'): relRoot = os.path.relpath(root, localDir) for file in files: localFile = os.path.join(root, file) @@ -134,8 +143,12 @@ class DeviceManagerADB(DeviceManager): # success: True # failure: False def fileExists(self, filepath): - self.checkCmd(["shell", "ls", filepath]) - return True + p = self.runCmd(["shell", "ls", "-a", filepath]) + data = p.stdout.readlines() + if (len(data) == 1): + if (data[0].rstrip() == filepath): + return True + return False def removeFile(self, filename): return self.runCmd(["shell", "rm", filename]).stdout.read() @@ -381,18 +394,11 @@ class DeviceManagerADB(DeviceManager): return devroot + '/fennec' elif (self.dirExists(devroot + '/firefox')): return devroot + '/firefox' - elif (self.dirExists('/data/data/org.mozilla.fennec')): - return '/data/data/org.mozilla.fennec' - elif (self.dirExists('/data/data/org.mozilla.firefox')): - return '/data/data/org.mozilla.firefox' - elif (self.dirExists('/data/data/org.mozilla.fennec_unofficial')): - return '/data/data/org.mozilla.fennec_unofficial' - elif (self.dirExists('/data/data/org.mozilla.fennec_aurora')): - return '/data/data/org.mozilla.fennec_aurora' - elif (self.dirExists('/data/data/org.mozilla.firefox_beta')): - return '/data/data/org.mozilla.firefox_beta' + elif (self.packageName and self.dirExists('/data/data/' + self.packageName)): + return '/data/data/' + self.packageName # Failure (either not installed or not a recognized platform) + print "devicemanagerADB: getAppRoot failed" return None # Gets the directory location on the device for a specific test type diff --git a/build/mobile/sutagent/android/watcher/WatcherService.java b/build/mobile/sutagent/android/watcher/WatcherService.java index 2eac1b7a01c9..2b1e4c8695ac 100644 --- a/build/mobile/sutagent/android/watcher/WatcherService.java +++ b/build/mobile/sutagent/android/watcher/WatcherService.java @@ -107,7 +107,6 @@ public class WatcherService extends Service private IWatcherService.Stub stub = new IWatcherService.Stub() { - @Override public int UpdateApplication(String sAppName, String sFileName, String sOutFile, int bReboot) throws RemoteException { return UpdtApp(sAppName, sFileName, sOutFile, bReboot); @@ -874,7 +873,6 @@ public class WatcherService extends Service runner.start(); } - @Override public void run() { bInstalling = true; UpdtApp(msPkgName, msPkgFileName, msOutFile, mbReboot); diff --git a/caps/src/nsScriptSecurityManager.cpp b/caps/src/nsScriptSecurityManager.cpp index 423b23590955..4c0e084801e6 100644 --- a/caps/src/nsScriptSecurityManager.cpp +++ b/caps/src/nsScriptSecurityManager.cpp @@ -1737,7 +1737,8 @@ nsScriptSecurityManager::CheckFunctionAccess(JSContext *aCx, void *aFunObj, { #ifdef DEBUG { - JSFunction *fun = GET_FUNCTION_PRIVATE(cx, (JSObject *)aFunObj); + JS_ASSERT(JS_ObjectIsFunction(aCx, (JSObject *)aFunObj)); + JSFunction *fun = (JSFunction *)JS_GetPrivate(aCx, (JSObject *)aFunObj); JSScript *script = JS_GetFunctionScript(aCx, fun); NS_ASSERTION(!script, "Null principal for non-native function!"); @@ -2218,7 +2219,7 @@ nsScriptSecurityManager::GetFunctionObjectPrincipal(JSContext *cx, return result; } - JSFunction *fun = GET_FUNCTION_PRIVATE(cx, obj); + JSFunction *fun = (JSFunction *)JS_GetPrivate(cx, obj); JSScript *script = JS_GetFunctionScript(cx, fun); if (!script) @@ -2284,7 +2285,7 @@ nsScriptSecurityManager::GetFramePrincipal(JSContext *cx, #ifdef DEBUG if (NS_SUCCEEDED(*rv) && !result) { - JSFunction *fun = GET_FUNCTION_PRIVATE(cx, obj); + JSFunction *fun = (JSFunction *)JS_GetPrivate(cx, obj); JSScript *script = JS_GetFunctionScript(cx, fun); NS_ASSERTION(!script, "Null principal for non-native function!"); diff --git a/client.mk b/client.mk index 0e22371c63b5..ad6f4b09a1e5 100644 --- a/client.mk +++ b/client.mk @@ -212,6 +212,7 @@ profiledbuild:: $(MAKE) -f $(TOPSRCDIR)/client.mk realbuild MOZ_PROFILE_GENERATE=1 $(MAKE) -C $(PGO_OBJDIR) package OBJDIR=${PGO_OBJDIR} JARLOG_DIR=${PGO_OBJDIR}/jarlog/en-US $(PROFILE_GEN_SCRIPT) + $(MAKE) -f $(TOPSRCDIR)/client.mk maybe_clobber_profiledbuild $(MAKE) -f $(TOPSRCDIR)/client.mk realbuild MOZ_PROFILE_USE=1 ##################################################### @@ -253,7 +254,7 @@ endif # loop through them. ifeq (,$(MOZ_CURRENT_PROJECT)$(if $(MOZ_BUILD_PROJECTS),,1)) -configure depend realbuild install export libs clean realclean distclean alldep preflight postflight upload sdk:: +configure depend realbuild install export libs clean realclean distclean alldep preflight postflight maybe_clobber_profiledbuild upload sdk:: set -e; \ for app in $(MOZ_BUILD_PROJECTS); do \ $(MAKE) -f $(TOPSRCDIR)/client.mk $@ MOZ_CURRENT_PROJECT=$$app; \ @@ -353,7 +354,7 @@ realbuild:: $(OBJDIR)/Makefile $(OBJDIR)/config.status # Other targets # Pass these target onto the real build system -install export libs clean realclean distclean alldep upload sdk:: $(OBJDIR)/Makefile $(OBJDIR)/config.status +install export libs clean realclean distclean alldep maybe_clobber_profiledbuild upload sdk:: $(OBJDIR)/Makefile $(OBJDIR)/config.status $(MOZ_MAKE) $@ #################################### @@ -412,4 +413,4 @@ echo-variable-%: # in parallel. .NOTPARALLEL: -.PHONY: checkout real_checkout depend realbuild build profiledbuild export libs alldep install clean realclean distclean cleansrcdir pull_all build_all clobber clobber_all pull_and_build_all everything configure preflight_all preflight postflight postflight_all upload sdk +.PHONY: checkout real_checkout depend realbuild build profiledbuild maybe_clobber_profiledbuild export libs alldep install clean realclean distclean cleansrcdir pull_all build_all clobber clobber_all pull_and_build_all everything configure preflight_all preflight postflight postflight_all upload sdk diff --git a/config/autoconf.mk.in b/config/autoconf.mk.in index 6c94cda7cc92..9a2e4c88f3cb 100644 --- a/config/autoconf.mk.in +++ b/config/autoconf.mk.in @@ -223,7 +223,6 @@ MOZ_XUL = @MOZ_XUL@ MOZ_RDF = @MOZ_RDF@ NECKO_PROTOCOLS = @NECKO_PROTOCOLS@ -NECKO_DISK_CACHE = @NECKO_DISK_CACHE@ NECKO_COOKIES = @NECKO_COOKIES@ NECKO_WIFI = @NECKO_WIFI@ MOZ_AUTH_EXTENSION = @MOZ_AUTH_EXTENSION@ diff --git a/config/gtscc.c b/config/gtscc.c deleted file mode 100644 index 638d7d6ee7f5..000000000000 --- a/config/gtscc.c +++ /dev/null @@ -1,2809 +0,0 @@ -/* -*- Mode: C; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ -/* ***** BEGIN LICENSE BLOCK ***** - * Version: MPL 1.1/GPL 2.0/LGPL 2.1 - * - * The contents of this file are subject to the Mozilla Public License Version - * 1.1 (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * http://www.mozilla.org/MPL/ - * - * Software distributed under the License is distributed on an "AS IS" basis, - * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License - * for the specific language governing rights and limitations under the - * License. - * - * The Original Code is mozilla.org code. - * - * The Initial Developer of the Original Code is - * Netscape Communications Corporation. - * Portions created by the Initial Developer are Copyright (C) 1998 - * the Initial Developer. All Rights Reserved. - * - * Contributor(s): - * - * Alternatively, the contents of this file may be used under the terms of - * either of the GNU General Public License Version 2 or later (the "GPL"), - * or the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), - * in which case the provisions of the GPL or the LGPL are applicable instead - * of those above. If you wish to allow use of your version of this file only - * under the terms of either the GPL or the LGPL, and not to allow others to - * use your version of this file under the terms of the MPL, indicate your - * decision by deleting the provisions above and replace them with the notice - * and other provisions required by the GPL or the LGPL. If you do not delete - * the provisions above, a recipient may use your version of this file under - * the terms of any one of the MPL, the GPL or the LGPL. - * - * ***** END LICENSE BLOCK ***** */ -/* */ -/* - *-------------------------------------------------------------------------- - * - * - * - *-------------------------------------------------------------------------- - * - * gtscc - Global To Static C/C++ compiler driver. - * - * Syntax: - * - * gtscc [options] -c file.cpp ... - * gtscc [options] file.o ... libxx.a ... - * - * gtscc is a compiler and linker driver/wrapper for Irix only. - * gtscc takes all compiler options and passes them onto the Irix - * cc/CC compiler/linker. - * Typically, gtscc is used in two phases. Phase one is during compilation. - * gtscc, the compiler, converts all inline globals to statics, and records - * the existence of other globals and how to compile the file in the gtscc - * database file. - * During linking, globals dependencies are analyzed, and a list of - * "convertable" globals is determined. Globals that are not referenced - * globally, but are referenced locally are considered convertable. - * The linker then recompiles the files that those symbols are in, and - * converts them to statics. It also calls the archiver to install - * the converted objects into libraries. - * Finally the linker is called. - * - * Created: David Williams, djw@netscape.com, 13-Feb-1997 - * - *-------------------------------------------------------------------------- - */ -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#if defined(LINUX) && defined(__GLIBC__) -#include -#else -#include -#endif - -#include -#include -#include - -#define DEFAULT_MAX_GLOBALS 15500 - -#define ELFSYM_IS_DEFINED(x) ((x).st_shndx != SHN_UNDEF) -#define ELFSYM_IS_UNDEFINED(x) ((x).st_shndx == SHN_UNDEF) - -#ifdef IRIX -#define CC_COMMAND "cc" -#define CCC_COMMAND "CC" -#define AS_COMMAND "cc" -#define LD_COMMAND "CC" -#define AR_COMMAND "ar" -#define AR_OPTIONS "cr" -#else -#define HANDLES_DASHSO -#define CC_COMMAND "gcc" -#define CCC_COMMAND "g++" -#define AS_COMMAND "gcc" -#define LD_COMMAND "g++" -#define AR_COMMAND "ar" -#define AR_OPTIONS "cr" -#endif - -#define EH_NEW(type) (type*)malloc(sizeof(type)) - -#define TRUE 1 -#define FALSE 0 - -#define EH_TAG_FILE 'F' -#define EH_TAG_GLOBAL 'G' -#define EH_TAG_ZAPPED 'Z' -#define EH_TAG_INLINE 'I' -#define EH_TAG_UNDEFINED 'U' - -#define VERBOSITY_USER(x) ((x) > 0) -#define VERBOSITY_DEBUG(x) ((x) > 1) -#define VERBOSITY_MAJOR(x) ((x) > 2) - -static char eh_unnamed_object[] = ""; - -typedef struct { - char* name; /* archive */ -} EhArchive; - -typedef struct { - char* name; /* name of C/C++ file, relative to rootdir */ - char* directory;/* must compile in this directory */ - char** cc_args; /* cc -I ..... */ - char* as_savefile; - time_t compile_time; - char* target_object; -} EhSource; - -typedef struct EhObject { - struct EhObject* _recompile; /* used for recompilation link list */ - unsigned _needs_unzap; - char* name; /* name of .o */ - EhArchive* archive; /* it is stored in */ - EhSource* source; - char* pathname; - unsigned nusers; -} EhObject; - -typedef enum { - EH_SYM_UNDEFINED, - EH_SYM_DEFINED, - EH_SYM_ZAPPED, - EH_SYM_INLINE /* are treated special - they belong to no file */ -} EhSymState; - -typedef struct EhSym { - struct EhSym* _next; /* used for link list */ - char* name; /* name of symbol */ - EhObject* object; /* if symbol is undefined == NULL */ - unsigned ngusers; /* number of global users */ - unsigned nlusers; /* number of local file users */ - -#if 0 - unsigned section; /* section in elf file */ - unsigned index; /* index into symbol table */ - unsigned char info; - unsigned dirty; -#endif - EhSymState state; -} EhSym; - -#define EHSYM_ISDEFINED(x) ((x)->object!=NULL && (x)->state==EH_SYM_DEFINED) -#define EHSYM_ISZAPPED(x) ((x)->object!=NULL && (x)->state==EH_SYM_ZAPPED) -#define EHSYM_ISUNDEFINED(x) ((x)->object == NULL) -#define EHSYM_ISUSED(x) ((x)->nusers != 0) -#define EHSYM_ISINLINE(x) ((x)->state == EH_SYM_INLINE) - -#define EH_OBJECT_CANBUILD(x) \ -((x)->source != NULL && (x)->name != eh_unnamed_object) - -#define USE_HASHING - -typedef struct { -#ifdef USE_HASHING - EhSym** heads; - unsigned size; -#else - EhSym* head; -#endif - unsigned nentries; -} EhSymTable; - -static char* -make_relative_pathname(char* buf, char* filename, char* rootdir) -{ - char buf1[MAXPATHLEN]; - char buf2[MAXPATHLEN]; - char* p; - char* q; - - if (rootdir == NULL) { - strcpy(buf, filename); - return filename; - } - - if (filename[0] != '/') { - if (getcwd(buf2, sizeof(buf2)) == NULL) { - fprintf(stderr, "cannot get pwd\n"); - return NULL; - } - - strcat(buf2, "/"); - strcat(buf2, filename); - - filename = buf2; - } - - if (realpath(filename, buf1) == NULL) { - fprintf(stderr, "realpath(%s,..) failed\n", filename); - return NULL; - } - - if (realpath(rootdir, buf2) == NULL) { - fprintf(stderr, "realpath(%s,..) failed\n", rootdir); - return NULL; - } - - strcat(buf2, "/"); - - for (p = buf1, q = buf2; *p == *q; p++, q++) - ; - - strcpy(buf, p); - - return buf; -} - -static EhArchive* -EhArchiveNew(char* name, char* rootdir) -{ - EhArchive* archive = EH_NEW(EhArchive); - char pathbuf[MAXPATHLEN]; - - make_relative_pathname(pathbuf, name, rootdir); - - archive->name = strdup(pathbuf); - - return archive; -} - -#if 0 -/* - * This is evil, we should never free anything, because it messes up - * interning. - */ -static void -EhSourceDelete(EhSource* source) -{ - unsigned n; - if (source->name != NULL) - free(source->name); - if (source->directory != NULL) - free(source->directory); - if (source->cc_args != NULL) { - for (n = 0; source->cc_args[n] != NULL; n++) - free(source->cc_args[n]); - free(source->cc_args); - } - if (source->as_savefile != NULL) - free(source->as_savefile); -} -#endif - -static EhSource* -EhSourceNew(char* name, char** cc_args, char* directory) -{ - EhSource* source = EH_NEW(EhSource); - unsigned n; - unsigned m; - - source->name = strdup(name); - source->directory = (directory != NULL)? strdup(directory): NULL; - source->as_savefile = NULL; - source->compile_time = 0; - source->target_object = NULL; - source->cc_args = NULL; - - if (cc_args != NULL) { - - for (n = 0; cc_args[n] != NULL; n++) - ; - - source->cc_args = (char**)malloc(sizeof(char*) * (n+1)); - - for (m = 0, n = 0; cc_args[n] != NULL;) { - if (strcmp(cc_args[n], "-o") == 0 && cc_args[n+1] != NULL) { - source->target_object = strdup(cc_args[n+1]); - n += 2; - } else { - source->cc_args[m++] = strdup(cc_args[n++]); - } - } - - source->cc_args[m] = NULL; - } - - return source; -} - -static EhObject* -EhObjectNewArchiveObject(EhArchive* archive, char* name) -{ - EhObject* object = EH_NEW(EhObject); - - if (name == eh_unnamed_object) - object->name = name; - else - object->name = strdup(name); - object->archive = archive; - object->source = NULL; - object->_recompile = NULL; - object->_needs_unzap = 0; - object->pathname = NULL; - object->nusers = 0; - - return object; -} - -static EhObject* -EhObjectNew(char* name, char* rootdir) -{ - EhObject* object = EhObjectNewArchiveObject(NULL, name); - char pathname[MAXPATHLEN]; - - make_relative_pathname(pathname, name, rootdir); - object->pathname = strdup(pathname); - - return object; -} - -static EhObject* -EhObjectNewFromSource(EhSource* source) -{ - EhObject* object = EhObjectNewArchiveObject(NULL, eh_unnamed_object); - - object->source = source; - - return object; -} - -static char* -EhObjectGetFilename(EhObject* object, char* buf) -{ - if (object->archive) { - strcpy(buf, object->archive->name); - strcat(buf, ":"); - strcat(buf, object->name); - return buf; - } else { - return object->name; - } -} - -static EhSym* -EhSymNewDefined(char* name, EhObject* object) -{ - EhSym* sym = EH_NEW(EhSym); - - sym->name = strdup(name); - sym->object = object; - sym->state = EH_SYM_DEFINED; - sym->ngusers = 0; - sym->nlusers = 0; - - return sym; -} - -static EhSym* -EhSymNewInline(char* name) -{ - EhSym* sym = EhSymNewDefined(name, NULL); - sym->state = EH_SYM_INLINE; - - return sym; -} - -static EhSym* -EhSymNewUndefined(char* name) -{ - EhSym* sym = EhSymNewDefined(name, NULL); - sym->state = EH_SYM_UNDEFINED; - - return sym; -} - -static EhSym* -EhSymNewZapped(char* name, EhObject* object) -{ - EhSym* sym = EhSymNewDefined(name, object); - sym->state = EH_SYM_ZAPPED; - - return sym; -} - -static EhSym* -EhSymNewRandomZap(char* name) -{ - EhSym* sym = EhSymNewZapped(name, NULL); - - return sym; -} - -EhSymTable* -EhSymTableNew(unsigned p_size) -{ - EhSymTable* table = EH_NEW(EhSymTable); - -#ifdef USE_HASHING - unsigned size; - for (size = 0x1; size < (16*1024); size <<= 1) { - if (size >= p_size) - break; - } - table->size = size; - table->heads = (EhSym**)calloc(size, sizeof(EhSym*)); -#else - table->head = NULL; -#endif - table->nentries = 0; - - return table; -} - -EhSym* -EhSymTableInsert(EhSymTable* table, EhSym* sym) -{ -#ifdef USE_HASHING - unsigned long hash = elf_hash(sym->name); - unsigned long mask = table->size - 1; - unsigned index = (hash & mask); - - sym->_next = table->heads[index]; - table->heads[index] = sym; -#else - sym->_next = table->head; - table->head = sym; -#endif - table->nentries++; - - return sym; -} - -EhSym* -EhSymTableFind(EhSymTable* table, char* name) -{ - EhSym* sym; - EhSym* head; - -#ifdef USE_HASHING - unsigned long hash = elf_hash(name); - unsigned long mask = table->size - 1; - unsigned index = (hash & mask); - head = table->heads[index]; -#else - head = table->head; -#endif - - for (sym = head; sym != NULL; sym = sym->_next) { - if (strcmp(name, sym->name) == 0) - break; - } - - return sym; -} - -typedef int (*eh_dump_mappee_t)(EhSym* sym, void* arg); - -static int -EhSymTableMap(EhSymTable* table, eh_dump_mappee_t func, void* arg) -{ - EhSym* sym; - EhSym* head; - -#ifdef USE_HASHING - unsigned n; - for (n = 0; n < table->size; n++) { - head = table->heads[n]; -#else - head = table->head; { -#endif - for (sym = head; sym != NULL; sym = sym->_next) { - if ((func)(sym, arg) == -1) - return -1; - } - } - - return 0; -} - -typedef struct { - EhObject* o_old; - EhObject* o_new; -} fixup_info; - -static int -fixup_mappee(EhSym* sym, void* arg) -{ - fixup_info* info = (fixup_info*)arg; - - if (sym->object == info->o_old) - sym->object = info->o_new; - - return 0; -} - -static EhObject* -EhSymTableObjectFixup(EhSymTable* table, EhObject* o_old, EhObject* o_new) -{ - fixup_info info; - - /* - * Now visit every sym that pointed to tmp, and point it - * at object. - */ - info.o_old = o_old; - info.o_new = o_new; - EhSymTableMap(table, fixup_mappee, &info); - - return o_new; -} - - - -static char* -safe_fgets(char* buf, unsigned size, FILE* fp) -{ - unsigned nread = 0; - - if (buf == NULL) - buf = (char*)malloc(size); - - for (;;) { - - if (fgets(&buf[nread], size - nread, fp) == NULL) { - free(buf); - return NULL; - } - - if (strchr(buf, '\n') != NULL) - return buf; - - /* - * fgets returns n-1 characters and \0 - */ - nread += (size - nread) - 1; - size += 1024; - buf = (char*)realloc(buf, size); - } -} - -static int -EhSymTableSetSymbolState(EhSymTable* table, char* name, EhSymState new_state) -{ - EhSym* sym = EhSymTableFind(table, name); - - if (sym == NULL) { - sym = EhSymNewDefined(name, NULL); - - EhSymTableInsert(table, sym); - } - - /* new_state must be EH_SYM_DEFINED || EH_SYM_ZAPPED */ - if (sym->state == EH_SYM_DEFINED || sym->state == EH_SYM_ZAPPED) { - sym->state = new_state; - } else if (sym->state == EH_SYM_INLINE) { - char* state_name; - if (new_state == EH_SYM_DEFINED) - state_name = "global"; - else - state_name = "static"; - fprintf(stderr, - "WARNING: Symbol %s is an inline.\n" - " Forcing the symbol %s will be ignored.\n", - name, - state_name); - } else { /* EH_SYM_UNDEFINED */ - /* - * This call is being made after objects have started being - * read. This is too late. I'm not sure I care though. - */ - return -1; - } - - return 0; -} - -static int -EhSymTableFpLoad(EhSymTable* table, FILE* fp) -{ - char* buf = NULL; /* I hope this is big enough */ - char* p; - char* name; - char* state; - EhSym* sym; - EhSource* source = NULL; - EhObject* object = NULL; - char* cc_args[512]; - unsigned n; - unsigned line_n = 0; - char* ctime = NULL; - char* directory; - char* savefile; - - while ((buf = safe_fgets(buf, 1024, fp)) != NULL) { - - if ((p = strchr(buf, '\n')) == NULL) { - fprintf(stderr, "line to long: %d\n", line_n); - return -1; - } - *p = '\0'; - - line_n++; - - if (buf[0] == '!') /* comment */ - continue; - - for (p = buf; isspace(*p); p++) - ; - - name = p; - for (; !isspace(*p); p++) - ; - *p++ = '\0'; - - if (name[0] == '\0') - continue; - - for (; isspace(*p); p++) - ; - - state = p; - for (; !isspace(*p) && *p != '\0'; p++) - ; - *p++ = '\0'; - - if (state[0] == EH_TAG_GLOBAL - || - state[0] == EH_TAG_ZAPPED - || - state[0] == EH_TAG_INLINE) { - sym = EhSymTableFind(table, name); - if (sym == NULL) { /* install a new one */ - - if (source == NULL && state[0] != EH_TAG_INLINE) { - fprintf(stderr, - "[%d] found new style symbol (%s) but no source\n", - line_n, name); - } - - if (state[0] == EH_TAG_GLOBAL) - sym = EhSymNewDefined(name, object); - else if (state[0] == EH_TAG_INLINE) - sym = EhSymNewInline(name); - else - sym = EhSymNewZapped(name, object); - - EhSymTableInsert(table, sym); - } else { - if (state[0] == EH_TAG_GLOBAL) { - if (sym->state != EH_SYM_DEFINED) { - fprintf(stderr, - "out of sync defined symbol: %s, fixing\n", - sym->name); - sym->state = EH_SYM_DEFINED; - } - } else if (state[0] == EH_TAG_INLINE) { - if (sym->state != EH_SYM_INLINE) { - fprintf(stderr, - "out of sync inlined symbol: %s, fixing\n", - sym->name); - sym->state = EH_SYM_INLINE; - } - } else { - if (sym->state != EH_SYM_ZAPPED) { - fprintf(stderr, - "out of sync zapped symbol: %s, fixing\n", - sym->name); - sym->state = EH_SYM_ZAPPED; - } - } - -#if 0 - /* these are probably "special" symbols like .div */ - if (sym->object != object) { - fprintf(stderr, - "out of sync object for symbol: %s, ignoring\n", - sym->name); - } -#endif - } - - continue; /* no more fields we care about */ - } else if (state[0] == EH_TAG_FILE) { - - directory = p; - for (; !isspace(*p) && *p != '\0'; p++) - ; - *p++ = '\0'; - - savefile = p; - for (; !isspace(*p) && *p != '\0'; p++) - ; - *p++ = '\0'; - - ctime = p; - for (; !isspace(*p) && *p != '\0'; p++) - ; - *p++ = '\0'; - - for (n = 0; *p != '\0';) { - - for (; isspace(*p); p++) - ; - - cc_args[n++] = p++; - - for (; !isspace(*p) && *p != '\0'; p++) - ; - - if (*p == '\0') - break; - - *p++ = '\0'; - } - cc_args[n] = NULL; - - if (strcmp(directory, ".") == 0) - directory = NULL; - source = EhSourceNew(name, cc_args, directory); - if (ctime != NULL) - source->compile_time = (time_t)atoi(ctime); - object = EhObjectNewFromSource(source); - - } else { /* old style symbol list */ - sym = EhSymTableFind(table, name); - if (sym != NULL) { - if (sym->state != EH_SYM_ZAPPED) { - fprintf(stderr, - "out of sync random zapped symbol: %s, fixing\n", - sym->name); - sym->state = EH_SYM_ZAPPED; - } - } else { - sym = EhSymNewRandomZap(name); - } - } - } - - return line_n; -} - -typedef struct { - EhSym** vector; - unsigned index; -} flush_info; - -static int -flush_mappee(EhSym* sym, void* arg) -{ - flush_info* info = (flush_info*)arg; - - if (sym->state == EH_SYM_INLINE - || - (sym->object != NULL && sym->state == EH_SYM_DEFINED) - || - (sym->object != NULL && sym->state == EH_SYM_ZAPPED)) { - if (info->vector != NULL) - info->vector[info->index] = sym; - info->index++; - } - - return 0; -} - -static int -flush_compare(const void* ap, const void* bp) -{ - EhSym** ax = (EhSym**)ap; - EhSym** bx = (EhSym**)bp; - EhSym* a = *ax; - EhSym* b = *bx; - EhObject* oa = a->object; - EhObject* ob = b->object; - int foo; - - if (oa == NULL && ob != NULL) - return -1; - if (oa != NULL && ob == NULL) - return 1; - if (oa == NULL && ob == NULL) { - foo = strcmp(a->name, b->name); - if (foo < 0) - return -1; - else if (foo > 0) - return 1; - return 0; - } - - if (oa->source == NULL && ob->source != NULL) - return -1; - if (oa->source != NULL && ob->source == NULL) - return 1; - if (oa->source == ob->source) - return 0; - if (oa->source < ob->source) - return -1; - if (oa->source > ob->source) - return 1; - foo = strcmp(a->name, b->name); - if (foo < 0) - return -1; - else if (foo > 0) - return 1; - return 0; -} - -static void -EhSourceFpWrite(EhSource* source, FILE* fp) -{ - unsigned n = 0; - - fputs(source->name, fp); - fputc(' ', fp); - fputc(EH_TAG_FILE, fp); - - fputc(' ', fp); - if (source->directory != NULL) - fprintf(fp, "%s", source->directory); - else - fputc('.', fp); - - fputc(' ', fp); - if (source->as_savefile != NULL) - fprintf(fp, "%s", source->as_savefile); - else - fputc('.', fp); - - fputc(' ', fp); - fprintf(fp, "%d", source->compile_time); - - if (source->target_object != NULL) { - fputs(" -o ", fp); - fputs(source->target_object, fp); - } - - if (source->cc_args != NULL) { - for (n = 0; source->cc_args[n] != NULL; n++) { - fputc(' ', fp); - fputs(source->cc_args[n], fp); - } - } - - if (n < 1) - fprintf(stderr, "WARNING: %s has no args\n", source->name); - - fputc('\n', fp); -} - -static int -EhSymTableFpDump(EhSymTable* table, FILE* fp) -{ - flush_info info; - unsigned n; - EhObject* object = NULL; - EhSym** syms; - EhSym* sym; - unsigned size; - - info.index = 0; - info.vector = NULL; - EhSymTableMap(table, flush_mappee, (void*)&info); - size = info.index; - - syms = (EhSym**)malloc(sizeof(EhSym*) * size); - info.index = 0; - info.vector = syms; - EhSymTableMap(table, flush_mappee, (void*)&info); - - /* sort */ - qsort(syms, size, sizeof(EhSym*), flush_compare); - - /* dump */ - for (n = 0; n < size; n++) { - sym = syms[n]; - - if (sym->object != object) { - object = sym->object; - - if (object->source != NULL) { - EhSourceFpWrite(object->source, fp); - } - } - - if (sym->state == EH_SYM_INLINE) { - fprintf(fp, "%s %c\n", sym->name, EH_TAG_INLINE); - } else if (object->source != NULL && sym->state == EH_SYM_ZAPPED) { - fprintf(fp, "%s %c\n", sym->name, EH_TAG_ZAPPED); - } else if (object->source != NULL && sym->state == EH_SYM_DEFINED) { - fprintf(fp, "%s %c\n", sym->name, EH_TAG_GLOBAL); - } - } - - free(syms); - - return n; -} - -int djw_debug; -char* djw_test_name; - -int -eh_process_object(Elf* elf, EhObject* object, EhSymTable* table) -{ - Elf32_Shdr * shdr; - Elf32_Ehdr * ehdr; - Elf_Scn * scn; - Elf_Data * shstr_data; - Elf_Data* sym_data = NULL; - Elf_Data* str_data = NULL; - Elf_Data* rel_data[4]; - int nrel_data = 0; - Elf32_Rel* rel_entries; - Elf_Data* rela_data[10]; - int nrela_data = 0; - Elf32_Rela* rela_entries; - unsigned int cnt; - Elf32_Sym* elf_sym; - int i; - int j; - int k; - char* name; - EhSym* sym; - char buf[MAXPATHLEN]; - - /* Obtain the .shstrtab data buffer */ - if (((ehdr = elf32_getehdr(elf)) == NULL) || - ((scn = elf_getscn(elf, ehdr->e_shstrndx)) == NULL) || - ((shstr_data = elf_getdata(scn, NULL)) == NULL)) { - fprintf(stderr, "problems on %s\n", EhObjectGetFilename(object, buf)); - return -1; - } - - /* get the string table */ - for (cnt = 1, scn = NULL; (scn = elf_nextscn(elf, scn)); cnt++) { - if ((shdr = elf32_getshdr(scn)) == NULL) { - fprintf(stderr, "problems on %s, section %d\n", - EhObjectGetFilename(object, buf), cnt); - return -1; - } - -#if 0 - fprintf(stderr, "%s: section %d type %d name %s\n", - EhObjectGetFilename(object, buf), - cnt, - shdr->sh_type, - (char*)shstr_data->d_buf + shdr->sh_name); -#endif - - /* - * Get the string table. - */ - if (shdr->sh_type == SHT_STRTAB && -#ifdef sun - strcmp((char*)shstr_data->d_buf + shdr->sh_name, ".strtab") == 0 && -#endif - cnt != ehdr->e_shstrndx) { - if (str_data != NULL) { - fprintf(stderr, "multiple string tables for %s - bailing\n", - EhObjectGetFilename(object, buf)); - return -1; - } - str_data = elf_getdata(scn, NULL); - } else if (shdr->sh_type == SHT_SYMTAB) { /* look into sym table */ - if (sym_data != NULL) { - fprintf(stderr, "multiple symbol tables for %s - bailing\n", - EhObjectGetFilename(object, buf)); - return -1; - } - sym_data = elf_getdata(scn, NULL); - } else if (shdr->sh_type == SHT_REL) { /* look into rel table */ - if (nrel_data >= 4) { - fprintf(stderr, "too many relocation tables for %s bailing\n", - EhObjectGetFilename(object, buf)); - return -1; - } - rel_data[nrel_data++] = elf_getdata(scn, NULL); - } else if (shdr->sh_type == SHT_RELA) { /* look into rela table */ - if (nrela_data >= 10) { - fprintf(stderr, "too many RELA tables for %s bailing\n", - EhObjectGetFilename(object, buf)); - return -1; - } - rela_data[nrela_data++] = elf_getdata(scn, NULL); - } - } - - if (sym_data == NULL) { - fprintf(stderr, "could not load sym table for %s\n", - EhObjectGetFilename(object, buf)); - return -1; - } - - if (str_data == NULL) { - fprintf(stderr, "could not load string table for %s\n", - EhObjectGetFilename(object, buf)); - return -1; - } - - elf_sym = (Elf32_Sym*)sym_data->d_buf; - - for (i = 0; i < (sym_data->d_size/sizeof(Elf32_Sym)); i++) { - - /* - * We are only interested in globals. - */ - if (ELF32_ST_BIND(elf_sym[i].st_info) != STB_GLOBAL) - continue; - - name = (char *)str_data->d_buf + elf_sym[i].st_name; - - if (djw_test_name != NULL - && strcmp(djw_test_name, name) == 0) { - printf("found %s\n", name); - } - - sym = EhSymTableFind(table, name); - - /* - * Treat inlines as non-globals - */ - if (sym != NULL && sym->state == EH_SYM_INLINE) - continue; - -#if 0 - printf("name = %s value = %d type = %d, info = %d," - " other = %d, size = %d\n", - name, - elf_sym[i].st_value, - ELF32_ST_TYPE(elf_sym[i].st_info), - elf_sym[i].st_info, - elf_sym[i].st_other, - elf_sym[i].st_size); -#endif - - /* defined */ - if (ELFSYM_IS_DEFINED(elf_sym[i])) { - - if (sym != NULL) { - - if (sym->object == NULL) { /* object undefined */ - sym->object = object; - } else if (sym->object->name==eh_unnamed_object) { - - if (object->source != NULL - && - object->source != sym->object->source) { - - fprintf(stderr, - "warning: symbol %s defined in more than one source file\n" - "last time: %s\n" - "this time: %s (ignored)\n", - sym->name, - object->source->name, - sym->object->source->name); - } else { - object->source = sym->object->source; - /* - * Do a global: sym->object = object; - */ - EhSymTableObjectFixup(table, - sym->object, /*old*/ - object); /*new*/ - - } - - } else if (sym->object != object) { - fprintf(stderr, - "warning: symbol %s define in multiple object files\n" - "last time: %s\n" - "this time: %s (ignored)\n", - sym->name, - object->name, - sym->object->name); - } - - sym->state = EH_SYM_DEFINED; - - } else { - sym = EhSymNewDefined(name, object); - EhSymTableInsert(table, sym); - } - - for (k = 0; k < nrel_data; k++) { - int nentries = rel_data[k]->d_size/sizeof(Elf32_Rel); - - rel_entries = (Elf32_Rel*)rel_data[k]->d_buf; - - for (j = 0; j < nentries; j++) { - if (ELF32_R_SYM(rel_entries[j].r_info) == i) { - /* locally referenced */ - sym->nlusers++; - } - } - } - for (k = 0; k < nrela_data; k++) { - int nentries = rela_data[k]->d_size/sizeof(Elf32_Rela); - - rela_entries = (Elf32_Rela*)rela_data[k]->d_buf; - - for (j = 0; j < nentries; j++) { - if (ELF32_R_SYM(rela_entries[j].r_info) == i) { - /* locally referenced */ - sym->nlusers++; - } - } - } - } - - /* Undefined. */ - else if (ELFSYM_IS_UNDEFINED(elf_sym[i])) { - - if (sym == NULL) { - sym = EhSymNewUndefined(name); - EhSymTableInsert(table, sym); - } - sym->ngusers++; - } else { - -#if 1 - printf("what is this: " - "name = %s value = %d type = %d, " - "info = %d, other = %d, size = %d\n", - name, - elf_sym[i].st_value, - ELF32_ST_TYPE(elf_sym[i].st_info), - elf_sym[i].st_info, - elf_sym[i].st_other, - elf_sym[i].st_size); -#endif - ; - }/* type ==... */ - } /* for each symbol */ - - return 0; -} - -int -eh_process_file(char* filename, EhSymTable* table, char* rootdir) -{ - Elf* elf; - Elf* arf; - int fd; - Elf_Cmd cmd; - Elf_Kind e_kind; - EhObject* object; - EhArchive* archive; - Elf_Arhdr* arhdr; - char* name; - int rv = 0; - - if ((fd = open(filename, O_RDONLY)) == -1) { - fprintf(stderr, "error opening %s\n", filename); - return -1; - } - - elf_version(EV_CURRENT); - if ((arf = elf_begin(fd, ELF_C_READ, NULL)) == NULL) { - return -1; - } - - e_kind = elf_kind(arf); - if (e_kind == ELF_K_ELF) { - object = EhObjectNew(filename, rootdir); - rv = eh_process_object(arf, object, table); - - } else if (e_kind == ELF_K_AR) { - - archive = EhArchiveNew(filename, rootdir); - cmd = ELF_C_READ; - -#if 0 - arsyms = elf_getarsym(arf, &narsyms); - - for (i = 0; i < narsyms && arsyms[i].as_name != NULL; i++) { - printf("%s - %d\n", arsyms[i].as_name, arsyms[i].as_off); - } - - arhdr = elf_getarhdr(arf); - for (i = 0; arhdr[i].ar_rawname != NULL; i++) { - - if (arhdr[i].ar_name != NULL) - printf("%s\n", arhdr[i].ar_name); - else - printf("[%s]\n", arhdr[i].ar_rawname); - } -#endif - - rv = 0; - - while ((elf = elf_begin(fd, cmd, arf)) != 0) { - - e_kind = elf_kind(elf); - - if (e_kind != ELF_K_ELF) - continue; - - arhdr = elf_getarhdr(elf); - - if (arhdr != NULL) { - if (arhdr->ar_name != NULL) - name = arhdr->ar_name; - else - name = arhdr->ar_rawname; - } else { - name = eh_unnamed_object; - } - - object = EhObjectNewArchiveObject(archive, name); - rv = eh_process_object(elf, object, table); - - if (rv == -1) - break; - - cmd = elf_next(elf); - elf_end(elf); - } - } - - elf_end(arf); - - close(fd); - - return rv; -} - -static int -eh_dump_unused(EhSym* sym, void* arg) -{ - char buf[MAXPATHLEN]; - - printf(/*"0x%x "*/ "%s %d %d ", /*sym,*/ - sym->name, sym->ngusers, sym->nlusers); - - if (EHSYM_ISINLINE(sym)) - printf("%c ", EH_TAG_INLINE); - else if (EHSYM_ISZAPPED(sym)) - printf("%c ", EH_TAG_ZAPPED); - else if (EHSYM_ISDEFINED(sym)) - printf("%c ", EH_TAG_GLOBAL); - else - printf("%c ", EH_TAG_UNDEFINED); - - if (sym->object != NULL) { - printf("%s ", EhObjectGetFilename(sym->object, buf)); - if (sym->object->source != NULL) { - printf("%s recompilable\n", sym->object->source->name); - } else { - printf("nosource notrecompilable\n"); - } - } else { - printf("noobject nosource notrecompilable\n"); - } - - return 0; -} - -static void -print_dump(EhSymTable* table) -{ - printf("everything\n"); - EhSymTableMap(table, eh_dump_unused, NULL); -} - -typedef struct { - unsigned ndefined; - unsigned nused; /* globally */ - unsigned nundefined; - unsigned nzapped; - unsigned nzapped_nowused; - unsigned ninlined; - unsigned nunlinked; - unsigned ndeadcode; -} SummaryInfo; - -static int -eh_summary_mappee(EhSym* sym, void* arg) { - SummaryInfo* info = (SummaryInfo*)arg; - - if (EHSYM_ISDEFINED(sym)) { - if (sym->ngusers != 0) - info->nused++; - else if (sym->object != NULL && sym->object->nusers == 0) - info->nunlinked++; - else if (sym->nlusers != 0) - info->ndefined++; - else - info->ndeadcode++; - - } else if (EHSYM_ISZAPPED(sym)) { /* one of ours */ - if (sym->ngusers != 0) - info->nzapped_nowused++; - else - info->nzapped++; - } else if (EHSYM_ISINLINE(sym)) { /* one of ours */ - info->ninlined++; - } else { - info->nundefined++; - } - - return 0; -} - -static void -get_summary(EhSymTable* table, SummaryInfo* info) -{ - info->ndefined = 0; - info->nused = 0; - info->nundefined = 0; - info->nzapped = 0; - info->nzapped_nowused = 0; - info->ninlined = 0; - info->nunlinked = 0; - info->ndeadcode = 0; - - EhSymTableMap(table, eh_summary_mappee, info); -} - -static void -print_summary(EhSymTable* table) -{ - SummaryInfo info; - - get_summary(table, &info); - - printf("summary:\n" - "defined and used: %d\n" - "defined but unused globally: %d\n" - "total globals in target: %d\n" - "--------------------------------\n" - "global to statics *: %d\n" - "global to statics (now used): %d\n" - "inlined to statics *: %d\n" - "defined in unlinked objects: %d\n" - "defined but unused (deadcode):%d\n" - "undefined but used: %d\n", - info.nused, - info.ndefined, - (info.nused + info.ndefined), - info.nzapped, - info.nzapped_nowused, - info.ninlined, - info.nunlinked, - info.ndeadcode, - info.nundefined); -} - -typedef struct EhDirMapEntree { - char* dirname; - struct EhDirMapEntree* _next; -} EhDirMapEntree; - -typedef struct EhDirMap { - EhDirMapEntree* head; -} EhDirMap; - -static EhDirMap* -EhDirMapNew(void) -{ - EhDirMap* dm = EH_NEW(EhDirMap); - dm->head = NULL; - return dm; -} - -static void -EhDirMapAddDirectory(EhDirMap* map, char* dirname) -{ - EhDirMapEntree* entree = EH_NEW(EhDirMapEntree); - EhDirMapEntree* foo; - - entree->dirname = strdup(dirname); - entree->_next = NULL; - - if (map->head == NULL) { - map->head = entree; - } else { - for (foo = map->head; foo->_next != NULL; foo = foo->_next) - ; - - foo->_next = entree; - } -} - -static char* -EhDirMapGetLibName(EhDirMap* map, char* name, char* libbuf) -{ - EhDirMapEntree* foo; - struct stat buf; - - for (foo = map->head; foo != NULL; foo = foo->_next) { - sprintf(libbuf, "%s/lib%s.a", foo->dirname, name); - - if (stat(libbuf, &buf) != -1) - return libbuf; - } - - return NULL; -} - -static char* -test_for_global(char* buf) -{ -#ifdef IRIX - if (strncmp(buf, "\t.globl\t", 8) == 0) - return &buf[8]; -#else - if (strncmp(buf, "\t.global ", 9) == 0) - return &buf[9]; -#endif - return NULL; -} - -static char* -test_for_file(char* foo, char* buf) -{ -#ifdef IRIX - char* p; - char* q; - if (strncmp(buf, "\t.file\t", 6) == 0) { - for (p = &buf[6]; *p != '"' && *p != '\0'; p++) - ; - if (*p == '\0') - return NULL; - p++; /* quote */ - q = strchr(p, '"'); - if (q == NULL) - return NULL; - memcpy(foo, p, q - p); - foo[q - p] = '\0'; - return foo; - } -#else - printf("test_for_file() not implemented\n"); -#endif - return NULL; -} - -static int -EhSourceZapFp(EhSource* source, EhSymTable* table, FILE* fpi, FILE* fpo, - unsigned verbosity, unsigned cplusplus) -{ - char* buf = NULL; - char* p; - int nzap = 0; - char* name; - EhSym* sym; - int i_zapped; - EhObject* object = EhObjectNewFromSource(source); - char* filename = source->name; - char* tmp_name; - char foo[256]; - unsigned line_n = 0; - - if (VERBOSITY_DEBUG(verbosity)) - fputs("gts: ", stderr); - - while ((buf = safe_fgets(buf, 4192, fpi)) != NULL) { - - i_zapped = 0; - for (p = buf; *p != '\0' && *p != '\n'; p++) - ; - *p = '\0'; - - if ((tmp_name = test_for_file(foo, buf)) != NULL) { - if (strcmp(tmp_name, filename) != 0) /* not the same file */ - filename = "non local file"; - else - filename = source->name; - } - - else if ((name = test_for_global(buf)) != NULL) { - - sym = EhSymTableFind(table, name); - - /* an inline, we have to treat specially */ - if ((filename != source->name && cplusplus != 0) /* inline now */ - || - (sym != NULL && sym->state == EH_SYM_INLINE)) {/* was inline */ - - if (!sym) { - - sym = EhSymNewInline(name); - - EhSymTableInsert(table, sym); - } - sym->state = EH_SYM_INLINE; /* just make sure */ - - if (fpo != NULL) /* always zap inlines we see */ - fputs(" # gts", fpo); - - } else { /* a real global */ - - if (fpo != NULL && sym != NULL && EHSYM_ISZAPPED(sym)) { - if (VERBOSITY_DEBUG(verbosity)) { - fprintf(stderr, "%s ", &buf[8]); - } - nzap++; - - if (fpo != NULL) - fputs(" # gts", fpo); - } - - if (sym != NULL) { - if (sym->object == NULL) { - sym->object = object; - } else if (sym->object != object) { - sym->object->source = source; - EhSymTableObjectFixup(table, object, sym->object); - object = sym->object; - } - } else { /* install a new one */ - - sym = EhSymNewDefined(name, object); - - EhSymTableInsert(table, sym); - } - - } - } - - if (fpo != NULL) { - fputs(buf, fpo); - fputc('\n', fpo); - } - line_n++; - } - - if (VERBOSITY_DEBUG(verbosity)) - fputc('\n', stderr); - - return nzap; -} - -static void -print_command(char* command, char** args, unsigned verbosity) -{ - int i; - FILE* fp = stderr; - if (!VERBOSITY_USER(verbosity)) - return; - - fprintf(fp, "%s: ", command); - for (i = 0; args[i]; i++) { - fprintf(fp, "%s ", args[i]); - } - fprintf(fp, "\n"); -} - -static int -do_command(char* label, char** args, unsigned verbosity) -{ - int status; - pid_t child_pid; - char* file = args[0]; - - print_command(label, args, verbosity); - - if ((child_pid = fork()) == -1) { - fprintf(stderr, "could not fork: "); - perror(NULL); - return -1; - } - - if (child_pid == 0) { /* i am the child */ - if (execvp(file, args) == -1) { - fprintf(stderr, "could not exec %s: ", file); - perror(NULL); - exit(3); - } - /*NOTREACHED*/ - } - - if (waitpid(child_pid, &status, 0) == -1) { - fprintf(stderr, "wait on %s failed: ", file); - perror(NULL); - return -1; - } - - return WEXITSTATUS(status); -} - -static char* -suffix_name(char* s) -{ - char* p; - - if ((p = strrchr(s, '.')) != NULL) - return p; - else - return ""; -} - -static char base_name_buf[MAXPATHLEN]; - -static char* -base_name(char* s) -{ - char* p; - - if ((p = strrchr(s, '.')) != NULL) { - memcpy(base_name_buf, s, p - s); - base_name_buf[p - s] = '\0'; - s = base_name_buf; - } - return s; -} - -static char* -file_base_name(char *s) -{ - char* p; - - s = base_name(s); - - if ((p = strrchr(s, '/')) != NULL) - s = &p[1]; - - return s; -} -static int -EhSourceCompile(EhSource* source, - EhSymTable* table, - unsigned verbosity, - unsigned do_compile, - unsigned do_zap, - unsigned do_assem) -{ - char* filename = source->name; - char** opts = source->cc_args; - char asname[MAXPATHLEN]; - char o_asname[MAXPATHLEN]; - char* cc_opts[256]; - unsigned i = 0; - unsigned j = 0; - FILE* in_fp; - FILE* out_fp; - int status; - int nzap = 0; - char* save_prefix = NULL; - unsigned do_dash_s = (do_zap != 0 || save_prefix != NULL); - char* cc_command; - char* use_savefile = NULL; - struct timeval start_time; - struct timeval end_time; -#ifdef DEBUG_djw - char savebuf[1024]; -#endif - unsigned is_cplusplus = 0; - -#ifdef LINUX - gettimeofday(&start_time,NULL); -#else - gettimeofday(&start_time); -#endif - - /* munge file */ -#ifdef HANDLES_DASHSO - if (source->target_object != NULL) - strcpy(asname, base_name(source->target_object)); - else -#endif - strcpy(asname, file_base_name(filename)); - strcat(asname, ".s"); - - strcpy(o_asname, asname); - strcat(o_asname, ".gts_tmp"); - - if (strcmp(suffix_name(filename), ".cpp") == 0) { - cc_command = CCC_COMMAND; - is_cplusplus = 1; - } else if (strcmp(suffix_name(filename), ".s") == 0) { - do_compile = FALSE; - cc_command = CC_COMMAND; - } else { - cc_command = CC_COMMAND; - } - - if (do_compile) { - - j = 0; - cc_opts[j++] = cc_command; - cc_opts[j++] = "-c"; - - if (do_dash_s) { - cc_opts[j++] = "-S"; -#ifdef HANDLES_DASHSO - if (source->target_object != NULL) { - cc_opts[j++] = "-o"; - cc_opts[j++] = asname; - } -#endif - } else if (source->target_object != NULL) { - cc_opts[j++] = "-o"; - cc_opts[j++] = source->target_object; - } - - i = 0; - while (opts[i] != NULL) - cc_opts[j++] = opts[i++]; - - cc_opts[j++] = filename; - cc_opts[j] = NULL; - - if ((status = do_command("compile", cc_opts, verbosity)) != 0) { - fprintf(stderr, "compile failed (returned %d)\n", status); - return -1; - } - - if (!do_dash_s) - return 0; - } - - /* - * Now we have a foo.s file, what do we do with it? - */ - if (do_zap > 1) { - - if (use_savefile == NULL) - use_savefile = asname; - - if ((in_fp = fopen(use_savefile, "r")) == NULL) { - fprintf(stderr, "could not open %s for reading\n", asname); - return -1; - } - - if ((out_fp = fopen(o_asname, "w")) == NULL) { - fprintf(stderr, "could not open %s for writing\n", o_asname); - return -1; - } - - j = 0; - cc_opts[j++] = "gts"; - cc_opts[j++] = asname; - cc_opts[j++] = o_asname; - cc_opts[j++] = NULL; - print_command("gts", cc_opts, verbosity); - - nzap = EhSourceZapFp(source, table, in_fp, out_fp, verbosity, is_cplusplus); - - fclose(in_fp); - fclose(out_fp); - - j = 0; - cc_opts[j++] = "rename"; - cc_opts[j++] = o_asname; - cc_opts[j++] = asname; - cc_opts[j++] = NULL; - print_command("rename", cc_opts, verbosity); - -#ifdef DEBUG_djw - strcpy(savebuf, "gts_pre_"); - strcat(savebuf, asname); - rename(asname, savebuf); -#endif - - if (rename(o_asname, asname) == -1) { - fprintf(stderr, "could not rename %s\n", o_asname); - return -1; - } - - } else if (do_zap > 0) { /* audit only */ - - if ((in_fp = fopen(asname, "r")) == NULL) { - fprintf(stderr, "could not open %s for reading\n", asname); - return -1; - } - - j = 0; - cc_opts[j++] = "audit"; - cc_opts[j++] = asname; - cc_opts[j++] = NULL; - print_command("audit", cc_opts, verbosity); - - nzap = EhSourceZapFp(source, table, in_fp, NULL, verbosity, is_cplusplus); - - fclose(in_fp); - } - - if (do_assem) { - i = 0; - j = 0; - cc_opts[j++] = AS_COMMAND; - cc_opts[j++] = "-c"; - - if (source->target_object != NULL) { - cc_opts[j++] = "-o"; - cc_opts[j++] = source->target_object; - } - - while (opts[i] != NULL) - cc_opts[j++] = opts[i++]; - - cc_opts[j++] = asname; - cc_opts[j] = NULL; - - if ((status = do_command("assemble", cc_opts, verbosity)) != 0) { - - unlink(asname); - - fprintf(stderr, - "gtscc of %s failed (exit status = %d), reverting to %s:\n", - filename, - status, - cc_command); - - i = 0; - j = 0; - cc_opts[j++] = cc_command; - cc_opts[j++] = "-c"; - - if (source->target_object != NULL) { - cc_opts[j++] = "-o"; - cc_opts[j++] = source->target_object; - } - - for (; opts[i]; i++, j++) - cc_opts[j] = opts[i]; - - cc_opts[j++] = filename; - cc_opts[j] = NULL; - - if ((status = do_command("fix-compile", cc_opts, verbosity)) != 0) - return -1; - - return 0; - } - } - - if (save_prefix != NULL && save_prefix[0] != '\0') { - - sprintf(o_asname, save_prefix, file_base_name(filename)); - - j = 0; - cc_opts[j++] = "rename"; - cc_opts[j++] = asname; - cc_opts[j++] = o_asname; - cc_opts[j++] = NULL; - print_command("savefile", cc_opts, verbosity); - - if (rename(asname, o_asname) == -1) { - fprintf(stderr, "could not rename %s to %s - sorry\n", - asname, o_asname); - return -1; - } - - if (source->as_savefile != NULL) - free(source->as_savefile); - source->as_savefile = strdup(o_asname); - } else { - - j = 0; - cc_opts[j++] = "unlink"; - cc_opts[j++] = asname; - cc_opts[j++] = NULL; - print_command("unlink", cc_opts, verbosity); - -#ifdef DEBUG_djw - strcpy(savebuf, "gts_post_"); - strcat(savebuf, asname); - rename(asname, savebuf); -#else - unlink(asname); -#endif - } - -#ifdef LINUX - gettimeofday(&end_time,NULL); -#else - gettimeofday(&end_time); -#endif - - source->compile_time = ((end_time.tv_sec - start_time.tv_sec) * 1000) + - ((end_time.tv_usec - start_time.tv_usec) / 1000); - - return nzap; -} - -static char target_buf[MAXPATHLEN]; /* this will go away with rel source */ - -static char* -EhSourceGetTarget(EhSource* source) -{ - if (source->target_object != NULL) - return source->target_object; - - strcpy(target_buf, base_name(source->name)); - strcat(target_buf, ".o"); - - return target_buf; -} - -static int -EhArchiveUpdate(EhArchive* archive, char* target, char* rootdir, - unsigned verbosity) -{ - char* args[8]; - unsigned nargs; - int status; - char pathname[MAXPATHLEN]; - - pathname[0] = '\0'; - if (rootdir != NULL) { - strcat(pathname, rootdir); - strcat(pathname, "/"); - } - strcat(pathname, archive->name); - -#if 0 - nargs = 0; - args[nargs++] = AR_COMMAND; - args[nargs++] = "dc"; - args[nargs++] = pathname; - args[nargs++] = target; - args[nargs++] = NULL; - - if ((status = do_command("delete from archive", args, verbosity)) != 0) { - fprintf(stderr, "archive: %s delete %s failed (status = %d)\n", - pathname, - target); - return -1; - } -#endif - - nargs = 0; - args[nargs++] = AR_COMMAND; - args[nargs++] = AR_OPTIONS; - args[nargs++] = pathname; - args[nargs++] = target; - args[nargs++] = NULL; - - if ((status = do_command("archive", args, verbosity)) != 0) { - fprintf(stderr, "archive: %s <- %s failed (status = %d)\n", - pathname, - target); - return -1; - } - - return 0; -} - -static int -EhObjectRebuild(EhObject* object, - EhSymTable* table, - unsigned verbosity, - char* rootdir) -{ - EhSource* source = object->source; - char cwd[MAXPATHLEN]; - char fullpath[MAXPATHLEN]; - int rv = 0; - int do_chdir = 0; - - if (!source) { - fprintf(stderr, - "wanted to recompile %s, but I don't how\n", - object->name); - return -1; - } - -#if 0 - if (VERBOSITY_USER(verbosity)) -#endif - fprintf(stderr, "recompiling %s\n", source->name); - - /* - * Check to see if we need to chdir - */ - if (source->directory != NULL) { - if (getcwd(cwd, sizeof(cwd)) == NULL) { - fprintf(stderr, "cannot get pwd: cannot compile\n"); - return -1; - } - - make_relative_pathname(fullpath, cwd, rootdir); - - if (strcmp(fullpath, source->directory) != 0) { - fullpath[0] = '\0'; - if (rootdir != NULL) { - strcat(fullpath, rootdir); - strcat(fullpath, "/"); - } - strcat(fullpath, source->directory); - - if (chdir(fullpath) == -1) { - fprintf(stderr, "cannot chdir - can't compile\n"); - return -1; - } - do_chdir++; - } - } - - rv = EhSourceCompile(source, - table, - verbosity, - TRUE, /* compile */ - 2, /* do zap */ - TRUE); /* do assem */ - - if (do_chdir) { - if (chdir(cwd) == -1) { - fprintf(stderr, "cannot chdir - this will be very confused\n"); - return -1; - } - } - - if (rv == -1) { - fprintf(stderr, "recompiling %s failed\n", source->name); - return -1; - } - - /* do archive */ - fullpath[0] = '\0'; - if (rootdir != NULL) { - strcat(fullpath, rootdir); - strcat(fullpath, "/"); - } - - if (source->directory != NULL) - strcat(fullpath, source->directory); - - strcat(fullpath, "/"); - strcat(fullpath, EhSourceGetTarget(source)); - - if (object->archive != NULL) { - if (EhArchiveUpdate(object->archive, fullpath, rootdir, - verbosity) == -1) - return -1; - } - - /* do install */ -#if 0 - if (rv != -1) { - } -#endif - - return rv; -} - -static int -object_nusers_mappee(EhSym* sym, void* arg) -{ - if (sym->object != NULL) - sym->object->nusers += sym->ngusers; - return 0; -} - -typedef struct { - EhObject* recompile_list; - unsigned recompile_count; - unsigned recompile_wish_count; - unsigned unzap_count; - unsigned zap_count; -} RecompileInfo; - -static int -recompile_init_mappee(EhSym* sym, void* arg) -{ - RecompileInfo* info = (RecompileInfo*)arg; - - if (EHSYM_ISZAPPED(sym) && sym->ngusers != 0) { - if (EH_OBJECT_CANBUILD(sym->object)) { - sym->state = EH_SYM_DEFINED; - if (sym->object->_recompile == NULL) { - sym->object->_recompile = info->recompile_list; - info->recompile_list = sym->object; - info->recompile_count++; - } - info->unzap_count++; - sym->object->_needs_unzap++; - } - info->recompile_wish_count++; - } - else if (EHSYM_ISDEFINED(sym) /* it's defined */ - && sym->ngusers == 0 /* there are no global users */ - && sym->nlusers != 0 /* BUT, ther are local users */ - && sym->object->nusers != 0) { /* object is linked */ - - if (EH_OBJECT_CANBUILD(sym->object)) { - sym->state = EH_SYM_ZAPPED; - if (sym->object->_recompile == NULL) { - sym->object->_recompile = info->recompile_list; - info->recompile_list = sym->object; - info->recompile_count++; - } - info->zap_count++; - } - info->recompile_wish_count++; - } - - return 0; -} - -static char** recompile_compare_prefs; -static char** recompile_compare_unprefs; - -static unsigned -match_prefs(char* candidate, char** prefs) -{ - unsigned n; - - for (n = 0; prefs[n] != NULL; n++) { - char* pref = prefs[n]; - unsigned len = strlen(pref); - if (strncmp(pref, candidate, len) == 0) - return n; /* cool */ - } - return (unsigned)-1; /* big! */ -} - -static int -recompile_compare(const void* ap, const void* bp) -{ - EhObject** ax = (EhObject**)ap; - EhObject** bx = (EhObject**)bp; - EhObject* obj_a = *ax; - EhObject* obj_b = *bx; - EhSource* src_a = obj_a->source; - EhSource* src_b = obj_b->source; - unsigned matcha; - unsigned matchb; - int foo; - - if (obj_a->_needs_unzap == 0 && obj_b->_needs_unzap != 0) - return -1; - if (obj_a->_needs_unzap != 0 && obj_b->_needs_unzap == 0) - return 1; - - if (src_a == NULL && src_b != NULL) - return 1; - if (src_a != NULL && src_b == NULL) - return -1; - if (src_a == src_b) - return 0; - - if (recompile_compare_unprefs != NULL - && src_a->directory != NULL && src_b->directory != NULL) { - - matcha = match_prefs(src_a->directory, recompile_compare_unprefs); - matchb = match_prefs(src_b->directory, recompile_compare_unprefs); - - if (matcha > matchb) /* greater is good */ - return -1; - if (matcha < matchb) - return 1; - } - - if (recompile_compare_prefs != NULL - && src_a->directory != NULL && src_b->directory != NULL) { - - matcha = match_prefs(src_a->directory, recompile_compare_prefs); - matchb = match_prefs(src_b->directory, recompile_compare_prefs); - - if (matcha > matchb) /* greater is bad */ - return 1; - if (matcha < matchb) - return -1; - } - - /* else same directory probably */ - foo = strcmp(src_a->name, src_b->name); - - if (foo < 0) - return -1; - if (foo > 0) - return 1; - - return 0; -} - -static int -do_recompilation(EhSymTable* table, char* gts_file, unsigned max_globals, - char** prefs, char** unprefs, - char* rootdir, unsigned verbosity) -{ - SummaryInfo s_info; - RecompileInfo info; - unsigned size; - unsigned n; - EhObject* object; - EhObject** recompiles; - unsigned delta; - int rv; - unsigned nzaps; - EhObject dummy; /* just marks the end of the recomp list */ - time_t eta; - - get_summary(table, &s_info); - - if ((s_info.nused + s_info.ndefined) <= max_globals) { - if (VERBOSITY_USER(verbosity)) - fprintf(stderr, - "number of globals <= requested max, skipping recompilation\n"); - return 0; - } - - /* Init recompilation. */ - info.recompile_list = &dummy; /* cannot use NULL, because syms test that */ - info.recompile_count = 0; - info.recompile_wish_count = 0; - info.unzap_count = 0; - info.zap_count = 0; - EhSymTableMap(table, recompile_init_mappee, (void*)&info); - size = info.recompile_count; - - recompiles = (EhObject**)malloc(sizeof(EhObject*) * size); - - /* install */ - n = 0; - for (object = info.recompile_list; - object != &dummy; - object = object->_recompile) { - recompiles[n++] = object; - } - - /* sort */ - recompile_compare_prefs = prefs; - recompile_compare_unprefs = unprefs; - qsort(recompiles, size, sizeof(EhObject*), recompile_compare); - - /* - * sorted ! - * less recompile the first n, n = ndefined - max - */ - delta = (s_info.nused + s_info.ndefined) - max_globals; - - if (delta > info.zap_count) { - fprintf(stderr, - "WARNING: there too many globals (%d/%d fixables).\n" - " I don't think I can fix this, but I'll try.\n" - " You might get lucky.\n", - info.zap_count, - delta); - } - - if (VERBOSITY_USER(verbosity)) - fprintf(stderr, "scheduling recompilation targets:\n"); - - eta = 0; - for (n = 0; n < size; n++) { - char* cname = "unknown"; - object = recompiles[n]; - if (object->source != NULL) { - cname = object->source->name; - eta += object->source->compile_time; - } - - if (VERBOSITY_DEBUG(verbosity)) - fprintf(stderr, "object %s from source %s\n", object->name, cname); - } - -#if 0 - if (VERBOSITY_USER(verbosity)) -#endif - fprintf(stderr, "gts-ing %d symbols, eta = %d minutes\n", delta, - eta/(60*1000)); - - if (gts_file != NULL) { - FILE* zap_fp; - if ((zap_fp = fopen(gts_file, "w")) == NULL) { - perror(0); - fprintf(stderr, - "WARNING: could not open the gtscc db file %s.\n" - " I will continue with the recompilation, but\n" - " if you recompile any of the files I touched\n" - " I'll have to recompile them after you!\n", - gts_file); - } else { - - EhSymTableFpDump(table, zap_fp); - - fclose(zap_fp); - } - } - - for (n = 0, nzaps = 0; n < size && nzaps < delta; n++) { - - object = recompiles[n]; - rv = EhObjectRebuild(object, table, verbosity, rootdir); - - if (rv == -1) - return -1; - - nzaps += rv; - - object->_recompile = NULL; /* clean up now */ - } - - if (nzaps < delta) { - fprintf(stderr, - "WARNING: I wanted to gts %d symbols, but only managed\n" - " to get %d of them.\n" - " Your link may fail with GOT errors.\n", - delta, - nzaps); - } - - free(recompiles); - - return n; -} - -typedef struct FileList -{ - char* name; - struct FileList* next; -} FileList; - -static FileList* -fileListFind(FileList* list, char* name) -{ - FileList* foo; - - for (foo = list; foo != NULL; foo = foo->next) { - if (strcmp(name, foo->name) == 0) - return foo; - } - return NULL; -} - -static FileList* -fileListAppend(FileList** list_a, char* name) -{ - FileList* list = *list_a; - FileList* foo; - FileList* last; - - for (foo = list, last = NULL; foo != NULL; last = foo, foo = foo->next) - ; - - if (last == NULL) { - foo = EH_NEW(FileList); - foo->next = NULL; - foo->name = strdup(name); - *list_a = foo; - } else { - foo = EH_NEW(FileList); - foo->next = NULL; - foo->name = strdup(name); - last->next = foo; - } - - return *list_a; -} - -#if 0 -static FileList* c_list; -#endif -static FileList* o_list; - -#if 0 -static char* -EhSourceAdjustPathname(EhSource* source, char* rootdir) -{ - char buf[MAXPATHLEN]; - char buf2[MAXPATHLEN]; - char* p; - char* q; - char* filename = source->name; - - if (getcwd(buf, sizeof(buf)) == NULL) { - fprintf(stderr, "cannot get pwd\n"); - return NULL; - } - - strcat(buf, "/"); - strcat(buf, filename); - - if (rootdir == NULL) { - filename = buf; - } else { - if (realpath(buf, buf2) == NULL) { - fprintf(stderr, "realpath() failed: %s\n", buf2); - return NULL; - } - - if (realpath(rootdir, buf) == NULL) { - fprintf(stderr, "realpath() failed: %s\n", buf); - return NULL; - } - strcat(buf, "/"); - - for (p = buf, q = buf2; *p == *q; p++, q++) - ; - - filename = q; - } - - free(source->name); - source->name = strdup(filename); - - return source->name; -} -#endif - -static unsigned -katoi(char *buf) -{ - unsigned base = 1; - char* s; - - for (s = buf; isdigit(*s); s++) - ; - - if (*s == 'k' || *s == 'K') - base = 1024; - - *s = '\0'; - - return base * atoi(buf); -} - -static void -usage(void) -{ - fprintf(stderr, - "Usage:\n" - "as a compiler:\n" - "gtscc [gtscc_options] [compiler_options] -c file.c file.cpp ...\n" - "gtscc_options:\n" - "-gtsfile the gts database file (use this)\n" - "-gtszapsymbol convert symbol \n" - "-gtsnozapsymbol don't convert symbol \n" - "-gtsrootdir the root for the tree (use this)\n" - "-gtsverbose be more verbose (3 levels)\n" - "-gtsnozap don't convert globals to statics\n" - "-gtsnoupdate don't update the database file\n" - "as a linker:\n" - "gtscc [gtscc_options] [linker_options] file.o ... libxx.a ...\n" - "gtscc_options:\n" - "-gtsfile the gts database file (use this)\n" - "-gtszapsymbol convert symbol \n" - "-gtsnozapsymbol don't convert symbol \n" - "-gtsrootdir the root for the tree (use this)\n" - "-gtspref please recompile these paths first\n" - "-gtsunpref please try to avoid recompiling these\n" - "-gtsverbose be more verbose (3 levels)\n" - "-gtssummary print a summary of global usage\n" - "-gtsdump print a detailed listing of all symbols\n" - "-gtsmaxglobals [k] maximum globals allowed in target\n" - "-gtsnorecompile don't do the normal recompilation\n" - "-gtsnolink don't call linker after recompilation\n" - "-gtsnoupdate don't update the database file\n" - "-help print this\n" - ); -} - -int -main(int argc, char** argv) -{ - EhSymTable* table = EhSymTableNew(1000); - EhSym* sym; - FILE* zap_fp; - unsigned n = 0; - unsigned verbosity = 0; - char* arg_buf[256]; - unsigned nargs = 0; - EhDirMap* dmap = EhDirMapNew(); - unsigned do_dump = 0; - unsigned do_summary = 0; - unsigned do_link = 1; - unsigned in_link = 1; - unsigned do_audit = 1; - unsigned do_zap = 1; - unsigned do_assem = 1; - unsigned do_recompile = 1; - unsigned do_collect = 1; - char* name; - char* saveprefix = NULL; - char* rootdir = NULL; - int rv; - EhSource* source = NULL; - char* gts_file = NULL; - char* path_prefs[32]; - unsigned npath_prefs = 0; - char* path_un_prefs[32]; - unsigned npath_un_prefs = 0; - char* suffix; - unsigned max_globals = DEFAULT_MAX_GLOBALS; - FileList* list; - - if (elf_version(EV_CURRENT) == EV_NONE) { - fprintf(stderr, "something losing about your elf lib - sorry!\n"); - return 3; - /* library out of date */ - /* recover from error */ - } - - arg_buf[nargs] = NULL; - - for (n = 1; n < argc; n++) { - - if (strcmp(argv[n], "-help") == 0) { - usage(); - return 0; - } else if (strcmp(argv[n], "-gtssummary") == 0) { - do_summary = 1; - } else if (strcmp(argv[n], "-gtsdump") == 0) { - do_dump = 1; - } else if (strcmp(argv[n], "-gtsnorecompile") == 0) { - do_recompile = 0; - } else if (strcmp(argv[n], "-gtsnolink") == 0) { - do_link = 0; - } else if (strcmp(argv[n], "-gtsverbose") == 0) { - verbosity++; - } else if (strcmp(argv[n], "-gtsnoupdate") == 0) { - do_collect = 0; - } else if (strcmp(argv[n], "-gtsnoaudit") == 0) { - do_audit = 0; - } else if (strcmp(argv[n], "-gtsnozap") == 0) { - do_zap = 0; - } else if (strcmp(argv[n], "-gtsrootdir") == 0) { - if (argc < n+2) { - fprintf(stderr, "-gtsrootdir requires an argument\n"); - usage(); - return 2; - } - rootdir = argv[n+1]; - n++; - } else if (strcmp(argv[n], "-gtsdebugsym") == 0) { - if (argc < n+2) { - fprintf(stderr, "-gtsdebugsym requires an argument\n"); - usage(); - return 2; - } - djw_test_name = argv[n+1]; - n++; - } else if (strcmp(argv[n], "-gtsmaxglobals") == 0) { - if (argc < n+2) { - fprintf(stderr, "-gtsmaxglobals requires an argument\n"); - usage(); - return 2; - } - max_globals = katoi(argv[n+1]); - n++; - - } else if (strcmp(argv[n], "-gtspref") == 0) { - if (argc < n+2) { - fprintf(stderr, "-gtspref requires an argument\n"); - usage(); - return 2; - } - path_prefs[npath_prefs++] = argv[n+1]; - path_prefs[npath_prefs] = NULL; - n++; - - } else if (strcmp(argv[n], "-gtsunpref") == 0) { - if (argc < n+2) { - fprintf(stderr, "-gtsunpref requires an argument\n"); - usage(); - return 2; - } - path_un_prefs[npath_un_prefs++] = argv[n+1]; - path_un_prefs[npath_un_prefs] = NULL; - n++; - - } else if (strcmp(argv[n], "-gtssaveprefix") == 0) { - if (argc < n+2) { - fprintf(stderr, "-gtssaveprefix requires an argument\n"); - usage(); - return 2; - } - saveprefix = argv[n+1]; - n++; - - } else if (strcmp(argv[n], "-gtsfile") == 0) { - - struct stat sbuf; - - if (argc < n+2) { - fprintf(stderr, "-gtsfile requires an argument\n"); - usage(); - return 2; - } - - gts_file = argv[n+1]; - - if (stat(gts_file, &sbuf) == -1) { - fprintf(stderr, - "warning: %s does not exist, will be created\n", - gts_file); - } else { - - if ((zap_fp = fopen(gts_file, "r")) == NULL) { - fprintf(stderr, "you lose cannot open %s\n", gts_file); - usage(); - return 2; - } - - if (EhSymTableFpLoad(table, zap_fp) == -1) { - fprintf(stderr, - "error: failed reading symbols from gtsfile %s\n", - argv[n+1]); - usage(); - return 2; - } - - fclose(zap_fp); - } - - n++; - - } else if (strcmp(argv[n], "-gtszapsymbol") == 0) { - if (argc < n+2) { - fprintf(stderr, "-gtszapsymbol requires an argument\n"); - usage(); - return 2; - } - - EhSymTableSetSymbolState(table, argv[n+1], EH_SYM_ZAPPED); - n++; - - } else if (strcmp(argv[n], "-gtsnozapsymbol") == 0) { - if (argc < n+2) { - fprintf(stderr, "-gtsnozapsymbol requires an argument\n"); - usage(); - return 2; - } - - EhSymTableSetSymbolState(table, argv[n+1], EH_SYM_DEFINED); - n++; - - } else if (strcmp(argv[n], "-gtsname") == 0) { - if (argc < n+2) { - fprintf(stderr, "-gtsname requires an argument\n"); - usage(); - return 2; - } - - sym = EhSymTableFind(table, argv[n+1]); - if (!sym) - sym = EhSymNewRandomZap(argv[n+1]); - n++; - do_audit = 1; - - } else if (strcmp(argv[n], "-c") == 0) { /* do not link */ - in_link = 0; - do_link = 0; - } else if (strcmp(argv[n], "-S") == 0) { /* do not assem */ - do_assem = 0; - } else if (strcmp(argv[n], "-o") == 0) { /* parse through */ - arg_buf[nargs++] = argv[n++]; - arg_buf[nargs++] = argv[n]; - arg_buf[nargs] = NULL; - } else if (strcmp((suffix = suffix_name(argv[n])), ".cpp") == 0 - || - strcmp(suffix, ".c") == 0 - || - strcmp(suffix, ".s") == 0) { - char pathname[MAXPATHLEN]; - - make_relative_pathname(pathname, ".", rootdir); - - source = EhSourceNew(argv[n], arg_buf, pathname); - - rv = EhSourceCompile(source, - table, - verbosity, - TRUE, /* compile, .s files ignore anyway */ - (do_audit + do_zap), - do_assem); - if (rv == -1) - return 1; - -#if 0 - EhSourceAdjustPathname(source, rootdir); -#endif - - } else if (strcmp(suffix, ".o") == 0 || strcmp(suffix, ".a") == 0) { - - if (fileListFind(o_list, argv[n]) == NULL) { - fileListAppend(&o_list, argv[n]); - } else { - fprintf(stderr, - "%s repeated on command line - ignored\n", - argv[n]); - } - arg_buf[nargs++] = argv[n]; - arg_buf[nargs] = NULL; - - } else if (strncmp(argv[n], "-L", 2) == 0) { - EhDirMapAddDirectory(dmap, &argv[n][2]); - } else if (strncmp(argv[n], "-l", 2) == 0) { - char pathbuf[MAXPATHLEN]; - name = EhDirMapGetLibName(dmap, &argv[n][2], pathbuf); - if (name != NULL) { - if (fileListFind(o_list, name) == NULL) { - fileListAppend(&o_list, name); - } else { - fprintf(stderr, - "%s repeated on command line - ignored\n", - name); - } - } else { - fprintf(stderr, - "unable to resolve library reference %s - ignoring\n", - argv[n]); - } - arg_buf[nargs++] = argv[n]; - arg_buf[nargs] = NULL; - } else { - arg_buf[nargs++] = argv[n]; - arg_buf[nargs] = NULL; - } - } - - /* - * Analyse objects. - */ - if (o_list != NULL) { - for (list = o_list; list != NULL; list = list->next) { - - if (eh_process_file(list->name, table, rootdir)) { - fprintf(stderr, "oops we died around %s\n", list->name); - return 1; - } - } - - /* look for unused objects */ - EhSymTableMap(table, object_nusers_mappee, 0); - } - - if (do_summary) { - print_summary(table); - } - - if (do_dump) { - print_dump(table); - } - - if (!in_link && gts_file != NULL) { - FILE* zap_fp; - if ((zap_fp = fopen(gts_file, "w")) == NULL) { - perror(0); - usage(); - return 2; - } - - EhSymTableFpDump(table, zap_fp); - fclose(zap_fp); - return 0; - } - - /* - * Now the fun really starts. - */ - if (do_recompile) { - char** pp = NULL; - char** up = NULL; - - if (npath_prefs > 0) - pp = path_prefs; - - if (npath_un_prefs > 0) - up = path_un_prefs; - - if (!do_collect) - gts_file = NULL; - - rv = do_recompilation(table, gts_file, max_globals, pp, up, rootdir, - verbosity); - if (rv == -1) - return 1; - } - - /* - * Finally. - */ - if (do_link) { - - int status; - - arg_buf[nargs+1] = NULL; - for (n = nargs; n > 0; n--) - arg_buf[n] = arg_buf[n-1]; - arg_buf[0] = LD_COMMAND; - - status = do_command("link", arg_buf, verbosity); - - if (status == -1) - return 3; - else - return status; - } - - return 0; -} diff --git a/config/rules.mk b/config/rules.mk index 0d80aea302dd..d2bf49060f8d 100644 --- a/config/rules.mk +++ b/config/rules.mk @@ -153,6 +153,20 @@ xpcshell-tests: $(LIBXUL_DIST)/bin/xpcshell \ $(foreach dir,$(XPCSHELL_TESTS),$(testxpcobjdir)/$(relativesrcdir)/$(dir)) +xpcshell-tests-remote: DM_TRANS?=adb +xpcshell-tests-remote: + $(PYTHON) -u $(topsrcdir)/config/pythonpath.py \ + -I$(topsrcdir)/build \ + -I$(topsrcdir)/build/mobile \ + $(topsrcdir)/testing/xpcshell/remotexpcshelltests.py \ + --symbols-path=$(DIST)/crashreporter-symbols \ + --build-info-json=$(DEPTH)/mozinfo.json \ + $(EXTRA_TEST_ARGS) \ + --dm_trans=$(DM_TRANS) \ + --deviceIP=${TEST_DEVICE} \ + --objdir=$(DEPTH) \ + $(foreach dir,$(XPCSHELL_TESTS),$(testxpcobjdir)/$(relativesrcdir)/$(dir)) + # Execute a single test, specified in $(SOLO_FILE), but don't automatically # start the test. Instead, present the xpcshell prompt so the user can # attach a debugger and then start the test. @@ -182,6 +196,23 @@ check-one: $(LIBXUL_DIST)/bin/xpcshell \ $(foreach dir,$(XPCSHELL_TESTS),$(testxpcobjdir)/$(relativesrcdir)/$(dir)) +check-one-remote: DM_TRANS?=adb +check-one-remote: + $(PYTHON) -u $(topsrcdir)/config/pythonpath.py \ + -I$(topsrcdir)/build \ + -I$(topsrcdir)/build/mobile \ + $(testxpcsrcdir)/remotexpcshelltests.py \ + --symbols-path=$(DIST)/crashreporter-symbols \ + --build-info-json=$(DEPTH)/mozinfo.json \ + --test-path=$(SOLO_FILE) \ + --profile-name=$(MOZ_APP_NAME) \ + --verbose \ + $(EXTRA_TEST_ARGS) \ + --dm_trans=$(DM_TRANS) \ + --deviceIP=${TEST_DEVICE} \ + --objdir=$(DEPTH) \ + --noSetup \ + $(foreach dir,$(XPCSHELL_TESTS),$(testxpcobjdir)/$(relativesrcdir)/$(dir)) endif # XPCSHELL_TESTS ifdef CPP_UNIT_TESTS @@ -898,9 +929,6 @@ ifdef SHARED_LIBRARY $(SHARED_LIBRARY_NAME) $(DIST)/$(MOZ_APP_NAME) endif endif # SHARED_LIBRARY || PROGRAM -else # ! WINNT_ -# Force rebuilding all objects on the second pass -$(OBJS): FORCE endif # WINNT_ endif # MOZ_PROFILE_USE ifdef MOZ_PROFILE_GENERATE diff --git a/configure.in b/configure.in index 76c18469ff83..4590a18a7028 100644 --- a/configure.in +++ b/configure.in @@ -970,6 +970,7 @@ if test -n "$_WIN32_MSVC"; then AC_DEFINE(HAVE_IO_H) AC_DEFINE(HAVE_SETBUF) AC_DEFINE(HAVE_ISATTY) + AC_DEFINE(HAVE_STDCALL) fi fi # COMPILE_ENVIRONMENT @@ -2107,6 +2108,8 @@ case "$target" in # logging code in nsObjCExceptions.h. Currently we only use that in debug # builds. MOZ_DEBUG_LDFLAGS="$MOZ_DEBUG_LDFLAGS -framework ExceptionHandling" + # Debug builds should always have frame pointers + MOZ_DEBUG_FLAGS="-g -fno-omit-frame-pointer" if test "x$lto_is_enabled" = "xyes"; then echo "Skipping -dead_strip because lto is enabled." @@ -2253,6 +2256,8 @@ ia64*-hpux*) else MOZ_OPTIMIZE_FLAGS="-Os -freorder-blocks -fno-reorder-functions -fno-omit-frame-pointer" fi + # Debug builds should always have frame pointers + MOZ_DEBUG_FLAGS="-g -fno-omit-frame-pointer" ;; *-*linux*) @@ -2278,7 +2283,8 @@ ia64*-hpux*) fi MOZ_PGO_OPTIMIZE_FLAGS="-O3 $MOZ_FRAMEPTR_FLAGS" MOZ_OPTIMIZE_FLAGS="-Os -freorder-blocks $MOZ_OPTIMIZE_SIZE_TWEAK $MOZ_FRAMEPTR_FLAGS" - MOZ_DEBUG_FLAGS="-g" + # Debug builds should always have frame pointers + MOZ_DEBUG_FLAGS="-g -fno-omit-frame-pointer" fi TARGET_NSPR_MDCPUCFG='\"md/_linux.cfg\"' @@ -2371,7 +2377,8 @@ ia64*-hpux*) CFLAGS="$CFLAGS -we4553" CXXFLAGS="$CXXFLAGS -we4553" LIBS="$LIBS kernel32.lib user32.lib gdi32.lib winmm.lib wsock32.lib advapi32.lib" - MOZ_DEBUG_FLAGS='-Zi' + # Debug builds should always have frame pointers + MOZ_DEBUG_FLAGS='-Zi -Oy-' MOZ_DEBUG_LDFLAGS='-DEBUG -DEBUGTYPE:CV' WARNINGS_AS_ERRORS='-WX' # If we're building with --enable-profiling, we need -Oy-, which forces a frame pointer. @@ -3588,53 +3595,6 @@ then LDFLAGS="${_PTHREAD_LDFLAGS} ${LDFLAGS}" fi -dnl ======================================================== -dnl See if mmap sees writes -dnl For cross compiling, just define it as no, which is a safe default -dnl ======================================================== -AC_MSG_CHECKING(whether mmap() sees write()s) - -changequote(,) -mmap_test_prog=' - #include - #include - #include - #include - #include - #include - - char fname[] = "conftest.file"; - char zbuff[1024]; /* Fractional page is probably worst case */ - - int main() { - char *map; - int fd; - int i; - unlink(fname); - fd = open(fname, O_RDWR | O_CREAT, 0660); - if(fd<0) return 1; - unlink(fname); - write(fd, zbuff, sizeof(zbuff)); - lseek(fd, 0, SEEK_SET); - map = (char*)mmap(0, sizeof(zbuff), PROT_READ, MAP_SHARED, fd, 0); - if(map==(char*)-1) return 2; - for(i=0; fname[i]; i++) { - int rc = write(fd, &fname[i], 1); - if(map[i]!=fname[i]) return 4; - } - return 0; - } -' -changequote([,]) - -AC_TRY_RUN($mmap_test_prog , result="yes", result="no", result="yes") - -AC_MSG_RESULT("$result") - -if test "$result" = "no"; then - AC_DEFINE(MMAP_MISSES_WRITES) -fi - dnl Checks for library functions. dnl ======================================================== @@ -4778,7 +4738,6 @@ MOZ_DISABLE_DOMCRYPTO= NSS_DISABLE_DBM= NECKO_WIFI=1 NECKO_COOKIES=1 -NECKO_DISK_CACHE=1 NECKO_PROTOCOLS_DEFAULT="about data file ftp http res viewsource websocket wyciwyg" USE_ARM_KUSER= BUILD_CTYPES=1 @@ -5194,7 +5153,7 @@ incorrect]) fi MOZ_ENABLE_QTMOBILITY= - PKG_CHECK_MODULES(_QTMOBILITY, QtSensors QtFeedback, + PKG_CHECK_MODULES(_QTMOBILITY, QtSensors QtFeedback QtLocation, MOZ_ENABLE_QTMOBILITY=1, MOZ_ENABLE_QTMOBILITY=) if test "$MOZ_ENABLE_QTMOBILITY"; then @@ -5202,12 +5161,13 @@ incorrect]) MOZ_QT_CFLAGS="$MOZ_QT_CFLAGS $_QTMOBILITY_CFLAGS" MOZ_QT_LIBS="$MOZ_QT_LIBS $_QTMOBILITY_LIBS" else - AC_CHECK_LIB(QtSensors QtFeedback, main, [ + AC_CHECK_LIB(QtSensors QtFeedback QtLocation, main, [ MOZ_ENABLE_QTMOBILITY=1 MOZ_QT_CFLAGS="$MOZ_QT_CFLAGS -I/usr/include/qt4/QtMobility" MOZ_QT_CFLAGS="$MOZ_QT_CFLAGS -I/usr/include/qt4/QtSensors" MOZ_QT_CFLAGS="$MOZ_QT_CFLAGS -I/usr/include/qt4/QtFeedback" - MOZ_QT_LIBS="$MOZ_QT_LIBS -lQtSensors -lQtFeedback" + MOZ_QT_CFLAGS="$MOZ_QT_CFLAGS -I/usr/include/qt4/QtLocation" + MOZ_QT_LIBS="$MOZ_QT_LIBS -lQtSensors -lQtFeedback -lQtLocation" ]) fi if test "$MOZ_ENABLE_QTMOBILITY"; then @@ -8764,19 +8724,6 @@ for p in $NECKO_PROTOCOLS; do AC_DEFINE_UNQUOTED(NECKO_PROTOCOL_$p) done -dnl -dnl option to disable necko's disk cache -dnl -MOZ_ARG_DISABLE_BOOL(necko-disk-cache, -[ --disable-necko-disk-cache - Disable necko disk cache], - NECKO_DISK_CACHE=, - NECKO_DISK_CACHE=1) -AC_SUBST(NECKO_DISK_CACHE) -if test "$NECKO_DISK_CACHE"; then - AC_DEFINE(NECKO_DISK_CACHE) -fi - dnl dnl option to disable necko's wifi scanner dnl diff --git a/content/base/public/nsIFrameMessageManager.idl b/content/base/public/nsIFrameMessageManager.idl index c428d7be43d7..9cbbf16d570e 100644 --- a/content/base/public/nsIFrameMessageManager.idl +++ b/content/base/public/nsIFrameMessageManager.idl @@ -118,8 +118,15 @@ interface nsIInProcessContentFrameMessageManager : nsIContentFrameMessageManager [notxpcom] nsIContent getOwnerContent(); }; -[scriptable, uuid(ed6522fd-ffb6-4920-b50d-cf629309616b)] -interface nsIChromeFrameMessageManager : nsIFrameMessageManager +[scriptable, uuid(6331bbca-2c9f-4766-b3c7-ae75554bf1ec)] +interface nsITreeItemFrameMessageManager : nsIFrameMessageManager +{ + readonly attribute unsigned long childCount; + nsITreeItemFrameMessageManager getChildAt(in unsigned long aIndex); +}; + +[scriptable, uuid(23e6ef7b-8cc5-4e8b-9391-453440a3b858)] +interface nsIChromeFrameMessageManager : nsITreeItemFrameMessageManager { /* * Load a script in the (remote) frame. aURL must be the absolute URL. diff --git a/content/base/src/Makefile.in b/content/base/src/Makefile.in index 82ac31748466..688b787baeab 100644 --- a/content/base/src/Makefile.in +++ b/content/base/src/Makefile.in @@ -95,6 +95,7 @@ CPPSRCS = \ nsDOMAttribute.cpp \ nsDOMAttributeMap.cpp \ nsDOMBlobBuilder.cpp \ + nsDOMCaretPosition.cpp \ nsDOMDocumentType.cpp \ nsDOMEventTargetWrapperCache.cpp \ nsDOMFile.cpp \ diff --git a/content/base/src/nsDOMCaretPosition.cpp b/content/base/src/nsDOMCaretPosition.cpp new file mode 100644 index 000000000000..830d381e1941 --- /dev/null +++ b/content/base/src/nsDOMCaretPosition.cpp @@ -0,0 +1,77 @@ +/* ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is mozilla.org. + * + * The Initial Developer of the Original Code is + * the Mozilla Foundation. + * Portions created by the Initial Developer are Copyright (C) 2011 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * Brad Lassey + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * ***** END LICENSE BLOCK ***** */ + +#include "nsDOMCaretPosition.h" +#include "nsDOMClassInfoID.h" +#include "nsIDOMClassInfo.h" + +NS_INTERFACE_MAP_BEGIN_CYCLE_COLLECTION(nsDOMCaretPosition) + NS_INTERFACE_MAP_ENTRY(nsIDOMCaretPosition) + NS_INTERFACE_MAP_ENTRY_AMBIGUOUS(nsISupports, nsIDOMCaretPosition) + NS_DOM_INTERFACE_MAP_ENTRY_CLASSINFO(CaretPosition) +NS_INTERFACE_MAP_END + +NS_IMPL_CYCLE_COLLECTION_1(nsDOMCaretPosition, mNode) + +NS_IMPL_CYCLE_COLLECTING_ADDREF(nsDOMCaretPosition) +NS_IMPL_CYCLE_COLLECTING_RELEASE(nsDOMCaretPosition) + +DOMCI_DATA(CaretPosition, nsDOMCaretPosition) + + +nsDOMCaretPosition::nsDOMCaretPosition(nsIDOMNode* aNode, PRUint32 aOffset) + : mNode(aNode), mOffset(aOffset) +{ +} + +nsDOMCaretPosition::~nsDOMCaretPosition() +{ +} + +NS_IMETHODIMP nsDOMCaretPosition::GetOffsetNode(nsIDOMNode** aOffsetNode) +{ + nsCOMPtr node = mNode; + node.forget(aOffsetNode); + return NS_OK; +} + +NS_IMETHODIMP nsDOMCaretPosition::GetOffset(PRUint32* aOffset) +{ + *aOffset = mOffset; + return NS_OK; +} + diff --git a/content/base/src/nsDOMCaretPosition.h b/content/base/src/nsDOMCaretPosition.h new file mode 100644 index 000000000000..63520bf856bf --- /dev/null +++ b/content/base/src/nsDOMCaretPosition.h @@ -0,0 +1,59 @@ +/* ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is mozilla.org. + * + * The Initial Developer of the Original Code is + * the Mozilla Foundation. + * Portions created by the Initial Developer are Copyright (C) 2011 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * Brad Lassey + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * ***** END LICENSE BLOCK ***** */ + +#ifndef nsDOMCaretPosition_h +#define nsDOMCaretPosition_h + +#include "nsIDOMCaretPosition.h" +#include "nsCycleCollectionParticipant.h" +#include "nsCOMPtr.h" + +class nsDOMCaretPosition : public nsIDOMCaretPosition +{ +public: + NS_DECL_CYCLE_COLLECTING_ISUPPORTS + NS_DECL_CYCLE_COLLECTION_CLASS(nsDOMCaretPosition) + NS_DECL_NSIDOMCARETPOSITION + + nsDOMCaretPosition(nsIDOMNode* aNode, PRUint32 aOffset); + +protected: + virtual ~nsDOMCaretPosition(); + PRUint32 mOffset; + nsCOMPtr mNode; +}; +#endif diff --git a/content/base/src/nsDocument.cpp b/content/base/src/nsDocument.cpp index dac6cab89fdc..9cf806b669cb 100644 --- a/content/base/src/nsDocument.cpp +++ b/content/base/src/nsDocument.cpp @@ -202,9 +202,13 @@ #include "nsDOMTouchEvent.h" #include "mozilla/Preferences.h" +#include "nsFrame.h" #include "imgILoader.h" +#include "nsDOMCaretPosition.h" +#include "nsIDOMHTMLTextAreaElement.h" + using namespace mozilla; using namespace mozilla::dom; @@ -8394,6 +8398,58 @@ nsDocument::CreateTouchList(nsIVariant* aPoints, return NS_OK; } +NS_IMETHODIMP +nsDocument::CaretPositionFromPoint(float aX, float aY, nsIDOMCaretPosition** aCaretPos) +{ + NS_ENSURE_ARG_POINTER(aCaretPos); + *aCaretPos = nsnull; + + nscoord x = nsPresContext::CSSPixelsToAppUnits(aX); + nscoord y = nsPresContext::CSSPixelsToAppUnits(aY); + nsPoint pt(x, y); + + nsIPresShell *ps = GetShell(); + if (!ps) { + return NS_OK; + } + + nsIFrame *rootFrame = ps->GetRootFrame(); + + // XUL docs, unlike HTML, have no frame tree until everything's done loading + if (!rootFrame) { + return NS_OK; // return null to premature XUL callers as a reminder to wait + } + + nsIFrame *ptFrame = nsLayoutUtils::GetFrameForPoint(rootFrame, pt, PR_TRUE, + PR_FALSE); + if (!ptFrame) { + return NS_OK; + } + + nsFrame::ContentOffsets offsets = ptFrame->GetContentOffsetsFromPoint(pt); + nsCOMPtr node = do_QueryInterface(offsets.content); + nsIContent* ptContent = offsets.content; + PRInt32 offset = offsets.offset; + if (ptContent && ptContent->IsInNativeAnonymousSubtree()) { + nsIContent* nonanon = ptContent->FindFirstNonNativeAnonymous(); + nsCOMPtr input = do_QueryInterface(nonanon); + nsCOMPtr textArea = do_QueryInterface(nonanon); + PRBool isText; + if (textArea || (input && + NS_SUCCEEDED(input->MozIsTextField(PR_FALSE, &isText)) && + isText)) { + node = do_QueryInterface(nonanon); + } else { + node = nsnull; + offset = 0; + } + } + + *aCaretPos = new nsDOMCaretPosition(node, offset); + NS_ADDREF(*aCaretPos); + return NS_OK; +} + PRInt64 nsIDocument::SizeOf() const { diff --git a/content/base/src/nsFrameLoader.cpp b/content/base/src/nsFrameLoader.cpp index 2f4bd5a05443..89721ddd7e85 100644 --- a/content/base/src/nsFrameLoader.cpp +++ b/content/base/src/nsFrameLoader.cpp @@ -1791,7 +1791,7 @@ nsFrameLoader::TryRemoteBrowser() return false; } - ContentParent* parent = ContentParent::GetSingleton(); + ContentParent* parent = ContentParent::GetNewOrUsed(); NS_ASSERTION(parent->IsAlive(), "Process parent should be alive; something is very wrong!"); mRemoteBrowser = parent->CreateTab(chromeFlags); if (mRemoteBrowser) { diff --git a/content/base/src/nsFrameMessageManager.cpp b/content/base/src/nsFrameMessageManager.cpp index c3fdd79a8c7d..a922b45208b6 100644 --- a/content/base/src/nsFrameMessageManager.cpp +++ b/content/base/src/nsFrameMessageManager.cpp @@ -98,6 +98,8 @@ NS_INTERFACE_MAP_BEGIN_CYCLE_COLLECTION(nsFrameMessageManager) !mChrome && !mIsProcessManager) /* Message managers in child process support nsISyncMessageSender. */ NS_INTERFACE_MAP_ENTRY_CONDITIONAL(nsISyncMessageSender, !mChrome) + /* Message managers in chrome process support nsITreeItemFrameMessageManager. */ + NS_INTERFACE_MAP_ENTRY_CONDITIONAL(nsITreeItemFrameMessageManager, mChrome) /* Process message manager doesn't support nsIChromeFrameMessageManager. */ NS_INTERFACE_MAP_ENTRY_CONDITIONAL(nsIChromeFrameMessageManager, mChrome && !mIsProcessManager) @@ -323,6 +325,24 @@ nsFrameMessageManager::GetDocShell(nsIDocShell** aDocShell) return NS_OK; } +NS_IMETHODIMP +nsFrameMessageManager::GetChildCount(PRUint32* aChildCount) +{ + *aChildCount = static_cast(mChildManagers.Count()); + return NS_OK; +} + +NS_IMETHODIMP +nsFrameMessageManager::GetChildAt(PRUint32 aIndex, + nsITreeItemFrameMessageManager** aMM) +{ + *aMM = nsnull; + nsCOMPtr mm = + do_QueryInterface(mChildManagers.SafeObjectAt(static_cast(aIndex))); + mm.swap(*aMM); + return NS_OK; +} + NS_IMETHODIMP nsFrameMessageManager::Btoa(const nsAString& aBinaryData, nsAString& aAsciiBase64String) @@ -823,7 +843,7 @@ bool SendAsyncMessageToChildProcess(void* aCallbackData, const nsAString& aJSON) { mozilla::dom::ContentParent* cp = - mozilla::dom::ContentParent::GetSingleton(PR_FALSE); + static_cast(aCallbackData); NS_WARN_IF_FALSE(cp, "No child process!"); if (cp) { return cp->SendAsyncMessage(nsString(aMessage), nsString(aJSON)); @@ -857,6 +877,7 @@ bool SendAsyncMessageToParentProcess(void* aCallbackData, return true; } +// This creates the global parent process message manager. nsresult NS_NewParentProcessMessageManager(nsIFrameMessageManager** aResult) { @@ -865,9 +886,9 @@ NS_NewParentProcessMessageManager(nsIFrameMessageManager** aResult) NS_ENSURE_TRUE(IsChromeProcess(), NS_ERROR_NOT_AVAILABLE); nsFrameMessageManager* mm = new nsFrameMessageManager(PR_TRUE, nsnull, - SendAsyncMessageToChildProcess, nsnull, - &nsFrameMessageManager::sParentProcessManager, + nsnull, + nsnull, nsnull, nsnull, PR_FALSE, @@ -877,6 +898,25 @@ NS_NewParentProcessMessageManager(nsIFrameMessageManager** aResult) return CallQueryInterface(mm, aResult); } +nsFrameMessageManager* +nsFrameMessageManager::NewProcessMessageManager(mozilla::dom::ContentParent* aProcess) +{ + if (!nsFrameMessageManager::sParentProcessManager) { + nsCOMPtr dummy; + NS_NewParentProcessMessageManager(getter_AddRefs(dummy)); + } + + nsFrameMessageManager* mm = new nsFrameMessageManager(PR_TRUE, + nsnull, + SendAsyncMessageToChildProcess, + nsnull, + aProcess, + nsFrameMessageManager::sParentProcessManager, + nsnull, + PR_FALSE, + PR_TRUE); + return mm; +} nsresult NS_NewChildProcessMessageManager(nsISyncMessageSender** aResult) diff --git a/content/base/src/nsFrameMessageManager.h b/content/base/src/nsFrameMessageManager.h index f2c9f751231f..b35892f4697b 100644 --- a/content/base/src/nsFrameMessageManager.h +++ b/content/base/src/nsFrameMessageManager.h @@ -52,6 +52,12 @@ #include "mozilla/Services.h" #include "nsIObserverService.h" +namespace mozilla { +namespace dom { +class ContentParent; +} +} + class nsAXPCNativeCallContext; struct JSContext; struct JSObject; @@ -125,6 +131,10 @@ public: NS_DECL_NSISYNCMESSAGESENDER NS_DECL_NSICONTENTFRAMEMESSAGEMANAGER NS_DECL_NSICHROMEFRAMEMESSAGEMANAGER + NS_DECL_NSITREEITEMFRAMEMESSAGEMANAGER + + static nsFrameMessageManager* + NewProcessMessageManager(mozilla::dom::ContentParent* aProcess); nsresult ReceiveMessage(nsISupports* aTarget, const nsAString& aMessage, PRBool aSync, const nsAString& aJSON, diff --git a/content/base/src/nsGenericElement.cpp b/content/base/src/nsGenericElement.cpp index e90b8a6e9c85..61ef8cd76792 100644 --- a/content/base/src/nsGenericElement.cpp +++ b/content/base/src/nsGenericElement.cpp @@ -1059,8 +1059,9 @@ nsINode::AddEventListener(const nsAString& aType, nsEventListenerManager* listener_manager = GetListenerManager(PR_TRUE); NS_ENSURE_STATE(listener_manager); - return listener_manager->AddEventListener(aType, aListener, aUseCapture, - aWantsUntrusted); + listener_manager->AddEventListener(aType, aListener, aUseCapture, + aWantsUntrusted); + return NS_OK; } NS_IMETHODIMP diff --git a/content/base/src/nsGkAtomList.h b/content/base/src/nsGkAtomList.h index bc4a6dcc706c..54c193d630e8 100644 --- a/content/base/src/nsGkAtomList.h +++ b/content/base/src/nsGkAtomList.h @@ -70,6 +70,7 @@ GK_ATOM(mozeditorbogusnode, "_moz_editor_bogus_node") GK_ATOM(mozgeneratedcontentbefore, "_moz_generated_content_before") GK_ATOM(mozgeneratedcontentafter, "_moz_generated_content_after") GK_ATOM(mozgeneratedcontentimage, "_moz_generated_content_image") +GK_ATOM(_moz_original_size, "_moz_original_size") GK_ATOM(_moz_target, "_moz_target") GK_ATOM(_moz_type, "_moz-type") GK_ATOM(menuactive, "_moz-menuactive") @@ -1873,6 +1874,7 @@ GK_ATOM(images_in_menus, "images-in-menus") GK_ATOM(images_in_buttons, "images-in-buttons") GK_ATOM(windows_default_theme, "windows-default-theme") GK_ATOM(mac_graphite_theme, "mac-graphite-theme") +GK_ATOM(mac_lion_theme, "mac-lion-theme") GK_ATOM(windows_compositor, "windows-compositor") GK_ATOM(touch_enabled, "touch-enabled") GK_ATOM(maemo_classic, "maemo-classic") @@ -1898,6 +1900,7 @@ GK_ATOM(_moz_images_in_menus, "-moz-images-in-menus") GK_ATOM(_moz_images_in_buttons, "-moz-images-in-buttons") GK_ATOM(_moz_windows_default_theme, "-moz-windows-default-theme") GK_ATOM(_moz_mac_graphite_theme, "-moz-mac-graphite-theme") +GK_ATOM(_moz_mac_lion_theme, "-moz-mac-lion-theme") GK_ATOM(_moz_windows_compositor, "-moz-windows-compositor") GK_ATOM(_moz_windows_classic, "-moz-windows-classic") GK_ATOM(_moz_windows_theme, "-moz-windows-theme") diff --git a/content/base/test/Makefile.in b/content/base/test/Makefile.in index 3f3fc099b6ee..e60957c82f82 100644 --- a/content/base/test/Makefile.in +++ b/content/base/test/Makefile.in @@ -503,6 +503,7 @@ _TEST_FILES2 = \ test_bug666604.html \ test_bug675121.html \ file_bug675121.sjs \ + test_bug654352.html \ $(NULL) _CHROME_FILES = \ diff --git a/content/base/test/test_bug654352.html b/content/base/test/test_bug654352.html new file mode 100644 index 000000000000..0cfa0dcc68b7 --- /dev/null +++ b/content/base/test/test_bug654352.html @@ -0,0 +1,50 @@ + + + + + Test for Bug 654352 + + + + + +Mozilla Bug 654352 +

+ +
+
+
+ + 
test text
+ +
+
+ + + + + diff --git a/content/base/test/test_copypaste.html b/content/base/test/test_copypaste.html index 448f40af97bf..256b9dc4d782 100644 --- a/content/base/test/test_copypaste.html +++ b/content/base/test/test_copypaste.html @@ -53,8 +53,8 @@ function testCopyPaste () { function copySelectionToClipboard() { documentViewer.copySelection(); - is(clipboard.hasDataMatchingFlavors(["text/unicode"], 1,1), true); - is(clipboard.hasDataMatchingFlavors(["text/html"], 1,1), true); + ok(clipboard.hasDataMatchingFlavors(["text/unicode"], 1,1), "check text/unicode"); + ok(clipboard.hasDataMatchingFlavors(["text/html"], 1,1), "check text/html"); } function copyToClipboard(node) { textarea.blur(); diff --git a/content/events/src/nsDOMEventTargetHelper.cpp b/content/events/src/nsDOMEventTargetHelper.cpp index fe9f7a47de4f..e72de6201d7c 100644 --- a/content/events/src/nsDOMEventTargetHelper.cpp +++ b/content/events/src/nsDOMEventTargetHelper.cpp @@ -126,7 +126,8 @@ nsDOMEventTargetHelper::AddEventListener(const nsAString& aType, nsEventListenerManager* elm = GetListenerManager(PR_TRUE); NS_ENSURE_STATE(elm); - return elm->AddEventListener(aType, aListener, aUseCapture, aWantsUntrusted); + elm->AddEventListener(aType, aListener, aUseCapture, aWantsUntrusted); + return NS_OK; } NS_IMETHODIMP diff --git a/content/events/src/nsDOMMessageEvent.cpp b/content/events/src/nsDOMMessageEvent.cpp index a90066458ecd..d6923be05054 100644 --- a/content/events/src/nsDOMMessageEvent.cpp +++ b/content/events/src/nsDOMMessageEvent.cpp @@ -103,9 +103,11 @@ nsDOMMessageEvent::UnrootData() } NS_IMETHODIMP -nsDOMMessageEvent::GetData(jsval* aData) +nsDOMMessageEvent::GetData(JSContext* aCx, jsval* aData) { *aData = mData; + if (!JS_WrapValue(aCx, aData)) + return NS_ERROR_FAILURE; return NS_OK; } diff --git a/content/events/src/nsEventListenerManager.cpp b/content/events/src/nsEventListenerManager.cpp index 546d7bcf3065..87bbf3ff43b5 100644 --- a/content/events/src/nsEventListenerManager.cpp +++ b/content/events/src/nsEventListenerManager.cpp @@ -209,14 +209,17 @@ nsEventListenerManager::GetInnerWindowForTarget() return nsnull; } -nsresult +void nsEventListenerManager::AddEventListener(nsIDOMEventListener *aListener, PRUint32 aType, nsIAtom* aTypeAtom, PRInt32 aFlags) { - NS_ENSURE_TRUE(aListener, NS_ERROR_FAILURE); - NS_ENSURE_TRUE(aType, NS_ERROR_FAILURE); + NS_ABORT_IF_FALSE(aType && aTypeAtom, "Missing type"); + + if (!aListener) { + return; + } nsRefPtr kungFuDeathGrip = aListener; @@ -226,7 +229,7 @@ nsEventListenerManager::AddEventListener(nsIDOMEventListener *aListener, ls = &mListeners.ElementAt(i); if (ls->mListener == aListener && ls->mFlags == aFlags && EVENT_TYPE_EQUALS(ls, aType, aTypeAtom)) { - return NS_OK; + return; } } @@ -291,8 +294,6 @@ nsEventListenerManager::AddEventListener(nsIDOMEventListener *aListener, if (window) window->SetHasTouchEventListeners(); } - - return NS_OK; } void @@ -334,14 +335,14 @@ ListenerCanHandle(nsListenerStruct* aLs, nsEvent* aEvent) (aLs->mEventType == aEvent->message); } -nsresult +void nsEventListenerManager::AddEventListenerByType(nsIDOMEventListener *aListener, const nsAString& aType, PRInt32 aFlags) { nsCOMPtr atom = do_GetAtom(NS_LITERAL_STRING("on") + aType); PRUint32 type = nsContentUtils::GetEventId(atom); - return AddEventListener(aListener, type, atom, aFlags); + AddEventListener(aListener, type, atom, aFlags); } void @@ -943,8 +944,7 @@ nsEventListenerManager::Disconnect() RemoveAllListeners(); } -// nsIDOMEventTarget interface -nsresult +void nsEventListenerManager::AddEventListener(const nsAString& aType, nsIDOMEventListener* aListener, PRBool aUseCapture, diff --git a/content/events/src/nsEventListenerManager.h b/content/events/src/nsEventListenerManager.h index 506fea2a80dd..84f9186ddc93 100644 --- a/content/events/src/nsEventListenerManager.h +++ b/content/events/src/nsEventListenerManager.h @@ -84,10 +84,10 @@ public: NS_DECL_CYCLE_COLLECTION_NATIVE_CLASS(nsEventListenerManager) - nsresult AddEventListener(const nsAString& aType, - nsIDOMEventListener* aListener, - PRBool aUseCapture, - PRBool aWantsUntrusted); + void AddEventListener(const nsAString& aType, + nsIDOMEventListener* aListener, + PRBool aUseCapture, + PRBool aWantsUntrusted); void RemoveEventListener(const nsAString& aType, nsIDOMEventListener* aListener, PRBool aUseCapture); @@ -96,9 +96,9 @@ public: * Sets events listeners of all types. * @param an event listener */ - nsresult AddEventListenerByType(nsIDOMEventListener *aListener, - const nsAString& type, - PRInt32 aFlags); + void AddEventListenerByType(nsIDOMEventListener *aListener, + const nsAString& type, + PRInt32 aFlags); void RemoveEventListenerByType(nsIDOMEventListener *aListener, const nsAString& type, PRInt32 aFlags); @@ -210,10 +210,10 @@ protected: void *aScopeGlobal, nsIAtom* aName, PRBool aIsString, PRBool aPermitUntrustedEvents); - nsresult AddEventListener(nsIDOMEventListener *aListener, - PRUint32 aType, - nsIAtom* aTypeAtom, - PRInt32 aFlags); + void AddEventListener(nsIDOMEventListener *aListener, + PRUint32 aType, + nsIAtom* aTypeAtom, + PRInt32 aFlags); void RemoveEventListener(nsIDOMEventListener *aListener, PRUint32 aType, nsIAtom* aUserType, diff --git a/content/events/src/nsEventListenerService.cpp b/content/events/src/nsEventListenerService.cpp index 6ed73f56ce85..5336ff95a281 100644 --- a/content/events/src/nsEventListenerService.cpp +++ b/content/events/src/nsEventListenerService.cpp @@ -280,7 +280,8 @@ nsEventListenerService::AddSystemEventListener(nsIDOMEventTarget *aTarget, NS_EVENT_FLAG_SYSTEM_EVENT : NS_EVENT_FLAG_BUBBLE | NS_EVENT_FLAG_SYSTEM_EVENT; - return manager->AddEventListenerByType(aListener, aType, flags); + manager->AddEventListenerByType(aListener, aType, flags); + return NS_OK; } NS_IMETHODIMP diff --git a/content/events/test/Makefile.in b/content/events/test/Makefile.in index 1a07b15ae0c8..299fb0f4804f 100644 --- a/content/events/test/Makefile.in +++ b/content/events/test/Makefile.in @@ -107,6 +107,8 @@ _TEST_FILES = \ test_bug662678.html \ test_bug667919-1.html \ test_bug667919-2.html \ + test_bug667612.html \ + empty.js \ $(NULL) #bug 585630 @@ -135,6 +137,8 @@ _CHROME_FILES = \ test_bug602962.xul \ test_bug617528.xul \ window_bug617528.xul \ + test_bug679494.xul \ + file_bug679494.html \ $(NULL) libs:: $(_TEST_FILES) diff --git a/content/events/test/empty.js b/content/events/test/empty.js new file mode 100644 index 000000000000..e69de29bb2d1 diff --git a/content/events/test/file_bug679494.html b/content/events/test/file_bug679494.html new file mode 100644 index 000000000000..a2e47916c571 --- /dev/null +++ b/content/events/test/file_bug679494.html @@ -0,0 +1,8 @@ + + + Test for Bug 679494 + + + There and back again. + + diff --git a/content/events/test/test_bug667612.html b/content/events/test/test_bug667612.html new file mode 100644 index 000000000000..b5d4fe88b7fd --- /dev/null +++ b/content/events/test/test_bug667612.html @@ -0,0 +1,39 @@ + + + + + Test for Bug 667612 + + + + + +Mozilla Bug 667612 +

+ +
+
+
+ + diff --git a/content/events/test/test_bug679494.xul b/content/events/test/test_bug679494.xul new file mode 100644 index 000000000000..059c2580d5e3 --- /dev/null +++ b/content/events/test/test_bug679494.xul @@ -0,0 +1,37 @@ + + + + + + + Test for Bug 67949 + + + diff --git a/content/html/content/src/nsHTMLTableCellElement.cpp b/content/html/content/src/nsHTMLTableCellElement.cpp index 314d77080ff9..bdf3bb8acd6f 100644 --- a/content/html/content/src/nsHTMLTableCellElement.cpp +++ b/content/html/content/src/nsHTMLTableCellElement.cpp @@ -36,6 +36,7 @@ * ***** END LICENSE BLOCK ***** */ #include "nsIDOMHTMLTableCellElement.h" #include "nsIDOMHTMLTableRowElement.h" +#include "nsHTMLTableElement.h" #include "nsIDOMHTMLCollection.h" #include "nsIDOMEventTarget.h" #include "nsMappedAttributes.h" @@ -44,6 +45,7 @@ #include "nsStyleConsts.h" #include "nsPresContext.h" #include "nsRuleData.h" +#include "nsRuleWalker.h" #include "nsIDocument.h" #include "celldata.h" @@ -203,19 +205,15 @@ nsHTMLTableCellElement::WalkContentStyleRules(nsRuleWalker* aRuleWalker) nsresult rv = nsGenericHTMLElement::WalkContentStyleRules(aRuleWalker); NS_ENSURE_SUCCESS(rv, rv); - // Add style information from the mapped attributes of the table - // element. This depends on the strange behavior of the - // |MapAttributesIntoRule| in nsHTMLTableElement.cpp, which is - // technically incorrect since it's violating the nsIStyleRule - // contract. However, things are OK (except for the incorrect - // dependence on display type rather than tag) since tables and cells - // match different, less specific, rules. - nsIContent* table = GetTable(); - if (table) { - rv = table->WalkContentStyleRules(aRuleWalker); + nsIContent* node = GetTable(); + if (node && node->IsHTML() && node->NodeInfo()->Equals(nsGkAtoms::table)) { + nsHTMLTableElement* table = static_cast(node); + nsMappedAttributes* tableInheritedAttributes = + table->GetAttributesMappedForCell(); + if (tableInheritedAttributes) + aRuleWalker->Forward(tableInheritedAttributes); } - - return rv; + return NS_OK; } diff --git a/content/html/content/src/nsHTMLTableElement.cpp b/content/html/content/src/nsHTMLTableElement.cpp index 1066f40fe673..24139269aa98 100644 --- a/content/html/content/src/nsHTMLTableElement.cpp +++ b/content/html/content/src/nsHTMLTableElement.cpp @@ -34,14 +34,13 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -#include "nsIDOMHTMLTableElement.h" +#include "nsHTMLTableElement.h" #include "nsIDOMHTMLTableCaptionElem.h" #include "nsIDOMHTMLTableSectionElem.h" #include "nsCOMPtr.h" #include "nsIDOMEventTarget.h" #include "nsDOMError.h" #include "nsContentList.h" -#include "nsMappedAttributes.h" #include "nsGenericHTMLElement.h" #include "nsGkAtoms.h" #include "nsStyleConsts.h" @@ -56,59 +55,7 @@ #include "nsGenericHTMLElement.h" #include "nsIHTMLCollection.h" /* end for collections */ - -class TableRowsCollection; - -class nsHTMLTableElement : public nsGenericHTMLElement, - public nsIDOMHTMLTableElement -{ -public: - nsHTMLTableElement(already_AddRefed aNodeInfo); - virtual ~nsHTMLTableElement(); - - // nsISupports - NS_DECL_ISUPPORTS_INHERITED - - // nsIDOMNode - NS_FORWARD_NSIDOMNODE(nsGenericHTMLElement::) - - // nsIDOMElement - NS_FORWARD_NSIDOMELEMENT(nsGenericHTMLElement::) - - // nsIDOMHTMLElement - NS_FORWARD_NSIDOMHTMLELEMENT(nsGenericHTMLElement::) - - // nsIDOMHTMLTableElement - NS_DECL_NSIDOMHTMLTABLEELEMENT - - virtual PRBool ParseAttribute(PRInt32 aNamespaceID, - nsIAtom* aAttribute, - const nsAString& aValue, - nsAttrValue& aResult); - virtual nsMapRuleToAttributesFunc GetAttributeMappingFunction() const; - NS_IMETHOD_(PRBool) IsAttributeMapped(const nsIAtom* aAttribute) const; - - virtual nsresult Clone(nsINodeInfo *aNodeInfo, nsINode **aResult) const; - - virtual nsXPCClassInfo* GetClassInfo(); - - NS_DECL_CYCLE_COLLECTION_CLASS_INHERITED_NO_UNLINK(nsHTMLTableElement, - nsGenericHTMLElement) - - already_AddRefed GetTHead() { - return GetSection(nsGkAtoms::thead); - } - already_AddRefed GetTFoot() { - return GetSection(nsGkAtoms::tfoot); - } - nsContentList* TBodies(); -protected: - already_AddRefed GetSection(nsIAtom *aTag); - - nsRefPtr mTBodies; - nsRefPtr mRows; -}; - +#include "nsHTMLStyleSheet.h" /* ------------------------------ TableRowsCollection -------------------------------- */ /** @@ -367,7 +314,8 @@ NS_IMPL_NS_NEW_HTML_ELEMENT(Table) nsHTMLTableElement::nsHTMLTableElement(already_AddRefed aNodeInfo) - : nsGenericHTMLElement(aNodeInfo) + : nsGenericHTMLElement(aNodeInfo), + mTableInheritedAttributes(TABLE_ATTRS_DIRTY) { } @@ -376,6 +324,7 @@ nsHTMLTableElement::~nsHTMLTableElement() if (mRows) { mRows->ParentDestroyed(); } + ReleaseInheritedAttributes(); } @@ -1030,219 +979,155 @@ MapAttributesIntoRule(const nsMappedAttributes* aAttributes, nsCompatibility mode = presContext->CompatibilityMode(); if (aData->mSIDs & NS_STYLE_INHERIT_BIT(TableBorder)) { - const nsStyleDisplay* readDisplay = aData->mStyleContext->GetStyleDisplay(); - if (readDisplay->mDisplay != NS_STYLE_DISPLAY_TABLE_CELL) { - // cellspacing - const nsAttrValue* value = aAttributes->GetAttr(nsGkAtoms::cellspacing); - nsCSSValue* borderSpacing = aData->ValueForBorderSpacing(); - if (value && value->Type() == nsAttrValue::eInteger) { - if (borderSpacing->GetUnit() == eCSSUnit_Null) - borderSpacing-> - SetFloatValue((float)value->GetIntegerValue(), eCSSUnit_Pixel); + // cellspacing + const nsAttrValue* value = aAttributes->GetAttr(nsGkAtoms::cellspacing); + nsCSSValue* borderSpacing = aData->ValueForBorderSpacing(); + if (value && value->Type() == nsAttrValue::eInteger) { + if (borderSpacing->GetUnit() == eCSSUnit_Null) { + borderSpacing-> + SetFloatValue((float)value->GetIntegerValue(), eCSSUnit_Pixel); } - else if (value && value->Type() == nsAttrValue::ePercent && - eCompatibility_NavQuirks == mode) { - // in quirks mode, treat a % cellspacing value a pixel value. - if (borderSpacing->GetUnit() == eCSSUnit_Null) - borderSpacing-> - SetFloatValue(100.0f * value->GetPercentValue(), eCSSUnit_Pixel); + } + else if (value && value->Type() == nsAttrValue::ePercent && + eCompatibility_NavQuirks == mode) { + // in quirks mode, treat a % cellspacing value a pixel value. + if (borderSpacing->GetUnit() == eCSSUnit_Null) { + borderSpacing-> + SetFloatValue(100.0f * value->GetPercentValue(), eCSSUnit_Pixel); } } } if (aData->mSIDs & NS_STYLE_INHERIT_BIT(Table)) { - const nsStyleDisplay* readDisplay = aData->mStyleContext->GetStyleDisplay(); - if (readDisplay->mDisplay != NS_STYLE_DISPLAY_TABLE_CELL) { - const nsAttrValue* value; - // layout - nsCSSValue* tableLayout = aData->ValueForTableLayout(); - if (tableLayout->GetUnit() == eCSSUnit_Null) { - value = aAttributes->GetAttr(nsGkAtoms::layout); - if (value && value->Type() == nsAttrValue::eEnum) - tableLayout->SetIntValue(value->GetEnumValue(), eCSSUnit_Enumerated); - } - - // cols - value = aAttributes->GetAttr(nsGkAtoms::cols); - if (value) { - nsCSSValue* cols = aData->ValueForCols(); - if (value->Type() == nsAttrValue::eInteger) - cols->SetIntValue(value->GetIntegerValue(), eCSSUnit_Integer); - else // COLS had no value, so it refers to all columns - cols->SetIntValue(NS_STYLE_TABLE_COLS_ALL, eCSSUnit_Enumerated); - } + const nsAttrValue* value; + // layout + nsCSSValue* tableLayout = aData->ValueForTableLayout(); + if (tableLayout->GetUnit() == eCSSUnit_Null) { + value = aAttributes->GetAttr(nsGkAtoms::layout); + if (value && value->Type() == nsAttrValue::eEnum) + tableLayout->SetIntValue(value->GetEnumValue(), eCSSUnit_Enumerated); + } + // cols + value = aAttributes->GetAttr(nsGkAtoms::cols); + if (value) { + nsCSSValue* cols = aData->ValueForCols(); + if (value->Type() == nsAttrValue::eInteger) + cols->SetIntValue(value->GetIntegerValue(), eCSSUnit_Integer); + else // COLS had no value, so it refers to all columns + cols->SetIntValue(NS_STYLE_TABLE_COLS_ALL, eCSSUnit_Enumerated); } } if (aData->mSIDs & NS_STYLE_INHERIT_BIT(Margin)) { const nsStyleDisplay* readDisplay = aData->mStyleContext->GetStyleDisplay(); - - if (readDisplay->mDisplay != NS_STYLE_DISPLAY_TABLE_CELL) { - // align; Check for enumerated type (it may be another type if - // illegal) - const nsAttrValue* value = aAttributes->GetAttr(nsGkAtoms::align); + // align; Check for enumerated type (it may be another type if + // illegal) + const nsAttrValue* value = aAttributes->GetAttr(nsGkAtoms::align); - if (value && value->Type() == nsAttrValue::eEnum) { - if (value->GetEnumValue() == NS_STYLE_TEXT_ALIGN_CENTER || - value->GetEnumValue() == NS_STYLE_TEXT_ALIGN_MOZ_CENTER) { - nsCSSValue* marginLeft = aData->ValueForMarginLeftValue(); - if (marginLeft->GetUnit() == eCSSUnit_Null) - marginLeft->SetAutoValue(); - nsCSSValue* marginRight = aData->ValueForMarginRightValue(); - if (marginRight->GetUnit() == eCSSUnit_Null) - marginRight->SetAutoValue(); - } - } - - // hspace is mapped into left and right margin, - // vspace is mapped into top and bottom margins - // - *** Quirks Mode only *** - if (eCompatibility_NavQuirks == mode) { - value = aAttributes->GetAttr(nsGkAtoms::hspace); - - if (value && value->Type() == nsAttrValue::eInteger) { - nsCSSValue* marginLeft = aData->ValueForMarginLeftValue(); - if (marginLeft->GetUnit() == eCSSUnit_Null) - marginLeft->SetFloatValue((float)value->GetIntegerValue(), eCSSUnit_Pixel); - nsCSSValue* marginRight = aData->ValueForMarginRightValue(); - if (marginRight->GetUnit() == eCSSUnit_Null) - marginRight->SetFloatValue((float)value->GetIntegerValue(), eCSSUnit_Pixel); - } - - value = aAttributes->GetAttr(nsGkAtoms::vspace); - - if (value && value->Type() == nsAttrValue::eInteger) { - nsCSSValue* marginTop = aData->ValueForMarginTop(); - if (marginTop->GetUnit() == eCSSUnit_Null) - marginTop->SetFloatValue((float)value->GetIntegerValue(), eCSSUnit_Pixel); - nsCSSValue* marginBottom = aData->ValueForMarginBottom(); - if (marginBottom->GetUnit() == eCSSUnit_Null) - marginBottom->SetFloatValue((float)value->GetIntegerValue(), eCSSUnit_Pixel); - } + if (value && value->Type() == nsAttrValue::eEnum) { + if (value->GetEnumValue() == NS_STYLE_TEXT_ALIGN_CENTER || + value->GetEnumValue() == NS_STYLE_TEXT_ALIGN_MOZ_CENTER) { + nsCSSValue* marginLeft = aData->ValueForMarginLeftValue(); + if (marginLeft->GetUnit() == eCSSUnit_Null) + marginLeft->SetAutoValue(); + nsCSSValue* marginRight = aData->ValueForMarginRightValue(); + if (marginRight->GetUnit() == eCSSUnit_Null) + marginRight->SetAutoValue(); } } - } - if (aData->mSIDs & NS_STYLE_INHERIT_BIT(Padding)) { - const nsStyleDisplay* readDisplay = aData->mStyleContext->GetStyleDisplay(); - if (readDisplay->mDisplay == NS_STYLE_DISPLAY_TABLE_CELL) { - const nsAttrValue* value = aAttributes->GetAttr(nsGkAtoms::cellpadding); - if (value) { - nsAttrValue::ValueType valueType = value->Type(); - if (valueType == nsAttrValue::eInteger || valueType == nsAttrValue::ePercent) { - // We have cellpadding. This will override our padding values if we don't - // have any set. - nsCSSValue padVal; - if (valueType == nsAttrValue::eInteger) - padVal.SetFloatValue((float)value->GetIntegerValue(), eCSSUnit_Pixel); - else { - // when we support % cellpadding in standard mode, uncomment the following - float pctVal = value->GetPercentValue(); - //if (eCompatibility_NavQuirks == mode) { - // in quirks mode treat a pct cellpadding value as a pixel value - padVal.SetFloatValue(100.0f * pctVal, eCSSUnit_Pixel); - //} - //else { - // padVal.SetPercentValue(pctVal); - //} - } - nsCSSValue* paddingLeft = aData->ValueForPaddingLeftValue(); - if (paddingLeft->GetUnit() == eCSSUnit_Null) - *paddingLeft = padVal; - nsCSSValue* paddingRight = aData->ValueForPaddingRightValue(); - if (paddingRight->GetUnit() == eCSSUnit_Null) - *paddingRight = padVal; - nsCSSValue* paddingTop = aData->ValueForPaddingTop(); - if (paddingTop->GetUnit() == eCSSUnit_Null) - *paddingTop = padVal; - nsCSSValue* paddingBottom = aData->ValueForPaddingBottom(); - if (paddingBottom->GetUnit() == eCSSUnit_Null) - *paddingBottom = padVal; - } + + // hspace is mapped into left and right margin, + // vspace is mapped into top and bottom margins + // - *** Quirks Mode only *** + if (eCompatibility_NavQuirks == mode) { + value = aAttributes->GetAttr(nsGkAtoms::hspace); + + if (value && value->Type() == nsAttrValue::eInteger) { + nsCSSValue* marginLeft = aData->ValueForMarginLeftValue(); + if (marginLeft->GetUnit() == eCSSUnit_Null) + marginLeft->SetFloatValue((float)value->GetIntegerValue(), eCSSUnit_Pixel); + nsCSSValue* marginRight = aData->ValueForMarginRightValue(); + if (marginRight->GetUnit() == eCSSUnit_Null) + marginRight->SetFloatValue((float)value->GetIntegerValue(), eCSSUnit_Pixel); + } + + value = aAttributes->GetAttr(nsGkAtoms::vspace); + + if (value && value->Type() == nsAttrValue::eInteger) { + nsCSSValue* marginTop = aData->ValueForMarginTop(); + if (marginTop->GetUnit() == eCSSUnit_Null) + marginTop->SetFloatValue((float)value->GetIntegerValue(), eCSSUnit_Pixel); + nsCSSValue* marginBottom = aData->ValueForMarginBottom(); + if (marginBottom->GetUnit() == eCSSUnit_Null) + marginBottom->SetFloatValue((float)value->GetIntegerValue(), eCSSUnit_Pixel); } } } if (aData->mSIDs & NS_STYLE_INHERIT_BIT(Position)) { - const nsStyleDisplay* readDisplay = aData->mStyleContext->GetStyleDisplay(); - - if (readDisplay->mDisplay != NS_STYLE_DISPLAY_TABLE_CELL) { - // width: value - nsCSSValue* width = aData->ValueForWidth(); - if (width->GetUnit() == eCSSUnit_Null) { - const nsAttrValue* value = aAttributes->GetAttr(nsGkAtoms::width); - if (value && value->Type() == nsAttrValue::eInteger) - width->SetFloatValue((float)value->GetIntegerValue(), eCSSUnit_Pixel); - else if (value && value->Type() == nsAttrValue::ePercent) - width->SetPercentValue(value->GetPercentValue()); - } - - // height: value - nsCSSValue* height = aData->ValueForHeight(); - if (height->GetUnit() == eCSSUnit_Null) { - const nsAttrValue* value = aAttributes->GetAttr(nsGkAtoms::height); - if (value && value->Type() == nsAttrValue::eInteger) - height->SetFloatValue((float)value->GetIntegerValue(), eCSSUnit_Pixel); - else if (value && value->Type() == nsAttrValue::ePercent) - height->SetPercentValue(value->GetPercentValue()); - } + // width: value + nsCSSValue* width = aData->ValueForWidth(); + if (width->GetUnit() == eCSSUnit_Null) { + const nsAttrValue* value = aAttributes->GetAttr(nsGkAtoms::width); + if (value && value->Type() == nsAttrValue::eInteger) + width->SetFloatValue((float)value->GetIntegerValue(), eCSSUnit_Pixel); + else if (value && value->Type() == nsAttrValue::ePercent) + width->SetPercentValue(value->GetPercentValue()); + } + + // height: value + nsCSSValue* height = aData->ValueForHeight(); + if (height->GetUnit() == eCSSUnit_Null) { + const nsAttrValue* value = aAttributes->GetAttr(nsGkAtoms::height); + if (value && value->Type() == nsAttrValue::eInteger) + height->SetFloatValue((float)value->GetIntegerValue(), eCSSUnit_Pixel); + else if (value && value->Type() == nsAttrValue::ePercent) + height->SetPercentValue(value->GetPercentValue()); } - } - if (aData->mSIDs & NS_STYLE_INHERIT_BIT(Visibility)) { - const nsStyleDisplay* readDisplay = aData->mStyleContext->GetStyleDisplay(); - - if (readDisplay->mDisplay != NS_STYLE_DISPLAY_TABLE_CELL) - nsGenericHTMLElement::MapCommonAttributesInto(aAttributes, aData); } if (aData->mSIDs & NS_STYLE_INHERIT_BIT(Border)) { - const nsStyleDisplay* readDisplay = aData->mStyleContext->GetStyleDisplay(); - if (readDisplay->mDisplay != NS_STYLE_DISPLAY_TABLE_CELL) { - // bordercolor - const nsAttrValue* value = aAttributes->GetAttr(nsGkAtoms::bordercolor); - nscolor color; - if (value && presContext->UseDocumentColors() && - value->GetColorValue(color)) { - nsCSSValue* borderLeftColor = aData->ValueForBorderLeftColorValue(); - if (borderLeftColor->GetUnit() == eCSSUnit_Null) - borderLeftColor->SetColorValue(color); - nsCSSValue* borderRightColor = aData->ValueForBorderRightColorValue(); - if (borderRightColor->GetUnit() == eCSSUnit_Null) - borderRightColor->SetColorValue(color); - nsCSSValue* borderTopColor = aData->ValueForBorderTopColor(); - if (borderTopColor->GetUnit() == eCSSUnit_Null) - borderTopColor->SetColorValue(color); - nsCSSValue* borderBottomColor = aData->ValueForBorderBottomColor(); - if (borderBottomColor->GetUnit() == eCSSUnit_Null) - borderBottomColor->SetColorValue(color); - } + // bordercolor + const nsAttrValue* value = aAttributes->GetAttr(nsGkAtoms::bordercolor); + nscolor color; + if (value && presContext->UseDocumentColors() && + value->GetColorValue(color)) { + nsCSSValue* borderLeftColor = aData->ValueForBorderLeftColorValue(); + if (borderLeftColor->GetUnit() == eCSSUnit_Null) + borderLeftColor->SetColorValue(color); + nsCSSValue* borderRightColor = aData->ValueForBorderRightColorValue(); + if (borderRightColor->GetUnit() == eCSSUnit_Null) + borderRightColor->SetColorValue(color); + nsCSSValue* borderTopColor = aData->ValueForBorderTopColor(); + if (borderTopColor->GetUnit() == eCSSUnit_Null) + borderTopColor->SetColorValue(color); + nsCSSValue* borderBottomColor = aData->ValueForBorderBottomColor(); + if (borderBottomColor->GetUnit() == eCSSUnit_Null) + borderBottomColor->SetColorValue(color); + } - // border - const nsAttrValue* borderValue = aAttributes->GetAttr(nsGkAtoms::border); - if (borderValue) { - // border = 1 pixel default - PRInt32 borderThickness = 1; + // border + const nsAttrValue* borderValue = aAttributes->GetAttr(nsGkAtoms::border); + if (borderValue) { + // border = 1 pixel default + PRInt32 borderThickness = 1; - if (borderValue->Type() == nsAttrValue::eInteger) - borderThickness = borderValue->GetIntegerValue(); + if (borderValue->Type() == nsAttrValue::eInteger) + borderThickness = borderValue->GetIntegerValue(); - // by default, set all border sides to the specified width - nsCSSValue* borderLeftWidth = aData->ValueForBorderLeftWidthValue(); - if (borderLeftWidth->GetUnit() == eCSSUnit_Null) - borderLeftWidth->SetFloatValue((float)borderThickness, eCSSUnit_Pixel); - nsCSSValue* borderRightWidth = aData->ValueForBorderRightWidthValue(); - if (borderRightWidth->GetUnit() == eCSSUnit_Null) - borderRightWidth->SetFloatValue((float)borderThickness, eCSSUnit_Pixel); - nsCSSValue* borderTopWidth = aData->ValueForBorderTopWidth(); - if (borderTopWidth->GetUnit() == eCSSUnit_Null) - borderTopWidth->SetFloatValue((float)borderThickness, eCSSUnit_Pixel); - nsCSSValue* borderBottomWidth = aData->ValueForBorderBottomWidth(); - if (borderBottomWidth->GetUnit() == eCSSUnit_Null) - borderBottomWidth->SetFloatValue((float)borderThickness, eCSSUnit_Pixel); - } + // by default, set all border sides to the specified width + nsCSSValue* borderLeftWidth = aData->ValueForBorderLeftWidthValue(); + if (borderLeftWidth->GetUnit() == eCSSUnit_Null) + borderLeftWidth->SetFloatValue((float)borderThickness, eCSSUnit_Pixel); + nsCSSValue* borderRightWidth = aData->ValueForBorderRightWidthValue(); + if (borderRightWidth->GetUnit() == eCSSUnit_Null) + borderRightWidth->SetFloatValue((float)borderThickness, eCSSUnit_Pixel); + nsCSSValue* borderTopWidth = aData->ValueForBorderTopWidth(); + if (borderTopWidth->GetUnit() == eCSSUnit_Null) + borderTopWidth->SetFloatValue((float)borderThickness, eCSSUnit_Pixel); + nsCSSValue* borderBottomWidth = aData->ValueForBorderBottomWidth(); + if (borderBottomWidth->GetUnit() == eCSSUnit_Null) + borderBottomWidth->SetFloatValue((float)borderThickness, eCSSUnit_Pixel); } } - if (aData->mSIDs & NS_STYLE_INHERIT_BIT(Background)) { - const nsStyleDisplay* readDisplay = aData->mStyleContext->GetStyleDisplay(); - - if (readDisplay->mDisplay != NS_STYLE_DISPLAY_TABLE_CELL) - nsGenericHTMLElement::MapBackgroundAttributesInto(aAttributes, aData); - } + nsGenericHTMLElement::MapBackgroundAttributesInto(aAttributes, aData); + nsGenericHTMLElement::MapCommonAttributesInto(aAttributes, aData); } NS_IMETHODIMP_(PRBool) @@ -1279,3 +1164,144 @@ nsHTMLTableElement::GetAttributeMappingFunction() const { return &MapAttributesIntoRule; } + +static void +MapInheritedTableAttributesIntoRule(const nsMappedAttributes* aAttributes, + nsRuleData* aData) +{ + if (aData->mSIDs & NS_STYLE_INHERIT_BIT(Padding)) { + const nsAttrValue* value = aAttributes->GetAttr(nsGkAtoms::cellpadding); + if (value) { + nsAttrValue::ValueType valueType = value->Type(); + if (valueType == nsAttrValue::eInteger || + valueType == nsAttrValue::ePercent) { + // We have cellpadding. This will override our padding values if we + // don't have any set. + nsCSSValue padVal; + if (valueType == nsAttrValue::eInteger) + padVal.SetFloatValue((float)value->GetIntegerValue(), eCSSUnit_Pixel); + else { + // when we support % cellpadding in standard mode, uncomment the + // following + float pctVal = value->GetPercentValue(); + //if (eCompatibility_NavQuirks == mode) { + // in quirks mode treat a pct cellpadding value as a pixel value + padVal.SetFloatValue(100.0f * pctVal, eCSSUnit_Pixel); + //} + //else { + // padVal.SetPercentValue(pctVal); + //} + } + nsCSSValue* paddingLeft = aData->ValueForPaddingLeftValue(); + if (paddingLeft->GetUnit() == eCSSUnit_Null) + *paddingLeft = padVal; + nsCSSValue* paddingRight = aData->ValueForPaddingRightValue(); + if (paddingRight->GetUnit() == eCSSUnit_Null) + *paddingRight = padVal; + nsCSSValue* paddingTop = aData->ValueForPaddingTop(); + if (paddingTop->GetUnit() == eCSSUnit_Null) + *paddingTop = padVal; + nsCSSValue* paddingBottom = aData->ValueForPaddingBottom(); + if (paddingBottom->GetUnit() == eCSSUnit_Null) + *paddingBottom = padVal; + } + } + } +} + +nsMappedAttributes* +nsHTMLTableElement::GetAttributesMappedForCell() +{ + if (mTableInheritedAttributes) { + if (mTableInheritedAttributes == TABLE_ATTRS_DIRTY) + BuildInheritedAttributes(); + if (mTableInheritedAttributes != TABLE_ATTRS_DIRTY) + return mTableInheritedAttributes; + } + return nsnull; +} + +void +nsHTMLTableElement::BuildInheritedAttributes() +{ + NS_ASSERTION(mTableInheritedAttributes == TABLE_ATTRS_DIRTY, + "potential leak, plus waste of work"); + nsIDocument *document = GetCurrentDoc(); + nsHTMLStyleSheet* sheet = document ? + document->GetAttributeStyleSheet() : nsnull; + nsRefPtr newAttrs; + if (sheet) { + const nsAttrValue* value = mAttrsAndChildren.GetAttr(nsGkAtoms::cellpadding); + if (value) { + nsRefPtr modifiableMapped = new + nsMappedAttributes(sheet, MapInheritedTableAttributesIntoRule); + + if (modifiableMapped) { + nsAttrValue val(*value); + modifiableMapped->SetAndTakeAttr(nsGkAtoms::cellpadding, val); + } + newAttrs = sheet->UniqueMappedAttributes(modifiableMapped); + NS_ASSERTION(newAttrs, "out of memory, but handling gracefully"); + + if (newAttrs != modifiableMapped) { + // Reset the stylesheet of modifiableMapped so that it doesn't + // spend time trying to remove itself from the hash. There is no + // risk that modifiableMapped is in the hash since we created + // it ourselves and it didn't come from the stylesheet (in which + // case it would not have been modifiable). + modifiableMapped->DropStyleSheetReference(); + } + } + mTableInheritedAttributes = newAttrs; + NS_IF_ADDREF(mTableInheritedAttributes); + } +} + +nsresult +nsHTMLTableElement::BindToTree(nsIDocument* aDocument, nsIContent* aParent, + nsIContent* aBindingParent, + PRBool aCompileEventHandlers) +{ + ReleaseInheritedAttributes(); + return nsGenericHTMLElement::BindToTree(aDocument, aParent, + aBindingParent, + aCompileEventHandlers); +} + +void +nsHTMLTableElement::UnbindFromTree(PRBool aDeep, PRBool aNullParent) +{ + ReleaseInheritedAttributes(); + nsGenericHTMLElement::UnbindFromTree(aDeep, aNullParent); +} + +nsresult +nsHTMLTableElement::SetAttr(PRInt32 aNameSpaceID, nsIAtom* aAttribute, + nsIAtom* aPrefix, const nsAString& aValue, + PRBool aNotify) +{ + PRBool isCellPadding = (aAttribute == nsGkAtoms::cellpadding); + if (isCellPadding) { + ReleaseInheritedAttributes(); + } + + nsresult rv = nsGenericHTMLElement::SetAttr(aNameSpaceID, aAttribute, + aPrefix, aValue, aNotify); + + if (isCellPadding) { + BuildInheritedAttributes(); + } + return rv; +} + +nsresult +nsHTMLTableElement::UnsetAttr(PRInt32 aNameSpaceID, nsIAtom* aAttribute, + PRBool aNotify) +{ + PRBool isCellPadding = (aAttribute == nsGkAtoms::cellpadding); + if (isCellPadding) { + ReleaseInheritedAttributes(); + } + + return nsGenericHTMLElement::UnsetAttr(aNameSpaceID, aAttribute, aNotify); +} diff --git a/content/html/content/src/nsHTMLTableElement.h b/content/html/content/src/nsHTMLTableElement.h new file mode 100644 index 000000000000..731115b38c51 --- /dev/null +++ b/content/html/content/src/nsHTMLTableElement.h @@ -0,0 +1,116 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is Mozilla Communicator client code. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 1998 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the terms of + * either of the GNU General Public License Version 2 or later (the "GPL"), + * or the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * ***** END LICENSE BLOCK ***** */ +#include "nsIDOMHTMLTableElement.h" +#include "nsGenericHTMLElement.h" +#include "nsMappedAttributes.h" + +#define TABLE_ATTRS_DIRTY ((nsMappedAttributes*)0x1) + + +class TableRowsCollection; + +class nsHTMLTableElement : public nsGenericHTMLElement, + public nsIDOMHTMLTableElement +{ +public: + nsHTMLTableElement(already_AddRefed aNodeInfo); + virtual ~nsHTMLTableElement(); + + // nsISupports + NS_DECL_ISUPPORTS_INHERITED + + // nsIDOMNode + NS_FORWARD_NSIDOMNODE(nsGenericHTMLElement::) + + // nsIDOMElement + NS_FORWARD_NSIDOMELEMENT(nsGenericHTMLElement::) + + // nsIDOMHTMLElement + NS_FORWARD_NSIDOMHTMLELEMENT(nsGenericHTMLElement::) + + // nsIDOMHTMLTableElement + NS_DECL_NSIDOMHTMLTABLEELEMENT + + virtual PRBool ParseAttribute(PRInt32 aNamespaceID, + nsIAtom* aAttribute, + const nsAString& aValue, + nsAttrValue& aResult); + virtual nsMapRuleToAttributesFunc GetAttributeMappingFunction() const; + NS_IMETHOD_(PRBool) IsAttributeMapped(const nsIAtom* aAttribute) const; + + virtual nsresult Clone(nsINodeInfo *aNodeInfo, nsINode **aResult) const; + + virtual nsXPCClassInfo* GetClassInfo(); + virtual nsresult BindToTree(nsIDocument* aDocument, nsIContent* aParent, + nsIContent* aBindingParent, + PRBool aCompileEventHandlers); + virtual void UnbindFromTree(PRBool aDeep = PR_TRUE, + PRBool aNullParent = PR_TRUE); + virtual nsresult SetAttr(PRInt32 aNameSpaceID, nsIAtom *aName, + nsIAtom *aPrefix, const nsAString &aValue, + PRBool aNotify); + virtual nsresult UnsetAttr(PRInt32 aNameSpaceID, nsIAtom* aAttribute, + PRBool aNotify); + + + NS_DECL_CYCLE_COLLECTION_CLASS_INHERITED_NO_UNLINK(nsHTMLTableElement, + nsGenericHTMLElement) + nsMappedAttributes* GetAttributesMappedForCell(); + already_AddRefed GetTHead() { + return GetSection(nsGkAtoms::thead); + } + already_AddRefed GetTFoot() { + return GetSection(nsGkAtoms::tfoot); + } + nsContentList* TBodies(); +protected: + already_AddRefed GetSection(nsIAtom *aTag); + + nsRefPtr mTBodies; + nsRefPtr mRows; + // Sentinel value of TABLE_ATTRS_DIRTY indicates that this is dirty and needs + // to be recalculated. + nsMappedAttributes *mTableInheritedAttributes; + void BuildInheritedAttributes(); + void ReleaseInheritedAttributes() { + if (mTableInheritedAttributes && + mTableInheritedAttributes != TABLE_ATTRS_DIRTY) + NS_RELEASE(mTableInheritedAttributes); + mTableInheritedAttributes = TABLE_ATTRS_DIRTY; + } +}; + diff --git a/content/media/test/test_delay_load.html b/content/media/test/test_delay_load.html index fc4d14541e0d..c4da3cdc640e 100644 --- a/content/media/test/test_delay_load.html +++ b/content/media/test/test_delay_load.html @@ -96,14 +96,16 @@ v.load(); // Load and move to another document. netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect"); v = createVideo(test.name, test.type, "4"); +v.onloadstart = function(e) { + // Opening a new window to do this is a bit annoying, but if we use an iframe here, + // delaying of the iframe's load event might interfere with the firing of our load event + // in some confusing way. So it's simpler just to open another window. + var w = window.open("", "testWindow", "width=400,height=400"); + w.document.body.appendChild(v); + testWindows.push(w); +}; v.load(); // load started while in this document, this doc's load will block until - // the video's finished loading (in the other document). -// Opening a new window to do this is a bit annoying, but if we use an iframe here, -// delaying of the iframe's load event might interfere with the firing of our load event -// in some confusing way. So it's simpler just to open another window. -var w = window.open("", "testWindow", "width=400,height=400"); -w.document.body.appendChild(v); -testWindows.push(w); + // the video's finished loading (in the other document). if (gRegisteredElements.length > 0) { SimpleTest.waitForExplicitFinish(); diff --git a/content/svg/content/src/nsSVGFilters.cpp b/content/svg/content/src/nsSVGFilters.cpp index cf702025cbcb..dcd770dd861c 100644 --- a/content/svg/content/src/nsSVGFilters.cpp +++ b/content/svg/content/src/nsSVGFilters.cpp @@ -287,6 +287,20 @@ NS_IMETHODIMP nsSVGFE::GetResult(nsIDOMSVGAnimatedString * *aResult) return GetResultImageName().ToDOMAnimatedString(aResult, this); } +//---------------------------------------------------------------------- +// nsIContent methods + +NS_IMETHODIMP_(PRBool) +nsSVGFE::IsAttributeMapped(const nsIAtom* name) const +{ + static const MappedAttributeEntry* const map[] = { + sFiltersMap + }; + + return FindAttributeDependence(name, map, NS_ARRAY_LENGTH(map)) || + nsSVGFEBase::IsAttributeMapped(name); +} + //---------------------------------------------------------------------- // nsSVGElement methods @@ -2751,8 +2765,7 @@ NS_IMETHODIMP_(PRBool) nsSVGFEFloodElement::IsAttributeMapped(const nsIAtom* name) const { static const MappedAttributeEntry* const map[] = { - sFEFloodMap, - sFiltersMap + sFEFloodMap }; return FindAttributeDependence(name, map, NS_ARRAY_LENGTH(map)) || diff --git a/content/svg/content/src/nsSVGFilters.h b/content/svg/content/src/nsSVGFilters.h index 68b65c90f862..e7c448f2649d 100644 --- a/content/svg/content/src/nsSVGFilters.h +++ b/content/svg/content/src/nsSVGFilters.h @@ -147,6 +147,9 @@ public: NS_DECL_ISUPPORTS_INHERITED NS_DECL_NSIDOMSVGFILTERPRIMITIVESTANDARDATTRIBUTES + // nsIContent interface + NS_IMETHOD_(PRBool) IsAttributeMapped(const nsIAtom* aAttribute) const; + virtual nsSVGString& GetResultImageName() = 0; // Return a list of all image names used as sources. Default is to // return no sources. diff --git a/content/xul/content/public/nsIXULContextMenuBuilder.idl b/content/xul/content/public/nsIXULContextMenuBuilder.idl index b14ba38fabb4..86386c3a75b3 100644 --- a/content/xul/content/public/nsIXULContextMenuBuilder.idl +++ b/content/xul/content/public/nsIXULContextMenuBuilder.idl @@ -43,7 +43,7 @@ interface nsIDOMDocumentFragment; * and for triggering of menuitem actions with assigned identifiers. */ -[scriptable, uuid(f0c35053-14cc-4e23-a9db-f9a68fae8375)] +[scriptable, uuid(eb6b42c0-2f1c-4760-b5ca-bdc9b3ec77d4)] interface nsIXULContextMenuBuilder : nsISupports { @@ -53,21 +53,17 @@ interface nsIXULContextMenuBuilder : nsISupports * @param aDocumentFragment the fragment that will be used to append top * level elements * - * @param aGeneratedAttrName the name of the attribute that will be used - * to mark elements as generated. - * - * @param aIdentAttrName the name of the attribute that will be used for - * menuitem identification. + * @param aGeneratedItemIdAttrName the name of the attribute that will be + * used to mark elements as generated and for menuitem identification */ void init(in nsIDOMDocumentFragment aDocumentFragment, - in AString aGeneratedAttrName, - in AString aIdentAttrName); + in AString aGeneratedItemIdAttrName); /** - * Invoke the action of the menuitem with assigned identifier aIdent. + * Invoke the action of the menuitem with assigned id aGeneratedItemId. * - * @param aIdent the menuitem identifier + * @param aGeneratedItemId the menuitem id */ - void click(in DOMString aIdent); + void click(in DOMString aGeneratedItemId); }; diff --git a/content/xul/content/src/nsXULContextMenuBuilder.cpp b/content/xul/content/src/nsXULContextMenuBuilder.cpp index 3c660ad355ce..fb28d8d3e462 100644 --- a/content/xul/content/src/nsXULContextMenuBuilder.cpp +++ b/content/xul/content/src/nsXULContextMenuBuilder.cpp @@ -41,7 +41,7 @@ nsXULContextMenuBuilder::nsXULContextMenuBuilder() - : mCurrentIdent(0) + : mCurrentGeneratedItemId(0) { } @@ -85,13 +85,14 @@ nsXULContextMenuBuilder::OpenContainer(const nsAString& aLabel) mCurrentNode = mFragment; } else { nsCOMPtr menu; - nsresult rv = CreateElement(nsGkAtoms::menu, getter_AddRefs(menu)); + nsresult rv = CreateElement(nsGkAtoms::menu, nsnull, getter_AddRefs(menu)); NS_ENSURE_SUCCESS(rv, rv); menu->SetAttr(kNameSpaceID_None, nsGkAtoms::label, aLabel, PR_FALSE); nsCOMPtr menuPopup; - rv = CreateElement(nsGkAtoms::menupopup, getter_AddRefs(menuPopup)); + rv = CreateElement(nsGkAtoms::menupopup, nsnull, + getter_AddRefs(menuPopup)); NS_ENSURE_SUCCESS(rv, rv); rv = menu->AppendChildTo(menuPopup, PR_FALSE); @@ -115,7 +116,8 @@ nsXULContextMenuBuilder::AddItemFor(nsIDOMHTMLMenuItemElement* aElement, } nsCOMPtr menuitem; - nsresult rv = CreateElement(nsGkAtoms::menuitem, getter_AddRefs(menuitem)); + nsresult rv = CreateElement(nsGkAtoms::menuitem, aElement, + getter_AddRefs(menuitem)); NS_ENSURE_SUCCESS(rv, rv); nsAutoString type; @@ -154,17 +156,7 @@ nsXULContextMenuBuilder::AddItemFor(nsIDOMHTMLMenuItemElement* aElement, NS_LITERAL_STRING("true"), PR_FALSE); } - nsAutoString ident; - ident.AppendInt(mCurrentIdent++); - - menuitem->SetAttr(kNameSpaceID_None, mIdentAttr, ident, PR_FALSE); - - rv = mCurrentNode->AppendChildTo(menuitem, PR_FALSE); - NS_ENSURE_SUCCESS(rv, rv); - - mElements.AppendObject(aElement); - - return NS_OK; + return mCurrentNode->AppendChildTo(menuitem, PR_FALSE); } NS_IMETHODIMP @@ -175,7 +167,7 @@ nsXULContextMenuBuilder::AddSeparator() } nsCOMPtr menuseparator; - nsresult rv = CreateElement(nsGkAtoms::menuseparator, + nsresult rv = CreateElement(nsGkAtoms::menuseparator, nsnull, getter_AddRefs(menuseparator)); NS_ENSURE_SUCCESS(rv, rv); @@ -218,24 +210,22 @@ nsXULContextMenuBuilder::CloseContainer() NS_IMETHODIMP nsXULContextMenuBuilder::Init(nsIDOMDocumentFragment* aDocumentFragment, - const nsAString& aGeneratedAttrName, - const nsAString& aIdentAttrName) + const nsAString& aGeneratedItemIdAttrName) { NS_ENSURE_ARG_POINTER(aDocumentFragment); mFragment = do_QueryInterface(aDocumentFragment); mDocument = mFragment->GetOwnerDocument(); - mGeneratedAttr = do_GetAtom(aGeneratedAttrName); - mIdentAttr = do_GetAtom(aIdentAttrName); + mGeneratedItemIdAttr = do_GetAtom(aGeneratedItemIdAttrName); return NS_OK; } NS_IMETHODIMP -nsXULContextMenuBuilder::Click(const nsAString& aIdent) +nsXULContextMenuBuilder::Click(const nsAString& aGeneratedItemId) { PRInt32 rv; - PRInt32 idx = nsString(aIdent).ToInteger(&rv); + PRInt32 idx = nsString(aGeneratedItemId).ToInteger(&rv); if (NS_SUCCEEDED(rv)) { nsCOMPtr element = mElements.SafeObjectAt(idx); if (element) { @@ -247,7 +237,9 @@ nsXULContextMenuBuilder::Click(const nsAString& aIdent) } nsresult -nsXULContextMenuBuilder::CreateElement(nsIAtom* aTag, nsIContent** aResult) +nsXULContextMenuBuilder::CreateElement(nsIAtom* aTag, + nsIDOMHTMLElement* aHTMLElement, + nsIContent** aResult) { *aResult = nsnull; @@ -261,7 +253,14 @@ nsXULContextMenuBuilder::CreateElement(nsIAtom* aTag, nsIContent** aResult) return rv; } - (*aResult)->SetAttr(kNameSpaceID_None, mGeneratedAttr, EmptyString(), + nsAutoString generateditemid; + + if (aHTMLElement) { + mElements.AppendObject(aHTMLElement); + generateditemid.AppendInt(mCurrentGeneratedItemId++); + } + + (*aResult)->SetAttr(kNameSpaceID_None, mGeneratedItemIdAttr, generateditemid, PR_FALSE); return NS_OK; diff --git a/content/xul/content/src/nsXULContextMenuBuilder.h b/content/xul/content/src/nsXULContextMenuBuilder.h index 2b8c2bdc9224..112ec5b8226e 100644 --- a/content/xul/content/src/nsXULContextMenuBuilder.h +++ b/content/xul/content/src/nsXULContextMenuBuilder.h @@ -57,15 +57,16 @@ public: NS_DECL_NSIXULCONTEXTMENUBUILDER protected: - nsresult CreateElement(nsIAtom* aTag, nsIContent** aResult); + nsresult CreateElement(nsIAtom* aTag, + nsIDOMHTMLElement* aHTMLElement, + nsIContent** aResult); nsCOMPtr mFragment; nsCOMPtr mDocument; - nsCOMPtr mGeneratedAttr; - nsCOMPtr mIdentAttr; + nsCOMPtr mGeneratedItemIdAttr; nsCOMPtr mCurrentNode; - PRInt32 mCurrentIdent; + PRInt32 mCurrentGeneratedItemId; nsCOMArray mElements; }; diff --git a/db/Makefile.in b/db/Makefile.in deleted file mode 100644 index ee87e474d6c2..000000000000 --- a/db/Makefile.in +++ /dev/null @@ -1,45 +0,0 @@ -# -# ***** BEGIN LICENSE BLOCK ***** -# Version: MPL 1.1/GPL 2.0/LGPL 2.1 -# -# The contents of this file are subject to the Mozilla Public License Version -# 1.1 (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# http://www.mozilla.org/MPL/ -# -# Software distributed under the License is distributed on an "AS IS" basis, -# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License -# for the specific language governing rights and limitations under the -# License. -# -# The Original Code is mozilla.org code. -# -# The Initial Developer of the Original Code is -# Netscape Communications Corporation. -# Portions created by the Initial Developer are Copyright (C) 1998 -# the Initial Developer. All Rights Reserved. -# -# Contributor(s): -# -# Alternatively, the contents of this file may be used under the terms of -# either of the GNU General Public License Version 2 or later (the "GPL"), -# or the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), -# in which case the provisions of the GPL or the LGPL are applicable instead -# of those above. If you wish to allow use of your version of this file only -# under the terms of either the GPL or the LGPL, and not to allow others to -# use your version of this file under the terms of the MPL, indicate your -# decision by deleting the provisions above and replace them with the notice -# and other provisions required by the GPL or the LGPL. If you do not delete -# the provisions above, a recipient may use your version of this file under -# the terms of any one of the MPL, the GPL or the LGPL. -# -# ***** END LICENSE BLOCK ***** - -DEPTH = .. -topsrcdir = @top_srcdir@ -srcdir = @srcdir@ -VPATH = @srcdir@ - -include $(DEPTH)/config/autoconf.mk - -include $(topsrcdir)/config/rules.mk diff --git a/docshell/base/Makefile.in b/docshell/base/Makefile.in index 7d3e14277d6f..22d69ab8b26d 100644 --- a/docshell/base/Makefile.in +++ b/docshell/base/Makefile.in @@ -66,7 +66,6 @@ XPIDLSRCS = \ nsIDocShellTreeOwner.idl \ nsIDocShellHistory.idl \ nsIGlobalHistory2.idl \ - nsIGlobalHistory3.idl \ nsIMarkupDocumentViewer.idl \ nsIScrollable.idl \ nsITextScroll.idl \ diff --git a/docshell/base/nsDocShell.cpp b/docshell/base/nsDocShell.cpp index f7e75ae87145..6b7aeea814f9 100644 --- a/docshell/base/nsDocShell.cpp +++ b/docshell/base/nsDocShell.cpp @@ -197,7 +197,6 @@ #include "nsISelectionDisplay.h" #include "nsIGlobalHistory2.h" -#include "nsIGlobalHistory3.h" #ifdef DEBUG_DOCSHELL_FOCUS #include "nsEventStateManager.h" diff --git a/docshell/base/nsIGlobalHistory3.idl b/docshell/base/nsIGlobalHistory3.idl deleted file mode 100644 index d54ee56cd82e..000000000000 --- a/docshell/base/nsIGlobalHistory3.idl +++ /dev/null @@ -1,103 +0,0 @@ -/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ -/* ***** BEGIN LICENSE BLOCK ***** - * Version: MPL 1.1/GPL 2.0/LGPL 2.1 - * - * The contents of this file are subject to the Mozilla Public License Version - * 1.1 (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * http://www.mozilla.org/MPL/ - * - * Software distributed under the License is distributed on an "AS IS" basis, - * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License - * for the specific language governing rights and limitations under the - * License. - * - * The Original Code is the Mozilla gecko engine. - * - * The Initial Developer of the Original Code is - * Google Inc. - * Portions created by the Initial Developer are Copyright (C) 2006 - * the Initial Developer. All Rights Reserved. - * - * Contributor(s): - * Brett Wilson - * - * Alternatively, the contents of this file may be used under the terms of - * either the GNU General Public License Version 2 or later (the "GPL"), or - * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), - * in which case the provisions of the GPL or the LGPL are applicable instead - * of those above. If you wish to allow use of your version of this file only - * under the terms of either the GPL or the LGPL, and not to allow others to - * use your version of this file under the terms of the MPL, indicate your - * decision by deleting the provisions above and replace them with the notice - * and other provisions required by the GPL or the LGPL. If you do not delete - * the provisions above, a recipient may use your version of this file under - * the terms of any one of the MPL, the GPL or the LGPL. - * - * ***** END LICENSE BLOCK ***** */ - -#include "nsISupports.idl" -#include "nsIGlobalHistory2.idl" -interface nsIChannel; - -%{C++ - -// This is NOT part of the interface! It could change. -#define NS_GECKO_FLAG_NEEDS_VERTICAL_SCROLLBAR (1 << 0) - -%} - -/** - * Provides information about global history to gecko, extending GlobalHistory2 - */ -[scriptable, uuid(24306852-c60e-49c3-a455-90f6747118ba)] -interface nsIGlobalHistory3 : nsIGlobalHistory2 -{ - /** - * Notifies the history system that the page loading via aOldChannel - * redirected to aNewChannel. Implementations should generally add the URI for - * aOldChannel to history for link coloring, but are advised not to expose it - * in the history user interface. This function is preferred if - * nsIGlobalHistory3 is available. Otherwise, nsIGlobalHistory2.addURI should - * be called with redirect=true. - * - * This function is preferred to nsIGlobalHistory2.addURI because it provides - * more information (including the redirect destination, channels involved, - * and redirect flags) to the history implementation. - * - * For implementors of nsIGlobalHistory3: The history implementation is - * responsible for sending NS_LINK_VISITED_EVENT_TOPIC to observers for - * redirect pages. This notification must be sent for history consumers for - * all non-redirect pages. - * - * @param aToplevel whether the URI is loaded in a top-level window. If - * false, the load is in a subframe. - * - * The other params to this function are the same as those for - * nsIChannelEventSink::OnChannelRedirect. - * - * Note: Implementors who wish to implement this interface but rely on - * nsIGlobalHistory2.addURI for redirect processing may throw - * NS_ERROR_NOT_IMPLEMENTED from this method. If they do so, then callers - * must call nsIGlobalHistory2.addURI upon getting the - * NS_ERROR_NOT_IMPLEMENTED result. - */ - void addDocumentRedirect(in nsIChannel aOldChannel, - in nsIChannel aNewChannel, - in PRInt32 aFlags, - in boolean aTopLevel); - - /** - * Get the Gecko flags for this URI. These flags are used by Gecko as hints - * to optimize page loading. Not all histories have them; this need not be - * supported (just return NS_ERROR_NOT_IMPLEMENTED. These flags are opaque - * and should not be interpreted by the history engine. - */ - unsigned long getURIGeckoFlags(in nsIURI aURI); - - /** - * Set the Gecko flags for this URI. May fail if the history entry - * doesn't have any flags or if there is no entry for the URI. - */ - void setURIGeckoFlags(in nsIURI aURI, in unsigned long aFlags); -}; diff --git a/docshell/test/chrome/docshell_helpers.js b/docshell/test/chrome/docshell_helpers.js index 249a4a8fc188..7deaf8584f63 100755 --- a/docshell/test/chrome/docshell_helpers.js +++ b/docshell/test/chrome/docshell_helpers.js @@ -323,8 +323,20 @@ function finish() { // Close the test window and signal the framework that the test is done. let opener = window.opener; + let SimpleTest = opener.wrappedJSObject.SimpleTest; + + // Wait for the window to be closed before finishing the test + let ww = Cc["@mozilla.org/embedcomp/window-watcher;1"].getService(Ci.nsIWindowWatcher); + ww.registerNotification(function(subject, topic, data) { + if (topic == "domwindowclosed") { + ww.unregisterNotification(arguments.callee); + SimpleTest.waitForFocus(function() { + SimpleTest.finish(); + }, opener); + } + }); + window.close(); - opener.wrappedJSObject.SimpleTest.finish(); } /** diff --git a/dom/base/nsDOMClassInfo.cpp b/dom/base/nsDOMClassInfo.cpp index 04277248c163..1c79a8d85ac7 100644 --- a/dom/base/nsDOMClassInfo.cpp +++ b/dom/base/nsDOMClassInfo.cpp @@ -95,6 +95,7 @@ #include "nsIDOMGlobalPropertyInitializer.h" #include "mozilla/Preferences.h" #include "nsLocation.h" +#include "nsIDOMCaretPosition.h" // Window scriptable helper includes #include "nsIDocShell.h" @@ -665,6 +666,9 @@ static nsDOMClassInfoData sClassInfoData[] = { (DOM_DEFAULT_SCRIPTABLE_FLAGS & ~nsIXPCScriptable::ALLOW_PROP_MODS_TO_PROTOTYPE)) + NS_DEFINE_CLASSINFO_DATA(CaretPosition, nsDOMGenericSH, + DOM_DEFAULT_SCRIPTABLE_FLAGS) + NS_DEFINE_CLASSINFO_DATA(Navigator, nsNavigatorSH, DOM_DEFAULT_SCRIPTABLE_FLAGS | nsIXPCScriptable::WANT_PRECREATE) @@ -2280,6 +2284,10 @@ nsDOMClassInfo::Init() DOM_CLASSINFO_MAP_ENTRY(nsIDOMLocation) DOM_CLASSINFO_MAP_END + DOM_CLASSINFO_MAP_BEGIN(CaretPosition, nsIDOMCaretPosition) + DOM_CLASSINFO_MAP_ENTRY(nsIDOMCaretPosition) + DOM_CLASSINFO_MAP_END + if (nsNavigator::HasDesktopNotificationSupport()) { DOM_CLASSINFO_MAP_BEGIN(Navigator, nsIDOMNavigator) DOM_CLASSINFO_MAP_ENTRY(nsIDOMNavigator) diff --git a/dom/base/nsDOMClassInfoClasses.h b/dom/base/nsDOMClassInfoClasses.h index b6517a1e9539..ef84a51dcda7 100644 --- a/dom/base/nsDOMClassInfoClasses.h +++ b/dom/base/nsDOMClassInfoClasses.h @@ -38,6 +38,7 @@ DOMCI_CLASS(Window) DOMCI_CLASS(Location) +DOMCI_CLASS(CaretPosition) DOMCI_CLASS(Navigator) DOMCI_CLASS(Plugin) DOMCI_CLASS(PluginArray) diff --git a/dom/base/nsGlobalWindow.cpp b/dom/base/nsGlobalWindow.cpp index c0e95a79d6a1..822eba5e8f15 100644 --- a/dom/base/nsGlobalWindow.cpp +++ b/dom/base/nsGlobalWindow.cpp @@ -1037,8 +1037,6 @@ nsGlobalWindow::~nsGlobalWindow() CleanUp(PR_TRUE); - NS_ASSERTION(!mHasDeviceMotion, "Window still registered with device motion."); - #ifdef DEBUG nsCycleCollector_DEBUG_wasFreed(static_cast(this)); #endif @@ -1047,6 +1045,9 @@ nsGlobalWindow::~nsGlobalWindow() mURLProperty->ClearWindowReference(); } + DisableDeviceMotionUpdates(); + mHasDeviceMotion = PR_FALSE; + nsLayoutStatics::Release(); } @@ -1165,9 +1166,6 @@ nsGlobalWindow::CleanUp(PRBool aIgnoreModalDialog) inner->CleanUp(aIgnoreModalDialog); } - DisableDeviceMotionUpdates(); - mHasDeviceMotion = PR_FALSE; - if (mCleanMessageManager) { NS_ABORT_IF_FALSE(mIsChrome, "only chrome should have msg manager cleaned"); nsGlobalChromeWindow *asChrome = static_cast(this); @@ -7376,8 +7374,8 @@ nsGlobalWindow::AddEventListener(const nsAString& aType, nsEventListenerManager* manager = GetListenerManager(PR_TRUE); NS_ENSURE_STATE(manager); - return manager->AddEventListener(aType, aListener, aUseCapture, - aWantsUntrusted); + manager->AddEventListener(aType, aListener, aUseCapture, aWantsUntrusted); + return NS_OK; } nsEventListenerManager* @@ -11129,13 +11127,6 @@ nsNavigator::JavaEnabled(PRBool *aReturn) return NS_OK; } -NS_IMETHODIMP -nsNavigator::TaintEnabled(PRBool *aReturn) -{ - *aReturn = PR_FALSE; - return NS_OK; -} - void nsNavigator::LoadingNewDocument() { diff --git a/dom/base/nsWindowRoot.cpp b/dom/base/nsWindowRoot.cpp index 9dfb91a72b0b..4f5b42a36a12 100644 --- a/dom/base/nsWindowRoot.cpp +++ b/dom/base/nsWindowRoot.cpp @@ -146,7 +146,8 @@ nsWindowRoot::AddEventListener(const nsAString& aType, nsEventListenerManager* elm = GetListenerManager(PR_TRUE); NS_ENSURE_STATE(elm); - return elm->AddEventListener(aType, aListener, aUseCapture, aWantsUntrusted); + elm->AddEventListener(aType, aListener, aUseCapture, aWantsUntrusted); + return NS_OK; } nsEventListenerManager* diff --git a/dom/interfaces/base/nsIDOMNavigator.idl b/dom/interfaces/base/nsIDOMNavigator.idl index 287169146965..5ce84e870335 100644 --- a/dom/interfaces/base/nsIDOMNavigator.idl +++ b/dom/interfaces/base/nsIDOMNavigator.idl @@ -39,7 +39,7 @@ #include "domstubs.idl" -[scriptable, uuid(d7758ece-f088-4701-9ae4-1450192dca38)] +[scriptable, uuid(5dd9f1f5-3347-4945-a350-4eedeb97d24c)] interface nsIDOMNavigator : nsISupports { readonly attribute DOMString appCodeName; @@ -60,6 +60,5 @@ interface nsIDOMNavigator : nsISupports readonly attribute DOMString buildID; boolean javaEnabled(); - boolean taintEnabled(); }; diff --git a/dom/interfaces/core/Makefile.in b/dom/interfaces/core/Makefile.in index a1330a1c28e1..6b8e22de31bd 100644 --- a/dom/interfaces/core/Makefile.in +++ b/dom/interfaces/core/Makefile.in @@ -48,6 +48,7 @@ GRE_MODULE = 1 SDK_XPIDLSRCS = \ nsIDOMAttr.idl \ + nsIDOMCaretPosition.idl \ nsIDOMCDATASection.idl \ nsIDOMCharacterData.idl \ nsIDOMComment.idl \ diff --git a/dom/interfaces/css/nsIDOMDocumentCSS.idl b/dom/interfaces/core/nsIDOMCaretPosition.idl similarity index 69% rename from dom/interfaces/css/nsIDOMDocumentCSS.idl rename to dom/interfaces/core/nsIDOMCaretPosition.idl index bec6887edab2..548ce60acc4f 100644 --- a/dom/interfaces/css/nsIDOMDocumentCSS.idl +++ b/dom/interfaces/core/nsIDOMCaretPosition.idl @@ -1,4 +1,3 @@ -/* -*- Mode: IDL; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ /* ***** BEGIN LICENSE BLOCK ***** * Version: MPL 1.1/GPL 2.0/LGPL 2.1 * @@ -12,19 +11,19 @@ * for the specific language governing rights and limitations under the * License. * - * The Original Code is mozilla.org code. + * The Original Code is mozilla.org. * * The Initial Developer of the Original Code is - * Netscape Communications Corporation. - * Portions created by the Initial Developer are Copyright (C) 2000 + * the Mozilla Foundation. + * Portions created by the Initial Developer are Copyright (C) 2011 * the Initial Developer. All Rights Reserved. * * Contributor(s): - * Johnny Stenback (original author) + * Brad Lassey * * Alternatively, the contents of this file may be used under the terms of - * either of the GNU General Public License Version 2 or later (the "GPL"), - * or the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), * in which case the provisions of the GPL or the LGPL are applicable instead * of those above. If you wish to allow use of your version of this file only * under the terms of either the GPL or the LGPL, and not to allow others to @@ -36,11 +35,10 @@ * * ***** END LICENSE BLOCK ***** */ -#include "nsIDOMDocumentStyle.idl" +#include "nsIDOMNode.idl" -[scriptable, uuid(39f76c23-45b2-428a-9240-a981e5abf148)] -interface nsIDOMDocumentCSS : nsIDOMDocumentStyle -{ - nsIDOMCSSStyleDeclaration getOverrideStyle(in nsIDOMElement elt, - in DOMString pseudoElt); +[scriptable, uuid(cf5ad6cf-6f49-4ca7-9b50-590d7bb27a13)] +interface nsIDOMCaretPosition : nsISupports { + readonly attribute nsIDOMNode offsetNode; + readonly attribute unsigned long offset; }; diff --git a/dom/interfaces/core/nsIDOMDocument.idl b/dom/interfaces/core/nsIDOMDocument.idl index a4393021968e..1b3de226e967 100644 --- a/dom/interfaces/core/nsIDOMDocument.idl +++ b/dom/interfaces/core/nsIDOMDocument.idl @@ -48,6 +48,7 @@ interface nsIDOMNodeIterator; interface nsIDOMNodeFilter; interface nsIDOMTreeWalker; interface nsIDOMLocation; +interface nsIDOMCaretPosition; /** * The nsIDOMDocument interface represents the entire HTML or XML document. @@ -62,7 +63,7 @@ interface nsIDOMLocation; * http://dvcs.w3.org/hg/domcore/raw-file/tip/Overview.html */ -[scriptable, uuid(10034b87-384e-4e19-902c-c4edafb899be)] +[scriptable, uuid(d19897dc-948a-42e7-8ac6-d8a0bd141b85)] interface nsIDOMDocument : nsIDOMNode { readonly attribute nsIDOMDocumentType doctype; @@ -368,4 +369,6 @@ interface nsIDOMDocument : nsIDOMNode */ void mozSetImageElement(in DOMString aImageElementId, in nsIDOMElement aImageElement); + + nsIDOMCaretPosition caretPositionFromPoint(in float x, in float y); }; diff --git a/dom/interfaces/events/nsIDOMMessageEvent.idl b/dom/interfaces/events/nsIDOMMessageEvent.idl index 284ad888b687..8bae70876d22 100644 --- a/dom/interfaces/events/nsIDOMMessageEvent.idl +++ b/dom/interfaces/events/nsIDOMMessageEvent.idl @@ -51,6 +51,7 @@ interface nsIDOMMessageEvent : nsIDOMEvent /** * Custom string data associated with this event. */ + [implicit_jscontext] readonly attribute jsval data; /** diff --git a/dom/interfaces/svg/nsIDOMSVGSVGElement.idl b/dom/interfaces/svg/nsIDOMSVGSVGElement.idl index de067ec4fa42..4ec15f9b1511 100644 --- a/dom/interfaces/svg/nsIDOMSVGSVGElement.idl +++ b/dom/interfaces/svg/nsIDOMSVGSVGElement.idl @@ -74,7 +74,6 @@ interface nsIDOMSVGSVGElement nsIDOMSVGFitToViewBox, nsIDOMSVGZoomAndPan, events::nsIDOMEventTarget, - css::nsIDOMDocumentCSS */ { readonly attribute nsIDOMSVGAnimatedLength x; diff --git a/dom/ipc/ContentParent.cpp b/dom/ipc/ContentParent.cpp index 5173be7a7c34..6eb464243f6f 100644 --- a/dom/ipc/ContentParent.cpp +++ b/dom/ipc/ContentParent.cpp @@ -44,6 +44,7 @@ #include "History.h" #include "mozilla/ipc/TestShellParent.h" #include "mozilla/net/NeckoParent.h" +#include "mozilla/Preferences.h" #include "nsHashPropertyBag.h" #include "nsIFilePicker.h" #include "nsIWindowWatcher.h" @@ -111,6 +112,7 @@ static NS_DEFINE_CID(kCClipboardCID, NS_CLIPBOARD_CID); static const char* sClipboardTextFlavors[] = { kUnicodeMime }; +using mozilla::Preferences; using namespace mozilla::ipc; using namespace mozilla::net; using namespace mozilla::places; @@ -154,21 +156,39 @@ MemoryReportRequestParent::~MemoryReportRequestParent() MOZ_COUNT_DTOR(MemoryReportRequestParent); } -ContentParent* ContentParent::gSingleton; +nsTArray* ContentParent::gContentParents; ContentParent* -ContentParent::GetSingleton(PRBool aForceNew) +ContentParent::GetNewOrUsed() { - if (gSingleton && !gSingleton->IsAlive()) - gSingleton = nsnull; - - if (!gSingleton && aForceNew) { - nsRefPtr parent = new ContentParent(); - gSingleton = parent; - parent->Init(); + if (!gContentParents) + gContentParents = new nsTArray(); + + PRInt32 maxContentProcesses = Preferences::GetInt("dom.ipc.processCount", 1); + if (maxContentProcesses < 1) + maxContentProcesses = 1; + + if (gContentParents->Length() >= PRUint32(maxContentProcesses)) { + ContentParent* p = (*gContentParents)[rand() % gContentParents->Length()]; + NS_ASSERTION(p->IsAlive(), "Non-alive contentparent in gContentParents?"); + return p; + } + + nsRefPtr p = new ContentParent(); + p->Init(); + gContentParents->AppendElement(p); + return p; +} + +void +ContentParent::GetAll(nsTArray& aArray) +{ + if (!gContentParents) { + aArray.Clear(); + return; } - return gSingleton; + aArray = *gContentParents; } void @@ -195,7 +215,7 @@ ContentParent::Init() threadInt->SetObserver(this); } if (obs) { - obs->NotifyObservers(nsnull, "ipc:content-created", nsnull); + obs->NotifyObservers(static_cast(this), "ipc:content-created", nsnull); } #ifdef ACCESSIBILITY @@ -274,6 +294,8 @@ ContentParent::ActorDestroy(ActorDestroyReason why) #endif } + mMessageManager->Disconnect(); + // clear the child memory reporters InfallibleTArray empty; SetChildMemoryReporters(empty); @@ -295,6 +317,14 @@ ContentParent::ActorDestroy(ActorDestroyReason why) if (mRunToCompletionDepth) mRunToCompletionDepth = 0; + if (gContentParents) { + gContentParents->RemoveElement(this); + if (!gContentParents->Length()) { + delete gContentParents; + gContentParents = NULL; + } + } + mIsAlive = false; if (obs) { @@ -362,6 +392,7 @@ ContentParent::ContentParent() , mShouldCallUnblockChild(false) , mIsAlive(true) , mProcessStartTime(time(NULL)) + , mSendPermissionUpdates(false) { NS_ASSERTION(NS_IsMainThread(), "Wrong thread!"); mSubprocess = new GeckoChildProcessHost(GeckoProcessType_Content); @@ -372,6 +403,7 @@ ContentParent::ContentParent() nsChromeRegistryChrome* chromeRegistry = static_cast(registrySvc.get()); chromeRegistry->SendRegisteredChrome(this); + mMessageManager = nsFrameMessageManager::NewProcessMessageManager(this); } ContentParent::~ContentParent() @@ -380,10 +412,8 @@ ContentParent::~ContentParent() base::CloseProcessHandle(OtherProcess()); NS_ASSERTION(NS_IsMainThread(), "Wrong thread!"); - //If the previous content process has died, a new one could have - //been started since. - if (gSingleton == this) - gSingleton = nsnull; + NS_ASSERTION(!gContentParents || !gContentParents->Contains(this), + "Should have been removed in ActorDestroy"); } bool @@ -459,7 +489,7 @@ ContentParent::RecvReadPermissions(InfallibleTArray* aPermissio } // Ask for future changes - permissionManager->ChildRequestPermissions(); + mSendPermissionUpdates = true; #endif return true; @@ -1083,7 +1113,7 @@ bool ContentParent::RecvSyncMessage(const nsString& aMsg, const nsString& aJSON, InfallibleTArray* aRetvals) { - nsRefPtr ppm = nsFrameMessageManager::sParentProcessManager; + nsRefPtr ppm = mMessageManager; if (ppm) { ppm->ReceiveMessage(static_cast(ppm.get()), aMsg,PR_TRUE, aJSON, nsnull, aRetvals); @@ -1094,7 +1124,7 @@ ContentParent::RecvSyncMessage(const nsString& aMsg, const nsString& aJSON, bool ContentParent::RecvAsyncMessage(const nsString& aMsg, const nsString& aJSON) { - nsRefPtr ppm = nsFrameMessageManager::sParentProcessManager; + nsRefPtr ppm = mMessageManager; if (ppm) { ppm->ReceiveMessage(static_cast(ppm.get()), aMsg, PR_FALSE, aJSON, nsnull, nsnull); diff --git a/dom/ipc/ContentParent.h b/dom/ipc/ContentParent.h index 9498fa815611..2ae3c7b15ffc 100644 --- a/dom/ipc/ContentParent.h +++ b/dom/ipc/ContentParent.h @@ -55,6 +55,7 @@ #include "nsIMemoryReporter.h" #include "nsCOMArray.h" +class nsFrameMessageManager; namespace mozilla { namespace ipc { @@ -77,12 +78,8 @@ private: typedef mozilla::ipc::TestShellParent TestShellParent; public: - static ContentParent* GetSingleton(PRBool aForceNew = PR_TRUE); - -#if 0 - // TODO: implement this somewhere! - static ContentParent* FreeSingleton(); -#endif + static ContentParent* GetNewOrUsed(); + static void GetAll(nsTArray& aArray); NS_DECL_ISUPPORTS NS_DECL_NSIOBSERVER @@ -102,12 +99,16 @@ public: void SetChildMemoryReporters(const InfallibleTArray& report); + bool NeedsPermissionsUpdate() { + return mSendPermissionUpdates; + } + protected: void OnChannelConnected(int32 pid); virtual void ActorDestroy(ActorDestroyReason why); private: - static ContentParent* gSingleton; + static nsTArray* gContentParents; // Hide the raw constructor methods since we don't want client code // using them. @@ -230,6 +231,10 @@ private: bool mIsAlive; nsCOMPtr mPrefService; time_t mProcessStartTime; + + bool mSendPermissionUpdates; + + nsRefPtr mMessageManager; }; } // namespace dom diff --git a/dom/ipc/test.xul b/dom/ipc/test.xul index d1cc5adfbc24..1e276637c3d5 100644 --- a/dom/ipc/test.xul +++ b/dom/ipc/test.xul @@ -106,14 +106,37 @@ if (!didThrow) { alert("One shouldn't be able to create content process message manager in chrome process!"); } + var tppm = ppm.QueryInterface(Components.interfaces.nsITreeItemFrameMessageManager); + if (tppm.childCount != 1) { + alert("Should have one child process!"); + } + var childprocessmm = tppm.getChildAt(0); + + childprocessmm.addMessageListener("ppm-sync", + function(m) { + if (m.target != childprocessmm) alert("Wrong target!"); + document.getElementById("messageLog").value += "[SYNC1 PPM]"; + } + ); + ppm.addMessageListener("ppm-sync", function(m) { - document.getElementById("messageLog").value += "[SYNC PPM]"; + // Check that global process message manager gets the per-process mm as target. + if (m.target != childprocessmm) alert("Wrong target!"); + document.getElementById("messageLog").value += "[SYNC2 PPM]"; + } + ); + childprocessmm.addMessageListener("ppm-async", + function(m) { + if (m.target != childprocessmm) alert("Wrong target!"); + document.getElementById("messageLog").value += "[ASYNC1 PPM]"; } ); ppm.addMessageListener("ppm-async", function(m) { - document.getElementById("messageLog").value += "[ASYNC PPM]"; + // Check that global process message manager gets the per-process mm as target. + if (m.target != childprocessmm) alert("Wrong target!"); + document.getElementById("messageLog").value += "[ASYNC2 PPM]"; } ); messageManager.loadFrameScript("chrome://global/content/remote-test-ipc.js", true); diff --git a/dom/plugins/base/nsPluginInstanceOwner.cpp b/dom/plugins/base/nsPluginInstanceOwner.cpp index ec0a4a10b55c..f09136328d3a 100644 --- a/dom/plugins/base/nsPluginInstanceOwner.cpp +++ b/dom/plugins/base/nsPluginInstanceOwner.cpp @@ -305,6 +305,7 @@ nsPluginInstanceOwner::nsPluginInstanceOwner() mContentFocused = PR_FALSE; mWidgetVisible = PR_TRUE; mPluginWindowVisible = PR_FALSE; + mPluginDocumentActiveState = PR_TRUE; mNumCachedAttrs = 0; mNumCachedParams = 0; mCachedAttrParamNames = nsnull; @@ -3241,7 +3242,7 @@ void nsPluginInstanceOwner::UpdateWindowPositionAndClipRect(PRBool aSetWindow) mPluginWindow->clipRect.left = 0; mPluginWindow->clipRect.top = 0; - if (mPluginWindowVisible) { + if (mPluginWindowVisible && mPluginDocumentActiveState) { mPluginWindow->clipRect.right = mPluginWindow->width; mPluginWindow->clipRect.bottom = mPluginWindow->height; } else { @@ -3269,6 +3270,12 @@ nsPluginInstanceOwner::UpdateWindowVisibility(PRBool aVisible) UpdateWindowPositionAndClipRect(PR_TRUE); } +void +nsPluginInstanceOwner::UpdateDocumentActiveState(PRBool aIsActive) +{ + mPluginDocumentActiveState = aIsActive; + UpdateWindowPositionAndClipRect(PR_TRUE); +} #endif // XP_MACOSX void diff --git a/dom/plugins/base/nsPluginInstanceOwner.h b/dom/plugins/base/nsPluginInstanceOwner.h index 21eeac2bfa7f..8305930bab12 100644 --- a/dom/plugins/base/nsPluginInstanceOwner.h +++ b/dom/plugins/base/nsPluginInstanceOwner.h @@ -202,6 +202,7 @@ public: #else // XP_MACOSX void UpdateWindowPositionAndClipRect(PRBool aSetWindow); void UpdateWindowVisibility(PRBool aVisible); + void UpdateDocumentActiveState(PRBool aIsActive); #endif // XP_MACOSX void CallSetWindow(); @@ -343,6 +344,7 @@ private: PRPackedBool mFlash10Quirks; #endif PRPackedBool mPluginWindowVisible; + PRPackedBool mPluginDocumentActiveState; // If true, destroy the widget on destruction. Used when plugin stop // is being delayed to a safer point in time. diff --git a/dom/plugins/ipc/PluginModuleChild.cpp b/dom/plugins/ipc/PluginModuleChild.cpp index 44090a901a30..7609cbf4a96c 100644 --- a/dom/plugins/ipc/PluginModuleChild.cpp +++ b/dom/plugins/ipc/PluginModuleChild.cpp @@ -129,6 +129,7 @@ PluginModuleChild::PluginModuleChild() memset(&mFunctions, 0, sizeof(mFunctions)); memset(&mSavedData, 0, sizeof(mSavedData)); gInstance = this; + mUserAgent.SetIsVoid(PR_TRUE); #ifdef XP_MACOSX mac_plugin_interposing::child::SetUpCocoaInterposing(); #endif @@ -729,7 +730,7 @@ PluginModuleChild::CleanUp() const char* PluginModuleChild::GetUserAgent() { - if (!CallNPN_UserAgent(&mUserAgent)) + if (mUserAgent.IsVoid() && !CallNPN_UserAgent(&mUserAgent)) return NULL; return NullableStringGet(mUserAgent); diff --git a/dom/plugins/test/unit/xpcshell.ini b/dom/plugins/test/unit/xpcshell.ini index 4a721a47f077..2043a0db3e18 100644 --- a/dom/plugins/test/unit/xpcshell.ini +++ b/dom/plugins/test/unit/xpcshell.ini @@ -3,4 +3,8 @@ head = head_plugins.js tail = [test_bug455213.js] +# Bug 676953: test fails consistently on Android +fail-if = os == "android" [test_bug471245.js] +# Bug 676953: test fails consistently on Android +fail-if = os == "android" diff --git a/dom/src/geolocation/Makefile.in b/dom/src/geolocation/Makefile.in index 82cef08fc159..384204910543 100644 --- a/dom/src/geolocation/Makefile.in +++ b/dom/src/geolocation/Makefile.in @@ -68,6 +68,11 @@ LOCAL_INCLUDES += $(MOZ_PLATFORM_MAEMO_CFLAGS) \ -I$(topsrcdir)/dom/system/unix \ $(NULL) endif +ifdef MOZ_ENABLE_QTMOBILITY +LOCAL_INCLUDES += $(MOZ_QT_CFLAGS) \ + -I$(topsrcdir)/dom/system/unix \ + $(NULL) +endif ifeq ($(MOZ_WIDGET_TOOLKIT),android) LOCAL_INCLUDES += -I$(topsrcdir)/dom/system/android \ diff --git a/dom/src/geolocation/nsGeolocation.cpp b/dom/src/geolocation/nsGeolocation.cpp index 3f42dab2f3f6..0d108131ea77 100644 --- a/dom/src/geolocation/nsGeolocation.cpp +++ b/dom/src/geolocation/nsGeolocation.cpp @@ -80,6 +80,10 @@ #include "MaemoLocationProvider.h" #endif +#ifdef MOZ_ENABLE_QTMOBILITY +#include "QTMLocationProvider.h" +#endif + #ifdef ANDROID #include "AndroidLocationProvider.h" #endif @@ -578,6 +582,12 @@ nsresult nsGeolocationService::Init() mProviders.AppendObject(provider); #endif +#ifdef MOZ_ENABLE_QTMOBILITY + provider = new QTMLocationProvider(); + if (provider) + mProviders.AppendObject(provider); +#endif + #ifdef ANDROID provider = new AndroidLocationProvider(); if (provider) diff --git a/dom/src/storage/nsDOMStorage.cpp b/dom/src/storage/nsDOMStorage.cpp index 3aaeefeb52d8..ac91693a6508 100644 --- a/dom/src/storage/nsDOMStorage.cpp +++ b/dom/src/storage/nsDOMStorage.cpp @@ -70,8 +70,8 @@ using mozilla::dom::StorageChild; #include "nsIPrivateBrowsingService.h" #include "nsDOMString.h" #include "nsNetCID.h" -#include "nsIProxyObjectManager.h" #include "mozilla/Preferences.h" +#include "nsThreadUtils.h" using namespace mozilla; @@ -1898,6 +1898,34 @@ nsDOMStorage2::StorageType() return nsPIDOMStorage::Unknown; } +namespace { + +class StorageNotifierRunnable : public nsRunnable +{ +public: + StorageNotifierRunnable(nsISupports* aSubject) + : mSubject(aSubject) + { } + + NS_DECL_NSIRUNNABLE + +private: + nsCOMPtr mSubject; +}; + +NS_IMETHODIMP +StorageNotifierRunnable::Run() +{ + nsCOMPtr observerService = + mozilla::services::GetObserverService(); + if (observerService) { + observerService->NotifyObservers(mSubject, "dom-storage2-changed", nsnull); + } + return NS_OK; +} + +} // anonymous namespace + void nsDOMStorage2::BroadcastChangeNotification(const nsSubstring &aKey, const nsSubstring &aOldValue, @@ -1917,26 +1945,8 @@ nsDOMStorage2::BroadcastChangeNotification(const nsSubstring &aKey, return; } - nsCOMPtr observerService = - mozilla::services::GetObserverService(); - if (!observerService) { - return; - } - - nsCOMPtr observerServiceProxy; - rv = NS_GetProxyForObject(NS_PROXY_TO_MAIN_THREAD, - NS_GET_IID(nsIObserverService), - observerService, - NS_PROXY_ASYNC | NS_PROXY_ALWAYS, - getter_AddRefs(observerServiceProxy)); - if (NS_FAILED(rv)) { - return; - } - - // Fire off a notification that a storage object changed. - observerServiceProxy->NotifyObservers(event, - "dom-storage2-changed", - nsnull); + nsRefPtr r = new StorageNotifierRunnable(event); + NS_DispatchToMainThread(r); } NS_IMETHODIMP diff --git a/dom/system/NetworkGeolocationProvider.js b/dom/system/NetworkGeolocationProvider.js index 8762d8ca70c8..bcf5a2747812 100755 --- a/dom/system/NetworkGeolocationProvider.js +++ b/dom/system/NetworkGeolocationProvider.js @@ -1,15 +1,53 @@ +/* ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is Network Location Provider for GLS. + * + * The Initial Developer of the Original Code is + * Mozilla Foundation. + * Portions created by the Initial Developer are Copyright (C) 2011 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * Doug Turner + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * ***** END LICENSE BLOCK ***** */ + + +// Do not use this API without permission from Google. +// See http://www.google.com/support/enterprise/bin/request.py?contact_type=gme&utm_campaign=en-us-ptr-mz +// for more information. + Components.utils.import("resource://gre/modules/XPCOMUtils.jsm"); +Components.utils.import("resource://gre/modules/Services.jsm"); const Ci = Components.interfaces; const Cc = Components.classes; -var gLoggingEnabled = false; -var gTestingEnabled = false; - -function nowInSeconds() -{ - return Date.now() / 1000; -} +let gLoggingEnabled = false; +let gTestingEnabled = false; function LOG(aMsg) { if (gLoggingEnabled) @@ -20,408 +58,254 @@ function LOG(aMsg) { } } -function WifiGeoAddressObject(streetNumber, street, premises, city, county, region, country, countryCode, postalCode) { - - this.streetNumber = streetNumber; - this.street = street; - this.premises = premises; - this.city = city; - this.county = county; - this.region = region; - this.country = country; - this.countryCode = countryCode; - this.postalCode = postalCode; -} - -WifiGeoAddressObject.prototype = { - - QueryInterface: XPCOMUtils.generateQI([Ci.nsIDOMGeoPositionAddress]), - - classInfo: XPCOMUtils.generateCI({interfaces: [Ci.nsIDOMGeoPositionAddress], - flags: Ci.nsIClassInfo.DOM_OBJECT}) -}; - function WifiGeoCoordsObject(lat, lon, acc, alt, altacc) { - this.latitude = lat; - this.longitude = lon; - this.accuracy = acc; - this.altitude = alt; - this.altitudeAccuracy = altacc; -}; + this.latitude = lat; + this.longitude = lon; + this.accuracy = acc; + this.altitude = alt; + this.altitudeAccuracy = altacc; +} WifiGeoCoordsObject.prototype = { - QueryInterface: XPCOMUtils.generateQI([Ci.nsIDOMGeoPositionCoords]), - - classInfo: XPCOMUtils.generateCI({interfaces: [Ci.nsIDOMGeoPositionCoords], - flags: Ci.nsIClassInfo.DOM_OBJECT, - classDescription: "wifi geo position coords object"}), - - latitude: 0, - longitude: 0, - accuracy: 0, - altitude: 0, - altitudeAccuracy: 0, + QueryInterface: XPCOMUtils.generateQI([Ci.nsIDOMGeoPositionCoords]), + classInfo: XPCOMUtils.generateCI({interfaces: [Ci.nsIDOMGeoPositionCoords], + flags: Ci.nsIClassInfo.DOM_OBJECT, + classDescription: "wifi geo position coords object"}), }; -function WifiGeoPositionObject(location) { - - this.coords = new WifiGeoCoordsObject(location.latitude, - location.longitude, - location.accuracy || 12450, // .5 * circumference of earth. - location.altitude || 0, - location.altitude_accuracy || 0); - - if (location.address) { - let address = location.address; - this.address = new WifiGeoAddressObject(address.street_number || null, - address.street || null, - address.premises || null, - address.city || null, - address.county || null, - address.region || null, - address.country || null, - address.country_code || null, - address.postal_code || null); - } - else - this.address = null; - - this.timestamp = Date.now(); -}; +function WifiGeoPositionObject(lat, lng, acc) { + this.coords = new WifiGeoCoordsObject(lat, lng, acc, 0, 0); + this.address = null; + this.timestamp = Date.now(); +} WifiGeoPositionObject.prototype = { - QueryInterface: XPCOMUtils.generateQI([Ci.nsIDOMGeoPosition]), + QueryInterface: XPCOMUtils.generateQI([Ci.nsIDOMGeoPosition]), - // Class Info is required to be able to pass objects back into the DOM. - classInfo: XPCOMUtils.generateCI({interfaces: [Ci.nsIDOMGeoPosition], - flags: Ci.nsIClassInfo.DOM_OBJECT, - classDescription: "wifi geo location position object"}), - - coords: null, - timestamp: 0, + // Class Info is required to be able to pass objects back into the DOM. + classInfo: XPCOMUtils.generateCI({interfaces: [Ci.nsIDOMGeoPosition], + flags: Ci.nsIClassInfo.DOM_OBJECT, + classDescription: "wifi geo location position object"}), }; -function HELD() {}; - // For information about the HELD format, see: - // http://tools.ietf.org/html/draft-thomson-geopriv-held-measurements-05 -HELD.encode = function(requestObject) { - // XML Header - var requestString = ""; - // Measurements - if (requestObject.wifi_towers && requestObject.wifi_towers.length > 0) { - requestString += ""; - requestString += ""; - for (var i=0; i < requestObject.wifi_towers.length; ++i) { - requestString += ""; - requestString += "" + requestObject.wifi_towers[i].mac_address + ""; - requestString += "" + requestObject.wifi_towers[i].ssid + ""; - requestString += "" + requestObject.wifi_towers[i].signal_strength + ""; - requestString += ""; - } - // XML Footer - requestString += ""; - } - requestString += ""; - return requestString; -}; - -// Decode a HELD response into a Gears-style object -HELD.decode = function(responseXML) { - // Find a Circle object in PIDF-LO and decode - function nsResolver(prefix) { - var ns = { - 'held': 'urn:ietf:params:xml:ns:geopriv:held', - 'pres': 'urn:ietf:params:xml:ns:pidf', - 'gp': 'urn:ietf:params:xml:ns:pidf:geopriv10', - 'gml': 'http://www.opengis.net/gml', - 'gs': 'http://www.opengis.net/pidflo/1.0', - }; - return ns[prefix] || null; - } - - var xpathEval = Components.classes["@mozilla.org/dom/xpath-evaluator;1"].createInstance(Ci.nsIDOMXPathEvaluator); - - // Grab values out of XML via XPath - var pos = xpathEval.evaluate( - '/held:locationResponse/pres:presence/pres:tuple/pres:status/gp:geopriv/gp:location-info/gs:Circle/gml:pos', - responseXML, - nsResolver, - Ci.nsIDOMXPathResult.STRING_TYPE, - null); - - var rad = xpathEval.evaluate( - '/held:locationResponse/pres:presence/pres:tuple/pres:status/gp:geopriv/gp:location-info/gs:Circle/gs:radius', - responseXML, - nsResolver, - Ci.nsIDOMXPathResult.NUMBER_TYPE, - null ); - - var uom = xpathEval.evaluate( - '/held:locationResponse/pres:presence/pres:tuple/pres:status/gp:geopriv/gp:location-info/gs:Circle/gs:radius/@uom', - responseXML, - nsResolver, - Ci.nsIDOMXPathResult.STRING_TYPE, - null); - - // Bail if we don't have a valid result (all values && uom==meters) - if ((pos.stringValue == null) || - (rad.numberValue == null) || - (uom.stringValue == null) || - (uom.stringValue != "urn:ogc:def:uom:EPSG::9001")) { - return null; - } - - // Split the pos value into lat/long - var coords = pos.stringValue.split(/[ \t\n]+/); - - // Fill out the object to return: - var obj = { - location: { - latitude: parseFloat(coords[0]), - longitude: parseFloat(coords[1]), - accuracy: rad.numberValue - } - }; - return obj; -} - function WifiGeoPositionProvider() { - this.prefService = Cc["@mozilla.org/preferences-service;1"].getService(Ci.nsIPrefBranch).QueryInterface(Ci.nsIPrefService); - try { - gLoggingEnabled = this.prefService.getBoolPref("geo.wifi.logging.enabled"); - } catch (e) {} + try { + gLoggingEnabled = Services.prefs.getBoolPref("geo.wifi.logging.enabled"); + } catch (e) {} - try { - gTestingEnabled = this.prefService.getBoolPref("geo.wifi.testing"); - } catch (e) {} + try { + gTestingEnabled = Services.prefs.getBoolPref("geo.wifi.testing"); + } catch (e) {} -}; + wifiService = null; + timer = null; + hasSeenWiFi = false; + started = false; +} WifiGeoPositionProvider.prototype = { - classID: Components.ID("{77DA64D3-7458-4920-9491-86CC9914F904}"), - QueryInterface: XPCOMUtils.generateQI([Ci.nsIGeolocationProvider, - Ci.nsIWifiListener, - Ci.nsITimerCallback]), + classID: Components.ID("{77DA64D3-7458-4920-9491-86CC9914F904}"), + QueryInterface: XPCOMUtils.generateQI([Ci.nsIGeolocationProvider, + Ci.nsIWifiListener, + Ci.nsITimerCallback]), + startup: function() { + if (this.started) + return; + this.started = true; + this.hasSeenWiFi = false; - prefService: null, - wifi_service: null, - timer: null, - hasSeenWiFi: false, - started: false, + LOG("startup called. testing mode is" + gTestingEnabled); - startup: function() { - if (this.started == true) - return; + // if we don't see anything in 5 seconds, kick of one IP geo lookup. + // if we are testing, just hammer this callback so that we are more or less + // always sending data. It doesn't matter if we have an access point or not. + this.timer = Cc["@mozilla.org/timer;1"].createInstance(Ci.nsITimer); + if (!gTestingEnabled) + this.timer.initWithCallback(this, 5000, this.timer.TYPE_ONE_SHOT); + else + this.timer.initWithCallback(this, 200, this.timer.TYPE_REPEATING_SLACK); + }, - this.started = true; + watch: function(c) { + LOG("watch called"); + if (!this.wifiService) { + this.wifiService = Cc["@mozilla.org/wifi/monitor;1"].getService(Components.interfaces.nsIWifiMonitor); + this.wifiService.startWatching(this); + } + }, - LOG("startup called. testing mode is" + gTestingEnabled); - // if we don't see anything in 5 seconds, kick of one IP geo lookup. - // if we are testing, just hammer this callback so that we are more or less - // always sending data. It doesn't matter if we have an access point or not. - this.hasSeenWiFi = false; - this.timer = Cc["@mozilla.org/timer;1"].createInstance(Ci.nsITimer); - if (gTestingEnabled == false) - this.timer.initWithCallback(this, 5000, this.timer.TYPE_ONE_SHOT); - else - this.timer.initWithCallback(this, 200, this.timer.TYPE_REPEATING_SLACK); - }, + shutdown: function() { + LOG("shutdown called"); + if(this.wifiService) { + this.wifiService.stopWatching(this); + this.wifiService = null; + } + if (this.timer != null) { + this.timer.cancel(); + this.timer = null; + } - watch: function(c) { - LOG("watch called"); - if (!this.wifi_service) { - this.wifi_service = Cc["@mozilla.org/wifi/monitor;1"].getService(Components.interfaces.nsIWifiMonitor); - this.wifi_service.startWatching(this); - } - }, + // Although we aren't using cookies, we should err on the side of not + // saving any access tokens if the user asked us not to save cookies or + // has changed the lifetimePolicy. The access token in these cases is + // used and valid for the life of this object (eg. between startup and + // shutdown). + if (Services.prefs.getIntPref("network.cookie.lifetimePolicy") != 0) + Services.prefs.deleteBranch("geo.wifi.access_token."); + this.started = false; + }, - shutdown: function() { - LOG("shutdown called"); - if(this.wifi_service) - this.wifi_service.stopWatching(this); - this.wifi_service = null; + getAccessTokenForURL: function(url) + { + // check to see if we have an access token: + let accessToken = ""; + try { + let accessTokenPrefName = "geo.wifi.access_token." + url; + accessToken = Services.prefs.getCharPref(accessTokenPrefName); - if (this.timer != null) { - this.timer.cancel(); - this.timer = null; - } - - // Although we aren't using cookies, we should err on the side of not - // saving any access tokens if the user asked us not to save cookies or - // has changed the lifetimePolicy. The access token in these cases is - // used and valid for the life of this object (eg. between startup and - // shutdown).e - let prefBranch = Cc["@mozilla.org/preferences-service;1"].getService(Ci.nsIPrefBranch); - if (prefBranch.getIntPref("network.cookie.lifetimePolicy") != 0) - prefBranch.deleteBranch("geo.wifi.access_token."); - - this.started = false; - }, - - getAccessTokenForURL: function(url) - { - // check to see if we have an access token: - var accessToken = ""; - - try { - var accessTokenPrefName = "geo.wifi.access_token." + url; - accessToken = this.prefService.getCharPref(accessTokenPrefName); + // check to see if it has expired + let accessTokenDate = Services.prefs.getIntPref(accessTokenPrefName + ".time"); + + let accessTokenInterval = 1209600; // seconds in 2 weeks + try { + accessTokenInterval = Services.prefs.getIntPref("geo.wifi.access_token.recycle_interval"); + } catch (e) {} - // check to see if it has expired - var accessTokenDate = this.prefService.getIntPref(accessTokenPrefName + ".time"); - - var accessTokenInterval = 1209600; /* seconds in 2 weeks */ - try { - accessTokenInterval = this.prefService.getIntPref("geo.wifi.access_token.recycle_interval"); - } catch (e) {} - - if (nowInSeconds() - accessTokenDate > accessTokenInterval) - accessToken = ""; + if ((Date.now() / 1000) - accessTokenDate > accessTokenInterval) + accessToken = ""; + } + catch (e) { + accessToken = ""; + } + return accessToken; + }, + + onChange: function(accessPoints) { + LOG("onChange called"); + this.hasSeenWiFi = true; + + let providerUrlBase = Services.prefs.getCharPref("geo.wifi.uri"); + let providerUrl; + + let query = providerUrlBase.indexOf("?"); + if (query == -1) + providerUrl = providerUrlBase + "?" + else + providerUrl = providerUrlBase + "&"; + providerUrl = providerUrl + "browser=firefox&sensor=true"; + + + let accessToken = this.getAccessTokenForURL(providerUrlBase); + if (accessToken !== "") + providerUrl = providerUrl + "&access_token="+access_token; + + function sort(a, b) { + return b.signal - a.signal; + }; + + function encode(ap) { + // make sure that the ssid doesn't contain any | chars. + ap.ssid = ap.ssid.replace("|", "\\|"); + // gls service parses the | as fields + return "&wifi=mac:"+ap.mac+"|ssid:"+ap.ssid+"|ss:"+ap.signal; + }; + + if (accessPoints) { + accessPoints.sort(sort).map(encode).join(""); + // max length is 2k. make sure we are under that + let x = providerUrl.length - 2000; + if (x >= 0) { + // we need to trim + let doomed = providerUrl.lastIndexOf("&", 2000); + LOG("Doomed:"+doomed); + providerUrl = providerUrl.substring(0, doomed); } - catch (e) { - accessToken = ""; - } - return accessToken; - }, + } - onChange: function(accessPoints) { + providerUrl = encodeURI(providerUrl); + LOG("************************************* Sending request:\n" + providerUrl + "\n"); - LOG("onChange called"); - this.hasSeenWiFi = true; + // send our request to a wifi geolocation network provider: + let xhr = Components.classes["@mozilla.org/xmlextras/xmlhttprequest;1"] + .createInstance(Ci.nsIXMLHttpRequest); - // send our request to a wifi geolocation network provider: - var xhr = Components.classes["@mozilla.org/xmlextras/xmlhttprequest;1"] - .createInstance(Ci.nsIXMLHttpRequest); + // This is a background load + xhr.mozBackgroundRequest = true; + xhr.open("GET", providerUrl, false); + xhr.channel.loadFlags = Ci.nsIChannel.LOAD_ANONYMOUS; + xhr.onerror = function(req) { + LOG("onerror: " + req); + }; + xhr.onload = function (req) { + LOG("service returned: " + req.target.responseText); + response = JSON.parse(req.target.responseText); + /* + { + "status": "OK", + "accuracy": 150.0, + "location": { + "lat": -33.85702, + "lng": 151.21494 + }, + "access_token": "quijibo" + } + */ - // This is a background load - xhr.mozBackgroundRequest = true; + if (response.status != "OK") + return; - var provider_url = this.prefService.getCharPref("geo.wifi.uri"); - var provider_protocol = 0; - try { - provider_protocol = this.prefService.getIntPref("geo.wifi.protocol"); - } catch (e) {} + if (response.location) { + let newLocation = new WifiGeoPositionObject(response.location.lat, + response.location.lng, + response.accuracy); - LOG("provider url = " + provider_url); - - xhr.open("POST", provider_url, false); - - // set something so that we can strip cookies - xhr.channel.loadFlags = Ci.nsIChannel.LOAD_ANONYMOUS; - - xhr.onerror = function(req) { - LOG("onerror: " + req); - }; - - xhr.onload = function (req) { - - LOG("xhr onload..."); - - try { - // if we get a bad response, we will throw and never report a location - var response; - switch (provider_protocol) { - case 1: - LOG("service returned: " + req.target.responseXML); - response = HELD.decode(req.target.responseXML); - break; - case 0: - default: - LOG("service returned: " + req.target.responseText); - response = JSON.parse(req.target.responseText); - } - } catch (e) { - LOG("Parse failed"); - return; - } - - // response looks something like: - // {"location":{"latitude":51.5090332,"longitude":-0.1212726,"accuracy":150.0},"access_token":"2:jVhRZJ-j6PiRchH_:RGMrR0W1BiwdZs12"} - - // Check to see if we have a new access token - var newAccessToken = response.access_token; - if (newAccessToken != undefined) - { - var prefService = Cc["@mozilla.org/preferences-service;1"].getService(Ci.nsIPrefBranch); - var accessToken = ""; - var accessTokenPrefName = "geo.wifi.access_token." + req.target.channel.URI.spec; - try { accessToken = prefService.getCharPref(accessTokenPrefName); } catch (e) {} - - if (accessToken != newAccessToken) { - // no match, lets cache - LOG("New Access Token: " + newAccessToken + "\n" + accessTokenPrefName); - - try { - prefService.setIntPref(accessTokenPrefName + ".time", nowInSeconds()); - prefService.setCharPref(accessTokenPrefName, newAccessToken); - } catch (x) { - // XXX temporary hack for bug 575346 to allow geolocation to function - } - } - } - - if (response.location) { - var newLocation = new WifiGeoPositionObject(response.location); - - var update = Cc["@mozilla.org/geolocation/service;1"].getService(Ci.nsIGeolocationUpdate); - update.update(newLocation); - } - }; - - var accessToken = this.getAccessTokenForURL(provider_url); - - var request = { - version: "1.1.0", - request_address: true, - }; - - if (accessToken != "") - request.access_token = accessToken; - - if (accessPoints != null) { - function filterBlankSSIDs(ap) ap.ssid != "" - function deconstruct(ap) ({ - mac_address: ap.mac, - ssid: ap.ssid, - signal_strength: ap.signal - }) - request.wifi_towers = accessPoints.filter(filterBlankSSIDs).map(deconstruct); + let update = Cc["@mozilla.org/geolocation/service;1"].getService(Ci.nsIGeolocationUpdate); + update.update(newLocation); } - var requestString; - switch (provider_protocol) { - case 1: - requestString = HELD.encode(request); - break; - case 0: - default: - requestString = JSON.stringify(request); - } - LOG("client sending: " + requestString); - - try { - xhr.send(requestString); - } catch (e) {} - }, + // Check to see if we have a new access token + let newAccessToken = response.access_token; + if (newAccessToken !== undefined) + { + let accessToken = ""; + let accessTokenPrefName = "geo.wifi.access_token." + providerUrlBase; + try { accessToken = Services.prefs.getCharPref(accessTokenPrefName); } catch (e) {} - onError: function (code) { - LOG("wifi error: " + code); - }, - - notify: function (timer) { - if (!gTestingEnabled) { - if (this.hasSeenWiFi == false) - this.onChange(null); - this.timer = null; - return; + if (accessToken != newAccessToken) { + // no match, lets cache + LOG("New Access Token: " + newAccessToken + "\n" + accessTokenPrefName); + try { + Services.prefs.setIntPref(accessTokenPrefName + ".time", nowInSeconds()); + Services.prefs.setCharPref(accessTokenPrefName, newAccessToken); + } catch (x) { + // XXX temporary hack for bug 575346 to allow geolocation to function + } + } } - // if we are testing, we need to hammer this. + }; + + LOG("************************************* ------>>>> sending."); + xhr.send(null); + }, + + onError: function (code) { + LOG("wifi error: " + code); + }, + + notify: function (timer) { + if (gTestingEnabled) { + // if we are testing, timer is repeating + this.onChange(null); + } + else { + if (!this.hasSeenWiFi) this.onChange(null); - }, - + this.timer = null; + } + }, }; -var NSGetFactory = XPCOMUtils.generateNSGetFactory([WifiGeoPositionProvider]); +let NSGetFactory = XPCOMUtils.generateNSGetFactory([WifiGeoPositionProvider]); diff --git a/dom/system/unix/Makefile.in b/dom/system/unix/Makefile.in index 1309bd2fc843..fa443281fea6 100644 --- a/dom/system/unix/Makefile.in +++ b/dom/system/unix/Makefile.in @@ -50,10 +50,14 @@ FORCE_STATIC_LIB = 1 EXPORT_LIBRARY = 1 include $(topsrcdir)/config/config.mk +include $(topsrcdir)/ipc/chromium/chromium-config.mk + +ifndef MOZ_ENABLE_QTMOBILITY CPPSRCS = \ nsDeviceMotionSystem.cpp \ $(NULL) +endif ifdef MOZ_MAEMO_LIBLOCATION CPPSRCS += MaemoLocationProvider.cpp @@ -67,7 +71,13 @@ CPPSRCS += nsHapticFeedback.cpp LOCAL_INCLUDES += $(MOZ_DBUS_CFLAGS) \ $(NULL) ifdef MOZ_ENABLE_QTMOBILITY +MOCSRCS += moc_QTMLocationProvider.cpp moc_nsQTMDeviceMotionSystem.cpp +CPPSRCS += $(MOCSRCS) \ + QTMLocationProvider.cpp \ + nsQTMDeviceMotionSystem.cpp \ + $(NULL) LOCAL_INCLUDES += $(MOZ_QT_CFLAGS) \ + -I$(topsrcdir)/dom/src/geolocation \ $(NULL) endif endif diff --git a/dom/system/unix/QTMLocationProvider.cpp b/dom/system/unix/QTMLocationProvider.cpp new file mode 100644 index 000000000000..712bf5b50da0 --- /dev/null +++ b/dom/system/unix/QTMLocationProvider.cpp @@ -0,0 +1,118 @@ +/* -*- Mode: c++; c-basic-offset: 4; tab-width: 20; indent-tabs-mode: nil; -*- + * ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is Mozilla Qt code. + * + * The Initial Developer of the Original Code is Mozilla Foundation. + * Portions created by the Initial Developer are Copyright (C) 2011 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * Oleg Romashin + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * ***** END LICENSE BLOCK ***** */ + +#include "QTMLocationProvider.h" +#include "nsGeoPosition.h" +#include +using namespace QtMobility; + +using namespace mozilla; + +NS_IMPL_ISUPPORTS1(QTMLocationProvider, nsIGeolocationProvider) + +QTMLocationProvider::QTMLocationProvider() +{ + mLocation = QGeoPositionInfoSource::createDefaultSource(this); + if (mLocation) + connect(mLocation, SIGNAL(positionUpdated(QGeoPositionInfo)), this, SLOT(positionUpdated(QGeoPositionInfo))); +} + +QTMLocationProvider::~QTMLocationProvider() +{ + delete mLocation; +} + +void +QTMLocationProvider::positionUpdated(const QGeoPositionInfo &geoPosition) +{ + if (!geoPosition.isValid()) { + NS_WARNING("Invalida geoposition received"); + return; + } + + QGeoCoordinate coord = geoPosition.coordinate(); + double latitude = coord.latitude(); + double longitude = coord.longitude(); + double altitude = coord.altitude(); + double accuracy = geoPosition.attribute(QGeoPositionInfo::HorizontalAccuracy); + double altitudeAccuracy = geoPosition.attribute(QGeoPositionInfo::VerticalAccuracy); + double heading = geoPosition.attribute(QGeoPositionInfo::Direction); + + bool providesSpeed = geoPosition.hasAttribute(QGeoPositionInfo::GroundSpeed); + double speed = geoPosition.attribute(QGeoPositionInfo::GroundSpeed); + + nsRefPtr p = + new nsGeoPosition(latitude, longitude, + altitude, accuracy, + altitudeAccuracy, heading, + speed, geoPosition.timestamp().toTime_t()); + if (mCallback) { + mCallback->Update(p); + } +} + +NS_IMETHODIMP +QTMLocationProvider::Startup() +{ + if (!mLocation) + return NS_ERROR_NOT_IMPLEMENTED; + + mLocation->startUpdates(); + + return NS_OK; +} + +NS_IMETHODIMP +QTMLocationProvider::Watch(nsIGeolocationUpdate* aCallback) +{ + mCallback = aCallback; + + return NS_OK; +} + +NS_IMETHODIMP +QTMLocationProvider::Shutdown() +{ + if (!mLocation) + return NS_ERROR_NOT_IMPLEMENTED; + + mLocation->stopUpdates(); + mCallback = nsnull; + + return NS_OK; +} + diff --git a/dom/system/unix/QTMLocationProvider.h b/dom/system/unix/QTMLocationProvider.h new file mode 100644 index 000000000000..8c572e280296 --- /dev/null +++ b/dom/system/unix/QTMLocationProvider.h @@ -0,0 +1,69 @@ +/* ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is Mozilla Qt code. + * + * The Initial Developer of the Original Code is Mozilla Foundation. + * Portions created by the Initial Developer are Copyright (C) 2011 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * Oleg Romashin + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * ***** END LICENSE BLOCK ***** */ + +#ifndef QTMLocationProvider_h +#define QTMLocationProvider_h + +#include +#include "nsGeolocation.h" +#include "nsIGeolocationProvider.h" +#include "nsCOMPtr.h" + +using namespace QtMobility; + +class QTMLocationProvider : public QObject, + public nsIGeolocationProvider +{ + Q_OBJECT + +public: + NS_DECL_ISUPPORTS + NS_DECL_NSIGEOLOCATIONPROVIDER + + QTMLocationProvider(); + +public Q_SLOTS: + // QGeoPositionInfoSource + void positionUpdated(const QGeoPositionInfo&); + +private: + ~QTMLocationProvider(); + + QtMobility::QGeoPositionInfoSource* mLocation; + nsCOMPtr mCallback; +}; + +#endif /* QTMLocationProvider_h */ diff --git a/dom/system/unix/nsQTMDeviceMotionSystem.cpp b/dom/system/unix/nsQTMDeviceMotionSystem.cpp new file mode 100644 index 000000000000..8a9909bd7cb8 --- /dev/null +++ b/dom/system/unix/nsQTMDeviceMotionSystem.cpp @@ -0,0 +1,126 @@ +/* -*- Mode: c++; c-basic-offset: 4; tab-width: 20; indent-tabs-mode: nil; -*- + * ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is mozilla.org code. + * + * The Initial Developer of the Original Code is Mozilla Foundation. + * Portions created by the Initial Developer are Copyright (C) 2011 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * Oleg Romashin + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * ***** END LICENSE BLOCK ***** */ + +#include "mozilla/dom/ContentChild.h" +#include "nsQTMDeviceMotionSystem.h" +#include +#include +#include + +#include "nsXULAppAPI.h" + +using namespace mozilla; +using namespace QtMobility; + +bool +MozQAccelerometerSensorFilter::filter(QAccelerometerReading* reading) +{ + mSystem.DeviceMotionChanged(nsIDeviceMotionData::TYPE_ACCELERATION, + -reading->x(), + -reading->y(), + -reading->z()); + return true; +} + +bool +MozQRotationSensorFilter::filter(QRotationReading* reading) +{ + // QRotationReading class: + // - the rotation around z axis (alpha) is given as z in QRotationReading; + // - the rotation around x axis (beta) is given as x in QRotationReading; + // - the rotation around y axis (gamma) is given as y in QRotationReading; + // See: http://doc.qt.nokia.com/qtmobility-1.0/qrotationreading.html + mSystem.DeviceMotionChanged(nsIDeviceMotionData::TYPE_ORIENTATION, + reading->z(), + reading->x(), + reading->y()); + return true; +} + +nsDeviceMotionSystem::nsDeviceMotionSystem() +{ + if (XRE_GetProcessType() == GeckoProcessType_Default) { + mAccelerometer = new QAccelerometer(); + mAccelerometerFilter = new MozQAccelerometerSensorFilter(*this); + mAccelerometer->addFilter(mAccelerometerFilter); + mRotation = new QRotationSensor(); + mRotationFilter = new MozQRotationSensorFilter(*this); + mRotation->addFilter(mRotationFilter); + } +} + +nsDeviceMotionSystem::~nsDeviceMotionSystem() +{ + if (XRE_GetProcessType() == GeckoProcessType_Default) { + mAccelerometer->removeFilter(mAccelerometerFilter); + mAccelerometer->stop(); + mRotation->removeFilter(mRotationFilter); + mRotation->stop(); + delete mAccelerometer; + delete mAccelerometerFilter; + delete mRotation; + delete mRotationFilter; + } +} + +void nsDeviceMotionSystem::Startup() +{ + if (XRE_GetProcessType() == GeckoProcessType_Default) { + mAccelerometer->start(); + if (!mAccelerometer->isActive()) { + NS_WARNING("AccelerometerSensor didn't start!"); + } + mRotation->start(); + if (!mRotation->isActive()) { + NS_WARNING("RotationSensor didn't start!"); + } + } + else + mozilla::dom::ContentChild::GetSingleton()-> + SendAddDeviceMotionListener(); +} + +void nsDeviceMotionSystem::Shutdown() +{ + if (XRE_GetProcessType() == GeckoProcessType_Default) { + mAccelerometer->stop(); + mRotation->stop(); + } + else + mozilla::dom::ContentChild::GetSingleton()-> + SendRemoveDeviceMotionListener(); +} diff --git a/dom/system/unix/nsQTMDeviceMotionSystem.h b/dom/system/unix/nsQTMDeviceMotionSystem.h new file mode 100644 index 000000000000..5df59c56dcbd --- /dev/null +++ b/dom/system/unix/nsQTMDeviceMotionSystem.h @@ -0,0 +1,100 @@ +/* ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is mozilla.org code. + * + * The Initial Developer of the Original Code is Mozilla Foundation. + * Portions created by the Initial Developer are Copyright (C) 2011 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * Oleg Romashin + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * ***** END LICENSE BLOCK ***** */ + +#ifndef nsDeviceMotionSystem_h +#define nsDeviceMotionSystem_h + +#include +#include +#include +#include "nsDeviceMotion.h" + +using namespace QtMobility; + + +class MozQAccelerometerSensorFilter; +class MozQRotationSensorFilter; + +class nsDeviceMotionSystem : public nsDeviceMotion +{ +public: + nsDeviceMotionSystem(); + virtual ~nsDeviceMotionSystem(); + +private: + virtual void Startup(); + virtual void Shutdown(); + + QtMobility::QAccelerometer* mAccelerometer; + MozQAccelerometerSensorFilter* mAccelerometerFilter; + QtMobility::QRotationSensor* mRotation; + MozQRotationSensorFilter* mRotationFilter; +}; + +class MozQAccelerometerSensorFilter : public QObject, public QAccelerometerFilter +{ + Q_OBJECT + +public: + MozQAccelerometerSensorFilter(nsDeviceMotionSystem& aSystem) : mSystem(aSystem) {} + + virtual ~MozQAccelerometerSensorFilter(){} + + virtual bool filter(QAccelerometerReading* reading); + +private: + bool filter(QSensorReading *reading) { return filter(static_cast(reading)); } + nsDeviceMotionSystem& mSystem; +}; + +class MozQRotationSensorFilter : public QObject, public QRotationFilter +{ + Q_OBJECT + +public: + MozQRotationSensorFilter(nsDeviceMotionSystem& aSystem) : mSystem(aSystem) {} + + virtual ~MozQRotationSensorFilter(){} + + virtual bool filter(QRotationReading* reading); + +private: + bool filter(QSensorReading *reading) { return filter(static_cast(reading)); } + nsDeviceMotionSystem& mSystem; +}; + +#endif /* nsDeviceMotionSystem_h */ + diff --git a/dom/tests/mochitest/geolocation/geolocation_common.js b/dom/tests/mochitest/geolocation/geolocation_common.js index 3fd8e7c901ff..b1628096288f 100644 --- a/dom/tests/mochitest/geolocation/geolocation_common.js +++ b/dom/tests/mochitest/geolocation/geolocation_common.js @@ -77,15 +77,15 @@ function check_geolocation(location) { ok("latitude" in coords, "Check to see if there is a latitude"); ok("longitude" in coords, "Check to see if there is a longitude"); - ok("altitude" in coords, "Check to see if there is a altitude"); ok("accuracy" in coords, "Check to see if there is a accuracy"); - ok("altitudeAccuracy" in coords, "Check to see if there is a alt accuracy"); - + + // optional ok("altitude" in coords, "Check to see if there is a altitude"); + // optional ok("altitudeAccuracy" in coords, "Check to see if there is a alt accuracy"); // optional ok("heading" in coords, "Check to see if there is a heading"); // optional ok("speed" in coords, "Check to see if there is a speed"); ok (location.coords.latitude == 37.41857, "lat matches known value"); ok (location.coords.longitude == -122.08769, "lon matches known value"); - ok(location.coords.altitude == 42, "alt matches known value"); - ok(location.coords.altitudeAccuracy == 42, "alt acc matches known value"); + // optional ok(location.coords.altitude == 42, "alt matches known value"); + // optional ok(location.coords.altitudeAccuracy == 42, "alt acc matches known value"); } diff --git a/dom/tests/mochitest/geolocation/network_geolocation.sjs b/dom/tests/mochitest/geolocation/network_geolocation.sjs index c4bbb9765fb6..66863480a39f 100644 --- a/dom/tests/mochitest/geolocation/network_geolocation.sjs +++ b/dom/tests/mochitest/geolocation/network_geolocation.sjs @@ -19,35 +19,16 @@ function parseQueryString(str) function getPosition(action) { - // this isn't the w3c data structure, it is the network location provider structure. - - var address = { - street_number: "street_number", - street: "street", - premises: "premises", - city: "city", - county: "county", - region: "region", - country: "country", - country_code: "country_code", - postal_code: "postal_code", - }; - - - var coords = { - latitude: 37.41857, - longitude: -122.08769, - - altitude: 42, + var response = { + status: "OK", + location: { + lat: 37.41857, + lng: -122.08769, + }, accuracy: (action == "worse-accuracy") ? 100 : 42, - altitude_accuracy: 42, }; - var geoposition = { - location: coords, - }; - - return JSON.stringify(geoposition); + return JSON.stringify(response); } function handleRequest(request, response) diff --git a/editor/composer/src/nsComposerCommands.cpp b/editor/composer/src/nsComposerCommands.cpp index 3e56ffb9a348..6c5c005799d1 100644 --- a/editor/composer/src/nsComposerCommands.cpp +++ b/editor/composer/src/nsComposerCommands.cpp @@ -431,7 +431,8 @@ nsRemoveListCommand::IsCommandEnabled(const char * aCommandName, if (editor) { PRBool isEditable = PR_FALSE; - NS_SUCCEEDED(editor->GetIsSelectionEditable(&isEditable)); + nsresult rv = editor->GetIsSelectionEditable(&isEditable); + NS_ENSURE_SUCCESS(rv, rv); if (isEditable) { // It is enabled if we are in any list type @@ -543,7 +544,8 @@ nsOutdentCommand::IsCommandEnabled(const char * aCommandName, if (editor && htmlEditor) { PRBool canIndent, isEditable = PR_FALSE; - NS_SUCCEEDED(editor->GetIsSelectionEditable(&isEditable)); + nsresult rv = editor->GetIsSelectionEditable(&isEditable); + NS_ENSURE_SUCCESS(rv, rv); if (isEditable) return htmlEditor->GetIndentState(&canIndent, outCmdEnabled); } @@ -1051,7 +1053,8 @@ nsAbsolutePositioningCommand::IsCommandEnabled(const char * aCommandName, if (htmlEditor) { PRBool isEditable = PR_FALSE; - NS_SUCCEEDED(editor->GetIsSelectionEditable(&isEditable)); + nsresult rv = editor->GetIsSelectionEditable(&isEditable); + NS_ENSURE_SUCCESS(rv, rv); if (isEditable) return htmlEditor->GetAbsolutePositioningEnabled(outCmdEnabled); } diff --git a/editor/libeditor/base/nsEditorCommands.cpp b/editor/libeditor/base/nsEditorCommands.cpp index a81012d192e3..590e4cc48bd6 100644 --- a/editor/libeditor/base/nsEditorCommands.cpp +++ b/editor/libeditor/base/nsEditorCommands.cpp @@ -71,7 +71,8 @@ nsUndoCommand::IsCommandEnabled(const char * aCommandName, if (editor) { PRBool isEnabled, isEditable = PR_FALSE; - NS_SUCCEEDED(editor->GetIsSelectionEditable(&isEditable)); + nsresult rv = editor->GetIsSelectionEditable(&isEditable); + NS_ENSURE_SUCCESS(rv, rv); if (isEditable) return editor->CanUndo(&isEnabled, outCmdEnabled); } @@ -119,7 +120,8 @@ nsRedoCommand::IsCommandEnabled(const char * aCommandName, if (editor) { PRBool isEnabled, isEditable = PR_FALSE; - NS_SUCCEEDED(editor->GetIsSelectionEditable(&isEditable)); + nsresult rv = editor->GetIsSelectionEditable(&isEditable); + NS_ENSURE_SUCCESS(rv, rv); if (isEditable) return editor->CanRedo(&isEnabled, outCmdEnabled); } @@ -215,7 +217,8 @@ nsCutCommand::IsCommandEnabled(const char * aCommandName, if (editor) { PRBool isEditable = PR_FALSE; - NS_SUCCEEDED(editor->GetIsSelectionEditable(&isEditable)); + nsresult rv = editor->GetIsSelectionEditable(&isEditable); + NS_ENSURE_SUCCESS(rv, rv); if (isEditable) return editor->CanCut(outCmdEnabled); } @@ -319,7 +322,8 @@ nsCopyCommand::IsCommandEnabled(const char * aCommandName, if (editor) { PRBool isEditable = PR_FALSE; - NS_SUCCEEDED(editor->GetIsSelectionEditable(&isEditable)); + nsresult rv = editor->GetIsSelectionEditable(&isEditable); + NS_ENSURE_SUCCESS(rv, rv); if (isEditable) return editor->CanCopy(outCmdEnabled); } @@ -422,7 +426,8 @@ nsPasteCommand::IsCommandEnabled(const char *aCommandName, if (editor) { PRBool isEditable = PR_FALSE; - NS_SUCCEEDED(editor->GetIsSelectionEditable(&isEditable)); + nsresult rv = editor->GetIsSelectionEditable(&isEditable); + NS_ENSURE_SUCCESS(rv, rv); if (isEditable) return editor->CanPaste(nsIClipboard::kGlobalClipboard, outCmdEnabled); } @@ -469,7 +474,8 @@ nsPasteTransferableCommand::IsCommandEnabled(const char *aCommandName, if (editor) { PRBool isEditable = PR_FALSE; - NS_SUCCEEDED(editor->GetIsSelectionEditable(&isEditable)); + nsresult rv = editor->GetIsSelectionEditable(&isEditable); + NS_ENSURE_SUCCESS(rv, rv); if (isEditable) return editor->CanPasteTransferable(nsnull, outCmdEnabled); } @@ -580,7 +586,8 @@ nsDeleteCommand::IsCommandEnabled(const char * aCommandName, NS_ENSURE_TRUE(editor, NS_OK); PRBool isEditable = PR_FALSE; - NS_SUCCEEDED(editor->GetIsSelectionEditable(&isEditable)); + nsresult rv = editor->GetIsSelectionEditable(&isEditable); + NS_ENSURE_SUCCESS(rv, rv); if (!isEditable) return NS_OK; diff --git a/editor/libeditor/base/nsEditorEventListener.cpp b/editor/libeditor/base/nsEditorEventListener.cpp index b17d3145c1b2..84817846668b 100644 --- a/editor/libeditor/base/nsEditorEventListener.cpp +++ b/editor/libeditor/base/nsEditorEventListener.cpp @@ -126,78 +126,62 @@ nsEditorEventListener::InstallToEditor() nsCOMPtr piTarget = mEditor->GetDOMEventTarget(); NS_ENSURE_TRUE(piTarget, NS_ERROR_FAILURE); - nsresult rv; - // register the event listeners with the listener manager nsEventListenerManager* elmP = piTarget->GetListenerManager(PR_TRUE); NS_ENSURE_STATE(elmP); - rv = elmP->AddEventListenerByType(this, - NS_LITERAL_STRING("keypress"), - NS_EVENT_FLAG_BUBBLE | - NS_PRIV_EVENT_UNTRUSTED_PERMITTED | - NS_EVENT_FLAG_SYSTEM_EVENT); - NS_ENSURE_SUCCESS(rv, rv); + elmP->AddEventListenerByType(this, + NS_LITERAL_STRING("keypress"), + NS_EVENT_FLAG_BUBBLE | + NS_PRIV_EVENT_UNTRUSTED_PERMITTED | + NS_EVENT_FLAG_SYSTEM_EVENT); // See bug 455215, we cannot use the standard dragstart event yet - rv = elmP->AddEventListenerByType(this, - NS_LITERAL_STRING("draggesture"), - NS_EVENT_FLAG_BUBBLE | - NS_EVENT_FLAG_SYSTEM_EVENT); - NS_ENSURE_SUCCESS(rv, rv); - rv = elmP->AddEventListenerByType(this, - NS_LITERAL_STRING("dragenter"), - NS_EVENT_FLAG_BUBBLE | - NS_EVENT_FLAG_SYSTEM_EVENT); - NS_ENSURE_SUCCESS(rv, rv); - rv = elmP->AddEventListenerByType(this, - NS_LITERAL_STRING("dragover"), - NS_EVENT_FLAG_BUBBLE | - NS_EVENT_FLAG_SYSTEM_EVENT); - NS_ENSURE_SUCCESS(rv, rv); - rv = elmP->AddEventListenerByType(this, - NS_LITERAL_STRING("dragexit"), - NS_EVENT_FLAG_BUBBLE | - NS_EVENT_FLAG_SYSTEM_EVENT); - NS_ENSURE_SUCCESS(rv, rv); - rv = elmP->AddEventListenerByType(this, - NS_LITERAL_STRING("drop"), - NS_EVENT_FLAG_BUBBLE | - NS_EVENT_FLAG_SYSTEM_EVENT); - NS_ENSURE_SUCCESS(rv, rv); - rv = elmP->AddEventListenerByType(this, - NS_LITERAL_STRING("mousedown"), - NS_EVENT_FLAG_CAPTURE); - NS_ENSURE_SUCCESS(rv, rv); - rv = elmP->AddEventListenerByType(this, - NS_LITERAL_STRING("mouseup"), - NS_EVENT_FLAG_CAPTURE); - NS_ENSURE_SUCCESS(rv, rv); - rv = elmP->AddEventListenerByType(this, - NS_LITERAL_STRING("click"), - NS_EVENT_FLAG_CAPTURE); - NS_ENSURE_SUCCESS(rv, rv); - // Focus event doesn't bubble so adding the listener to capturing phase. - // Make sure this works after bug 235441 gets fixed. - rv = elmP->AddEventListenerByType(this, - NS_LITERAL_STRING("blur"), - NS_EVENT_FLAG_CAPTURE); - NS_ENSURE_SUCCESS(rv, rv); - rv = elmP->AddEventListenerByType(this, - NS_LITERAL_STRING("focus"), - NS_EVENT_FLAG_CAPTURE); - NS_ENSURE_SUCCESS(rv, rv); - rv = elmP->AddEventListenerByType(this, - NS_LITERAL_STRING("text"), - NS_EVENT_FLAG_BUBBLE); - NS_ENSURE_SUCCESS(rv, rv); - rv = elmP->AddEventListenerByType(this, - NS_LITERAL_STRING("compositionstart"), - NS_EVENT_FLAG_BUBBLE); - NS_ENSURE_SUCCESS(rv, rv); - rv = elmP->AddEventListenerByType(this, - NS_LITERAL_STRING("compositionend"), - NS_EVENT_FLAG_BUBBLE); - NS_ENSURE_SUCCESS(rv, rv); + elmP->AddEventListenerByType(this, + NS_LITERAL_STRING("draggesture"), + NS_EVENT_FLAG_BUBBLE | + NS_EVENT_FLAG_SYSTEM_EVENT); + elmP->AddEventListenerByType(this, + NS_LITERAL_STRING("dragenter"), + NS_EVENT_FLAG_BUBBLE | + NS_EVENT_FLAG_SYSTEM_EVENT); + elmP->AddEventListenerByType(this, + NS_LITERAL_STRING("dragover"), + NS_EVENT_FLAG_BUBBLE | + NS_EVENT_FLAG_SYSTEM_EVENT); + elmP->AddEventListenerByType(this, + NS_LITERAL_STRING("dragexit"), + NS_EVENT_FLAG_BUBBLE | + NS_EVENT_FLAG_SYSTEM_EVENT); + elmP->AddEventListenerByType(this, + NS_LITERAL_STRING("drop"), + NS_EVENT_FLAG_BUBBLE | + NS_EVENT_FLAG_SYSTEM_EVENT); + elmP->AddEventListenerByType(this, + NS_LITERAL_STRING("mousedown"), + NS_EVENT_FLAG_CAPTURE); + elmP->AddEventListenerByType(this, + NS_LITERAL_STRING("mouseup"), + NS_EVENT_FLAG_CAPTURE); + elmP->AddEventListenerByType(this, + NS_LITERAL_STRING("click"), + NS_EVENT_FLAG_CAPTURE); +// Focus event doesn't bubble so adding the listener to capturing phase. +// Make sure this works after bug 235441 gets fixed. + elmP->AddEventListenerByType(this, + NS_LITERAL_STRING("blur"), + NS_EVENT_FLAG_CAPTURE); + elmP->AddEventListenerByType(this, + NS_LITERAL_STRING("focus"), + NS_EVENT_FLAG_CAPTURE); + elmP->AddEventListenerByType(this, + NS_LITERAL_STRING("text"), + NS_EVENT_FLAG_BUBBLE); + elmP->AddEventListenerByType(this, + NS_LITERAL_STRING("compositionstart"), + NS_EVENT_FLAG_BUBBLE); + elmP->AddEventListenerByType(this, + NS_LITERAL_STRING("compositionend"), + NS_EVENT_FLAG_BUBBLE); return NS_OK; } diff --git a/editor/libeditor/html/nsHTMLEditRules.cpp b/editor/libeditor/html/nsHTMLEditRules.cpp index d6f9a1a236d6..df93229bcdb1 100644 --- a/editor/libeditor/html/nsHTMLEditRules.cpp +++ b/editor/libeditor/html/nsHTMLEditRules.cpp @@ -6789,6 +6789,12 @@ nsHTMLEditRules::ReturnInListItem(nsISelection *aSelection, NS_ENSURE_SUCCESS(res, res); if (isEmpty && (rootNode != list) && mReturnInEmptyLIKillsList) { + // get the list offset now -- before we might eventually split the list + nsCOMPtr listparent; + PRInt32 offset; + res = nsEditor::GetNodeLocation(list, address_of(listparent), &offset); + NS_ENSURE_SUCCESS(res, res); + // are we the last list item in the list? PRBool bIsLast; res = mHTMLEditor->IsLastEditableChild(aListItem, &bIsLast); @@ -6802,10 +6808,6 @@ nsHTMLEditRules::ReturnInListItem(nsISelection *aSelection, } // are we in a sublist? - nsCOMPtr listparent; - PRInt32 offset; - res = nsEditor::GetNodeLocation(list, address_of(listparent), &offset); - NS_ENSURE_SUCCESS(res, res); if (nsHTMLEditUtils::IsList(listparent)) //in a sublist { // if so, move this list item out of this list and into the grandparent list diff --git a/editor/libeditor/html/tests/test_bug674861.html b/editor/libeditor/html/tests/test_bug674861.html index 9245c0442dec..5974b4aed0b4 100644 --- a/editor/libeditor/html/tests/test_bug674861.html +++ b/editor/libeditor/html/tests/test_bug674861.html @@ -13,29 +13,57 @@ https://bugzilla.mozilla.org/show_bug.cgi?id=674861 Mozilla Bug 674861

-

Bullet List

-
    -
  • item 1
    • -
  • item 2
    • -
  • item 3
    • -
+
+

Editable Bullet List

+
    +
  • item A
    • +
  • item B
    • +
  • item C
    • +
-

Ordered List

-
    -
  1. item 1
    2. -
  2. item 2
    3. -
  3. item 3
    4. -
+

Editable Ordered List

+
    +
  1. item A
    2. +
  2. item B
    3. +
  3. item C
    4. +
-

Definition List

-
-
term 1
-
definition 1
-
term 2
-
definition 2
-
term 3
-
definition 3
-
+

Editable Definition List

+
+
term A
+
definition A
+
term B
+
definition B
+
term C
+
definition C
+
+
+ +
+

Bullet List In Editable Section

+
    +
  • item A
    • +
  • item B
    • +
  • item C
    • +
+ +

Ordered List In Editable Section

+
    +
  1. item A
    2. +
  2. item B
    3. +
  3. item C
    4. +
+ +

Definition List In Editable Section

+
+
term A
+
definition A
+
term B
+
definition B
+
term C
+
definition C
+
+ 
@@ -82,34 +110,72 @@ function try2split(element, caretPos) {
 }
 
 function runTests() {
-  const ul = document.querySelector("#content ul");
-  const ol = document.querySelector("#content ol");
-  const dl = document.querySelector("#content dl");
+  const test1 = document.getElementById("test1");
+  const test2 = document.getElementById("test2");
+
+  // -----------------------------------------------------------------------
+  // #test1: editable lists should NOT be splittable
+  // -----------------------------------------------------------------------
+  const ul = test1.querySelector("ul");
+  const ol = test1.querySelector("ol");
+  const dl = test1.querySelector("dl");
 
   // bullet list
   ul.focus();
   try2split(ul.querySelector("li"), CARET_END);
-  is(document.querySelectorAll("#content ul").length, 1,
-    "The 
     list should not be splittable.");
+  is(test1.querySelectorAll("ul").length, 1,
+    "The 
       list should not be splittable.");
   is(ul.querySelectorAll("li").length, 5,
     "Two new 
    •  elements should have been created.");
 
   // ordered list
   ol.focus();
   try2split(ol.querySelector("li"), CARET_END);
-  is(document.querySelectorAll("#content ol").length, 1,
-    "The 
         list should not be splittable.");
+  is(test1.querySelectorAll("ol").length, 1,
+    "The 
           list should not be splittable.");
   is(ol.querySelectorAll("li").length, 5,
     "Two new 
        1.  elements should have been created.");
 
   // definition list
   dl.focus();
   try2split(dl.querySelector("dd"), CARET_END);
-  is(document.querySelectorAll("#content dl").length, 1,
-    "The 
           list should not be splittable.");
+  is(test1.querySelectorAll("dl").length, 1,
+    "The 
           list should not be splittable.");
   is(dl.querySelectorAll("dt").length, 5,
     "Two new 
           elements should have been created.");
 
+  // -----------------------------------------------------------------------
+  // #test2: lists in editable blocks should be splittable
+  // -----------------------------------------------------------------------
+  test2.focus();
+
+  // bullet list
+  try2split(test2.querySelector("ul li"), CARET_END);
+  is(test2.querySelectorAll("ul").length, 2,
+    "The 
             list should have been splitted.");
+  is(test2.querySelectorAll("ul li").length, 3,
+    "No new 
          •  element should have been created.");
+  is(test2.querySelectorAll("ul+p").length, 1,
+    "A new paragraph should have been created.");
+
+  // ordered list
+  try2split(test2.querySelector("ol li"), CARET_END);
+  is(test2.querySelectorAll("ol").length, 2,
+    "The 
               list should have been splitted.");
+  is(test2.querySelectorAll("ol li").length, 3,
+    "No new 
            1.  element should have been created.");
+  is(test2.querySelectorAll("ol+p").length, 1,
+    "A new paragraph should have been created.");
+
+  // definition list
+  try2split(test2.querySelector("dl dd"), CARET_END);
+  is(test2.querySelectorAll("dl").length, 2,
+    "The 
               list should have been splitted.");
+  is(test2.querySelectorAll("dt").length, 3,
+    "No new 
               element should have been created.");
+  is(test2.querySelectorAll("dl+p").length, 1,
+    "A new paragraph should have been created.");
+
   // done
   SimpleTest.finish();
 }
diff --git a/embedding/android/GeckoApp.java b/embedding/android/GeckoApp.java
index 9a61be3807c1..060fed6b7ec9 100644
--- a/embedding/android/GeckoApp.java
+++ b/embedding/android/GeckoApp.java
@@ -66,6 +66,8 @@ import android.telephony.*;
 abstract public class GeckoApp
     extends Activity
 {
+    private static final String LOG_FILE_NAME     = "GeckoApp";
+
     public static final String ACTION_ALERT_CLICK = "org.mozilla.gecko.ACTION_ALERT_CLICK";
     public static final String ACTION_ALERT_CLEAR = "org.mozilla.gecko.ACTION_ALERT_CLEAR";
     public static final String ACTION_WEBAPP      = "org.mozilla.gecko.WEBAPP";
@@ -151,13 +153,13 @@ abstract public class GeckoApp
                 try {
                     unpackComponents();
                 } catch (FileNotFoundException fnfe) {
-                    Log.e("GeckoApp", "error unpacking components", fnfe);
+                    Log.e(LOG_FILE_NAME, "error unpacking components", fnfe);
                     Looper.prepare();
                     showErrorDialog(getString(R.string.error_loading_file));
                     Looper.loop();
                     return;
                 } catch (IOException ie) {
-                    Log.e("GeckoApp", "error unpacking components", ie);
+                    Log.e(LOG_FILE_NAME, "error unpacking components", ie);
                     String msg = ie.getMessage();
                     Looper.prepare();
                     if (msg != null && msg.equalsIgnoreCase("No space left on device"))
@@ -175,7 +177,7 @@ abstract public class GeckoApp
                                            i.getStringExtra("args"),
                                            i.getDataString());
                 } catch (Exception e) {
-                    Log.e("GeckoApp", "top level exception", e);
+                    Log.e(LOG_FILE_NAME, "top level exception", e);
                     StringWriter sw = new StringWriter();
                     e.printStackTrace(new PrintWriter(sw));
                     GeckoAppShell.reportJavaCrash(sw.toString());
@@ -199,7 +201,7 @@ abstract public class GeckoApp
                     try {
                         Looper.loop();
                     } catch (Exception e) {
-                        Log.e("GeckoApp", "top level exception", e);
+                        Log.e(LOG_FILE_NAME, "top level exception", e);
                         StringWriter sw = new StringWriter();
                         e.printStackTrace(new PrintWriter(sw));
                         GeckoAppShell.reportJavaCrash(sw.toString());
@@ -215,7 +217,7 @@ abstract public class GeckoApp
         if (localeCode != null && localeCode.length() > 0)
             GeckoAppShell.setSelectedLocale(localeCode);
 
-        Log.i("GeckoApp", "create");
+        Log.i(LOG_FILE_NAME, "create");
         super.onCreate(savedInstanceState);
 
         if (sGREDir == null)
@@ -319,30 +321,30 @@ abstract public class GeckoApp
             return;
 
         if (Intent.ACTION_MAIN.equals(action)) {
-            Log.i("GeckoApp", "Intent : ACTION_MAIN");
+            Log.i(LOG_FILE_NAME, "Intent : ACTION_MAIN");
             GeckoAppShell.sendEventToGecko(new GeckoEvent(""));
         }
         else if (Intent.ACTION_VIEW.equals(action)) {
             String uri = intent.getDataString();
             GeckoAppShell.sendEventToGecko(new GeckoEvent(uri));
-            Log.i("GeckoApp","onNewIntent: "+uri);
+            Log.i(LOG_FILE_NAME,"onNewIntent: "+uri);
         }
         else if (ACTION_WEBAPP.equals(action)) {
             String uri = intent.getStringExtra("args");
             GeckoAppShell.sendEventToGecko(new GeckoEvent(uri));
-            Log.i("GeckoApp","Intent : WEBAPP - " + uri);
+            Log.i(LOG_FILE_NAME,"Intent : WEBAPP - " + uri);
         }
         else if (ACTION_BOOKMARK.equals(action)) {
             String args = intent.getStringExtra("args");
             GeckoAppShell.sendEventToGecko(new GeckoEvent(args));
-            Log.i("GeckoApp","Intent : BOOKMARK - " + args);
+            Log.i(LOG_FILE_NAME,"Intent : BOOKMARK - " + args);
         }
     }
 
     @Override
     public void onPause()
     {
-        Log.i("GeckoApp", "pause");
+        Log.i(LOG_FILE_NAME, "pause");
         GeckoAppShell.sendEventToGecko(new GeckoEvent(GeckoEvent.ACTIVITY_PAUSING));
         // The user is navigating away from this activity, but nothing
         // has come to the foreground yet; for Gecko, we may want to
@@ -364,7 +366,7 @@ abstract public class GeckoApp
     @Override
     public void onResume()
     {
-        Log.i("GeckoApp", "resume");
+        Log.i(LOG_FILE_NAME, "resume");
         if (checkLaunchState(LaunchState.GeckoRunning))
             GeckoAppShell.onResume();
         // After an onPause, the activity is back in the foreground.
@@ -389,7 +391,7 @@ abstract public class GeckoApp
     @Override
     public void onStop()
     {
-        Log.i("GeckoApp", "stop");
+        Log.i(LOG_FILE_NAME, "stop");
         // We're about to be stopped, potentially in preparation for
         // being destroyed.  We're killable after this point -- as I
         // understand it, in extreme cases the process can be terminated
@@ -410,7 +412,7 @@ abstract public class GeckoApp
     @Override
     public void onRestart()
     {
-        Log.i("GeckoApp", "restart");
+        Log.i(LOG_FILE_NAME, "restart");
         GeckoAppShell.putChildInForeground();
         super.onRestart();
     }
@@ -418,14 +420,15 @@ abstract public class GeckoApp
     @Override
     public void onStart()
     {
-        Log.i("GeckoApp", "start");
+        Log.i(LOG_FILE_NAME, "start");
+        GeckoAppShell.sendEventToGecko(new GeckoEvent(GeckoEvent.ACTIVITY_START));
         super.onStart();
     }
 
     @Override
     public void onDestroy()
     {
-        Log.i("GeckoApp", "destroy");
+        Log.i(LOG_FILE_NAME, "destroy");
         // Tell Gecko to shutting down; we'll end up calling System.exit()
         // in onXreExit.
         if (isFinishing())
@@ -437,7 +440,7 @@ abstract public class GeckoApp
     @Override
     public void onConfigurationChanged(android.content.res.Configuration newConfig)
     {
-        Log.i("GeckoApp", "configuration changed");
+        Log.i(LOG_FILE_NAME, "configuration changed");
         // nothing, just ignore
         super.onConfigurationChanged(newConfig);
     }
@@ -445,7 +448,7 @@ abstract public class GeckoApp
     @Override
     public void onLowMemory()
     {
-        Log.e("GeckoApp", "low memory");
+        Log.e(LOG_FILE_NAME, "low memory");
         if (checkLaunchState(LaunchState.GeckoRunning))
             GeckoAppShell.onLowMemory();
         super.onLowMemory();
@@ -470,7 +473,7 @@ abstract public class GeckoApp
                 removeFiles();
         } catch (Exception ex) {
             // This file may not be there, so just log any errors and move on
-            Log.w("GeckoApp", "error removing files", ex);
+            Log.w(LOG_FILE_NAME, "error removing files", ex);
         }
         unpackFile(zip, buf, null, "application.ini");
         unpackFile(zip, buf, null, getContentProcessName());
@@ -585,11 +588,11 @@ abstract public class GeckoApp
             addEnvToIntent(intent);
             intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK |
                             Intent.FLAG_ACTIVITY_MULTIPLE_TASK);
-            Log.i("GeckoAppJava", intent.toString());
+            Log.i(LOG_FILE_NAME, intent.toString());
             GeckoAppShell.killAnyZombies();
             startActivity(intent);
         } catch (Exception e) {
-            Log.i("GeckoAppJava", "error doing restart", e);
+            Log.i(LOG_FILE_NAME, "error doing restart", e);
         }
         finish();
         // Give the restart process time to start before we die
@@ -601,7 +604,7 @@ abstract public class GeckoApp
     }
 
     private void checkAndLaunchUpdate() {
-        Log.i("GeckoAppJava", "Checking for an update");
+        Log.i(LOG_FILE_NAME, "Checking for an update");
 
         int statusCode = 8; // UNEXPECTED_ERROR
         File baseUpdateDir = null;
@@ -621,7 +624,7 @@ abstract public class GeckoApp
         if (!updateFile.exists())
             return;
 
-        Log.i("GeckoAppJava", "Update is available!");
+        Log.i(LOG_FILE_NAME, "Update is available!");
 
         // Launch APK
         File updateFileToRun = new File(updateDir, getPackageName() + "-update.apk");
@@ -630,15 +633,15 @@ abstract public class GeckoApp
                 String amCmd = "/system/bin/am start -a android.intent.action.VIEW " +
                                "-n com.android.packageinstaller/.PackageInstallerActivity -d file://" +
                                updateFileToRun.getPath();
-                Log.i("GeckoAppJava", amCmd);
+                Log.i(LOG_FILE_NAME, amCmd);
                 Runtime.getRuntime().exec(amCmd);
                 statusCode = 0; // OK
             } else {
-                Log.i("GeckoAppJava", "Cannot rename the update file!");
+                Log.i(LOG_FILE_NAME, "Cannot rename the update file!");
                 statusCode = 7; // WRITE_ERROR
             }
         } catch (Exception e) {
-            Log.i("GeckoAppJava", "error launching installer to update", e);
+            Log.i(LOG_FILE_NAME, "error launching installer to update", e);
         }
 
         // Update the status file
@@ -651,7 +654,7 @@ abstract public class GeckoApp
             outStream.write(buf, 0, buf.length);
             outStream.close();
         } catch (Exception e) {
-            Log.i("GeckoAppJava", "error writing status file", e);
+            Log.i(LOG_FILE_NAME, "error writing status file", e);
         }
 
         if (statusCode == 0)
@@ -665,7 +668,7 @@ abstract public class GeckoApp
             status = reader.readLine();
             reader.close();
         } catch (Exception e) {
-            Log.i("GeckoAppJava", "error reading update status", e);
+            Log.i(LOG_FILE_NAME, "error reading update status", e);
         }
         return status;
     }
@@ -682,10 +685,14 @@ abstract public class GeckoApp
                 Intent.createChooser(intent, getString(R.string.choose_file)),
                 FILE_PICKER_REQUEST);
         String filePickerResult = "";
+
         try {
-            filePickerResult = mFilePickerResult.take();
+            while (null == (filePickerResult = mFilePickerResult.poll(1, TimeUnit.MILLISECONDS))) {
+                Log.i("GeckoApp", "processing events from showFilePicker ");
+                GeckoAppShell.processNextNativeEvent();
+            }
         } catch (InterruptedException e) {
-            Log.i("GeckoApp", "showing file picker ",  e);
+            Log.i(LOG_FILE_NAME, "showing file picker ",  e);
         }
 
         return filePickerResult;
@@ -738,13 +745,13 @@ abstract public class GeckoApp
                 fos.close();
                 filePickerResult =  file.getAbsolutePath();
             }catch (Exception e) {
-                Log.e("GeckoApp", "showing file picker", e);
+                Log.e(LOG_FILE_NAME, "showing file picker", e);
             }
         }
         try {
             mFilePickerResult.put(filePickerResult);
         } catch (InterruptedException e) {
-            Log.i("GeckoApp", "error returning file picker result", e);
+            Log.i(LOG_FILE_NAME, "error returning file picker result", e);
         }
     }
 }
diff --git a/embedding/android/GeckoAppShell.java b/embedding/android/GeckoAppShell.java
index afd5cd0812e8..6cf86e196e0a 100644
--- a/embedding/android/GeckoAppShell.java
+++ b/embedding/android/GeckoAppShell.java
@@ -74,6 +74,8 @@ import android.graphics.Bitmap;
 
 public class GeckoAppShell
 {
+    private static final String LOG_FILE_NAME = "GeckoAppShell";
+
     // static members only
     private GeckoAppShell() { }
 
@@ -117,6 +119,8 @@ public class GeckoAppShell
     public static native void onChangeNetworkLinkStatus(String status, String type);
     public static native void reportJavaCrash(String stack);
 
+    public static native void processNextNativeEvent();
+
     // A looper thread, accessed by GeckoAppShell.getHandler
     private static class LooperThread extends Thread {
         public SynchronousQueue mHandlerQueue =
@@ -190,25 +194,25 @@ public class GeckoAppShell
                     sFreeSpace = cacheStats.getFreeBlocks() *
                         cacheStats.getBlockSize();
                 } else {
-                    Log.i("GeckoAppShell", "Unable to get cache dir");
+                    Log.i(LOG_FILE_NAME, "Unable to get cache dir");
                 }
             }
         } catch (Exception e) {
-            Log.e("GeckoAppShell", "exception while stating cache dir: ", e);
+            Log.e(LOG_FILE_NAME, "exception while stating cache dir: ", e);
         }
         return sFreeSpace;
     }
 
     static boolean moveFile(File inFile, File outFile)
     {
-        Log.i("GeckoAppShell", "moving " + inFile + " to " + outFile);
+        Log.i(LOG_FILE_NAME, "moving " + inFile + " to " + outFile);
         if (outFile.isDirectory())
             outFile = new File(outFile, inFile.getName());
         try {
             if (inFile.renameTo(outFile))
                 return true;
         } catch (SecurityException se) {
-            Log.w("GeckoAppShell", "error trying to rename file", se);
+            Log.w(LOG_FILE_NAME, "error trying to rename file", se);
         }
         try {
             long lastModified = inFile.lastModified();
@@ -227,11 +231,11 @@ public class GeckoAppShell
             else
                 return false;
         } catch (Exception e) {
-            Log.e("GeckoAppShell", "exception while moving file: ", e);
+            Log.e(LOG_FILE_NAME, "exception while moving file: ", e);
             try {
                 outFile.delete();
             } catch (SecurityException se) {
-                Log.w("GeckoAppShell", "error trying to delete file", se);
+                Log.w(LOG_FILE_NAME, "error trying to delete file", se);
             }
             return false;
         }
@@ -244,7 +248,7 @@ public class GeckoAppShell
             if (from.renameTo(to))
                 return true;
         } catch (SecurityException se) {
-            Log.w("GeckoAppShell", "error trying to rename file", se);
+            Log.w(LOG_FILE_NAME, "error trying to rename file", se);
         }
         File[] files = from.listFiles();
         boolean retVal = true;
@@ -262,7 +266,7 @@ public class GeckoAppShell
             }
             from.delete();
         } catch(Exception e) {
-            Log.e("GeckoAppShell", "error trying to move file", e);
+            Log.e(LOG_FILE_NAME, "error trying to move file", e);
         }
         return retVal;
     }
@@ -310,11 +314,11 @@ public class GeckoAppShell
         GeckoAppShell.putenv("GRE_HOME=" + GeckoApp.sGREDir.getPath());
         Intent i = geckoApp.getIntent();
         String env = i.getStringExtra("env0");
-        Log.i("GeckoApp", "env0: "+ env);
+        Log.i(LOG_FILE_NAME, "env0: "+ env);
         for (int c = 1; env != null; c++) {
             GeckoAppShell.putenv(env);
             env = i.getStringExtra("env" + c);
-            Log.i("GeckoApp", "env"+ c +": "+ env);
+            Log.i(LOG_FILE_NAME, "env"+ c +": "+ env);
         }
 
         File f = geckoApp.getDir("tmp", Context.MODE_WORLD_READABLE |
@@ -346,7 +350,7 @@ public class GeckoAppShell
             GeckoAppShell.putenv("UPDATES_DIRECTORY="   + updatesDir.getPath());
         }
         catch (Exception e) {
-            Log.i("GeckoApp", "No download directory has been found: " + e);
+            Log.i(LOG_FILE_NAME, "No download directory has been found: " + e);
         }
 
         putLocaleEnv();
@@ -1107,7 +1111,7 @@ public class GeckoAppShell
 
         // If the network state has changed, notify Gecko
         if (notifyChanged && (state != sNetworkState || typeCode != sNetworkTypeCode)) {
-            Log.i("GeckoAppShell", "Network state changed: (" + state + ", " + type + ") ");
+            Log.i(LOG_FILE_NAME, "Network state changed: (" + state + ", " + type + ") ");
             sNetworkState = state;
             sNetworkType = type;
             sNetworkTypeCode = typeCode;
@@ -1191,7 +1195,7 @@ public class GeckoAppShell
                             fos.write(new Integer(pid).toString().getBytes());
                             fos.close();
                         } catch(Exception e) {
-                            Log.e("GeckoAppShell", "error putting child in the background", e);
+                            Log.e(LOG_FILE_NAME, "error putting child in the background", e);
                         }
                     }
                     return true;
@@ -1212,7 +1216,7 @@ public class GeckoAppShell
                         fos.write(new Integer(pid).toString().getBytes());
                         fos.close();
                     } catch(Exception e) {
-                        Log.e("GeckoAppShell", "error putting child in the foreground", e);
+                        Log.e(LOG_FILE_NAME, "error putting child in the foreground", e);
                     }
                 }
                 return true;
@@ -1300,7 +1304,7 @@ public class GeckoAppShell
             in.close();
         }
         catch (Exception e) {
-            Log.i("GeckoAppShell", "finding procs throws ",  e);
+            Log.i(LOG_FILE_NAME, "finding procs throws ",  e);
         }
     }
 
@@ -1343,7 +1347,7 @@ public class GeckoAppShell
             return buf.array();
         }
         catch (Exception e) {
-            Log.i("GeckoAppShell", "getIconForExtension error: ",  e);
+            Log.i(LOG_FILE_NAME, "getIconForExtension error: ",  e);
             return null;
         }
     }
diff --git a/embedding/android/GeckoEvent.java b/embedding/android/GeckoEvent.java
index 4e808754c39e..7985f2a02526 100644
--- a/embedding/android/GeckoEvent.java
+++ b/embedding/android/GeckoEvent.java
@@ -72,6 +72,7 @@ public class GeckoEvent {
     public static final int SURFACE_CREATED = 13;
     public static final int SURFACE_DESTROYED = 14;
     public static final int GECKO_EVENT_SYNC = 15;
+    public static final int ACTIVITY_START = 17;
 
     public static final int IME_COMPOSITION_END = 0;
     public static final int IME_COMPOSITION_BEGIN = 1;
diff --git a/embedding/android/GeckoSurfaceView.java b/embedding/android/GeckoSurfaceView.java
index 7c940f48ddab..f53d1a84b4fd 100644
--- a/embedding/android/GeckoSurfaceView.java
+++ b/embedding/android/GeckoSurfaceView.java
@@ -71,6 +71,8 @@ class GeckoSurfaceView
     extends SurfaceView
     implements SurfaceHolder.Callback, SensorEventListener, LocationListener
 {
+    private static final String LOG_FILE_NAME = "GeckoSurfaceView";
+
     public GeckoSurfaceView(Context context) {
         super(context);
 
@@ -107,7 +109,7 @@ class GeckoSurfaceView
     void drawSplashScreen(SurfaceHolder holder, int width, int height) {
         Canvas c = holder.lockCanvas();
         if (c == null) {
-            Log.i("GeckoSurfaceView", "canvas is null");
+            Log.i(LOG_FILE_NAME, "canvas is null");
             return;
         }
         Resources res = getResources();
@@ -173,7 +175,7 @@ class GeckoSurfaceView
 
         try {
             if (mInDrawing) {
-                Log.w("GeckoAppJava", "surfaceChanged while mInDrawing is true!");
+                Log.w(LOG_FILE_NAME, "surfaceChanged while mInDrawing is true!");
             }
 
             boolean invalidSize;
@@ -198,7 +200,7 @@ class GeckoSurfaceView
             mHeight = height;
             mSurfaceValid = true;
 
-            Log.i("GeckoAppJava", "surfaceChanged: fmt: " + format + " dim: " + width + " " + height);
+            Log.i(LOG_FILE_NAME, "surfaceChanged: fmt: " + format + " dim: " + width + " " + height);
 
             DisplayMetrics metrics = new DisplayMetrics();
             GeckoApp.mAppContext.getWindowManager().getDefaultDisplay().getMetrics(metrics);
@@ -225,7 +227,7 @@ class GeckoSurfaceView
         try {
             syncDrawObject = mSyncDraws.take();
         } catch (InterruptedException ie) {
-            Log.e("GeckoAppJava", "Threw exception while getting sync draw bitmap/buffer: ", ie);
+            Log.e(LOG_FILE_NAME, "Threw exception while getting sync draw bitmap/buffer: ", ie);
         }
         if (syncDrawObject != null) {
             if (syncDrawObject instanceof Bitmap)
@@ -238,7 +240,7 @@ class GeckoSurfaceView
     }
 
     public void surfaceCreated(SurfaceHolder holder) {
-        Log.i("GeckoAppJava", "surface created");
+        Log.i(LOG_FILE_NAME, "surface created");
         GeckoEvent e = new GeckoEvent(GeckoEvent.SURFACE_CREATED);
         GeckoAppShell.sendEventToGecko(e);
         if (mShowingSplashScreen)
@@ -246,7 +248,7 @@ class GeckoSurfaceView
     }
 
     public void surfaceDestroyed(SurfaceHolder holder) {
-        Log.i("GeckoAppJava", "surface destroyed");
+        Log.i(LOG_FILE_NAME, "surface destroyed");
         mSurfaceValid = false;
         mSoftwareBuffer = null;
         mSoftwareBufferCopy = null;
@@ -294,7 +296,7 @@ class GeckoSurfaceView
 
     public int beginDrawing() {
         if (mInDrawing) {
-            Log.e("GeckoAppJava", "Recursive beginDrawing call!");
+            Log.e(LOG_FILE_NAME, "Recursive beginDrawing call!");
             return DRAW_ERROR;
         }
 
@@ -312,7 +314,7 @@ class GeckoSurfaceView
         mSurfaceLock.lock();
 
         if (!mSurfaceValid) {
-            Log.e("GeckoAppJava", "Surface not valid");
+            Log.e(LOG_FILE_NAME, "Surface not valid");
             mSurfaceLock.unlock();
             return DRAW_ERROR;
         }
@@ -324,20 +326,20 @@ class GeckoSurfaceView
 
     public void endDrawing() {
         if (!mInDrawing) {
-            Log.e("GeckoAppJava", "endDrawing without beginDrawing!");
+            Log.e(LOG_FILE_NAME, "endDrawing without beginDrawing!");
             return;
         }
 
         try {
             if (!mSurfaceValid) {
-                Log.e("GeckoAppJava", "endDrawing with false mSurfaceValid");
+                Log.e(LOG_FILE_NAME, "endDrawing with false mSurfaceValid");
                 return;
             }
         } finally {
             mInDrawing = false;
 
             if (!mSurfaceLock.isHeldByCurrentThread())
-                Log.e("GeckoAppJava", "endDrawing while mSurfaceLock not held by current thread!");
+                Log.e(LOG_FILE_NAME, "endDrawing while mSurfaceLock not held by current thread!");
 
             mSurfaceLock.unlock();
         }
@@ -368,7 +370,7 @@ class GeckoSurfaceView
                 try {
                     mSyncDraws.put(bitmap);
                 } catch (InterruptedException ie) {
-                    Log.e("GeckoAppJava", "Threw exception while getting sync draws queue: ", ie);
+                    Log.e(LOG_FILE_NAME, "Threw exception while getting sync draws queue: ", ie);
                 }
                 return;
             }
@@ -389,7 +391,7 @@ class GeckoSurfaceView
                 try {
                     mSyncDraws.put(buffer);
                 } catch (InterruptedException ie) {
-                    Log.e("GeckoAppJava", "Threw exception while getting sync bitmaps queue: ", ie);
+                    Log.e(LOG_FILE_NAME, "Threw exception while getting sync bitmaps queue: ", ie);
                 }
                 return;
             }
@@ -492,7 +494,7 @@ class GeckoSurfaceView
                 mLastGeoAddress = addresses.get(0);
                 GeckoAppShell.sendEventToGecko(new GeckoEvent(location[0], mLastGeoAddress));
             } catch (Exception e) {
-                Log.w("GeckoSurfaceView", "GeocoderTask "+e);
+                Log.w(LOG_FILE_NAME, "GeocoderTask "+e);
             }
             return null;
         }
diff --git a/embedding/browser/webBrowser/nsDocShellTreeOwner.cpp b/embedding/browser/webBrowser/nsDocShellTreeOwner.cpp
index fd143147880e..018cfd6c7064 100644
--- a/embedding/browser/webBrowser/nsDocShellTreeOwner.cpp
+++ b/embedding/browser/webBrowser/nsDocShellTreeOwner.cpp
@@ -887,15 +887,13 @@ nsDocShellTreeOwner::AddChromeListeners()
   GetDOMEventTarget(mWebBrowser, getter_AddRefs(target));
 
   nsEventListenerManager* elmP = target->GetListenerManager(PR_TRUE);
-  if (elmP)
-  {
-    rv = elmP->AddEventListenerByType(this, NS_LITERAL_STRING("dragover"),
-                                      NS_EVENT_FLAG_BUBBLE |
-                                      NS_EVENT_FLAG_SYSTEM_EVENT);
-    NS_ENSURE_SUCCESS(rv, rv);
-    rv = elmP->AddEventListenerByType(this, NS_LITERAL_STRING("drop"),
-                                      NS_EVENT_FLAG_BUBBLE |
-                                      NS_EVENT_FLAG_SYSTEM_EVENT);
+  if (elmP) {
+    elmP->AddEventListenerByType(this, NS_LITERAL_STRING("dragover"),
+                                 NS_EVENT_FLAG_BUBBLE |
+                                 NS_EVENT_FLAG_SYSTEM_EVENT);
+    elmP->AddEventListenerByType(this, NS_LITERAL_STRING("drop"),
+                                 NS_EVENT_FLAG_BUBBLE |
+                                 NS_EVENT_FLAG_SYSTEM_EVENT);
   }
 
   return rv;
diff --git a/embedding/tests/unit/xpcshell.ini b/embedding/tests/unit/xpcshell.ini
index b3c55a1e7f01..0b65665eca19 100644
--- a/embedding/tests/unit/xpcshell.ini
+++ b/embedding/tests/unit/xpcshell.ini
@@ -3,4 +3,8 @@ head =
 tail = 
 
 [test_wwauthpromptfactory.js]
+# Bug 676955: test fails consistently on Android
+fail-if = os == "android"
 [test_wwpromptfactory.js]
+# Bug 676955: test fails consistently on Android
+fail-if = os == "android"
diff --git a/extensions/cookie/nsPermissionManager.cpp b/extensions/cookie/nsPermissionManager.cpp
index f85221811170..486327dac96e 100644
--- a/extensions/cookie/nsPermissionManager.cpp
+++ b/extensions/cookie/nsPermissionManager.cpp
@@ -89,23 +89,6 @@ ChildProcess()
 }
 
 
-/**
- * @returns The parent process object, or if we are not in the parent
- *          process, nsnull.
- */
-static ContentParent*
-ParentProcess()
-{
-  if (!IsChildProcess()) {
-    ContentParent* cpc = ContentParent::GetSingleton();
-    if (!cpc)
-      NS_RUNTIMEABORT("Content Process is NULL!");
-    return cpc;
-  }
-
-  return nsnull;
-}
-
 #define ENSURE_NOT_CHILD_PROCESS_(onError) \
   PR_BEGIN_MACRO \
   if (IsChildProcess()) { \
@@ -170,7 +153,6 @@ NS_IMPL_ISUPPORTS3(nsPermissionManager, nsIPermissionManager, nsIObserver, nsISu
 
 nsPermissionManager::nsPermissionManager()
  : mLargestID(0)
- , mUpdateChildProcess(PR_FALSE)
 {
 }
 
@@ -467,12 +449,16 @@ nsPermissionManager::AddInternal(const nsAFlatCString &aHost,
                                  DBOperationType       aDBOperation)
 {
   if (!IsChildProcess()) {
-    // In the parent, send the update now, if the child is ready
-    if (mUpdateChildProcess) {
-      IPC::Permission permission((aHost),
-                                 (aType),
-                                 aPermission, aExpireType, aExpireTime);
-      unused << ParentProcess()->SendAddPermission(permission);
+    IPC::Permission permission((aHost),
+                               (aType),
+                               aPermission, aExpireType, aExpireTime);
+
+    nsTArray cplist;
+    ContentParent::GetAll(cplist);
+    for (PRUint32 i = 0; i < cplist.Length(); ++i) {
+      ContentParent* cp = cplist[i];
+      if (cp->NeedsPermissionsUpdate())
+        unused << cp->SendAddPermission(permission);
     }
   }
 
diff --git a/extensions/cookie/nsPermissionManager.h b/extensions/cookie/nsPermissionManager.h
index 78786a32943f..79f9b3f0bbb3 100644
--- a/extensions/cookie/nsPermissionManager.h
+++ b/extensions/cookie/nsPermissionManager.h
@@ -250,17 +250,6 @@ private:
 
   // An array to store the strings identifying the different types.
   nsTArray          mTypeArray;
-
-  // Whether we should update the child process with every change to a
-  // permission. This is set to true once the child is ready to receive
-  // such updates.
-  PRBool                       mUpdateChildProcess;
-
-public:
-  void ChildRequestPermissions()
-  {
-    mUpdateChildProcess = PR_TRUE;
-  }
 };
 
 // {4F6B5E00-0C36-11d5-A535-0010A401EB10}
diff --git a/gfx/cairo/README b/gfx/cairo/README
index 1286ef86e70f..da956c521996 100644
--- a/gfx/cairo/README
+++ b/gfx/cairo/README
@@ -168,6 +168,7 @@ pixman-image-transform.patch: Reset the transform on pixman images when using th
 
 fix-cairo-surface-wrapper-flush-build-warning.patch: Ensures that _cairo_surface_wrapper_flush always returns a status, to silence the build warning
 
+fixup-unbounded.patch: Hack to work around bad assumption.
 ==== pixman patches ====
 
 pixman-android-cpu-detect.patch: Add CPU detection support for Android, where we can't reliably access /proc/self/auxv.
diff --git a/gfx/cairo/cairo/src/cairo-image-surface.c b/gfx/cairo/cairo/src/cairo-image-surface.c
index 10c302e680ad..2f0cf031aca7 100644
--- a/gfx/cairo/cairo/src/cairo-image-surface.c
+++ b/gfx/cairo/cairo/src/cairo-image-surface.c
@@ -1802,7 +1802,7 @@ _cairo_image_surface_fixup_unbounded_boxes (cairo_image_surface_t *dst,
     struct _cairo_boxes_chunk *chunk;
     int i;
 
-    if (boxes->num_boxes <= 1 && clip_region == NULL)
+    if (boxes->num_boxes < 1 && clip_region == NULL)
 	return _cairo_image_surface_fixup_unbounded (dst, extents, NULL);
 
     _cairo_boxes_init (&clear);
diff --git a/gfx/cairo/fixup-unbounded.patch b/gfx/cairo/fixup-unbounded.patch
new file mode 100644
index 000000000000..09b3a90690f7
--- /dev/null
+++ b/gfx/cairo/fixup-unbounded.patch
@@ -0,0 +1,22 @@
+diff --git a/gfx/cairo/cairo/src/cairo-image-surface.c b/gfx/cairo/cairo/src/cairo-image-surface.c
+--- a/gfx/cairo/cairo/src/cairo-image-surface.c
++++ b/gfx/cairo/cairo/src/cairo-image-surface.c
+@@ -1797,17 +1797,17 @@ _cairo_image_surface_fixup_unbounded_box
+ 					    cairo_boxes_t *boxes)
+ {
+     cairo_boxes_t clear;
+     cairo_box_t box;
+     cairo_status_t status;
+     struct _cairo_boxes_chunk *chunk;
+     int i;
+ 
+-    if (boxes->num_boxes <= 1 && clip_region == NULL)
++    if (boxes->num_boxes < 1 && clip_region == NULL)
+ 	return _cairo_image_surface_fixup_unbounded (dst, extents, NULL);
+ 
+     _cairo_boxes_init (&clear);
+ 
+     box.p1.x = _cairo_fixed_from_int (extents->unbounded.x + extents->unbounded.width);
+     box.p1.y = _cairo_fixed_from_int (extents->unbounded.y);
+     box.p2.x = _cairo_fixed_from_int (extents->unbounded.x);
+     box.p2.y = _cairo_fixed_from_int (extents->unbounded.y + extents->unbounded.height);
diff --git a/gfx/layers/opengl/ThebesLayerOGL.cpp b/gfx/layers/opengl/ThebesLayerOGL.cpp
index 91fd36c40ee7..e8b2687cd1ed 100644
--- a/gfx/layers/opengl/ThebesLayerOGL.cpp
+++ b/gfx/layers/opengl/ThebesLayerOGL.cpp
@@ -191,40 +191,96 @@ ThebesLayerBufferOGL::RenderTo(const nsIntPoint& aOffset,
       renderRegion = &visibleRegion;
     }
 
-    mTexImage->BeginTileIteration();
-    if (mTexImageOnWhite) {
-      mTexImageOnWhite->BeginTileIteration();
-      NS_ASSERTION(mTexImageOnWhite->GetTileRect() == mTexImage->GetTileRect(), "component alpha textures should be the same size.");
-    }
     nsIntRegion region(*renderRegion);
     nsIntPoint origin = GetOriginOffset();
     region.MoveBy(-origin);           // translate into TexImage space, buffer origin might not be at texture (0,0)
 
+    // Figure out the intersecting draw region
+    nsIntSize texSize = mTexImage->GetSize();
+    nsIntRect textureRect = nsIntRect(0, 0, texSize.width, texSize.height);
+    textureRect.MoveBy(region.GetBounds().TopLeft());
+    nsIntRegion subregion;
+    subregion.And(region, textureRect);
+    if (subregion.IsEmpty())  // Region is empty, nothing to draw
+      return;
+
+    nsIntRegion screenRects;
+    nsIntRegion regionRects;
+
+    // Collect texture/screen coordinates for drawing
+    nsIntRegionRectIterator iter(subregion);
+    while (const nsIntRect* iterRect = iter.Next()) {
+        nsIntRect regionRect = *iterRect;
+        nsIntRect screenRect = regionRect;
+        screenRect.MoveBy(origin);
+
+        screenRects.Or(screenRects, screenRect);
+        regionRects.Or(regionRects, regionRect);
+    }
+
+    mTexImage->BeginTileIteration();
+    if (mTexImageOnWhite) {
+      NS_ASSERTION(mTexImage->GetTileCount() == mTexImageOnWhite->GetTileCount(),
+                   "Tile count mismatch on component alpha texture");
+      mTexImageOnWhite->BeginTileIteration();
+    }
+
+    bool usingTiles = (mTexImage->GetTileCount() > 1);
     do {
-      nsIntRect textureRect = mTexImage->GetTileRect();
-      textureRect.MoveBy(region.GetBounds().x, region.GetBounds().y);
-      nsIntRegion subregion(region);
-      subregion.And(region, textureRect); // region this texture is visible in
-      if (subregion.IsEmpty()) {
-        continue;
+      if (mTexImageOnWhite) {
+        NS_ASSERTION(mTexImageOnWhite->GetTileRect() == mTexImage->GetTileRect(), "component alpha textures should be the same size.");
       }
+
+      nsIntRect tileRect = mTexImage->GetTileRect();
+
       // Bind textures.
       TextureImage::ScopedBindTexture texBind(mTexImage, LOCAL_GL_TEXTURE0);
       TextureImage::ScopedBindTexture texOnWhiteBind(mTexImageOnWhite, LOCAL_GL_TEXTURE1);
 
-      nsIntRegionRectIterator iter(subregion);
-      while (const nsIntRect *iterRect = iter.Next()) {
-        nsIntRect regionRect = *iterRect;  // one rectangle of this texture's region
-        // translate into the correct place for this texture sub-region
-        nsIntRect screenRect = regionRect;
-        screenRect.MoveBy(origin);
-        program->SetLayerQuadRect(screenRect);
+      // Draw texture. If we're using tiles, we do repeating manually, as texture
+      // repeat would cause each individual tile to repeat instead of the
+      // compound texture as a whole. This involves drawing at most 4 sections,
+      // 2 for each axis that has texture repeat.
+      for (int y = 0; y < (usingTiles ? 2 : 1); y++) {
+        for (int x = 0; x < (usingTiles ? 2 : 1); x++) {
+          nsIntRect currentTileRect(tileRect);
+          currentTileRect.MoveBy(x * texSize.width, y * texSize.height);
 
-        regionRect.MoveBy(-mTexImage->GetTileRect().TopLeft()); // get region of tile
-        aManager->BindAndDrawQuadWithTextureRect(program, regionRect,
-                                                 textureRect.Size(),
-                                                 mTexImage->GetWrapMode());
+          nsIntRegionRectIterator screenIter(screenRects);
+          nsIntRegionRectIterator regionIter(regionRects);
+
+          const nsIntRect* screenRect;
+          const nsIntRect* regionRect;
+          while ((screenRect = screenIter.Next()) &&
+                 (regionRect = regionIter.Next())) {
+              nsIntRect tileScreenRect(*screenRect);
+              nsIntRect tileRegionRect(*regionRect);
+
+              // When we're using tiles, find the intersection between the tile
+              // rect and this region rect. Tiling is then handled by the
+              // outer for-loops and modifying the tile rect.
+              if (usingTiles) {
+                  tileScreenRect.MoveBy(-origin);
+                  tileScreenRect = tileScreenRect.Intersect(currentTileRect);
+                  tileScreenRect.MoveBy(origin);
+
+                  if (tileScreenRect.IsEmpty())
+                    continue;
+
+                  tileRegionRect = regionRect->Intersect(currentTileRect);
+                  tileRegionRect.MoveBy(-currentTileRect.TopLeft());
+              }
+
+              program->SetLayerQuadRect(tileScreenRect);
+              aManager->BindAndDrawQuadWithTextureRect(program, tileRegionRect,
+                                                       tileRect.Size(),
+                                                       mTexImage->GetWrapMode());
+          }
+        }
       }
+
+      if (mTexImageOnWhite)
+          mTexImageOnWhite->NextTile();
     } while (mTexImage->NextTile());
   }
 
@@ -791,6 +847,18 @@ ShadowBufferOGL::Upload(gfxASurface* aUpdate, const nsIntRegion& aUpdated,
   nsIntPoint visTopLeft = mLayer->GetVisibleRegion().GetBounds().TopLeft();
   destRegion.MoveBy(-visTopLeft);
 
+  // Correct for rotation
+  destRegion.MoveBy(aRotation);
+  nsIntRect destBounds = destRegion.GetBounds();
+  destRegion.MoveBy((destBounds.x >= size.width) ? -size.width : 0,
+                    (destBounds.y >= size.height) ? -size.height : 0);
+
+  // There's code to make sure that updated regions don't cross rotation
+  // boundaries, so assert here that this is the case
+  NS_ASSERTION(((destBounds.x % size.width) + destBounds.width <= size.width) &&
+               ((destBounds.y % size.height) + destBounds.height <= size.height),
+               "Updated region lies across rotation boundaries!");
+
   // NB: this gfxContext must not escape EndUpdate() below
   mTexImage->DirectUpdate(aUpdate, destRegion);
 
diff --git a/gfx/src/nsRenderingContext.h b/gfx/src/nsRenderingContext.h
index 301212ca1979..de0d12d33192 100644
--- a/gfx/src/nsRenderingContext.h
+++ b/gfx/src/nsRenderingContext.h
@@ -70,7 +70,7 @@ public:
     // These accessors will never return null.
     gfxContext *ThebesContext() { return mThebes; }
     nsDeviceContext *DeviceContext() { return mDeviceContext; }
-    PRUint32 AppUnitsPerDevPixel() { return mP2A; }
+    PRUint32 AppUnitsPerDevPixel() { return NSToIntRound(mP2A); }
 
     // Graphics state
 
diff --git a/gfx/src/nsThebesFontEnumerator.cpp b/gfx/src/nsThebesFontEnumerator.cpp
index d1e5f817d97f..46024e1fdbce 100644
--- a/gfx/src/nsThebesFontEnumerator.cpp
+++ b/gfx/src/nsThebesFontEnumerator.cpp
@@ -107,8 +107,7 @@ NS_IMETHODIMP
 nsThebesFontEnumerator::HaveFontFor(const char *aLangGroup,
                                     PRBool *aResult)
 {
-    NS_ENSURE_ARG_POINTER(*aResult);
-    NS_ENSURE_ARG_POINTER(*aLangGroup);
+    NS_ENSURE_ARG_POINTER(aResult);
 
     *aResult = PR_TRUE;
     return NS_OK;
diff --git a/gfx/thebes/GLContext.cpp b/gfx/thebes/GLContext.cpp
index fcf78f30db32..443fa8a961fa 100644
--- a/gfx/thebes/GLContext.cpp
+++ b/gfx/thebes/GLContext.cpp
@@ -575,20 +575,8 @@ BasicTextureImage::BeginUpdate(nsIntRegion& aRegion)
     NS_ASSERTION(!mUpdateSurface, "BeginUpdate() without EndUpdate()?");
 
     // determine the region the client will need to repaint
-    ImageFormat format =
-        (GetContentType() == gfxASurface::CONTENT_COLOR) ?
-        gfxASurface::ImageFormatRGB24 : gfxASurface::ImageFormatARGB32;
-    if (mTextureState != Valid)
-    {
-        // if the texture hasn't been initialized yet, or something important
-        // changed, we need to recreate our backing surface and force the
-        // client to paint everything
-        mUpdateRegion = nsIntRect(nsIntPoint(0, 0), mSize);
-    } else {
-        mUpdateRegion = aRegion;
-    }
-
-    aRegion = mUpdateRegion;
+    GetUpdateRegion(aRegion);
+    mUpdateRegion = aRegion;
 
     nsIntRect rgnSize = mUpdateRegion.GetBounds();
     if (!nsIntRect(nsIntPoint(0, 0), mSize).Contains(rgnSize)) {
@@ -596,7 +584,10 @@ BasicTextureImage::BeginUpdate(nsIntRegion& aRegion)
         return NULL;
     }
 
-    mUpdateSurface = 
+    ImageFormat format =
+        (GetContentType() == gfxASurface::CONTENT_COLOR) ?
+        gfxASurface::ImageFormatRGB24 : gfxASurface::ImageFormatARGB32;
+    mUpdateSurface =
         GetSurfaceForUpdate(gfxIntSize(rgnSize.width, rgnSize.height), format);
 
     if (!mUpdateSurface || mUpdateSurface->CairoStatus()) {
@@ -609,6 +600,16 @@ BasicTextureImage::BeginUpdate(nsIntRegion& aRegion)
     return mUpdateSurface;
 }
 
+void
+BasicTextureImage::GetUpdateRegion(nsIntRegion& aForRegion)
+{
+  // if the texture hasn't been initialized yet, or something important
+  // changed, we need to recreate our backing surface and force the
+  // client to paint everything
+  if (mTextureState != Valid)
+      aForRegion = nsIntRect(nsIntPoint(0, 0), mSize);
+}
+
 void
 BasicTextureImage::EndUpdate()
 {
@@ -729,10 +730,9 @@ TiledTextureImage::~TiledTextureImage()
 bool 
 TiledTextureImage::DirectUpdate(gfxASurface* aSurf, const nsIntRegion& aRegion, const nsIntPoint& aFrom /* = nsIntPoint(0, 0) */)
 {
-    nsIntRect bounds = aRegion.GetBounds();
     nsIntRegion region;
     if (mTextureState != Valid) {
-        bounds = nsIntRect(0, 0, mSize.width, mSize.height);
+        nsIntRect bounds = nsIntRect(0, 0, mSize.width, mSize.height);
         region = nsIntRegion(bounds);
     } else {
         region = aRegion;
@@ -740,8 +740,8 @@ TiledTextureImage::DirectUpdate(gfxASurface* aSurf, const nsIntRegion& aRegion,
 
     PRBool result = PR_TRUE;
     for (unsigned i = 0; i < mImages.Length(); i++) {
-        unsigned int xPos = (i % mColumns) * mTileSize;
-        unsigned int yPos = (i / mColumns) * mTileSize;
+        int xPos = (i % mColumns) * mTileSize;
+        int yPos = (i / mColumns) * mTileSize;
         nsIntRegion tileRegion;
         tileRegion.And(region, nsIntRect(nsIntPoint(xPos,yPos), mImages[i]->GetSize())); // intersect with tile
         if (tileRegion.IsEmpty())
@@ -757,25 +757,66 @@ TiledTextureImage::DirectUpdate(gfxASurface* aSurf, const nsIntRegion& aRegion,
     return result;
 }
 
+void
+TiledTextureImage::GetUpdateRegion(nsIntRegion& aForRegion)
+{
+    if (mTextureState != Valid) {
+        // if the texture hasn't been initialized yet, or something important
+        // changed, we need to recreate our backing surface and force the
+        // client to paint everything
+        aForRegion = nsIntRect(nsIntPoint(0, 0), mSize);
+        return;
+    }
+
+    nsIntRegion newRegion;
+
+    // We need to query each texture with the region it will be drawing and
+    // set aForRegion to be the combination of all of these regions
+    for (unsigned i = 0; i < mImages.Length(); i++) {
+        int xPos = (i % mColumns) * mTileSize;
+        int yPos = (i / mColumns) * mTileSize;
+        nsIntRect imageRect = nsIntRect(nsIntRect(nsIntPoint(xPos,yPos), mImages[i]->GetSize()));
+
+        if (aForRegion.Intersects(imageRect)) {
+            // Make a copy of the region
+            nsIntRegion subRegion;
+            subRegion.And(aForRegion, imageRect);
+            // Translate it into tile-space
+            subRegion.MoveBy(-xPos, -yPos);
+            // Query region
+            mImages[i]->GetUpdateRegion(subRegion);
+            // Translate back
+            subRegion.MoveBy(xPos, yPos);
+            // Add to the accumulated region
+            newRegion.Or(newRegion, subRegion);
+        }
+    }
+
+    aForRegion = newRegion;
+}
+
 gfxASurface*
 TiledTextureImage::BeginUpdate(nsIntRegion& aRegion)
 {
     NS_ASSERTION(!mInUpdate, "nested update");
     mInUpdate = PR_TRUE;
 
+    // Note, we don't call GetUpdateRegion here as if the updated region is
+    // fully contained in a single tile, we get to avoid iterating through
+    // the tiles again (and a little copying).
     if (mTextureState != Valid)
     {
         // if the texture hasn't been initialized yet, or something important
         // changed, we need to recreate our backing surface and force the
         // client to paint everything
-        mUpdateRegion = nsIntRect(nsIntPoint(0, 0), mSize);
-    } else {
-        mUpdateRegion = aRegion;
+        aRegion = nsIntRect(nsIntPoint(0, 0), mSize);
     }
 
+    nsIntRect bounds = aRegion.GetBounds();
+
     for (unsigned i = 0; i < mImages.Length(); i++) {
-        unsigned int xPos = (i % mColumns) * mTileSize;
-        unsigned int yPos = (i / mColumns) * mTileSize;
+        int xPos = (i % mColumns) * mTileSize;
+        int yPos = (i / mColumns) * mTileSize;
         nsIntRegion imageRegion = nsIntRegion(nsIntRect(nsIntPoint(xPos,yPos), mImages[i]->GetSize()));
 
         // a single Image can handle this update request
@@ -786,6 +827,10 @@ TiledTextureImage::BeginUpdate(nsIntRegion& aRegion)
             nsRefPtr surface = mImages[i]->BeginUpdate(aRegion);
             // caller expects container space
             aRegion.MoveBy(xPos, yPos);
+            // Correct the device offset
+            gfxPoint offset = surface->GetDeviceOffset();
+            surface->SetDeviceOffset(gfxPoint(offset.x - xPos,
+                                              offset.y - yPos));
             // we don't have a temp surface
             mUpdateSurface = nsnull;
             // remember which image to EndUpdate
@@ -793,15 +838,21 @@ TiledTextureImage::BeginUpdate(nsIntRegion& aRegion)
             return surface.get();
         }
     }
+
+    // Get the real updated region, taking into account the capabilities of
+    // each TextureImage tile
+    GetUpdateRegion(aRegion);
+    mUpdateRegion = aRegion;
+    bounds = aRegion.GetBounds();
+
     // update covers multiple Images - create a temp surface to paint in
     gfxASurface::gfxImageFormat format =
         (GetContentType() == gfxASurface::CONTENT_COLOR) ?
         gfxASurface::ImageFormatRGB24 : gfxASurface::ImageFormatARGB32;
-
-    nsIntRect bounds = aRegion.GetBounds();
     mUpdateSurface = gfxPlatform::GetPlatform()->
         CreateOffscreenSurface(gfxIntSize(bounds.width, bounds.height), gfxASurface::ContentFromFormat(format));
     mUpdateSurface->SetDeviceOffset(gfxPoint(-bounds.x, -bounds.y));
+
     return mUpdateSurface;
 }
 
@@ -820,9 +871,10 @@ TiledTextureImage::EndUpdate()
 
     // upload tiles from temp surface
     for (unsigned i = 0; i < mImages.Length(); i++) {
-        unsigned int xPos = (i % mColumns) * mTileSize;
-        unsigned int yPos = (i / mColumns) * mTileSize;
+        int xPos = (i % mColumns) * mTileSize;
+        int yPos = (i / mColumns) * mTileSize;
         nsIntRect imageRect = nsIntRect(nsIntPoint(xPos,yPos), mImages[i]->GetSize());
+
         nsIntRegion subregion;
         subregion.And(mUpdateRegion, imageRect);
         if (subregion.IsEmpty())
@@ -842,6 +894,7 @@ TiledTextureImage::EndUpdate()
     mInUpdate = PR_FALSE;
     mShaderType = mImages[0]->GetShaderProgramType();
     mIsRGBFormat = mImages[0]->IsRGB();
+    mTextureState = Valid;
 }
 
 void TiledTextureImage::BeginTileIteration()
@@ -901,6 +954,11 @@ void TiledTextureImage::Resize(const nsIntSize& aSize)
     mTextureState = Allocated;
 }
 
+PRUint32 TiledTextureImage::GetTileCount()
+{
+    return mImages.Length();
+}
+
 PRBool
 GLContext::ResizeOffscreenFBO(const gfxIntSize& aSize)
 {
diff --git a/gfx/thebes/GLContext.h b/gfx/thebes/GLContext.h
index 6114a438e8cb..72e4a4957d43 100644
--- a/gfx/thebes/GLContext.h
+++ b/gfx/thebes/GLContext.h
@@ -193,6 +193,15 @@ public:
      * followed by EndUpdate().
      */
     virtual gfxASurface* BeginUpdate(nsIntRegion& aRegion) = 0;
+    /**
+     * Retrieves the region that will require updating, given a
+     * region that needs to be updated. This can be used for
+     * making decisions about updating before calling BeginUpdate().
+     *
+     * |aRegion| is an inout param.
+     */
+    virtual void GetUpdateRegion(nsIntRegion& aForRegion) {
+    };
     /**
      * Finish the active update and synchronize with the server, if
      * necessary.
@@ -218,6 +227,11 @@ public:
     };
 
     virtual GLuint GetTextureID() = 0;
+
+    virtual PRUint32 GetTileCount() {
+        return 1;
+    };
+
     /**
      * Set this TextureImage's size, and ensure a texture has been
      * allocated.  Must not be called between BeginUpdate and EndUpdate.
@@ -348,6 +362,7 @@ public:
     virtual void BindTexture(GLenum aTextureUnit);
 
     virtual gfxASurface* BeginUpdate(nsIntRegion& aRegion);
+    virtual void GetUpdateRegion(nsIntRegion& aForRegion);
     virtual void EndUpdate();
     virtual bool DirectUpdate(gfxASurface* aSurf, const nsIntRegion& aRegion, const nsIntPoint& aFrom = nsIntPoint(0,0));
     virtual GLuint GetTextureID() { return mTexture; };
@@ -392,8 +407,10 @@ public:
     ~TiledTextureImage();
     void DumpDiv();
     virtual gfxASurface* BeginUpdate(nsIntRegion& aRegion);
+    virtual void GetUpdateRegion(nsIntRegion& aForRegion);
     virtual void EndUpdate();
     virtual void Resize(const nsIntSize& aSize);
+    virtual PRUint32 GetTileCount();
     virtual void BeginTileIteration();
     virtual PRBool NextTile();
     virtual nsIntRect GetTileRect();
diff --git a/gfx/thebes/GLContextProviderEGL.cpp b/gfx/thebes/GLContextProviderEGL.cpp
index b3251fd9ea88..3594229d27fd 100644
--- a/gfx/thebes/GLContextProviderEGL.cpp
+++ b/gfx/thebes/GLContextProviderEGL.cpp
@@ -1207,27 +1207,28 @@ public:
         }
     }
 
+    virtual void GetUpdateRegion(nsIntRegion& aForRegion)
+    {
+        if (mTextureState != Valid) {
+            // if the texture hasn't been initialized yet, force the
+            // client to paint everything
+            aForRegion = nsIntRect(nsIntPoint(0, 0), mSize);
+        } else if (!mBackingSurface) {
+            // We can only draw a rectangle, not subregions due to
+            // the way that our texture upload functions work.  If
+            // needed, we /could/ do multiple texture uploads if we have
+            // non-overlapping rects, but that's a tradeoff.
+            aForRegion = nsIntRegion(mUpdateRect);
+        }
+    }
+
     virtual gfxASurface* BeginUpdate(nsIntRegion& aRegion)
     {
         NS_ASSERTION(!mUpdateSurface, "BeginUpdate() without EndUpdate()?");
 
         // determine the region the client will need to repaint
-        if (mTextureState != Valid) {
-            // if the texture hasn't been initialized yet, force the
-            // client to paint everything
-            mUpdateRect = nsIntRect(nsIntPoint(0, 0), mSize);
-            //printf_stderr("v Forcing full paint\n");
-            aRegion = nsIntRegion(mUpdateRect);
-        } else {
-            mUpdateRect = aRegion.GetBounds();
-            if (!mBackingSurface) {
-                // We can only draw a rectangle, not subregions due to
-                // the way that our texture upload functions work.  If
-                // needed, we /could/ do multiple texture uploads if we have
-                // non-overlapping rects, but that's a tradeoff.
-                aRegion = nsIntRegion(mUpdateRect);
-            }
-        }
+        GetUpdateRegion(aRegion);
+        mUpdateRect = aRegion.GetBounds();
 
         //printf_stderr("BeginUpdate with updateRect [%d %d %d %d]\n", mUpdateRect.x, mUpdateRect.y, mUpdateRect.width, mUpdateRect.height);
         if (!nsIntRect(nsIntPoint(0, 0), mSize).Contains(mUpdateRect)) {
diff --git a/intl/uconv/tests/unit/xpcshell.ini b/intl/uconv/tests/unit/xpcshell.ini
index a9a34f6b66d6..809d365126c3 100644
--- a/intl/uconv/tests/unit/xpcshell.ini
+++ b/intl/uconv/tests/unit/xpcshell.ini
@@ -111,6 +111,8 @@ tail =
 [test_encode_CP852.js]
 [test_encode_CP855.js]
 [test_encode_CP857.js]
+# Bug 676958: test consistently hangs on Android
+skip-if = os == "android"
 [test_encode_CP862.js]
 [test_encode_CP864.js]
 [test_encode_CP874.js]
diff --git a/ipc/testshell/tests/xpcshell.ini b/ipc/testshell/tests/xpcshell.ini
index 045bfabadd89..71f62801c8ae 100644
--- a/ipc/testshell/tests/xpcshell.ini
+++ b/ipc/testshell/tests/xpcshell.ini
@@ -3,4 +3,6 @@ head =
 tail = 
 
 [test_ipcshell.js]
+# Bug 676963: test fails consistently on Android
+fail-if = os == "android"
 [test_ipcshell_child.js]
diff --git a/js/src/Makefile.in b/js/src/Makefile.in
index da5722c490ba..4bfcdb7007e5 100644
--- a/js/src/Makefile.in
+++ b/js/src/Makefile.in
@@ -77,36 +77,6 @@ GRE_MODULE	    = 1
 
 LIBS		= $(NSPR_LIBS) 
 
-ifdef GNU_CXX
-ifdef INTEL_CXX
-# icc gets special optimize flags
-ifdef MOZ_PROFILE_GENERATE
-MODULE_OPTIMIZE_FLAGS = -O0
-else
-MODULE_OPTIMIZE_FLAGS = -O2 -ip
-endif
-else # not INTEL_CXX
-
-MODULE_OPTIMIZE_FLAGS = -O3 -fstrict-aliasing -fno-stack-protector
-
-# We normally want -fomit-frame-pointer, but we want an explicit
-# -fno-omit-frame-pointer if we're using a sampling profiler.
-ifndef MOZ_PROFILING
-MODULE_OPTIMIZE_FLAGS += -fomit-frame-pointer
-else
-MODULE_OPTIMIZE_FLAGS += -fno-omit-frame-pointer
-endif
-
-endif
-else # not GNU_CXX
-ifeq ($(OS_ARCH),SunOS)
-MODULE_OPTIMIZE_FLAGS = -xO4
-endif
-ifeq ($(OS_ARCH),WINNT)
-MODULE_OPTIMIZE_FLAGS = -O2
-endif
-endif
-
 ifeq ($(OS_ARCH),WINNT)
 NO_PROFILE_GUIDED_OPTIMIZE = 1
 endif
@@ -185,12 +155,12 @@ CPPSRCS		= \
 		jsxml.cpp \
 		prmjtime.cpp \
 		sharkctl.cpp \
-		vm/Debugger.cpp \
-		vm/GlobalObject.cpp \
-		vm/Stack.cpp \
-		vm/String.cpp \
-		frontend/ParseMaps.cpp \
-		vm/Unicode.cpp \
+		Debugger.cpp \
+		GlobalObject.cpp \
+		Stack.cpp \
+		String.cpp \
+		ParseMaps.cpp \
+		Unicode.cpp \
 		$(NULL)
 
 # Changes to internal header files, used externally, massively slow down
@@ -266,71 +236,80 @@ INSTALLED_HEADERS = \
 ######################################################
 # BEGIN include sources for the engine subdirectories
 #
+VPATH		+= \
+		$(srcdir)/vm \
+		$(srcdir)/frontend \
+		$(NULL)
 
 EXPORTS_NAMESPACES = vm
 
 EXPORTS_vm = \
-  vm/ArgumentsObject.h \
-  vm/GlobalObject.h \
-  vm/Stack.h \
-  vm/String.h \
-  vm/StringObject.h \
-  vm/Unicode.h  \
-  $(NULL)
+		ArgumentsObject.h \
+		GlobalObject.h \
+		Stack.h \
+		String.h \
+		StringObject.h \
+		Unicode.h  \
+		$(NULL)
 
 ###############################################
 # BEGIN include sources for low-level code shared with Gecko
 #
-MFBT_DIR = $(srcdir)/../../mfbt
+VPATH		+= \
+		$(srcdir)/../../mfbt \
+		$(NULL)
 
 EXPORTS_NAMESPACES += mozilla
 
 EXPORTS_mozilla = \
-  $(MFBT_DIR)/RangedPtr.h \
-  $(MFBT_DIR)/RefPtr.h \
-  $(MFBT_DIR)/Types.h \
-  $(MFBT_DIR)/Util.h \
-  $(NULL)
+		RangedPtr.h \
+		RefPtr.h	\
+		Types.h		\
+		Util.h          \
+		$(NULL)
 
 ifdef ENABLE_TRACEJIT
+VPATH		+= \
+		$(srcdir)/tracejit \
+		$(srcdir)/nanojit \
 
 INSTALLED_HEADERS += \
-  jsbuiltins.h \
-  nanojit/Assembler.h \
-  nanojit/Allocator.h \
-  nanojit/CodeAlloc.h \
-  nanojit/Containers.h \
-  nanojit/LIR.h \
-  nanojit/LIRopcode.tbl \
-  nanojit/avmplus.h \
-  nanojit/Fragmento.h \
-  nanojit/Native.h \
-  nanojit/NativeCommon.h \
-  nanojit/Native$(NANOJIT_ARCH).h \
-  nanojit/njconfig.h \
-  nanojit/njcpudetect.h \
-  nanojit/RegAlloc.h \
-  nanojit/nanojit.h \
-  nanojit/VMPI.h \
-  tracejit/Writer.h \
-  $(NULL)
+		jsbuiltins.h    \
+		Assembler.h     \
+		Allocator.h     \
+		CodeAlloc.h     \
+		Containers.h    \
+		LIR.h		\
+		LIRopcode.tbl \
+		avmplus.h	\
+		Fragmento.h	\
+		Native.h	\
+		NativeCommon.h	\
+		Native$(NANOJIT_ARCH).h \
+		njconfig.h      \
+		njcpudetect.h   \
+		RegAlloc.h	\
+		nanojit.h	\
+		VMPI.h		\
+		Writer.h	\
+		$(NULL)
 
 CPPSRCS += \
-  jstracer.cpp \
-  nanojit/Assembler.cpp  \
-  nanojit/Allocator.cpp  \
-  nanojit/CodeAlloc.cpp  \
-  nanojit/Containers.cpp \
-  nanojit/Fragmento.cpp  \
-  nanojit/LIR.cpp        \
-  nanojit/njconfig.cpp   \
-  nanojit/RegAlloc.cpp   \
-  nanojit/avmplus.cpp    \
-  nanojit/Native$(NANOJIT_ARCH).cpp \
-  jsbuiltins.cpp \
-  nanojit/VMPI.cpp \
-  tracejit/Writer.cpp \
-  $(NULL)
+		jstracer.cpp \
+		Assembler.cpp  \
+		Allocator.cpp  \
+		CodeAlloc.cpp  \
+		Containers.cpp \
+		Fragmento.cpp  \
+		LIR.cpp        \
+		njconfig.cpp   \
+		RegAlloc.cpp   \
+		avmplus.cpp    \
+		Native$(NANOJIT_ARCH).cpp \
+		jsbuiltins.cpp \
+		VMPI.cpp       \
+		Writer.cpp     \
+		$(NULL)
 
 endif # ENABLE_TRACEJIT
 ifdef ENABLE_METHODJIT
@@ -338,41 +317,41 @@ ifdef ENABLE_METHODJIT
 ###############################################
 # BEGIN include sources for the method JIT
 #
+VPATH += 	$(srcdir)/methodjit
 
-CPPSRCS += \
-  methodjit/MethodJIT.cpp \
-  methodjit/StubCalls.cpp \
-  methodjit/Compiler.cpp \
-  methodjit/FrameState.cpp \
-  methodjit/FastArithmetic.cpp \
-  methodjit/FastOps.cpp \
-  methodjit/StubCompiler.cpp \
-  methodjit/MonoIC.cpp \
-  methodjit/PolyIC.cpp \
-  methodjit/ImmutableSync.cpp \
-  methodjit/InvokeHelpers.cpp \
-  methodjit/Retcon.cpp \
-  methodjit/TrampolineCompiler.cpp \
-  $(NULL)
+CPPSRCS += 	MethodJIT.cpp \
+		StubCalls.cpp \
+		Compiler.cpp \
+		FrameState.cpp \
+		FastArithmetic.cpp \
+		FastOps.cpp \
+		StubCompiler.cpp \
+		MonoIC.cpp \
+		PolyIC.cpp \
+		ImmutableSync.cpp \
+		InvokeHelpers.cpp \
+		Retcon.cpp \
+		TrampolineCompiler.cpp \
+		$(NULL)
 
 ifeq (86, $(findstring 86,$(TARGET_CPU)))
 ifeq (x86_64, $(TARGET_CPU))
 ifdef _MSC_VER
-ASFILES +=	methodjit/TrampolineMasmX64.asm
+ASFILES +=	TrampolineMasmX64.asm
 endif
 ifeq ($(OS_ARCH),WINNT)
 ifdef GNU_CC
-ASFILES +=	methodjit/TrampolineMingwX64.s
+ASFILES +=	TrampolineMingwX64.s
 endif
 endif
 ifdef SOLARIS_SUNPRO_CXX
-ASFILES +=	methodjit/TrampolineSUNWX64.s
+ASFILES +=	TrampolineSUNWX64.s
 endif
 #CPPSRCS		+= only_on_x86_64.cpp
 else
 #CPPSRCS		+= only_on_x86.cpp
 ifdef SOLARIS_SUNPRO_CXX
-ASFILES +=	methodjit/TrampolineSUNWX86.s
+ASFILES +=	TrampolineSUNWX86.s
 endif
 endif
 endif
@@ -380,7 +359,7 @@ ifeq (arm, $(TARGET_CPU))
 #CPPSRCS		+= only_on_arm.cpp
 endif
 ifeq (sparc, $(findstring sparc,$(TARGET_CPU)))
-ASFILES +=	methodjit/TrampolineSparc.s
+ASFILES +=	TrampolineSparc.s
 endif
 #
 # END enclude sources for the method JIT
@@ -391,16 +370,17 @@ endif
 ###############################################
 # BEGIN include sources for V8 dtoa
 #
+VPATH += 	$(srcdir)/v8-dtoa \
+		$(NONE)
 
-CPPSRCS += \
-  v8-dtoa/checks.cc \
-  v8-dtoa/conversions.cc \
-  v8-dtoa/diy-fp.cc \
-  v8-dtoa/v8-dtoa.cc \
-  v8-dtoa/fast-dtoa.cc \
-  v8-dtoa/platform.cc \
-  v8-dtoa/utils.cc \
-  $(NULL)
+CPPSRCS += 	checks.cc \
+		conversions.cc \
+		diy-fp.cc \
+		v8-dtoa.cc \
+		fast-dtoa.cc \
+		platform.cc \
+		utils.cc \
+		$(NONE)
 
 #
 # END enclude sources for V8 dtoa
@@ -472,10 +452,11 @@ endif
 endif
 
 ifdef JS_HAS_CTYPES
+VPATH += $(srcdir)/ctypes
 
 CPPSRCS += \
-    ctypes/CTypes.cpp \
-    ctypes/Library.cpp \
+    CTypes.cpp \
+    Library.cpp \
     $(NULL)
 
 ifdef MOZ_NATIVE_FFI
@@ -515,12 +496,13 @@ endif
 # it just doesn't necessarily do anything useful.  There is one
 # implementation source file per supported operating system, plus a stub
 # for unsupported OSes, plus the Javascript wrapper.
-INSTALLED_HEADERS += perf/jsperf.h
-CPPSRCS += perf/jsperf.cpp
+VPATH += $(srcdir)/perf
+INSTALLED_HEADERS += jsperf.h
+CPPSRCS += jsperf.cpp
 ifdef HAVE_LINUX_PERF_EVENT_H
-CPPSRCS += perf/pm_linux.cpp
+CPPSRCS += pm_linux.cpp
 else
-CPPSRCS += perf/pm_stub.cpp
+CPPSRCS += pm_stub.cpp
 endif
 
 ifeq ($(OS_ARCH),WINNT)
@@ -733,14 +715,6 @@ distclean::
 # our build system doesn't handle subdir srcs very gracefully today
 export::
 	$(MKDIR) -p nanojit
-	$(MKDIR) -p vm
-	$(MKDIR) -p frontend
-	$(MKDIR) -p tracejit
-	$(MKDIR) -p methodjit
-	$(MKDIR) -p v8-dtoa
-	$(MKDIR) -p perf
-
-GARBAGE_DIRS += nanojit vm frontend tracejit methodjit v8-dtoa perf
 
 DEFINES		+= -DEXPORT_JS_API
 
diff --git a/js/src/assembler/assembler/MacroAssemblerARM.h b/js/src/assembler/assembler/MacroAssemblerARM.h
index b3b0875b8ed8..93205905e39f 100644
--- a/js/src/assembler/assembler/MacroAssemblerARM.h
+++ b/js/src/assembler/assembler/MacroAssemblerARM.h
@@ -1150,8 +1150,7 @@ public:
         // as long as this is a sane mapping, (*2) should just work
         dest = (FPRegisterID) (dest * 2);
         ASSERT((address.offset & 0x3) == 0);
-        // address.offset is the offset in bytes, fmem_imm_off is expecting the offset in words.
-        m_assembler.fmem_imm_off(true, false, true, dest, address.base, address.offset >> 2);
+        m_assembler.floatTransfer(true, dest, address.base, address.offset);
         m_assembler.vcvt(m_assembler.FloatReg32, m_assembler.FloatReg64, (FPRegisterID)(dest*2), dest);
     }
     void loadFloat(BaseIndex address, FPRegisterID dest)
@@ -1200,7 +1199,7 @@ public:
 
     void storeFloat(FPRegisterID src, ImplicitAddress address)
     {
-        m_assembler.fmem_imm_off(false, false, true, src, address.base, address.offset);
+        m_assembler.floatTransfer(false, src, address.base, address.offset);
     }
 
     void storeFloat(FPRegisterID src, BaseIndex address)
diff --git a/js/src/config/rules.mk b/js/src/config/rules.mk
index 0d80aea302dd..d2bf49060f8d 100644
--- a/js/src/config/rules.mk
+++ b/js/src/config/rules.mk
@@ -153,6 +153,20 @@ xpcshell-tests:
 	  $(LIBXUL_DIST)/bin/xpcshell \
 	  $(foreach dir,$(XPCSHELL_TESTS),$(testxpcobjdir)/$(relativesrcdir)/$(dir))
 
+xpcshell-tests-remote: DM_TRANS?=adb
+xpcshell-tests-remote:
+	$(PYTHON) -u $(topsrcdir)/config/pythonpath.py \
+	  -I$(topsrcdir)/build \
+	  -I$(topsrcdir)/build/mobile \
+	  $(topsrcdir)/testing/xpcshell/remotexpcshelltests.py \
+	  --symbols-path=$(DIST)/crashreporter-symbols \
+	  --build-info-json=$(DEPTH)/mozinfo.json \
+	  $(EXTRA_TEST_ARGS) \
+	  --dm_trans=$(DM_TRANS) \
+	  --deviceIP=${TEST_DEVICE} \
+	  --objdir=$(DEPTH) \
+	  $(foreach dir,$(XPCSHELL_TESTS),$(testxpcobjdir)/$(relativesrcdir)/$(dir))
+
 # Execute a single test, specified in $(SOLO_FILE), but don't automatically
 # start the test. Instead, present the xpcshell prompt so the user can
 # attach a debugger and then start the test.
@@ -182,6 +196,23 @@ check-one:
 	  $(LIBXUL_DIST)/bin/xpcshell \
 	  $(foreach dir,$(XPCSHELL_TESTS),$(testxpcobjdir)/$(relativesrcdir)/$(dir))
 
+check-one-remote: DM_TRANS?=adb
+check-one-remote:
+	$(PYTHON) -u $(topsrcdir)/config/pythonpath.py \
+	  -I$(topsrcdir)/build \
+	  -I$(topsrcdir)/build/mobile \
+	  $(testxpcsrcdir)/remotexpcshelltests.py \
+	  --symbols-path=$(DIST)/crashreporter-symbols \
+	  --build-info-json=$(DEPTH)/mozinfo.json \
+	  --test-path=$(SOLO_FILE) \
+	  --profile-name=$(MOZ_APP_NAME) \
+	  --verbose \
+	  $(EXTRA_TEST_ARGS) \
+	  --dm_trans=$(DM_TRANS) \
+	  --deviceIP=${TEST_DEVICE} \
+	  --objdir=$(DEPTH) \
+          --noSetup \
+	  $(foreach dir,$(XPCSHELL_TESTS),$(testxpcobjdir)/$(relativesrcdir)/$(dir))
 endif # XPCSHELL_TESTS
 
 ifdef CPP_UNIT_TESTS
@@ -898,9 +929,6 @@ ifdef SHARED_LIBRARY
 	  $(SHARED_LIBRARY_NAME) $(DIST)/$(MOZ_APP_NAME)
 endif
 endif # SHARED_LIBRARY || PROGRAM
-else  # ! WINNT_
-# Force rebuilding all objects on the second pass
-$(OBJS): FORCE
 endif # WINNT_
 endif # MOZ_PROFILE_USE
 ifdef MOZ_PROFILE_GENERATE
diff --git a/js/src/configure.in b/js/src/configure.in
index 74dcc1b14cbd..3ef055fde5e8 100644
--- a/js/src/configure.in
+++ b/js/src/configure.in
@@ -1992,11 +1992,14 @@ case "$target" in
 *-darwin*) 
     MKSHLIB='$(CXX) $(CXXFLAGS) $(DSO_PIC_CFLAGS) $(DSO_LDOPTS) -o $@'
     MKCSHLIB='$(CC) $(CFLAGS) $(DSO_PIC_CFLAGS) $(DSO_LDOPTS) -o $@'
-    # If we're building with --enable-profiling, we need a frame pointer.
+
+    MOZ_OPTIMIZE_FLAGS="-O3  -fstrict-aliasing -fno-stack-protector"
+    # We normally want -fomit-frame-pointer, but we want an explicit
+    # -fno-omit-frame-pointer if we're using a sampling profiler.
     if test -z "$MOZ_PROFILING"; then
-        MOZ_OPTIMIZE_FLAGS="-O3 -fomit-frame-pointer"
+        MOZ_OPTIMIZE_FLAGS="$MOZ_OPTIMIZE_FLAGS -fomit-frame-pointer"
     else
-        MOZ_OPTIMIZE_FLAGS="-O3 -fno-omit-frame-pointer"
+        MOZ_OPTIMIZE_FLAGS="$MOZ_OPTIMIZE_FLAGS -fno-omit-frame-pointer"
     fi
     _PEDANTIC=
     CFLAGS="$CFLAGS -fpascal-strings -fno-common"
@@ -2012,6 +2015,8 @@ case "$target" in
     # logging code in nsObjCExceptions.h. Currently we only use that in debug
     # builds.
     MOZ_DEBUG_LDFLAGS="$MOZ_DEBUG_LDFLAGS -framework ExceptionHandling"
+    # Debug builds should always have frame pointers
+    MOZ_DEBUG_FLAGS="-g -fno-omit-frame-pointer"
 
     if test "x$lto_is_enabled" = "xyes"; then
         echo "Skipping -dead_strip because lto is enabled."
@@ -2160,6 +2165,8 @@ ia64*-hpux*)
     fi
     # The Maemo builders don't know about this flag
     MOZ_ARM_VFP_FLAGS="-mfpu=vfp"
+    # Debug builds should always have frame pointers
+    MOZ_DEBUG_FLAGS="-g -fno-omit-frame-pointer"
     ;;
 
 *-*linux*)
@@ -2185,7 +2192,8 @@ ia64*-hpux*)
         fi
         MOZ_PGO_OPTIMIZE_FLAGS="-O3 $MOZ_FRAMEPTR_FLAGS"
         MOZ_OPTIMIZE_FLAGS="-Os -freorder-blocks $MOZ_OPTIMIZE_SIZE_TWEAK $MOZ_FRAMEPTR_FLAGS"
-        MOZ_DEBUG_FLAGS="-g"
+        # Debug builds should always have frame pointers
+        MOZ_DEBUG_FLAGS="-g -fno-omit-frame-pointer"
     fi
 
     TARGET_NSPR_MDCPUCFG='\"md/_linux.cfg\"'
@@ -2301,7 +2309,8 @@ ia64*-hpux*)
         CFLAGS="$CFLAGS -we4553"
         CXXFLAGS="$CXXFLAGS -we4553"
         LIBS="$LIBS kernel32.lib user32.lib gdi32.lib winmm.lib wsock32.lib advapi32.lib"
-        MOZ_DEBUG_FLAGS='-Zi'
+        # Debug builds should always have frame pointers
+        MOZ_DEBUG_FLAGS='-Zi -Oy-'
         MOZ_DEBUG_LDFLAGS='-DEBUG -DEBUGTYPE:CV'
         WARNINGS_AS_ERRORS='-WX'
         # If we're building with --enable-profiling, we need -Oy-, which forces a frame pointer.
@@ -3494,53 +3503,6 @@ then
     LDFLAGS="${_PTHREAD_LDFLAGS} ${LDFLAGS}"
 fi
 
-dnl ========================================================
-dnl See if mmap sees writes
-dnl For cross compiling, just define it as no, which is a safe default
-dnl ========================================================
-AC_MSG_CHECKING(whether mmap() sees write()s)
-
-changequote(,)
-mmap_test_prog='
-    #include 
-    #include 
-    #include 
-    #include 
-    #include 
-    #include 
-
-    char fname[] = "conftest.file";
-    char zbuff[1024]; /* Fractional page is probably worst case */
-
-    int main() {
-	char *map;
-	int fd;
-	int i;
-	unlink(fname);
-	fd = open(fname, O_RDWR | O_CREAT, 0660);
-	if(fd<0) return 1;
-	unlink(fname);
-	write(fd, zbuff, sizeof(zbuff));
-	lseek(fd, 0, SEEK_SET);
-	map = (char*)mmap(0, sizeof(zbuff), PROT_READ, MAP_SHARED, fd, 0);
-	if(map==(char*)-1) return 2;
-	for(i=0; fname[i]; i++) {
-	    int rc = write(fd, &fname[i], 1);
-	    if(map[i]!=fname[i]) return 4;
-	}
-	return 0;
-    }
-'
-changequote([,])
-
-AC_TRY_RUN($mmap_test_prog , result="yes", result="no", result="yes")
-
-AC_MSG_RESULT("$result")
-
-if test "$result" = "no"; then
-    AC_DEFINE(MMAP_MISSES_WRITES)
-fi
-
 
 dnl Checks for library functions.
 dnl ========================================================
diff --git a/js/src/jit-test/tests/bug666448.js b/js/src/jit-test/tests/basic/bug666448.js
similarity index 100%
rename from js/src/jit-test/tests/bug666448.js
rename to js/src/jit-test/tests/basic/bug666448.js
diff --git a/js/src/jit-test/tests/basic/testBug677367.js b/js/src/jit-test/tests/basic/testBug677367.js
new file mode 100644
index 000000000000..3dd1d26b52a5
--- /dev/null
+++ b/js/src/jit-test/tests/basic/testBug677367.js
@@ -0,0 +1,5 @@
+// |jit-test| debug
+
+function f() {}
+trap(f, 0, 'eval("2+2")');
+f();
diff --git a/js/src/jit-test/tests/basic/testErrorInFinalizerCalledWhileUnwinding.js b/js/src/jit-test/tests/basic/testErrorInFinalizerCalledWhileUnwinding.js
new file mode 100644
index 000000000000..41b1e3d0ef47
--- /dev/null
+++ b/js/src/jit-test/tests/basic/testErrorInFinalizerCalledWhileUnwinding.js
@@ -0,0 +1,32 @@
+var finalizerRun = false;
+var caught = false;
+
+function foo(arr) {
+  finalizerRun = true;
+  return not_defined;
+}
+
+function gen() {
+  try {
+    yield 1;
+  } finally {
+    foo();
+  }
+}
+
+function test() {
+  var i_have_locals;
+  for (i in gen()) {
+    "this won't work"();
+  }
+}
+
+try {
+    test();
+} catch(e) {
+    caught = true;
+    assertEq(''+e, "ReferenceError: not_defined is not defined");
+}
+
+assertEq(finalizerRun, true);
+assertEq(caught, true);
diff --git a/js/src/jit-test/tests/basic/testEvalFromTrap.js b/js/src/jit-test/tests/basic/testEvalFromTrap.js
new file mode 100644
index 000000000000..ddfdce62058c
--- /dev/null
+++ b/js/src/jit-test/tests/basic/testEvalFromTrap.js
@@ -0,0 +1,4 @@
+// |jit-test| debug
+function f() {}
+trap(f, 0, 'eval("2+2")');
+f();
diff --git a/js/src/jit-test/tests/basic/testStackIter.js b/js/src/jit-test/tests/basic/testStackIter.js
index dc1d018d4ba5..9bd1aa8af3dd 100644
--- a/js/src/jit-test/tests/basic/testStackIter.js
+++ b/js/src/jit-test/tests/basic/testStackIter.js
@@ -128,6 +128,12 @@ var obj = { valueOf:(function valueOf() {
 
 /***********/
 
+var proxy = Proxy.createFunction({}, function f() { assertStackIs([f, "global-code"]) });
+proxy();
+new proxy();
+
+/***********/
+
 for (var i = 0; i < 10; ++i) {
     /* No loss for scripts. */
     (function f() {
diff --git a/js/src/jit-test/tests/debug/Object-deleteProperty-error-01.js b/js/src/jit-test/tests/debug/Object-deleteProperty-error-01.js
new file mode 100644
index 000000000000..00647496252b
--- /dev/null
+++ b/js/src/jit-test/tests/debug/Object-deleteProperty-error-01.js
@@ -0,0 +1,16 @@
+// Don't crash when a scripted proxy handler throws Error.prototype.
+
+var g = newGlobal('new-compartment');
+var dbg = Debugger(g);
+dbg.onDebuggerStatement = function (frame) {
+    try {
+	frame.arguments[0].deleteProperty("x");
+    } catch (exc) {
+	return;
+    }
+    throw new Error("deleteProperty should throw");
+};
+
+g.eval("function h(x) { debugger; }");
+g.eval("h(Proxy.create({delete: function () { throw Error.prototype; }}));");
+
diff --git a/js/src/jit-test/tests/debug/onDebuggerStatement-04.js b/js/src/jit-test/tests/debug/onDebuggerStatement-04.js
new file mode 100644
index 000000000000..f36c35f099d8
--- /dev/null
+++ b/js/src/jit-test/tests/debug/onDebuggerStatement-04.js
@@ -0,0 +1,10 @@
+var g = newGlobal('new-compartment');
+var dbg = new Debugger(g);
+dbg.onDebuggerStatement = function (frame) {
+    var code = "assertEq(c, 'ok');\n";
+    assertEq(frame.evalWithBindings("eval(s)", {s: code, a: 1234}).return, undefined);
+};
+g.eval("function first() { return second(); }");
+g.eval("function second() { return eval('third()'); }");
+g.eval("function third() { debugger; }");
+g.evaluate("first();");
diff --git a/js/src/jsapi-tests/testLookup.cpp b/js/src/jsapi-tests/testLookup.cpp
index 784ed8b6232a..2d1c4e81a46d 100644
--- a/js/src/jsapi-tests/testLookup.cpp
+++ b/js/src/jsapi-tests/testLookup.cpp
@@ -26,7 +26,7 @@ BEGIN_TEST(testLookup_bug522590)
     JSObject *funobj = JSVAL_TO_OBJECT(r);
     CHECK(funobj->isFunction());
     CHECK(!js::IsInternalFunctionObject(funobj));
-    CHECK(GET_FUNCTION_PRIVATE(cx, funobj) != (JSFunction *) funobj);
+    CHECK(funobj->getFunctionPrivate() != (JSFunction *) funobj);
 
     return true;
 }
diff --git a/js/src/jsapi.cpp b/js/src/jsapi.cpp
index 16b1dfc9e25d..eb17a1bc4006 100644
--- a/js/src/jsapi.cpp
+++ b/js/src/jsapi.cpp
@@ -343,7 +343,7 @@ JS_ConvertArgumentsVA(JSContext *cx, uintN argc, jsval *argv, const char *format
             if (!obj)
                 return JS_FALSE;
             *sp = OBJECT_TO_JSVAL(obj);
-            *va_arg(ap, JSFunction **) = GET_FUNCTION_PRIVATE(cx, obj);
+            *va_arg(ap, JSFunction **) = obj->getFunctionPrivate();
             break;
           case 'v':
             *va_arg(ap, jsval *) = *sp;
@@ -2270,10 +2270,10 @@ JS_PrintTraceThingInfo(char *buf, size_t bufsize, JSTracer *trc, void *thing, ui
             JSObject  *obj = (JSObject *)thing;
             Class *clasp = obj->getClass();
             if (clasp == &js_FunctionClass) {
-                JSFunction *fun = GET_FUNCTION_PRIVATE(trc->context, obj);
+                JSFunction *fun = obj->getFunctionPrivate();
                 if (!fun) {
                     JS_snprintf(buf, bufsize, "");
-                } else if (FUN_OBJECT(fun) != obj) {
+                } else if (fun != obj) {
                     JS_snprintf(buf, bufsize, "%p", fun);
                 } else {
                     if (fun->atom)
@@ -4208,8 +4208,8 @@ JS_CloneFunctionObject(JSContext *cx, JSObject *funobj, JSObject *parent)
         return NULL;
     }
 
-    JSFunction *fun = GET_FUNCTION_PRIVATE(cx, funobj);
-    if (!FUN_FLAT_CLOSURE(fun))
+    JSFunction *fun = funobj->getFunctionPrivate();
+    if (!fun->isFlatClosure())
         return CloneFunctionObject(cx, fun, parent);
 
     /*
@@ -4254,7 +4254,7 @@ JS_CloneFunctionObject(JSContext *cx, JSObject *funobj, JSObject *parent)
 JS_PUBLIC_API(JSObject *)
 JS_GetFunctionObject(JSFunction *fun)
 {
-    return FUN_OBJECT(fun);
+    return fun;
 }
 
 JS_PUBLIC_API(JSString *)
@@ -4357,7 +4357,7 @@ JS_DefineFunctions(JSContext *cx, JSObject *obj, JSFunctionSpec *fs)
              * as fun->object lives.
              */
             Value priv = PrivateValue(fs);
-            if (!js_SetReservedSlot(cx, FUN_OBJECT(fun), 0, priv))
+            if (!js_SetReservedSlot(cx, fun, 0, priv))
                 return JS_FALSE;
         }
 
@@ -4712,24 +4712,21 @@ CompileUCFunctionForPrincipalsCommon(JSContext *cx, JSObject *obj,
         funAtom = js_Atomize(cx, name, strlen(name));
         if (!funAtom) {
             fun = NULL;
-            goto out2;
+            goto out;
         }
     }
 
     fun = js_NewFunction(cx, NULL, NULL, 0, JSFUN_INTERPRETED, obj, funAtom);
     if (!fun)
-        goto out2;
+        goto out;
 
     {
         EmptyShape *emptyCallShape = EmptyShape::getEmptyCallShape(cx);
-        if (!emptyCallShape) {
+        if (!emptyCallShape)
             fun = NULL;
-            goto out2;
-        }
         AutoShapeRooter shapeRoot(cx, emptyCallShape);
 
-        AutoObjectRooter tvr(cx, FUN_OBJECT(fun));
-        MUST_FLOW_THROUGH("out");
+        AutoObjectRooter tvr(cx, fun);
 
         Bindings bindings(cx, emptyCallShape);
         AutoBindingsRooter root(cx, bindings);
@@ -4737,20 +4734,20 @@ CompileUCFunctionForPrincipalsCommon(JSContext *cx, JSObject *obj,
             argAtom = js_Atomize(cx, argnames[i], strlen(argnames[i]));
             if (!argAtom) {
                 fun = NULL;
-                goto out2;
+                goto out;
             }
 
             uint16 dummy;
             if (!bindings.addArgument(cx, argAtom, &dummy)) {
                 fun = NULL;
-                goto out2;
+                goto out;
             }
         }
 
         if (!Compiler::compileFunctionBody(cx, fun, principals, &bindings,
                                            chars, length, filename, lineno, version)) {
             fun = NULL;
-            goto out2;
+            goto out;
         }
 
         if (obj && funAtom &&
@@ -4760,10 +4757,11 @@ CompileUCFunctionForPrincipalsCommon(JSContext *cx, JSObject *obj,
         }
     }
 
-  out2:
+  out:
     LAST_FRAME_CHECKS(cx, fun);
     return fun;
 }
+
 JS_PUBLIC_API(JSFunction *)
 JS_CompileUCFunctionForPrincipalsVersion(JSContext *cx, JSObject *obj,
                                          JSPrincipals *principals, const char *name,
@@ -4892,7 +4890,7 @@ JS_ExecuteScript(JSContext *cx, JSObject *obj, JSObject *scriptObj, jsval *rval)
     CHECK_REQUEST(cx);
     assertSameCompartment(cx, obj, scriptObj);
 
-    JSBool ok = ExternalExecute(cx, scriptObj->getScript(), *obj, Valueify(rval));
+    JSBool ok = Execute(cx, scriptObj->getScript(), *obj, Valueify(rval));
     LAST_FRAME_CHECKS(cx, ok);
     return ok;
 }
@@ -4926,7 +4924,7 @@ EvaluateUCScriptForPrincipalsCommon(JSContext *cx, JSObject *obj,
     }
     JS_ASSERT(script->getVersion() == compileVersion);
 
-    bool ok = ExternalExecute(cx, script, *obj, Valueify(rval));
+    bool ok = Execute(cx, script, *obj, Valueify(rval));
     LAST_FRAME_CHECKS(cx, ok);
     js_DestroyScript(cx, script, 5);
     return ok;
@@ -5006,8 +5004,8 @@ JS_CallFunction(JSContext *cx, JSObject *obj, JSFunction *fun, uintN argc, jsval
     JS_THREADSAFE_ASSERT(cx->compartment != cx->runtime->atomsCompartment);
     CHECK_REQUEST(cx);
     assertSameCompartment(cx, obj, fun, JSValueArray(argv, argc));
-    JSBool ok = ExternalInvoke(cx, ObjectOrNullValue(obj), ObjectValue(*fun), argc,
-                               Valueify(argv), Valueify(rval));
+    JSBool ok = Invoke(cx, ObjectOrNullValue(obj), ObjectValue(*fun), argc, Valueify(argv),
+                       Valueify(rval));
     LAST_FRAME_CHECKS(cx, ok);
     return ok;
 }
@@ -5025,8 +5023,7 @@ JS_CallFunctionName(JSContext *cx, JSObject *obj, const char *name, uintN argc,
     JSBool ok =
         atom &&
         js_GetMethod(cx, obj, ATOM_TO_JSID(atom), JSGET_NO_METHOD_BARRIER, tvr.addr()) &&
-        ExternalInvoke(cx, ObjectOrNullValue(obj), tvr.value(), argc, Valueify(argv),
-                       Valueify(rval));
+        Invoke(cx, ObjectOrNullValue(obj), tvr.value(), argc, Valueify(argv), Valueify(rval));
     LAST_FRAME_CHECKS(cx, ok);
     return ok;
 }
@@ -5039,8 +5036,8 @@ JS_CallFunctionValue(JSContext *cx, JSObject *obj, jsval fval, uintN argc, jsval
 
     CHECK_REQUEST(cx);
     assertSameCompartment(cx, obj, fval, JSValueArray(argv, argc));
-    JSBool ok = ExternalInvoke(cx, ObjectOrNullValue(obj), Valueify(fval), argc, Valueify(argv),
-                               Valueify(rval));
+    JSBool ok = Invoke(cx, ObjectOrNullValue(obj), Valueify(fval), argc, Valueify(argv),
+                       Valueify(rval));
     LAST_FRAME_CHECKS(cx, ok);
     return ok;
 }
@@ -5054,7 +5051,7 @@ Call(JSContext *cx, jsval thisv, jsval fval, uintN argc, jsval *argv, jsval *rva
 
     CHECK_REQUEST(cx);
     assertSameCompartment(cx, thisv, fval, JSValueArray(argv, argc));
-    ok = ExternalInvoke(cx, Valueify(thisv), Valueify(fval), argc, Valueify(argv), Valueify(rval));
+    ok = Invoke(cx, Valueify(thisv), Valueify(fval), argc, Valueify(argv), Valueify(rval));
     LAST_FRAME_CHECKS(cx, ok);
     return ok;
 }
@@ -5070,7 +5067,7 @@ JS_New(JSContext *cx, JSObject *ctor, uintN argc, jsval *argv)
     // This is not a simple variation of JS_CallFunctionValue because JSOP_NEW
     // is not a simple variation of JSOP_CALL. We have to determine what class
     // of object to create, create it, and clamp the return value to an object,
-    // among other details. js_InvokeConstructor does the hard work.
+    // among other details. InvokeConstructor does the hard work.
     InvokeArgsGuard args;
     if (!cx->stack.pushInvokeArgs(cx, argc, &args))
         return NULL;
diff --git a/js/src/jsbuiltins.cpp b/js/src/jsbuiltins.cpp
index fd83b28ecd56..ae0cbe443ce4 100644
--- a/js/src/jsbuiltins.cpp
+++ b/js/src/jsbuiltins.cpp
@@ -310,7 +310,7 @@ js_NewNullClosure(JSContext* cx, JSObject* funobj, JSObject* proto, JSObject* pa
     JS_ASSERT(JS_ON_TRACE(cx));
 
     JSFunction *fun = (JSFunction*) funobj;
-    JS_ASSERT(GET_FUNCTION_PRIVATE(cx, funobj) == fun);
+    JS_ASSERT(funobj->getFunctionPrivate() == fun);
 
     JSObject* closure = js_NewGCObject(cx, gc::FINALIZE_OBJECT2);
     if (!closure)
diff --git a/js/src/jscntxt.cpp b/js/src/jscntxt.cpp
index 39c31997cb2e..ee7369ea95d3 100644
--- a/js/src/jscntxt.cpp
+++ b/js/src/jscntxt.cpp
@@ -1083,7 +1083,7 @@ js_ReportMissingArg(JSContext *cx, const Value &v, uintN arg)
     JS_snprintf(argbuf, sizeof argbuf, "%u", arg);
     bytes = NULL;
     if (IsFunctionObject(v)) {
-        atom = GET_FUNCTION_PRIVATE(cx, &v.toObject())->atom;
+        atom = v.toObject().getFunctionPrivate()->atom;
         bytes = DecompileValueGenerator(cx, JSDVG_SEARCH_STACK,
                                         v, atom);
         if (!bytes)
diff --git a/js/src/jscntxtinlines.h b/js/src/jscntxtinlines.h
index 674b73f755b9..9e8746f87d10 100644
--- a/js/src/jscntxtinlines.h
+++ b/js/src/jscntxtinlines.h
@@ -349,7 +349,7 @@ CallSetter(JSContext *cx, JSObject *obj, jsid id, js::StrictPropertyOp op, uintN
            uintN shortid, JSBool strict, js::Value *vp)
 {
     if (attrs & JSPROP_SETTER)
-        return ExternalGetOrSet(cx, obj, id, CastAsObjectJsval(op), JSACC_WRITE, 1, vp, vp);
+        return InvokeGetterOrSetter(cx, obj, CastAsObjectJsval(op), 1, vp, vp);
 
     if (attrs & JSPROP_GETTER)
         return js_ReportGetterOnlyAssignment(cx);
diff --git a/js/src/jsdbgapi.cpp b/js/src/jsdbgapi.cpp
index d59b21b0031e..b439e6801086 100644
--- a/js/src/jsdbgapi.cpp
+++ b/js/src/jsdbgapi.cpp
@@ -548,7 +548,7 @@ JS_ReleaseFunctionLocalNameArray(JSContext *cx, void *mark)
 JS_PUBLIC_API(JSScript *)
 JS_GetFunctionScript(JSContext *cx, JSFunction *fun)
 {
-    return FUN_SCRIPT(fun);
+    return fun->maybeScript();
 }
 
 JS_PUBLIC_API(JSNative)
@@ -1095,8 +1095,8 @@ JS_GetFunctionTotalSize(JSContext *cx, JSFunction *fun)
     size_t nbytes;
 
     nbytes = sizeof *fun;
-    nbytes += JS_GetObjectTotalSize(cx, FUN_OBJECT(fun));
-    if (FUN_INTERPRETED(fun))
+    nbytes += JS_GetObjectTotalSize(cx, fun);
+    if (fun->isInterpreted())
         nbytes += JS_GetScriptTotalSize(cx, fun->script());
     if (fun->atom)
         nbytes += GetAtomTotalSize(cx, fun->atom);
@@ -2202,7 +2202,7 @@ JS_DumpBytecode(JSContext *cx, JSScript *script)
 
     fprintf(stdout, "--- SCRIPT %s:%d ---\n", script->filename, script->lineno);
     js_Disassemble(cx, script, true, &sprinter);
-    fprintf(stdout, "%s\n", sprinter.base);
+    fputs(sprinter.base, stdout);
     fprintf(stdout, "--- END SCRIPT %s:%d ---\n", script->filename, script->lineno);
 #endif
 }
diff --git a/js/src/jsemit.cpp b/js/src/jsemit.cpp
index 8217d832a780..f1c10414c163 100644
--- a/js/src/jsemit.cpp
+++ b/js/src/jsemit.cpp
@@ -4815,7 +4815,7 @@ js_EmitTree(JSContext *cx, JSCodeGenerator *cg, JSParseNode *pn)
 #endif
 
         fun = pn->pn_funbox->function();
-        JS_ASSERT(FUN_INTERPRETED(fun));
+        JS_ASSERT(fun->isInterpreted());
         if (fun->script()) {
             /*
              * This second pass is needed to emit JSOP_NOP with a source note
@@ -4830,7 +4830,7 @@ js_EmitTree(JSContext *cx, JSCodeGenerator *cg, JSParseNode *pn)
         }
 
         JS_ASSERT_IF(pn->pn_funbox->tcflags & TCF_FUN_HEAVYWEIGHT,
-                     FUN_KIND(fun) == JSFUN_INTERPRETED);
+                     fun->kind() == JSFUN_INTERPRETED);
 
         /* Generate code for the function's body. */
         void *cg2mark = JS_ARENA_MARK(cg->codePool);
@@ -4913,7 +4913,7 @@ js_EmitTree(JSContext *cx, JSCodeGenerator *cg, JSParseNode *pn)
                 return false;
             if (pn->pn_cookie.isFree()) {
                 CG_SWITCH_TO_PROLOG(cg);
-                op = FUN_FLAT_CLOSURE(fun) ? JSOP_DEFFUN_FC : JSOP_DEFFUN;
+                op = fun->isFlatClosure() ? JSOP_DEFFUN_FC : JSOP_DEFFUN;
                 EMIT_INDEX_OP(op, index);
 
                 /* Make blockChain determination quicker. */
diff --git a/js/src/jsexn.cpp b/js/src/jsexn.cpp
index ff528302f294..9ee591518c27 100644
--- a/js/src/jsexn.cpp
+++ b/js/src/jsexn.cpp
@@ -528,24 +528,25 @@ js_ErrorFromException(JSContext *cx, jsval exn)
 }
 
 static JSString *
-ValueToShortSource(JSContext *cx, jsval v)
+ValueToShortSource(JSContext *cx, const Value &v)
 {
     JSString *str;
 
     /* Avoid toSource bloat and fallibility for object types. */
-    if (JSVAL_IS_PRIMITIVE(v))
-        return js_ValueToSource(cx, Valueify(v));
+    if (!v.isObject())
+        return js_ValueToSource(cx, v);
 
-    AutoCompartment ac(cx, JSVAL_TO_OBJECT(v));
+    JSObject *obj = &v.toObject();
+    AutoCompartment ac(cx, obj);
     if (!ac.enter())
         return NULL;
 
-    if (VALUE_IS_FUNCTION(cx, v)) {
+    if (obj->isFunction()) {
         /*
          * XXX Avoid function decompilation bloat for now.
          */
-        str = JS_GetFunctionId(JS_ValueToFunction(cx, v));
-        if (!str && !(str = js_ValueToSource(cx, Valueify(v)))) {
+        str = JS_GetFunctionId(obj->getFunctionPrivate());
+        if (!str && !(str = js_ValueToSource(cx, v))) {
             /*
              * Continue to soldier on if the function couldn't be
              * converted into a string.
@@ -559,8 +560,7 @@ ValueToShortSource(JSContext *cx, jsval v)
          * memory, for too many classes (see Mozilla bug 166743).
          */
         char buf[100];
-        JS_snprintf(buf, sizeof buf, "[object %s]",
-                    JSVAL_TO_OBJECT(v)->getClass()->name);
+        JS_snprintf(buf, sizeof buf, "[object %s]", obj->getClass()->name);
         str = JS_NewStringCopyZ(cx, buf);
     }
 
@@ -638,7 +638,7 @@ StackTraceToString(JSContext *cx, JSExnPrivate *priv)
             for (i = 0; i != elem->argc; i++, values++) {
                 if (i > 0)
                     APPEND_CHAR_TO_STACK(',');
-                str = ValueToShortSource(cx, *values);
+                str = ValueToShortSource(cx, Valueify(*values));
                 if (!str)
                     goto bad;
                 APPEND_STRING_TO_STACK(str);
diff --git a/js/src/jsexn.h b/js/src/jsexn.h
index a68e591c851e..3966331e3128 100644
--- a/js/src/jsexn.h
+++ b/js/src/jsexn.h
@@ -102,7 +102,9 @@ js_GetLocalizedErrorMessage(JSContext* cx, void *userRef, const char *locale,
  * Make a copy of errobj parented to scope.
  *
  * cx must be in the same compartment as scope. errobj may be in a different
- * compartment, but it must be an Error object (not a wrapper of one).
+ * compartment, but it must be an Error object (not a wrapper of one) and it
+ * must not be one of the prototype objects created by js_InitExceptionClasses
+ * (errobj->getPrivate() must not be NULL).
  */
 extern JSObject *
 js_CopyErrorObject(JSContext *cx, JSObject *errobj, JSObject *scope);
diff --git a/js/src/jsfun.cpp b/js/src/jsfun.cpp
index 7c1476cca1a5..704a8d7af6aa 100644
--- a/js/src/jsfun.cpp
+++ b/js/src/jsfun.cpp
@@ -1251,8 +1251,9 @@ StackFrame::getValidCalleeObject(JSContext *cx, Value *vp)
                             JSObject *clone;
 
                             if (IsFunctionObject(v, &clone) &&
-                                GET_FUNCTION_PRIVATE(cx, clone) == fun &&
-                                clone->hasMethodObj(*thisp)) {
+                                clone->getFunctionPrivate() == fun &&
+                                clone->hasMethodObj(*thisp))
+                            {
                                 JS_ASSERT(clone != &funobj);
                                 *vp = v;
                                 overwriteCallee(*clone);
@@ -1544,8 +1545,8 @@ js_XDRFunctionObject(JSXDRState *xdr, JSObject **objp)
 
     cx = xdr->cx;
     if (xdr->mode == JSXDR_ENCODE) {
-        fun = GET_FUNCTION_PRIVATE(cx, *objp);
-        if (!FUN_INTERPRETED(fun)) {
+        fun = (*objp)->getFunctionPrivate();
+        if (!fun->isInterpreted()) {
             JSAutoByteString funNameBytes;
             if (const char *name = GetFunctionNameBytes(cx, fun, &funNameBytes)) {
                 JS_ReportErrorNumber(cx, js_GetErrorMessage, NULL, JSMSG_NOT_SCRIPTED_FUNCTION,
@@ -1566,11 +1567,11 @@ js_XDRFunctionObject(JSXDRState *xdr, JSObject **objp)
         fun = js_NewFunction(cx, NULL, NULL, 0, JSFUN_INTERPRETED, NULL, NULL);
         if (!fun)
             return false;
-        FUN_OBJECT(fun)->clearParent();
-        FUN_OBJECT(fun)->clearProto();
+        fun->clearParent();
+        fun->clearProto();
     }
 
-    AutoObjectRooter tvr(cx, FUN_OBJECT(fun));
+    AutoObjectRooter tvr(cx, fun);
 
     if (!JS_XDRUint32(xdr, &firstword))
         return false;
@@ -1597,7 +1598,7 @@ js_XDRFunctionObject(JSXDRState *xdr, JSObject **objp)
     fun->u.i.script = script;
 
     if (xdr->mode == JSXDR_DECODE) {
-        *objp = FUN_OBJECT(fun);
+        *objp = fun;
         fun->u.i.script->setOwnerObject(fun);
 #ifdef CHECK_SCRIPT_OWNER
         fun->script()->owner = NULL;
@@ -1736,7 +1737,7 @@ fun_toStringHelper(JSContext *cx, JSObject *obj, uintN indent)
         return NULL;
     }
 
-    JSFunction *fun = GET_FUNCTION_PRIVATE(cx, obj);
+    JSFunction *fun = obj->getFunctionPrivate();
     if (!fun)
         return NULL;
 
@@ -2029,7 +2030,7 @@ fun_isGenerator(JSContext *cx, uintN argc, Value *vp)
         return true;
     }
 
-    JSFunction *fun = GET_FUNCTION_PRIVATE(cx, funobj);
+    JSFunction *fun = funobj->getFunctionPrivate();
 
     bool result = false;
     if (fun->isInterpreted()) {
@@ -2439,7 +2440,7 @@ js_NewFunction(JSContext *cx, JSObject *funobj, Native native, uintN nargs,
     fun->atom = atom;
 
     /* Set private to self to indicate non-cloned fully initialized function. */
-    FUN_OBJECT(fun)->setPrivate(fun);
+    fun->setPrivate(fun);
     return fun;
 }
 
@@ -2653,7 +2654,7 @@ js_ValueToFunction(JSContext *cx, const Value *vp, uintN flags)
         js_ReportIsNotFunction(cx, vp, flags);
         return NULL;
     }
-    return GET_FUNCTION_PRIVATE(cx, funobj);
+    return funobj->getFunctionPrivate();
 }
 
 JSObject *
diff --git a/js/src/jsfun.h b/js/src/jsfun.h
index 47f84f4a9783..0957b688a1e1 100644
--- a/js/src/jsfun.h
+++ b/js/src/jsfun.h
@@ -60,14 +60,14 @@
  *   10   interpreted, flat closure
  *   11   interpreted, null closure
  *
- * FUN_FLAT_CLOSURE implies FUN_INTERPRETED and u.i.script->upvarsOffset != 0.
- * FUN_NULL_CLOSURE implies FUN_INTERPRETED and u.i.script->upvarsOffset == 0.
+ * isFlatClosure() implies isInterpreted() and u.i.script->upvarsOffset != 0.
+ * isNullClosure() implies isInterpreted() and u.i.script->upvarsOffset == 0.
  *
- * FUN_INTERPRETED but not FUN_FLAT_CLOSURE and u.i.script->upvarsOffset != 0
+ * isInterpreted() but not isFlatClosure() and u.i.script->upvarsOffset != 0
  * is an Algol-like function expression or nested function, i.e., a function
  * that never escapes upward or downward (heapward), and is only ever called.
  *
- * Finally, FUN_INTERPRETED and u.i.script->upvarsOffset == 0 could be either
+ * Finally, isInterpreted() and u.i.script->upvarsOffset == 0 could be either
  * a non-closure (a global function definition, or any function that uses no
  * outer names), or a closure of an escaping function that uses outer names
  * whose values can't be snapshot (because the outer names could be reassigned
@@ -80,8 +80,8 @@
  * NB: JSFUN_EXPR_CLOSURE reuses JSFUN_STUB_GSOPS, which is an API request flag
  * bit only, never stored in fun->flags.
  *
- * If we need more bits in the future, all flags for FUN_INTERPRETED functions
- * can move to u.i.script->flags. For now we use function flag bits to minimize
+ * If we need more bits in the future, all flags for interpreted functions can
+ * move to u.i.script->flags. For now we use function flag bits to minimize
  * pointer-chasing.
  */
 #define JSFUN_JOINABLE      0x0001  /* function is null closure that does not
@@ -101,19 +101,6 @@
 #define JSFUN_KINDMASK      0xc000  /* encode interp vs. native and closure
                                        optimization level -- see above */
 
-#define FUN_OBJECT(fun)      (static_cast(fun))
-#define FUN_KIND(fun)        ((fun)->flags & JSFUN_KINDMASK)
-#define FUN_SET_KIND(fun,k)  ((fun)->flags = ((fun)->flags & ~JSFUN_KINDMASK) | (k))
-#define FUN_INTERPRETED(fun) (FUN_KIND(fun) >= JSFUN_INTERPRETED)
-#define FUN_FLAT_CLOSURE(fun)(FUN_KIND(fun) == JSFUN_FLAT_CLOSURE)
-#define FUN_NULL_CLOSURE(fun)(FUN_KIND(fun) == JSFUN_NULL_CLOSURE)
-#define FUN_SCRIPT(fun)      (FUN_INTERPRETED(fun) ? (fun)->script() : NULL)
-#define FUN_CLASP(fun)       (JS_ASSERT(!FUN_INTERPRETED(fun)),               \
-                              fun->u.n.clasp)
-#define FUN_TRCINFO(fun)     (JS_ASSERT(!FUN_INTERPRETED(fun)),               \
-                              JS_ASSERT((fun)->flags & JSFUN_TRCINFO),        \
-                              fun->u.n.trcinfo)
-
 struct JSFunction : public JSObject_Slots2
 {
     /* Functions always have two fixed slots (FUN_CLASS_RESERVED_SLOTS). */
@@ -145,16 +132,25 @@ struct JSFunction : public JSObject_Slots2
     } u;
     JSAtom          *atom;        /* name for diagnostics and decompiling */
 
-    bool optimizedClosure()  const { return FUN_KIND(this) > JSFUN_INTERPRETED; }
-    bool isInterpreted()     const { return FUN_INTERPRETED(this); }
-    bool isNative()          const { return !FUN_INTERPRETED(this); }
+    bool optimizedClosure()  const { return kind() > JSFUN_INTERPRETED; }
+    bool isInterpreted()     const { return kind() >= JSFUN_INTERPRETED; }
+    bool isNative()          const { return !isInterpreted(); }
     bool isConstructor()     const { return flags & JSFUN_CONSTRUCTOR; }
     bool isHeavyweight()     const { return JSFUN_HEAVYWEIGHT_TEST(flags); }
-    bool isFlatClosure()     const { return FUN_KIND(this) == JSFUN_FLAT_CLOSURE; }
+    bool isNullClosure()     const { return kind() == JSFUN_NULL_CLOSURE; }
+    bool isFlatClosure()     const { return kind() == JSFUN_FLAT_CLOSURE; }
     bool isFunctionPrototype() const { return flags & JSFUN_PROTOTYPE; }
     bool isInterpretedConstructor() const { return isInterpreted() && !isFunctionPrototype(); }
+
+    uint16 kind()            const { return flags & JSFUN_KINDMASK; }
+    void setKind(uint16 k) {
+        JS_ASSERT(!(k & ~JSFUN_KINDMASK));
+        flags = (flags & ~JSFUN_KINDMASK) | k;
+    }
+
     /* Returns the strictness of this function, which must be interpreted. */
     inline bool inStrictMode() const;
+
     void setArgCount(uint16 nargs) {
         JS_ASSERT(this->nargs == 0);
         this->nargs = nargs;
@@ -210,6 +206,10 @@ struct JSFunction : public JSObject_Slots2
         return u.i.script;
     }
 
+    JSScript * maybeScript() const {
+        return isInterpreted() ? script() : NULL;
+    }
+
     js::Native native() const {
         JS_ASSERT(isNative());
         return u.n.native;
@@ -227,6 +227,23 @@ struct JSFunction : public JSObject_Slots2
 
     /* Number of extra fixed function object slots. */
     static const uint32 CLASS_RESERVED_SLOTS = JSObject::FUN_CLASS_RESERVED_SLOTS;
+
+
+    js::Class *getConstructorClass() const {
+        JS_ASSERT(isNative());
+        return u.n.clasp;
+    }
+
+    void setConstructorClass(js::Class *clasp) {
+        JS_ASSERT(isNative());
+        u.n.clasp = clasp;
+    }
+
+    JSNativeTraceInfo *getTraceInfo() const {
+        JS_ASSERT(isNative());
+        JS_ASSERT(flags & JSFUN_TRCINFO);
+        return u.n.trcinfo;
+    }
 };
 
 /*
@@ -269,12 +286,6 @@ JSObject::getFunctionPrivate() const
 
 namespace js {
 
-/*
- * NB: jsapi.h and jsobj.h must be included before any call to this macro.
- */
-#define VALUE_IS_FUNCTION(cx, v)                                              \
-    (!JSVAL_IS_PRIMITIVE(v) && JSVAL_TO_OBJECT(v)->isFunction())
-
 static JS_ALWAYS_INLINE bool
 IsFunctionObject(const js::Value &v)
 {
@@ -354,14 +365,6 @@ SameTraceType(const Value &lhs, const Value &rhs)
             lhs.toObject().isFunction() == rhs.toObject().isFunction());
 }
 
-/*
- * Macro to access the private slot of the function object after the slot is
- * initialized.
- */
-#define GET_FUNCTION_PRIVATE(cx, funobj)                                      \
-    (JS_ASSERT((funobj)->isFunction()),                                       \
-     (JSFunction *) (funobj)->getPrivate())
-
 /*
  * Return true if this is a compiler-created internal function accessed by
  * its own object. Such a function object must not be accessible to script
diff --git a/js/src/jsfuninlines.h b/js/src/jsfuninlines.h
index 05d3a4cae830..9abf7cbacf9b 100644
--- a/js/src/jsfuninlines.h
+++ b/js/src/jsfuninlines.h
@@ -52,7 +52,7 @@ JSFunction::inStrictMode() const
 inline void
 JSFunction::setJoinable()
 {
-    JS_ASSERT(FUN_INTERPRETED(this));
+    JS_ASSERT(isInterpreted());
     setSlot(METHOD_ATOM_SLOT, js::NullValue());
     flags |= JSFUN_JOINABLE;
 }
diff --git a/js/src/jshashtable.h b/js/src/jshashtable.h
index 437067f15908..fc8fc44190fc 100644
--- a/js/src/jshashtable.h
+++ b/js/src/jshashtable.h
@@ -298,7 +298,8 @@ class HashTable : private AllocPolicy
 
     static const unsigned sMinSizeLog2  = 4;
     static const unsigned sMinSize      = 1 << sMinSizeLog2;
-    static const unsigned sSizeLimit    = JS_BIT(24);
+    static const unsigned sMaxInit      = JS_BIT(23);
+    static const unsigned sMaxCapacity  = JS_BIT(24);
     static const unsigned sHashBits     = tl::BitSize::result;
     static const uint8    sMinAlphaFrac = 64;  /* (0x100 * .25) taken from jsdhash.h */
     static const uint8    sMaxAlphaFrac = 192; /* (0x100 * .75) taken from jsdhash.h */
@@ -308,6 +309,14 @@ class HashTable : private AllocPolicy
     static const HashNumber sRemovedKey = Entry::sRemovedKey;
     static const HashNumber sCollisionBit = Entry::sCollisionBit;
 
+    static void staticAsserts()
+    {
+        /* Rely on compiler "constant overflow warnings". */
+        JS_STATIC_ASSERT(((sMaxInit * sInvMaxAlpha) >> 7) < sMaxCapacity);
+        JS_STATIC_ASSERT((sMaxCapacity * sInvMaxAlpha) <= UINT32_MAX);
+        JS_STATIC_ASSERT((sMaxCapacity * sizeof(Entry)) <= UINT32_MAX);
+    }
+
     static bool isLiveHash(HashNumber hash)
     {
         return Entry::isLiveHash(hash);
@@ -365,7 +374,10 @@ class HashTable : private AllocPolicy
          * Correct for sMaxAlphaFrac such that the table will not resize
          * when adding 'length' entries.
          */
-        JS_ASSERT(length < (uint32(1) << 23));
+        if (length > sMaxInit) {
+            this->reportAllocOverflow();
+            return false;
+        }
         uint32 capacity = (length * sInvMaxAlpha) >> 7;
 
         if (capacity < sMinSize)
@@ -379,10 +391,7 @@ class HashTable : private AllocPolicy
         }
 
         capacity = roundUp;
-        if (capacity >= sSizeLimit) {
-            this->reportAllocOverflow();
-            return false;
-        }
+        JS_ASSERT(capacity <= sMaxCapacity);
 
         table = createTable(*this, capacity);
         if (!table)
@@ -536,7 +545,7 @@ class HashTable : private AllocPolicy
         uint32 oldCap = tableCapacity;
         uint32 newLog2 = sHashBits - hashShift + deltaLog2;
         uint32 newCapacity = JS_BIT(newLog2);
-        if (newCapacity >= sSizeLimit) {
+        if (newCapacity > sMaxCapacity) {
             this->reportAllocOverflow();
             return false;
         }
diff --git a/js/src/jsinterp.cpp b/js/src/jsinterp.cpp
index 5f138007fc5f..86b7a0f58b0a 100644
--- a/js/src/jsinterp.cpp
+++ b/js/src/jsinterp.cpp
@@ -512,7 +512,7 @@ Class js_NoSuchMethodClass = {
  * the base object, we search for the __noSuchMethod__ method in the base.
  * If it exists, we store the method and the property's id into an object of
  * NoSuchMethod class and store this object into the callee's stack slot.
- * Later, js_Invoke will recognise such an object and transfer control to
+ * Later, Invoke will recognise such an object and transfer control to
  * NoSuchMethod that invokes the method like:
  *
  *   this.__noSuchMethod__(id, args)
@@ -621,7 +621,7 @@ RunScript(JSContext *cx, JSScript *script, StackFrame *fp)
  * when done.  Then push the return value.
  */
 JS_REQUIRES_STACK bool
-Invoke(JSContext *cx, const CallArgs &argsRef, MaybeConstruct construct)
+InvokeKernel(JSContext *cx, const CallArgs &argsRef, MaybeConstruct construct)
 {
     /* N.B. Must be kept in sync with InvokeSessionGuard::start/invoke */
 
@@ -781,8 +781,8 @@ InvokeSessionGuard::start(JSContext *cx, const Value &calleev, const Value &this
 }
 
 bool
-ExternalInvoke(JSContext *cx, const Value &thisv, const Value &fval,
-               uintN argc, Value *argv, Value *rval)
+Invoke(JSContext *cx, const Value &thisv, const Value &fval, uintN argc, Value *argv,
+       Value *rval)
 {
     LeaveTrace(cx);
 
@@ -814,8 +814,7 @@ ExternalInvoke(JSContext *cx, const Value &thisv, const Value &fval,
 }
 
 bool
-ExternalInvokeConstructor(JSContext *cx, const Value &fval, uintN argc, Value *argv,
-                          Value *rval)
+InvokeConstructor(JSContext *cx, const Value &fval, uintN argc, Value *argv, Value *rval)
 {
     LeaveTrace(cx);
 
@@ -835,18 +834,18 @@ ExternalInvokeConstructor(JSContext *cx, const Value &fval, uintN argc, Value *a
 }
 
 bool
-ExternalGetOrSet(JSContext *cx, JSObject *obj, jsid id, const Value &fval,
-                 JSAccessMode mode, uintN argc, Value *argv, Value *rval)
+InvokeGetterOrSetter(JSContext *cx, JSObject *obj, const Value &fval, uintN argc, Value *argv,
+                     Value *rval)
 {
     LeaveTrace(cx);
 
     /*
-     * ExternalInvoke could result in another try to get or set the same id
-     * again, see bug 355497.
+     * Invoke could result in another try to get or set the same id again, see
+     * bug 355497.
      */
     JS_CHECK_RECURSION(cx, return false);
 
-    return ExternalInvoke(cx, ObjectValue(*obj), fval, argc, argv, rval);
+    return Invoke(cx, ObjectValue(*obj), fval, argc, argv, rval);
 }
 
 #if JS_HAS_SHARP_VARS
@@ -878,8 +877,8 @@ InitSharpSlots(JSContext *cx, StackFrame *fp)
 #endif
 
 bool
-Execute(JSContext *cx, JSScript *script, JSObject &scopeChain, const Value &thisv,
-        ExecuteType type, StackFrame *evalInFrame, Value *result)
+ExecuteKernel(JSContext *cx, JSScript *script, JSObject &scopeChain, const Value &thisv,
+              ExecuteType type, StackFrame *evalInFrame, Value *result)
 {
     JS_ASSERT_IF(evalInFrame, type == EXECUTE_DEBUG);
 
@@ -919,7 +918,7 @@ Execute(JSContext *cx, JSScript *script, JSObject &scopeChain, const Value &this
 }
 
 bool
-ExternalExecute(JSContext *cx, JSScript *script, JSObject &scopeChainArg, Value *rval)
+Execute(JSContext *cx, JSScript *script, JSObject &scopeChainArg, Value *rval)
 {
     /* The scope chain could be anything, so innerize just in case. */
     JSObject *scopeChain = &scopeChainArg;
@@ -944,8 +943,8 @@ ExternalExecute(JSContext *cx, JSScript *script, JSObject &scopeChainArg, Value
         return false;
     Value thisv = ObjectValue(*thisObj);
 
-    return Execute(cx, script, *scopeChain, thisv, EXECUTE_GLOBAL,
-                   NULL /* evalInFrame */, rval);
+    return ExecuteKernel(cx, script, *scopeChain, thisv, EXECUTE_GLOBAL,
+                         NULL /* evalInFrame */, rval);
 }
 
 bool
@@ -1190,7 +1189,7 @@ TypeOfValue(JSContext *cx, const Value &vref)
 }
 
 JS_REQUIRES_STACK bool
-InvokeConstructor(JSContext *cx, const CallArgs &argsRef)
+InvokeConstructorKernel(JSContext *cx, const CallArgs &argsRef)
 {
     JS_ASSERT(!js_FunctionClass.construct);
     CallArgs args = argsRef;
@@ -1212,7 +1211,7 @@ InvokeConstructor(JSContext *cx, const CallArgs &argsRef)
             if (!fun->isInterpretedConstructor())
                 goto error;
 
-            if (!Invoke(cx, args, CONSTRUCT))
+            if (!InvokeKernel(cx, args, CONSTRUCT))
                 return false;
 
             JS_ASSERT(args.rval().isObject());
@@ -3986,7 +3985,7 @@ BEGIN_CASE(JSOP_EVAL)
         if (!DirectEval(cx, args))
             goto error;
     } else {
-        if (!Invoke(cx, args))
+        if (!InvokeKernel(cx, args))
             goto error;
     }
     CHECK_INTERRUPT_HANDLER();
@@ -4010,10 +4009,10 @@ BEGIN_CASE(JSOP_FUNAPPLY)
     /* Don't bother trying to fast-path calls to scripted non-constructors. */
     if (!IsFunctionObject(args.calleev(), &callee, &fun) || !fun->isInterpretedConstructor()) {
         if (construct) {
-            if (!InvokeConstructor(cx, args))
+            if (!InvokeConstructorKernel(cx, args))
                 goto error;
         } else {
-            if (!Invoke(cx, args))
+            if (!InvokeKernel(cx, args))
                 goto error;
         }
         regs.sp = args.spAfterCall();
@@ -4590,10 +4589,10 @@ BEGIN_CASE(JSOP_DEFFUN)
      */
     JSFunction *fun;
     LOAD_FUNCTION(0);
-    JSObject *obj = FUN_OBJECT(fun);
+    JSObject *obj = fun;
 
     JSObject *obj2;
-    if (FUN_NULL_CLOSURE(fun)) {
+    if (fun->isNullClosure()) {
         /*
          * Even a null closure needs a parent for principals finding.
          * FIXME: bug 476950, although debugger users may also demand some kind
@@ -4730,10 +4729,10 @@ BEGIN_CASE(JSOP_DEFLOCALFUN)
     JSFunction *fun;
     LOAD_FUNCTION(SLOTNO_LEN);
     JS_ASSERT(fun->isInterpreted());
-    JS_ASSERT(!FUN_FLAT_CLOSURE(fun));
-    JSObject *obj = FUN_OBJECT(fun);
+    JS_ASSERT(!fun->isFlatClosure());
+    JSObject *obj = fun;
 
-    if (FUN_NULL_CLOSURE(fun)) {
+    if (fun->isNullClosure()) {
         obj = CloneFunctionObject(cx, fun, ®s.fp()->scopeChain());
         if (!obj)
             goto error;
@@ -4782,12 +4781,12 @@ BEGIN_CASE(JSOP_LAMBDA)
     /* Load the specified function object literal. */
     JSFunction *fun;
     LOAD_FUNCTION(0);
-    JSObject *obj = FUN_OBJECT(fun);
+    JSObject *obj = fun;
 
     /* do-while(0) so we can break instead of using a goto. */
     do {
         JSObject *parent;
-        if (FUN_NULL_CLOSURE(fun)) {
+        if (fun->isNullClosure()) {
             parent = ®s.fp()->scopeChain();
 
             if (obj->getParent() == parent) {
@@ -4845,7 +4844,7 @@ BEGIN_CASE(JSOP_LAMBDA)
                         JSObject *callee;
 
                         if (IsFunctionObject(cref, &callee)) {
-                            JSFunction *calleeFun = GET_FUNCTION_PRIVATE(cx, callee);
+                            JSFunction *calleeFun = callee->getFunctionPrivate();
                             if (Native native = calleeFun->maybeNative()) {
                                 if ((iargc == 1 && native == array_sort) ||
                                     (iargc == 2 && native == str_replace)) {
@@ -6092,7 +6091,7 @@ END_CASE(JSOP_ARRAYPUSH)
     /*
      * At this point we are inevitably leaving an interpreted function or a
      * top-level script, and returning to one of:
-     * (a) an "out of line" call made through js_Invoke;
+     * (a) an "out of line" call made through Invoke;
      * (b) a js_Execute activation;
      * (c) a generator (SendToGenerator, jsiter.c).
      *
diff --git a/js/src/jsinterp.h b/js/src/jsinterp.h
index 2ae760c65247..82e7f05ff557 100644
--- a/js/src/jsinterp.h
+++ b/js/src/jsinterp.h
@@ -145,32 +145,43 @@ inline bool
 ComputeThis(JSContext *cx, StackFrame *fp);
 
 /*
- * The js::InvokeArgumentsGuard passed to js_Invoke must come from an
- * immediately-enclosing successful call to js::StackSpace::pushInvokeArgs,
- * i.e., there must have been no un-popped pushes to cx->stack. Furthermore,
- * |args.getvp()[0]| should be the callee, |args.getvp()[1]| should be |this|,
- * and the range [args.getvp() + 2, args.getvp() + 2 + args.getArgc()) should
- * be initialized actual arguments.
+ * InvokeKernel assumes that the given args have been pushed on the top of the
+ * VM stack. Additionally, if 'args' is contained in a CallArgsList, that they
+ * have already been marked 'active'.
  */
 extern bool
-Invoke(JSContext *cx, const CallArgs &args, MaybeConstruct construct = NO_CONSTRUCT);
+InvokeKernel(JSContext *cx, const CallArgs &args, MaybeConstruct construct = NO_CONSTRUCT);
 
 /*
- * For calls to natives, the InvokeArgsGuard object provides a record of the
- * call for the debugger's callstack. For this to work, the InvokeArgsGuard
- * record needs to know when the call is actually active (because the
- * InvokeArgsGuard can be pushed long before and popped long after the actual
- * call, during which time many stack-observing things can happen).
+ * Invoke assumes that 'args' has been pushed (via ContextStack::pushInvokeArgs)
+ * and is currently at the top of the VM stack.
  */
 inline bool
 Invoke(JSContext *cx, InvokeArgsGuard &args, MaybeConstruct construct = NO_CONSTRUCT)
 {
     args.setActive();
-    bool ok = Invoke(cx, ImplicitCast(args), construct);
+    bool ok = InvokeKernel(cx, args, construct);
     args.setInactive();
     return ok;
 }
 
+/*
+ * This Invoke overload places the least requirements on the caller: it may be
+ * called at any time and it takes care of copying the given callee, this, and
+ * arguments onto the stack.
+ */
+extern bool
+Invoke(JSContext *cx, const Value &thisv, const Value &fval, uintN argc, Value *argv,
+       Value *rval);
+
+/*
+ * This helper takes care of the infinite-recursion check necessary for
+ * getter/setter calls.
+ */
+extern bool
+InvokeGetterOrSetter(JSContext *cx, JSObject *obj, const Value &fval, uintN argc, Value *argv,
+                     Value *rval);
+
 /*
  * Natives like sort/forEach/replace call Invoke repeatedly with the same
  * callee, this, and number of arguments. To optimize this, such natives can
@@ -198,40 +209,34 @@ Invoke(JSContext *cx, InvokeArgsGuard &args, MaybeConstruct construct = NO_CONST
 class InvokeSessionGuard;
 
 /*
- * "External" calls may come from C or C++ code using a JSContext on which no
- * JS is running (!cx->fp), so they may need to push a dummy StackFrame.
+ * InvokeConstructor* implement a function call from a constructor context
+ * (e.g. 'new') handling the the creation of the new 'this' object.
  */
+extern JS_REQUIRES_STACK bool
+InvokeConstructorKernel(JSContext *cx, const CallArgs &args);
 
-extern bool
-ExternalInvoke(JSContext *cx, const Value &thisv, const Value &fval,
-               uintN argc, Value *argv, Value *rval);
+/* See the InvokeArgsGuard overload of Invoke. */
+inline bool
+InvokeConstructor(JSContext *cx, InvokeArgsGuard &args)
+{
+    args.setActive();
+    bool ok = InvokeConstructorKernel(cx, ImplicitCast(args));
+    args.setInactive();
+    return ok;
+}
 
+/* See the fval overload of Invoke. */
 extern bool
-ExternalGetOrSet(JSContext *cx, JSObject *obj, jsid id, const Value &fval,
-                 JSAccessMode mode, uintN argc, Value *argv, Value *rval);
+InvokeConstructor(JSContext *cx, const Value &fval, uintN argc, Value *argv, Value *rval);
 
 /*
- * These two functions invoke a function called from a constructor context
- * (e.g. 'new'). InvokeConstructor handles the general case where a new object
- * needs to be created for/by the constructor. ConstructWithGivenThis directly
- * calls the constructor with the given 'this', hence the caller must
- * understand the semantics of the constructor call.
+ * InvokeConstructorWithGivenThis directly calls the constructor with the given
+ * 'this'; the caller must choose the semantically correct 'this'.
  */
-
-extern JS_REQUIRES_STACK bool
-InvokeConstructor(JSContext *cx, const CallArgs &args);
-
 extern JS_REQUIRES_STACK bool
 InvokeConstructorWithGivenThis(JSContext *cx, JSObject *thisobj, const Value &fval,
                                uintN argc, Value *argv, Value *rval);
 
-extern bool
-ExternalInvokeConstructor(JSContext *cx, const Value &fval, uintN argc, Value *argv,
-                          Value *rval);
-
-extern bool
-ExternalExecute(JSContext *cx, JSScript *script, JSObject &scopeChain, Value *rval);
-
 /*
  * Executes a script with the given scopeChain/this. The 'type' indicates
  * whether this is eval code or global code. To support debugging, the
@@ -239,8 +244,12 @@ ExternalExecute(JSContext *cx, JSScript *script, JSObject &scopeChain, Value *rv
  * stack to simulate executing an eval in that frame.
  */
 extern bool
-Execute(JSContext *cx, JSScript *script, JSObject &scopeChain, const Value &thisv,
-        ExecuteType type, StackFrame *evalInFrame, Value *result);
+ExecuteKernel(JSContext *cx, JSScript *script, JSObject &scopeChain, const Value &thisv,
+              ExecuteType type, StackFrame *evalInFrame, Value *result);
+
+/* Execute a script with the given scopeChain as global code. */
+extern bool
+Execute(JSContext *cx, JSScript *script, JSObject &scopeChain, Value *rval);
 
 /* Flags to toggle js::Interpret() execution. */
 enum InterpMode
diff --git a/js/src/jsiter.cpp b/js/src/jsiter.cpp
index 08321b179fba..ddaef655e54d 100644
--- a/js/src/jsiter.cpp
+++ b/js/src/jsiter.cpp
@@ -362,7 +362,7 @@ GetCustomIterator(JSContext *cx, JSObject *obj, uintN flags, Value *vp)
     /* Otherwise call it and return that object. */
     LeaveTrace(cx);
     Value arg = BooleanValue((flags & JSITER_FOREACH) == 0);
-    if (!ExternalInvoke(cx, ObjectValue(*obj), *vp, 1, &arg, vp))
+    if (!Invoke(cx, ObjectValue(*obj), *vp, 1, &arg, vp))
         return false;
     if (vp->isPrimitive()) {
         /*
@@ -954,7 +954,7 @@ js_IteratorMore(JSContext *cx, JSObject *iterobj, Value *rval)
         jsid id = ATOM_TO_JSID(cx->runtime->atomState.nextAtom);
         if (!js_GetMethod(cx, iterobj, id, JSGET_METHOD_BARRIER, rval))
             return false;
-        if (!ExternalInvoke(cx, ObjectValue(*iterobj), *rval, 0, NULL, rval)) {
+        if (!Invoke(cx, ObjectValue(*iterobj), *rval, 0, NULL, rval)) {
             /* Check for StopIteration. */
             if (!cx->isExceptionPending() || !js_ValueIsStopIteration(cx->getPendingException()))
                 return false;
diff --git a/js/src/jsobj.cpp b/js/src/jsobj.cpp
index 50926dc83ae3..cf18922db671 100644
--- a/js/src/jsobj.cpp
+++ b/js/src/jsobj.cpp
@@ -1191,7 +1191,6 @@ EvalKernel(JSContext *cx, const CallArgs &call, EvalType evalType, StackFrame *c
 
 #ifdef DEBUG
         jsbytecode *callerPC = caller->pcQuadratic(cx);
-        JS_ASSERT_IF(caller->isFunctionFrame(), caller->fun()->isHeavyweight());
         JS_ASSERT(callerPC && js_GetOpcode(cx, caller->script(), callerPC) == JSOP_EVAL);
 #endif
     } else {
@@ -1275,8 +1274,8 @@ EvalKernel(JSContext *cx, const CallArgs &call, EvalType evalType, StackFrame *c
         esg.setNewScript(compiled);
     }
 
-    return Execute(cx, esg.script(), scopeobj, thisv, ExecuteType(evalType),
-                   NULL /* evalInFrame */, &call.rval());
+    return ExecuteKernel(cx, esg.script(), scopeobj, thisv, ExecuteType(evalType),
+                         NULL /* evalInFrame */, &call.rval());
 }
 
 /*
@@ -1405,8 +1404,8 @@ obj_watch_handler(JSContext *cx, JSObject *obj, jsid id, jsval old,
         return true;
 
     Value argv[] = { IdToValue(id), Valueify(old), Valueify(*nvp) };
-    return ExternalInvoke(cx, ObjectValue(*obj), ObjectOrNullValue(callable),
-                          JS_ARRAY_LENGTH(argv), argv, Valueify(nvp));
+    return Invoke(cx, ObjectValue(*obj), ObjectOrNullValue(callable), JS_ARRAY_LENGTH(argv), argv,
+                  Valueify(nvp));
 }
 
 static JSBool
@@ -3919,7 +3918,7 @@ DefineConstructorAndPrototype(JSContext *cx, JSObject *obj, JSProtoKey key, JSAt
             js_NewFunction(cx, NULL, constructor, nargs, JSFUN_CONSTRUCTOR, obj, atom);
         if (!fun)
             goto bad;
-        FUN_CLASP(fun) = clasp;
+        fun->setConstructorClass(clasp);
 
         AutoValueRooter tvr2(cx, ObjectValue(*fun));
         if (!DefineStandardSlot(cx, obj, key, atom, tvr2.value(), 0, named))
@@ -3931,7 +3930,7 @@ DefineConstructorAndPrototype(JSContext *cx, JSObject *obj, JSProtoKey key, JSAt
          * different object, as is done for operator new -- and as at least
          * XML support requires.
          */
-        ctor = FUN_OBJECT(fun);
+        ctor = fun;
         if (clasp->flags & JSCLASS_CONSTRUCT_PROTOTYPE) {
             Value rval;
             if (!InvokeConstructorWithGivenThis(cx, proto, ObjectOrNullValue(ctor),
@@ -4709,7 +4708,7 @@ DefineNativeProperty(JSContext *cx, JSObject *obj, jsid id, const Value &value,
             JS_ASSERT(!getter && !setter);
 
             JSObject *funobj = &value.toObject();
-            if (FUN_OBJECT(GET_FUNCTION_PRIVATE(cx, funobj)) == funobj) {
+            if (funobj->getFunctionPrivate() == funobj) {
                 flags |= Shape::METHOD;
                 getter = CastAsPropertyOp(funobj);
             }
@@ -5449,7 +5448,7 @@ JSObject::callMethod(JSContext *cx, jsid id, uintN argc, Value *argv, Value *vp)
 {
     Value fval;
     return js_GetMethod(cx, this, id, JSGET_NO_METHOD_BARRIER, &fval) &&
-           ExternalInvoke(cx, ObjectValue(*this), fval, argc, argv, vp);
+           Invoke(cx, ObjectValue(*this), fval, argc, argv, vp);
 }
 
 JSBool
@@ -5662,7 +5661,7 @@ js_SetPropertyHelper(JSContext *cx, JSObject *obj, jsid id, uintN defineHow,
             JS_ASSERT(!(attrs & (JSPROP_GETTER | JSPROP_SETTER)));
 
             JSObject *funobj = &vp->toObject();
-            JSFunction *fun = GET_FUNCTION_PRIVATE(cx, funobj);
+            JSFunction *fun = funobj->getFunctionPrivate();
             if (fun == funobj) {
                 flags |= Shape::METHOD;
                 getter = CastAsPropertyOp(funobj);
@@ -5797,7 +5796,7 @@ js_DeleteProperty(JSContext *cx, JSObject *obj, jsid id, Value *rval, JSBool str
             JSObject *funobj;
 
             if (IsFunctionObject(v, &funobj)) {
-                JSFunction *fun = GET_FUNCTION_PRIVATE(cx, funobj);
+                JSFunction *fun = funobj->getFunctionPrivate();
 
                 if (fun != funobj) {
                     for (StackFrame *fp = cx->maybefp(); fp; fp = fp->prev()) {
@@ -5854,7 +5853,7 @@ MaybeCallMethod(JSContext *cx, JSObject *obj, jsid id, Value *vp)
         *vp = ObjectValue(*obj);
         return true;
     }
-    return ExternalInvoke(cx, ObjectValue(*obj), *vp, 0, NULL, vp);
+    return Invoke(cx, ObjectValue(*obj), *vp, 0, NULL, vp);
 }
 
 JSBool
@@ -6492,7 +6491,7 @@ dumpValue(const Value &v)
         dumpString(v.toString());
     else if (v.isObject() && v.toObject().isFunction()) {
         JSObject *funobj = &v.toObject();
-        JSFunction *fun = GET_FUNCTION_PRIVATE(cx, funobj);
+        JSFunction *fun = funobj->getFunctionPrivate();
         if (fun->atom) {
             fputs("atom, 0);
@@ -6700,15 +6699,22 @@ js_DumpStackFrame(JSContext *cx, StackFrame *start)
     /* This should only called during live debugging. */
     VOUCH_DOES_NOT_REQUIRE_STACK();
 
-    if (!start)
-        start = cx->maybefp();
-    FrameRegsIter i(cx);
-    while (!i.done() && i.fp() != start)
-        ++i;
+    FrameRegsIter i(cx, StackIter::GO_THROUGH_SAVED);
+    if (!start) {
+        if (i.done()) {
+            fprintf(stderr, "no stack for cx = %p\n", (void*) cx);
+            return;
+        }
+        start = i.fp();
+    } else {
+        while (!i.done() && i.fp() != start)
+            ++i;
 
-    if (i.done()) {
-        fprintf(stderr, "fp = %p not found in cx = %p\n", (void *)start, (void *)cx);
-        return;
+        if (i.done()) {
+            fprintf(stderr, "fp = %p not found in cx = %p\n",
+                    (void *)start, (void *)cx);
+            return;
+        }
     }
 
     for (; !i.done(); ++i) {
diff --git a/js/src/jsobjinlines.h b/js/src/jsobjinlines.h
index 7c477501aeb7..4d8ad24d7ea8 100644
--- a/js/src/jsobjinlines.h
+++ b/js/src/jsobjinlines.h
@@ -218,7 +218,7 @@ JSObject::methodReadBarrier(JSContext *cx, const js::Shape &shape, js::Value *vp
     JSObject *funobj = &vp->toObject();
     JSFunction *fun = funobj->getFunctionPrivate();
     JS_ASSERT(fun == funobj);
-    JS_ASSERT(FUN_NULL_CLOSURE(fun));
+    JS_ASSERT(fun->isNullClosure());
 
     funobj = CloneFunctionObject(cx, fun, funobj->getParent());
     if (!funobj)
@@ -550,7 +550,7 @@ inline void
 JSObject::setFlatClosureUpvars(js::Value *upvars)
 {
     JS_ASSERT(isFunction());
-    JS_ASSERT(FUN_FLAT_CLOSURE(getFunctionPrivate()));
+    JS_ASSERT(getFunctionPrivate()->isFlatClosure());
     setSlot(JSSLOT_FLAT_CLOSURE_UPVARS, PrivateValue(upvars));
 }
 
diff --git a/js/src/jsopcode.cpp b/js/src/jsopcode.cpp
index 37ebdfc81dcb..a3fb0028ee58 100644
--- a/js/src/jsopcode.cpp
+++ b/js/src/jsopcode.cpp
@@ -396,7 +396,7 @@ ToDisassemblySource(JSContext *cx, jsval v, JSAutoByteString *bytes)
         }
 
         if (clasp == &js_FunctionClass) {
-            JSFunction *fun = GET_FUNCTION_PRIVATE(cx, obj);
+            JSFunction *fun = obj->getFunctionPrivate();
             JSString *str = JS_DecompileFunction(cx, fun, JS_DONT_PRETTY_PRINT);
             if (!str)
                 return false;
@@ -458,6 +458,23 @@ js_Disassemble1(JSContext *cx, JSScript *script, jsbytecode *pc,
     type = JOF_TYPE(cs->format);
     switch (type) {
       case JOF_BYTE:
+          // Scan the trynotes to find the associated catch block
+          // and make the try opcode look like a jump instruction
+          // with an offset. This simplifies code coverage analysis
+          // based on this disassembled output.
+          if (op == JSOP_TRY) {
+              JSTryNoteArray *trynotes = script->trynotes();
+              uint32 i;
+              for(i = 0; i < trynotes->length; i++) {
+                  JSTryNote note = trynotes->vector[i];
+                  if (note.kind == JSTRY_CATCH && note.start == loc + 1) {
+                      Sprint(sp, " %u (%+d)",
+                             (unsigned int) (loc+note.length+1),
+                             (int) (note.length+1));
+                      break;
+                  }
+              }
+          }
         break;
 
       case JOF_JUMP:
@@ -4972,7 +4989,7 @@ js_DecompileFunctionBody(JSPrinter *jp)
 
     JS_ASSERT(jp->fun);
     JS_ASSERT(!jp->script);
-    if (!FUN_INTERPRETED(jp->fun)) {
+    if (!jp->fun->isInterpreted()) {
         js_printf(jp, native_code_str);
         return JS_TRUE;
     }
@@ -5011,7 +5028,7 @@ js_DecompileFunction(JSPrinter *jp)
         return JS_FALSE;
     js_puts(jp, "(");
 
-    if (!FUN_INTERPRETED(fun)) {
+    if (!fun->isInterpreted()) {
         js_printf(jp, ") {\n");
         jp->indent += 4;
         js_printf(jp, native_code_str);
diff --git a/js/src/jsparse.cpp b/js/src/jsparse.cpp
index dee6585a9b9e..d07e89c38d4f 100644
--- a/js/src/jsparse.cpp
+++ b/js/src/jsparse.cpp
@@ -313,7 +313,7 @@ Parser::newFunctionBox(JSObject *obj, JSParseNode *fn, JSTreeContext *tc)
 bool
 JSFunctionBox::joinable() const
 {
-    return FUN_NULL_CLOSURE(function()) &&
+    return function()->isNullClosure() &&
            !(tcflags & (TCF_FUN_USES_ARGUMENTS | TCF_FUN_USES_OWN_NAME));
 }
 
@@ -990,7 +990,7 @@ Compiler::compileScript(JSContext *cx, JSObject *scopeChain, StackFrame *callerF
              * function captured in case it refers to an upvar, and someone
              * wishes to decompile it while it's running.
              */
-            JSObjectBox *funbox = parser.newObjectBox(FUN_OBJECT(callerFrame->fun()));
+            JSObjectBox *funbox = parser.newObjectBox(callerFrame->fun());
             if (!funbox)
                 goto out;
             funbox->emitLink = cg.objectList.lastbox;
@@ -1978,8 +1978,8 @@ Parser::newFunction(JSTreeContext *tc, JSAtom *atom, FunctionSyntaxKind kind)
                        JSFUN_INTERPRETED | (kind == Expression ? JSFUN_LAMBDA : 0),
                        parent, atom);
     if (fun && !tc->compileAndGo()) {
-        FUN_OBJECT(fun)->clearParent();
-        FUN_OBJECT(fun)->clearProto();
+        fun->clearParent();
+        fun->clearProto();
     }
     return fun;
 }
@@ -2461,12 +2461,12 @@ Parser::setFunctionKinds(JSFunctionBox *funbox, uint32 *tcflags)
 
         JSFunction *fun = funbox->function();
 
-        JS_ASSERT(FUN_KIND(fun) == JSFUN_INTERPRETED);
+        JS_ASSERT(fun->kind() == JSFUN_INTERPRETED);
 
         if (funbox->tcflags & TCF_FUN_HEAVYWEIGHT) {
             /* nothing to do */
         } else if (funbox->inAnyDynamicScope()) {
-            JS_ASSERT(!FUN_NULL_CLOSURE(fun));
+            JS_ASSERT(!fun->isNullClosure());
         } else if (pn->pn_type != TOK_UPVARS) {
             /*
              * No lexical dependencies => null closure, for best performance.
@@ -2484,7 +2484,7 @@ Parser::setFunctionKinds(JSFunctionBox *funbox, uint32 *tcflags)
              *
              * FIXME: bug 476950.
              */
-            FUN_SET_KIND(fun, JSFUN_NULL_CLOSURE);
+            fun->setKind(JSFUN_NULL_CLOSURE);
         } else {
             AtomDefnMapPtr upvars = pn->pn_names;
             JS_ASSERT(!upvars->empty());
@@ -2512,7 +2512,7 @@ Parser::setFunctionKinds(JSFunctionBox *funbox, uint32 *tcflags)
                 }
 
                 if (r.empty())
-                    FUN_SET_KIND(fun, JSFUN_NULL_CLOSURE);
+                    fun->setKind(JSFUN_NULL_CLOSURE);
             } else {
                 uintN nupvars = 0, nflattened = 0;
 
@@ -2550,13 +2550,13 @@ Parser::setFunctionKinds(JSFunctionBox *funbox, uint32 *tcflags)
                 }
 
                 if (nupvars == 0) {
-                    FUN_SET_KIND(fun, JSFUN_NULL_CLOSURE);
+                    fun->setKind(JSFUN_NULL_CLOSURE);
                 } else if (nflattened == nupvars) {
                     /*
                      * We made it all the way through the upvar loop, so it's
                      * safe to optimize to a flat closure.
                      */
-                    FUN_SET_KIND(fun, JSFUN_FLAT_CLOSURE);
+                    fun->setKind(JSFUN_FLAT_CLOSURE);
                     switch (PN_OP(fn)) {
                       case JSOP_DEFFUN:
                         fn->pn_op = JSOP_DEFFUN_FC;
@@ -2575,7 +2575,7 @@ Parser::setFunctionKinds(JSFunctionBox *funbox, uint32 *tcflags)
             }
         }
 
-        if (FUN_KIND(fun) == JSFUN_INTERPRETED && pn->pn_type == TOK_UPVARS) {
+        if (fun->kind() == JSFUN_INTERPRETED && pn->pn_type == TOK_UPVARS) {
             /*
              * One or more upvars cannot be safely snapshot into a flat
              * closure's non-reserved slot (see JSOP_GETFCSLOT), so we loop
@@ -2621,7 +2621,7 @@ Parser::markExtensibleScopeDescendants(JSFunctionBox *funbox, bool hasExtensible
 {
     for (; funbox; funbox = funbox->siblings) {
         /*
-         * It would be nice to use FUN_KIND(fun) here to recognize functions
+         * It would be nice to use fun->kind() here to recognize functions
          * that will never consult their parent chains, and thus don't need
          * their 'extensible parents' flag set. Filed as bug 619750. 
          */
@@ -2663,7 +2663,7 @@ EnterFunction(JSParseNode *fn, JSTreeContext *funtc, JSAtom *funAtom = NULL,
         return NULL;
 
     /* Create box for fun->object early to protect against last-ditch GC. */
-    JSFunctionBox *funbox = tc->parser->newFunctionBox(FUN_OBJECT(fun), fn, tc);
+    JSFunctionBox *funbox = tc->parser->newFunctionBox(fun, fn, tc);
     if (!funbox)
         return NULL;
 
diff --git a/js/src/jsprobes.cpp b/js/src/jsprobes.cpp
index 5239025b8e4e..2bd500ba2321 100644
--- a/js/src/jsprobes.cpp
+++ b/js/src/jsprobes.cpp
@@ -90,10 +90,10 @@ FunctionName(JSContext *cx, const JSFunction *fun, JSAutoByteString* bytes)
 static const char *
 FunctionClassname(const JSFunction *fun)
 {
-    if (!fun || FUN_INTERPRETED(fun))
+    if (!fun || fun->isInterpreted())
         return Probes::nullName;
-    if (!(fun->flags & JSFUN_TRCINFO) && FUN_CLASP(fun))
-        return (char *)FUN_CLASP(fun)->name;
+    if (!(fun->flags & JSFUN_TRCINFO) && fun->getConstructorClass())
+        return fun->getConstructorClass()->name;
     return Probes::nullName;
 }
 
diff --git a/js/src/jspropertycache.cpp b/js/src/jspropertycache.cpp
index 98b709f2050a..3aed109fcded 100644
--- a/js/src/jspropertycache.cpp
+++ b/js/src/jspropertycache.cpp
@@ -171,7 +171,7 @@ PropertyCache::fill(JSContext *cx, JSObject *obj, uintN scopeIndex, JSObject *po
                     if (!pobj->branded()) {
                         PCMETER(brandfills++);
 #ifdef DEBUG_notme
-                        JSFunction *fun = GET_FUNCTION_PRIVATE(cx, JSVAL_TO_OBJECT(v));
+                        JSFunction *fun = JSVAL_TO_OBJECT(v)->getFunctionPrivate();
                         JSAutoByteString funNameBytes;
                         if (const char *funName = GetFunctionNameBytes(cx, fun, &funNameBytes)) {
                             fprintf(stderr,
diff --git a/js/src/jsproxy.cpp b/js/src/jsproxy.cpp
index d9bbc5832c26..f4c67c44fff7 100644
--- a/js/src/jsproxy.cpp
+++ b/js/src/jsproxy.cpp
@@ -129,10 +129,8 @@ JSProxyHandler::get(JSContext *cx, JSObject *proxy, JSObject *receiver, jsid id,
         *vp = desc.value;
         return true;
     }
-    if (desc.attrs & JSPROP_GETTER) {
-        return ExternalGetOrSet(cx, receiver, id, CastAsObjectJsval(desc.getter),
-                                JSACC_READ, 0, NULL, vp);
-    }
+    if (desc.attrs & JSPROP_GETTER)
+        return InvokeGetterOrSetter(cx, receiver, CastAsObjectJsval(desc.getter), 0, NULL, vp);
     if (!(desc.attrs & JSPROP_SHARED))
         *vp = desc.value;
     else
@@ -275,8 +273,7 @@ JSProxyHandler::call(JSContext *cx, JSObject *proxy, uintN argc, Value *vp)
 {
     JS_ASSERT(OperationInProgress(cx, proxy));
     AutoValueRooter rval(cx);
-    JSBool ok = ExternalInvoke(cx, vp[1], GetCall(proxy), argc, JS_ARGV(cx, vp),
-                               rval.addr());
+    JSBool ok = Invoke(cx, vp[1], GetCall(proxy), argc, JS_ARGV(cx, vp), rval.addr());
     if (ok)
         JS_SET_RVAL(cx, vp, rval.value());
     return ok;
@@ -289,8 +286,8 @@ JSProxyHandler::construct(JSContext *cx, JSObject *proxy,
     JS_ASSERT(OperationInProgress(cx, proxy));
     Value fval = GetConstruct(proxy);
     if (fval.isUndefined())
-        return ExternalInvokeConstructor(cx, GetCall(proxy), argc, argv, rval);
-    return ExternalInvoke(cx, UndefinedValue(), fval, argc, argv, rval);
+        return InvokeConstructor(cx, GetCall(proxy), argc, argv, rval);
+    return Invoke(cx, UndefinedValue(), fval, argc, argv, rval);
 }
 
 bool
@@ -359,7 +356,7 @@ GetDerivedTrap(JSContext *cx, JSObject *handler, JSAtom *atom, Value *fvalp)
 static bool
 Trap(JSContext *cx, JSObject *handler, Value fval, uintN argc, Value* argv, Value *rval)
 {
-    return ExternalInvoke(cx, ObjectValue(*handler), fval, argc, argv, rval);
+    return Invoke(cx, ObjectValue(*handler), fval, argc, argv, rval);
 }
 
 static bool
@@ -1117,9 +1114,7 @@ proxy_Construct(JSContext *cx, uintN argc, Value *vp)
 {
     JSObject *proxy = &JS_CALLEE(cx, vp).toObject();
     JS_ASSERT(proxy->isProxy());
-    Value rval;
-    bool ok = JSProxy::construct(cx, proxy, argc, JS_ARGV(cx, vp), &rval);
-    *vp = rval;
+    bool ok = JSProxy::construct(cx, proxy, argc, JS_ARGV(cx, vp), vp);
     return ok;
 }
 
@@ -1315,9 +1310,7 @@ callable_Call(JSContext *cx, uintN argc, Value *vp)
     JS_ASSERT(callable->getClass() == &CallableObjectClass);
     const Value &fval = callable->getSlot(JSSLOT_CALLABLE_CALL);
     const Value &thisval = vp[1];
-    Value rval;
-    bool ok = ExternalInvoke(cx, thisval, fval, argc, JS_ARGV(cx, vp), &rval);
-    *vp = rval;
+    bool ok = Invoke(cx, thisval, fval, argc, JS_ARGV(cx, vp), vp);
     return ok;
 }
 
@@ -1355,8 +1348,8 @@ callable_Construct(JSContext *cx, uintN argc, Value *vp)
 
         /* If the call returns an object, return that, otherwise the original newobj. */
         Value rval;
-        if (!ExternalInvoke(cx, ObjectValue(*newobj), callable->getSlot(JSSLOT_CALLABLE_CALL),
-                            argc, vp + 2, &rval)) {
+        if (!Invoke(cx, ObjectValue(*newobj), callable->getSlot(JSSLOT_CALLABLE_CALL),
+                    argc, vp + 2, &rval)) {
             return false;
         }
         if (rval.isPrimitive())
@@ -1366,9 +1359,7 @@ callable_Construct(JSContext *cx, uintN argc, Value *vp)
         return true;
     }
 
-    Value rval;
-    bool ok = ExternalInvoke(cx, ObjectValue(*thisobj), fval, argc, vp + 2, &rval);
-    *vp = rval;
+    bool ok = Invoke(cx, ObjectValue(*thisobj), fval, argc, vp + 2, vp);
     return ok;
 }
 
diff --git a/js/src/jsreflect.cpp b/js/src/jsreflect.cpp
index bf8a9fca3ede..618712ca916c 100644
--- a/js/src/jsreflect.cpp
+++ b/js/src/jsreflect.cpp
@@ -231,11 +231,11 @@ class NodeBuilder
             if (!newNodeLoc(pos, &loc))
                 return false;
             Value argv[] = { loc };
-            return ExternalInvoke(cx, userv, fun, JS_ARRAY_LENGTH(argv), argv, dst);
+            return Invoke(cx, userv, fun, JS_ARRAY_LENGTH(argv), argv, dst);
         }
 
         Value argv[] = { NullValue() }; /* no zero-length arrays allowed! */
-        return ExternalInvoke(cx, userv, fun, 0, argv, dst);
+        return Invoke(cx, userv, fun, 0, argv, dst);
     }
 
     bool callback(Value fun, Value v1, TokenPos *pos, Value *dst) {
@@ -244,11 +244,11 @@ class NodeBuilder
             if (!newNodeLoc(pos, &loc))
                 return false;
             Value argv[] = { v1, loc };
-            return ExternalInvoke(cx, userv, fun, JS_ARRAY_LENGTH(argv), argv, dst);
+            return Invoke(cx, userv, fun, JS_ARRAY_LENGTH(argv), argv, dst);
         }
 
         Value argv[] = { v1 };
-        return ExternalInvoke(cx, userv, fun, JS_ARRAY_LENGTH(argv), argv, dst);
+        return Invoke(cx, userv, fun, JS_ARRAY_LENGTH(argv), argv, dst);
     }
 
     bool callback(Value fun, Value v1, Value v2, TokenPos *pos, Value *dst) {
@@ -257,11 +257,11 @@ class NodeBuilder
             if (!newNodeLoc(pos, &loc))
                 return false;
             Value argv[] = { v1, v2, loc };
-            return ExternalInvoke(cx, userv, fun, JS_ARRAY_LENGTH(argv), argv, dst);
+            return Invoke(cx, userv, fun, JS_ARRAY_LENGTH(argv), argv, dst);
         }
 
         Value argv[] = { v1, v2 };
-        return ExternalInvoke(cx, userv, fun, JS_ARRAY_LENGTH(argv), argv, dst);
+        return Invoke(cx, userv, fun, JS_ARRAY_LENGTH(argv), argv, dst);
     }
 
     bool callback(Value fun, Value v1, Value v2, Value v3, TokenPos *pos, Value *dst) {
@@ -270,11 +270,11 @@ class NodeBuilder
             if (!newNodeLoc(pos, &loc))
                 return false;
             Value argv[] = { v1, v2, v3, loc };
-            return ExternalInvoke(cx, userv, fun, JS_ARRAY_LENGTH(argv), argv, dst);
+            return Invoke(cx, userv, fun, JS_ARRAY_LENGTH(argv), argv, dst);
         }
 
         Value argv[] = { v1, v2, v3 };
-        return ExternalInvoke(cx, userv, fun, JS_ARRAY_LENGTH(argv), argv, dst);
+        return Invoke(cx, userv, fun, JS_ARRAY_LENGTH(argv), argv, dst);
     }
 
     bool callback(Value fun, Value v1, Value v2, Value v3, Value v4, TokenPos *pos, Value *dst) {
@@ -283,11 +283,11 @@ class NodeBuilder
             if (!newNodeLoc(pos, &loc))
                 return false;
             Value argv[] = { v1, v2, v3, v4, loc };
-            return ExternalInvoke(cx, userv, fun, JS_ARRAY_LENGTH(argv), argv, dst);
+            return Invoke(cx, userv, fun, JS_ARRAY_LENGTH(argv), argv, dst);
         }
 
         Value argv[] = { v1, v2, v3, v4 };
-        return ExternalInvoke(cx, userv, fun, JS_ARRAY_LENGTH(argv), argv, dst);
+        return Invoke(cx, userv, fun, JS_ARRAY_LENGTH(argv), argv, dst);
     }
 
     bool callback(Value fun, Value v1, Value v2, Value v3, Value v4, Value v5,
@@ -297,11 +297,11 @@ class NodeBuilder
             if (!newNodeLoc(pos, &loc))
                 return false;
             Value argv[] = { v1, v2, v3, v4, v5, loc };
-            return ExternalInvoke(cx, userv, fun, JS_ARRAY_LENGTH(argv), argv, dst);
+            return Invoke(cx, userv, fun, JS_ARRAY_LENGTH(argv), argv, dst);
         }
 
         Value argv[] = { v1, v2, v3, v4, v5 };
-        return ExternalInvoke(cx, userv, fun, JS_ARRAY_LENGTH(argv), argv, dst);
+        return Invoke(cx, userv, fun, JS_ARRAY_LENGTH(argv), argv, dst);
     }
 
     Value opt(Value v) {
diff --git a/js/src/jsscopeinlines.h b/js/src/jsscopeinlines.h
index 7dbca57e741e..915c473eb361 100644
--- a/js/src/jsscopeinlines.h
+++ b/js/src/jsscopeinlines.h
@@ -267,7 +267,7 @@ Shape::get(JSContext* cx, JSObject *receiver, JSObject* obj, JSObject *pobj, js:
     if (hasGetterValue()) {
         JS_ASSERT(!isMethod());
         js::Value fval = getterValue();
-        return js::ExternalGetOrSet(cx, receiver, propid, fval, JSACC_READ, 0, 0, vp);
+        return js::InvokeGetterOrSetter(cx, receiver, fval, 0, 0, vp);
     }
 
     if (isMethod()) {
@@ -291,7 +291,7 @@ Shape::set(JSContext* cx, JSObject* obj, bool strict, js::Value* vp) const
 
     if (attrs & JSPROP_SETTER) {
         js::Value fval = setterValue();
-        return js::ExternalGetOrSet(cx, obj, propid, fval, JSACC_WRITE, 1, vp, vp);
+        return js::InvokeGetterOrSetter(cx, obj, fval, 1, vp, vp);
     }
 
     if (attrs & JSPROP_GETTER)
diff --git a/js/src/jsscript.cpp b/js/src/jsscript.cpp
index 89c1b35bdd5c..77fd4ee2a9ef 100644
--- a/js/src/jsscript.cpp
+++ b/js/src/jsscript.cpp
@@ -1234,7 +1234,7 @@ JSScript::NewScriptFromCG(JSContext *cx, JSCodeGenerator *cg)
     if (cg->inFunction()) {
         /*
          * We initialize fun->u.i.script to be the script constructed above
-         * so that the debugger has a valid FUN_SCRIPT(fun).
+         * so that the debugger has a valid fun->script().
          */
         fun = cg->fun();
         JS_ASSERT(fun->isInterpreted());
diff --git a/js/src/jsscriptinlines.h b/js/src/jsscriptinlines.h
index ad6929e497e5..387185b15905 100644
--- a/js/src/jsscriptinlines.h
+++ b/js/src/jsscriptinlines.h
@@ -120,7 +120,7 @@ JSScript::getFunction(size_t index)
     JS_ASSERT(funobj->isFunction());
     JS_ASSERT(funobj == (JSObject *) funobj->getPrivate());
     JSFunction *fun = (JSFunction *) funobj;
-    JS_ASSERT(FUN_INTERPRETED(fun));
+    JS_ASSERT(fun->isInterpreted());
     return fun;
 }
 
diff --git a/js/src/jsstr.cpp b/js/src/jsstr.cpp
index 5ac46c7e84c6..fdf53f0e271d 100644
--- a/js/src/jsstr.cpp
+++ b/js/src/jsstr.cpp
@@ -3504,7 +3504,7 @@ js_ValueToSource(JSContext *cx, const Value &v)
     if (!js_GetMethod(cx, &v.toObject(), id, JSGET_NO_METHOD_BARRIER, &fval))
         return false;
     if (js_IsCallable(fval)) {
-        if (!ExternalInvoke(cx, v, fval, 0, NULL, &rval))
+        if (!Invoke(cx, v, fval, 0, NULL, &rval))
             return false;
     }
 
diff --git a/js/src/jstracer.cpp b/js/src/jstracer.cpp
index 0cfe1142965a..2875ca40e192 100644
--- a/js/src/jstracer.cpp
+++ b/js/src/jstracer.cpp
@@ -2810,7 +2810,7 @@ ValueToNative(const Value &v, JSValueType type, double* slot)
 
       case JSVAL_TYPE_FUNOBJ: {
         JS_ASSERT(IsFunctionObject(v));
-        JSFunction* fun = GET_FUNCTION_PRIVATE(cx, &v.toObject());
+        JSFunction* fun = v.toObject().getFunctionPrivate();
 #if defined JS_JIT_SPEW
         if (LogController.lcbits & LC_TMTracer) {
             char funName[40];
@@ -3109,7 +3109,7 @@ NativeToValue(JSContext* cx, Value& v, JSValueType type, double* slot)
         JS_ASSERT(IsFunctionObject(v));
 #if defined JS_JIT_SPEW
         if (LogController.lcbits & LC_TMTracer) {
-            JSFunction* fun = GET_FUNCTION_PRIVATE(cx, &v.toObject());
+            JSFunction* fun = v.toObject().getFunctionPrivate();
             char funName[40];
             if (fun->atom)
                 JS_PutEscapedFlatString(funName, sizeof funName, fun->atom, 0);
@@ -3385,7 +3385,7 @@ GetUpvarOnTrace(JSContext* cx, uint32 upvarLevel, int32 slot, uint32 callDepth,
          */
         stackOffset -= fi->callerHeight;
         JSObject* callee = *(JSObject**)(&state->stackBase[stackOffset]);
-        JSFunction* fun = GET_FUNCTION_PRIVATE(cx, callee);
+        JSFunction* fun = callee->getFunctionPrivate();
         uintN calleeLevel = fun->script()->staticLevel;
         if (calleeLevel == upvarLevel) {
             /*
@@ -10541,7 +10541,7 @@ static JSBool JS_FASTCALL
 functionProbe(JSContext *cx, JSFunction *fun, int enter)
 {
 #ifdef MOZ_TRACE_JSCALLS
-    JSScript *script = fun ? FUN_SCRIPT(fun) : NULL;
+    JSScript *script = fun ? fun->maybeScript() : NULL;
     if (enter > 0)
         Probes::enterJSFun(cx, fun, script, enter);
     else
@@ -11011,7 +11011,7 @@ TraceRecorder::getClassPrototype(JSObject* ctor, LIns*& proto_ins)
 {
     // ctor must be a function created via js_InitClass.
 #ifdef DEBUG
-    Class *clasp = FUN_CLASP(GET_FUNCTION_PRIVATE(cx, ctor));
+    Class *clasp = ctor->getFunctionPrivate()->getConstructorClass();
     JS_ASSERT(clasp);
 
     TraceMonitor &localtm = *traceMonitor;
@@ -11553,7 +11553,7 @@ TraceRecorder::callNative(uintN argc, JSOp mode)
     }
 
     if (fun->flags & JSFUN_TRCINFO) {
-        JSNativeTraceInfo *trcinfo = FUN_TRCINFO(fun);
+        JSNativeTraceInfo *trcinfo = fun->getTraceInfo();
         JS_ASSERT(trcinfo && fun->u.n.native == trcinfo->native);
 
         /* Try to call a type specialized version of the native. */
@@ -11708,10 +11708,10 @@ TraceRecorder::functionCall(uintN argc, JSOp mode)
      * Bytecode sequences that push shapeless callees must guard on the callee
      * class being Function and the function being interpreted.
      */
-    JSFunction* fun = GET_FUNCTION_PRIVATE(cx, &fval.toObject());
+    JSFunction* fun = fval.toObject().getFunctionPrivate();
 
     if (Probes::callTrackingActive(cx)) {
-        JSScript *script = FUN_SCRIPT(fun);
+        JSScript *script = fun->maybeScript();
         if (!script || !script->isEmpty()) {
             LIns* args[] = { w.immi(1), w.nameImmpNonGC(fun), cx_ins };
             LIns* call_ins = w.call(&functionProbe_ci, args);
@@ -11719,7 +11719,7 @@ TraceRecorder::functionCall(uintN argc, JSOp mode)
         }
     }
 
-    if (FUN_INTERPRETED(fun))
+    if (fun->isInterpreted())
         return interpretedFunctionCall(fval, fun, argc, mode == JSOP_NEW);
 
     Native native = fun->maybeNative();
@@ -13617,7 +13617,8 @@ TraceRecorder::guardCallee(Value& callee)
      * private data) case as noted above.
      */
     if (callee_fun->isInterpreted() &&
-        (!FUN_NULL_CLOSURE(callee_fun) || callee_fun->script()->bindings.hasUpvars())) {
+        (!callee_fun->isNullClosure() || callee_fun->script()->bindings.hasUpvars()))
+    {
         JSObject* parent = callee_obj.getParent();
 
         if (parent != globalObj) {
@@ -13819,8 +13820,8 @@ TraceRecorder::record_JSOP_FUNAPPLY()
     RETURN_IF_XML_A(vp[0]);
 
     JSObject* obj = &vp[0].toObject();
-    JSFunction* fun = GET_FUNCTION_PRIVATE(cx, obj);
-    if (FUN_INTERPRETED(fun))
+    JSFunction* fun = obj->getFunctionPrivate();
+    if (fun->isInterpreted())
         return record_JSOP_CALL();
 
     bool apply = fun->u.n.native == js_fun_apply;
@@ -15422,7 +15423,7 @@ TraceRecorder::record_JSOP_LAMBDA()
     JSFunction* fun;
     fun = cx->fp()->script()->getFunction(getFullIndex());
 
-    if (FUN_NULL_CLOSURE(fun) && FUN_OBJECT(fun)->getParent() != globalObj)
+    if (fun->isNullClosure() && fun->getParent() != globalObj)
         RETURN_STOP_A("Null closure function object parent must be global object");
 
     /*
@@ -15436,12 +15437,12 @@ TraceRecorder::record_JSOP_LAMBDA()
      * JSOP_INITMETHOD logic governing the early ARECORD_CONTINUE returns below
      * must agree with the corresponding break-from-do-while(0) logic there.
      */
-    if (FUN_NULL_CLOSURE(fun) && FUN_OBJECT(fun)->getParent() == &cx->fp()->scopeChain()) {
+    if (fun->isNullClosure() && fun->getParent() == &cx->fp()->scopeChain()) {
         jsbytecode *pc2 = AdvanceOverBlockchainOp(cx->regs().pc + JSOP_LAMBDA_LENGTH);
         JSOp op2 = JSOp(*pc2);
 
         if (op2 == JSOP_INITMETHOD) {
-            stack(0, w.immpObjGC(FUN_OBJECT(fun)));
+            stack(0, w.immpObjGC(fun));
             return ARECORD_CONTINUE;
         }
 
@@ -15449,7 +15450,7 @@ TraceRecorder::record_JSOP_LAMBDA()
             Value lval = stackval(-1);
 
             if (!lval.isPrimitive() && lval.toObject().canHaveMethodBarrier()) {
-                stack(0, w.immpObjGC(FUN_OBJECT(fun)));
+                stack(0, w.immpObjGC(fun));
                 return ARECORD_CONTINUE;
             }
         } else if (fun->joinable()) {
@@ -15477,7 +15478,7 @@ TraceRecorder::record_JSOP_LAMBDA()
 
                     if ((iargc == 1 && native == array_sort) ||
                         (iargc == 2 && native == str_replace)) {
-                        stack(0, w.immpObjGC(FUN_OBJECT(fun)));
+                        stack(0, w.immpObjGC(fun));
                         return ARECORD_CONTINUE;
                     }
                 }
@@ -15486,7 +15487,7 @@ TraceRecorder::record_JSOP_LAMBDA()
                 op2 = JSOp(*pc2);
 
                 if (op2 == JSOP_CALL && GET_ARGC(pc2) == 0) {
-                    stack(0, w.immpObjGC(FUN_OBJECT(fun)));
+                    stack(0, w.immpObjGC(fun));
                     return ARECORD_CONTINUE;
                 }
             }
@@ -15497,6 +15498,9 @@ TraceRecorder::record_JSOP_LAMBDA()
 
         LIns* args[] = { w.immpObjGC(globalObj), proto_ins, w.immpFunGC(fun), cx_ins };
         LIns* x = w.call(&js_NewNullClosure_ci, args);
+        guard(false,
+              w.name(w.eqp0(x), "guard(js_NewNullClosure_ci)"),
+              OOM_EXIT);
         stack(0, x);
         return ARECORD_CONTINUE;
     }
@@ -15524,7 +15528,7 @@ TraceRecorder::record_JSOP_LAMBDA_FC()
     JSFunction* fun;
     fun = cx->fp()->script()->getFunction(getFullIndex());
 
-    if (FUN_OBJECT(fun)->getParent() != globalObj)
+    if (fun->getParent() != globalObj)
         return ARECORD_STOP;
 
     if (GetBlockChainFast(cx, cx->fp(), JSOP_LAMBDA_FC, JSOP_LAMBDA_FC_LENGTH))
@@ -15672,9 +15676,9 @@ TraceRecorder::record_JSOP_ARGCNT()
 JS_REQUIRES_STACK AbortableRecordingStatus
 TraceRecorder::record_DefLocalFunSetSlot(uint32 slot, JSObject* obj)
 {
-    JSFunction* fun = GET_FUNCTION_PRIVATE(cx, obj);
+    JSFunction* fun = obj->getFunctionPrivate();
 
-    if (FUN_NULL_CLOSURE(fun) && FUN_OBJECT(fun)->getParent() == globalObj) {
+    if (fun->isNullClosure() && fun->getParent() == globalObj) {
         LIns *proto_ins;
         CHECK_STATUS_A(getClassPrototype(JSProto_Function, proto_ins));
 
@@ -16012,7 +16016,7 @@ TraceRecorder::record_JSOP_CALLPROP()
 
     if (pcval.isFunObj()) {
         if (l.isPrimitive()) {
-            JSFunction* fun = GET_FUNCTION_PRIVATE(cx, &pcval.toFunObj());
+            JSFunction* fun = pcval.toFunObj().getFunctionPrivate();
             if (fun->isInterpreted() && !fun->inStrictMode())
                 RETURN_STOP_A("callee does not accept primitive |this|");
         }
diff --git a/js/src/jswrapper.cpp b/js/src/jswrapper.cpp
index ff1bb1408414..779b23dd8add 100644
--- a/js/src/jswrapper.cpp
+++ b/js/src/jswrapper.cpp
@@ -409,11 +409,12 @@ ForceFrame::enter()
     LeaveTrace(context);
 
     JS_ASSERT(context->compartment == target->compartment());
+    JSCompartment *destination = context->compartment;
 
     JSObject *scopeChain = target->getGlobal();
     JS_ASSERT(scopeChain->isNative());
 
-    return context->stack.pushDummyFrame(context, REPORT_ERROR, *scopeChain, frame);
+    return context->stack.pushDummyFrame(context, destination, *scopeChain, frame);
 }
 
 AutoCompartment::AutoCompartment(JSContext *cx, JSObject *target)
@@ -442,21 +443,8 @@ AutoCompartment::enter()
         JS_ASSERT(scopeChain->isNative());
 
         frame.construct();
-
-        /*
-         * Set the compartment eagerly so that pushDummyFrame associates the
-         * resource allocation request with 'destination' instead of 'origin'.
-         * (This is important when content has overflowed the stack and chrome
-         * is preparing to run JS to throw up a slow script dialog.) However,
-         * if an exception is thrown, we need it to be in origin's compartment
-         * so be careful to only report after restoring.
-         */
-        context->compartment = destination;
-        if (!context->stack.pushDummyFrame(context, DONT_REPORT_ERROR, *scopeChain, &frame.ref())) {
-            context->compartment = origin;
-            js_ReportOverRecursed(context);
+        if (!context->stack.pushDummyFrame(context, destination, *scopeChain, &frame.ref()))
             return false;
-        }
 
         if (context->isExceptionPending())
             context->wrapPendingException();
@@ -484,7 +472,7 @@ ErrorCopier::~ErrorCopier()
         cx->isExceptionPending())
     {
         Value exc = cx->getPendingException();
-        if (exc.isObject() && exc.toObject().isError()) {
+        if (exc.isObject() && exc.toObject().isError() && exc.toObject().getPrivate()) {
             cx->clearPendingException();
             ac.leave();
             JSObject *copyobj = js_CopyErrorObject(cx, &exc.toObject(), scope);
diff --git a/js/src/jsxml.cpp b/js/src/jsxml.cpp
index 984650f5b5d1..5b1f0eb1721a 100644
--- a/js/src/jsxml.cpp
+++ b/js/src/jsxml.cpp
@@ -1643,7 +1643,7 @@ GetXMLSetting(JSContext *cx, const char *name, jsval *vp)
 
     if (!js_FindClassObject(cx, NULL, JSProto_XML, Valueify(&v)))
         return JS_FALSE;
-    if (!VALUE_IS_FUNCTION(cx, v)) {
+    if (JSVAL_IS_PRIMITIVE(v) || !JSVAL_TO_OBJECT(v)->isFunction()) {
         *vp = JSVAL_VOID;
         return JS_TRUE;
     }
@@ -5153,7 +5153,8 @@ StartNonListXMLMethod(JSContext *cx, jsval *vp, JSObject **objp)
     JSFunction *fun;
     char numBuf[12];
 
-    JS_ASSERT(VALUE_IS_FUNCTION(cx, *vp));
+    JS_ASSERT(!JSVAL_IS_PRIMITIVE(*vp));
+    JS_ASSERT(JSVAL_TO_OBJECT(*vp)->isFunction());
 
     *objp = ToObject(cx, Valueify(&vp[1]));
     if (!*objp)
@@ -5177,7 +5178,7 @@ StartNonListXMLMethod(JSContext *cx, jsval *vp, JSObject **objp)
         }
     }
 
-    fun = GET_FUNCTION_PRIVATE(cx, JSVAL_TO_OBJECT(*vp));
+    fun = JSVAL_TO_OBJECT(*vp)->getFunctionPrivate();
     JS_snprintf(numBuf, sizeof numBuf, "%u", xml->xml_kids.length);
     JSAutoByteString funNameBytes;
     if (const char *funName = GetFunctionNameBytes(cx, fun, &funNameBytes)) {
@@ -7500,7 +7501,7 @@ GetXMLFunction(JSContext *cx, JSObject *obj, jsid id, jsval *vp)
     for (;;) {
         if (!js_GetProperty(cx, target, id, Valueify(vp)))
             return false;
-        if (VALUE_IS_FUNCTION(cx, *vp))
+        if (!JSVAL_IS_PRIMITIVE(*vp) && JSVAL_TO_OBJECT(*vp)->isFunction())
             return true;
         target = target->getProto();
         if (target == NULL || !target->isNative())
diff --git a/js/src/methodjit/InvokeHelpers.cpp b/js/src/methodjit/InvokeHelpers.cpp
index 8d43c677bb78..730a5e704e20 100644
--- a/js/src/methodjit/InvokeHelpers.cpp
+++ b/js/src/methodjit/InvokeHelpers.cpp
@@ -114,6 +114,7 @@ top:
                 continue;
 
             jsbytecode *pc = script->main + tn->start + tn->length;
+            cx->regs().pc = pc;
             JSBool ok = js_UnwindScope(cx, tn->stackDepth, JS_TRUE);
             JS_ASSERT(cx->regs().sp == fp->base() + tn->stackDepth);
 
@@ -191,14 +192,14 @@ InlineReturn(VMFrame &f)
 void JS_FASTCALL
 stubs::SlowCall(VMFrame &f, uint32 argc)
 {
-    if (!Invoke(f.cx, CallArgsFromSp(argc, f.regs.sp)))
+    if (!InvokeKernel(f.cx, CallArgsFromSp(argc, f.regs.sp)))
         THROW();
 }
 
 void JS_FASTCALL
 stubs::SlowNew(VMFrame &f, uint32 argc)
 {
-    if (!InvokeConstructor(f.cx, CallArgsFromSp(argc, f.regs.sp)))
+    if (!InvokeConstructorKernel(f.cx, CallArgsFromSp(argc, f.regs.sp)))
         THROW();
 }
 
@@ -378,7 +379,7 @@ stubs::UncachedNewHelper(VMFrame &f, uint32 argc, UncachedCallResult *ucr)
         if (!UncachedInlineCall(f, CONSTRUCT, &ucr->codeAddr, &ucr->unjittable, argc))
             THROW();
     } else {
-        if (!InvokeConstructor(cx, args))
+        if (!InvokeConstructorKernel(cx, args))
             THROW();
     }
 }
@@ -397,7 +398,7 @@ stubs::Eval(VMFrame &f, uint32 argc)
     CallArgs args = CallArgsFromSp(argc, f.regs.sp);
 
     if (!IsBuiltinEvalForScope(&f.fp()->scopeChain(), args.calleev())) {
-        if (!Invoke(f.cx, args))
+        if (!InvokeKernel(f.cx, args))
             THROW();
         return;
     }
@@ -419,7 +420,7 @@ stubs::UncachedCallHelper(VMFrame &f, uint32 argc, UncachedCallResult *ucr)
 
     if (IsFunctionObject(args.calleev(), &ucr->callee)) {
         ucr->callee = &args.callee();
-        ucr->fun = GET_FUNCTION_PRIVATE(cx, ucr->callee);
+        ucr->fun = ucr->callee->getFunctionPrivate();
 
         if (ucr->fun->isInterpreted()) {
             if (!UncachedInlineCall(f, NO_CONSTRUCT, &ucr->codeAddr, &ucr->unjittable, argc))
@@ -434,7 +435,7 @@ stubs::UncachedCallHelper(VMFrame &f, uint32 argc, UncachedCallResult *ucr)
         }
     }
 
-    if (!Invoke(f.cx, args))
+    if (!InvokeKernel(f.cx, args))
         THROW();
 
     return;
diff --git a/js/src/methodjit/PolyIC.cpp b/js/src/methodjit/PolyIC.cpp
index e08b4a82614b..17e1a9ba96b4 100644
--- a/js/src/methodjit/PolyIC.cpp
+++ b/js/src/methodjit/PolyIC.cpp
@@ -558,7 +558,7 @@ class SetPropCompiler : public PICStubCompiler
                     return disable("can't have method barrier");
 
                 JSObject *funobj = &f.regs.sp[-1].toObject();
-                if (funobj != GET_FUNCTION_PRIVATE(cx, funobj))
+                if (funobj != funobj->getFunctionPrivate())
                     return disable("mismatched function");
 
                 flags |= Shape::METHOD;
diff --git a/js/src/methodjit/StubCalls.cpp b/js/src/methodjit/StubCalls.cpp
index 8bb81d97f3dd..61eb31e58207 100644
--- a/js/src/methodjit/StubCalls.cpp
+++ b/js/src/methodjit/StubCalls.cpp
@@ -704,9 +704,9 @@ stubs::DefFun(VMFrame &f, JSFunction *fun)
      * a compound statement (not at the top statement level of global code, or
      * at the top level of a function body).
      */
-    JSObject *obj = FUN_OBJECT(fun);
+    JSObject *obj = fun;
 
-    if (FUN_NULL_CLOSURE(fun)) {
+    if (fun->isNullClosure()) {
         /*
          * Even a null closure needs a parent for principals finding.
          * FIXME: bug 476950, although debugger users may also demand some kind
@@ -1325,10 +1325,10 @@ stubs::DefLocalFun(VMFrame &f, JSFunction *fun)
      * activation.
      */
     JS_ASSERT(fun->isInterpreted());
-    JS_ASSERT(!FUN_FLAT_CLOSURE(fun));
-    JSObject *obj = FUN_OBJECT(fun);
+    JS_ASSERT(!fun->isFlatClosure());
+    JSObject *obj = fun;
 
-    if (FUN_NULL_CLOSURE(fun)) {
+    if (fun->isNullClosure()) {
         obj = CloneFunctionObject(f.cx, fun, &f.fp()->scopeChain());
         if (!obj)
             THROWV(NULL);
@@ -1381,8 +1381,8 @@ stubs::RegExp(VMFrame &f, JSObject *regex)
 JSObject * JS_FASTCALL
 stubs::LambdaForInit(VMFrame &f, JSFunction *fun)
 {
-    JSObject *obj = FUN_OBJECT(fun);
-    if (FUN_NULL_CLOSURE(fun) && obj->getParent() == &f.fp()->scopeChain()) {
+    JSObject *obj = fun;
+    if (fun->isNullClosure() && obj->getParent() == &f.fp()->scopeChain()) {
         fun->setMethodAtom(f.fp()->script()->getAtom(GET_SLOTNO(f.regs.pc)));
         return obj;
     }
@@ -1392,8 +1392,8 @@ stubs::LambdaForInit(VMFrame &f, JSFunction *fun)
 JSObject * JS_FASTCALL
 stubs::LambdaForSet(VMFrame &f, JSFunction *fun)
 {
-    JSObject *obj = FUN_OBJECT(fun);
-    if (FUN_NULL_CLOSURE(fun) && obj->getParent() == &f.fp()->scopeChain()) {
+    JSObject *obj = fun;
+    if (fun->isNullClosure() && obj->getParent() == &f.fp()->scopeChain()) {
         const Value &lref = f.regs.sp[-1];
         if (lref.isObject() && lref.toObject().canHaveMethodBarrier()) {
             fun->setMethodAtom(f.fp()->script()->getAtom(GET_SLOTNO(f.regs.pc)));
@@ -1406,8 +1406,8 @@ stubs::LambdaForSet(VMFrame &f, JSFunction *fun)
 JSObject * JS_FASTCALL
 stubs::LambdaJoinableForCall(VMFrame &f, JSFunction *fun)
 {
-    JSObject *obj = FUN_OBJECT(fun);
-    if (FUN_NULL_CLOSURE(fun) && obj->getParent() == &f.fp()->scopeChain()) {
+    JSObject *obj = fun;
+    if (fun->isNullClosure() && obj->getParent() == &f.fp()->scopeChain()) {
         /*
          * Array.prototype.sort and String.prototype.replace are
          * optimized as if they are special form. We know that they
@@ -1443,8 +1443,8 @@ stubs::LambdaJoinableForCall(VMFrame &f, JSFunction *fun)
 JSObject * JS_FASTCALL
 stubs::LambdaJoinableForNull(VMFrame &f, JSFunction *fun)
 {
-    JSObject *obj = FUN_OBJECT(fun);
-    if (FUN_NULL_CLOSURE(fun) && obj->getParent() == &f.fp()->scopeChain()) {
+    JSObject *obj = fun;
+    if (fun->isNullClosure() && obj->getParent() == &f.fp()->scopeChain()) {
         jsbytecode *pc2 = f.regs.pc + JSOP_NULL_LENGTH;
         JSOp op2 = JSOp(*pc2);
 
@@ -1457,10 +1457,10 @@ stubs::LambdaJoinableForNull(VMFrame &f, JSFunction *fun)
 JSObject * JS_FASTCALL
 stubs::Lambda(VMFrame &f, JSFunction *fun)
 {
-    JSObject *obj = FUN_OBJECT(fun);
+    JSObject *obj = fun;
 
     JSObject *parent;
-    if (FUN_NULL_CLOSURE(fun)) {
+    if (fun->isNullClosure()) {
         parent = &f.fp()->scopeChain();
     } else {
         parent = GetScopeChainFast(f.cx, f.fp(), JSOP_LAMBDA, JSOP_LAMBDA_LENGTH);
diff --git a/js/src/shell/js.cpp b/js/src/shell/js.cpp
index dce40201f3b2..4c158f44c36c 100644
--- a/js/src/shell/js.cpp
+++ b/js/src/shell/js.cpp
@@ -1554,7 +1554,7 @@ ValueToScript(JSContext *cx, jsval v)
         } else if (clasp == Jsvalify(&js_GeneratorClass)) {
             JSGenerator *gen = (JSGenerator *) JS_GetPrivate(cx, obj);
             fun = gen->floatingFrame()->fun();
-            script = FUN_SCRIPT(fun);
+            script = fun->script();
         }
     }
 
@@ -1562,7 +1562,7 @@ ValueToScript(JSContext *cx, jsval v)
         fun = JS_ValueToFunction(cx, v);
         if (!fun)
             return NULL;
-        script = FUN_SCRIPT(fun);
+        script = fun->maybeScript();
         if (!script) {
             JS_ReportErrorNumber(cx, my_GetErrorMessage, NULL,
                                  JSSMSG_SCRIPTS_ONLY);
@@ -1992,7 +1992,7 @@ DisassembleValue(JSContext *cx, jsval v, bool lines, bool recursive, Sprinter *s
     JSScript *script = ValueToScript(cx, v);
     if (!script)
         return false;
-    if (VALUE_IS_FUNCTION(cx, v)) {
+    if (!JSVAL_IS_PRIMITIVE(v) && JSVAL_TO_OBJECT(v)->isFunction()) {
         JSFunction *fun = JS_ValueToFunction(cx, v);
         if (fun && (fun->flags & ~7U)) {
             uint16 flags = fun->flags;
@@ -2007,10 +2007,10 @@ DisassembleValue(JSContext *cx, jsval v, bool lines, bool recursive, Sprinter *s
 
 #undef SHOW_FLAG
 
-            if (FUN_INTERPRETED(fun)) {
-                if (FUN_NULL_CLOSURE(fun))
+            if (fun->isInterpreted()) {
+                if (fun->isNullClosure())
                     Sprint(sp, " NULL_CLOSURE");
-                else if (FUN_FLAT_CLOSURE(fun))
+                else if (fun->isFlatClosure())
                     Sprint(sp, " FLAT_CLOSURE");
 
                 JSScript *script = fun->script();
@@ -2698,7 +2698,7 @@ Clone(JSContext *cx, uintN argc, jsval *vp)
                 return JS_FALSE;
             argv[0] = OBJECT_TO_JSVAL(obj);
         }
-        if (VALUE_IS_FUNCTION(cx, argv[0])) {
+        if (!JSVAL_IS_PRIMITIVE(argv[0]) && JSVAL_TO_OBJECT(argv[0])->isFunction()) {
             funobj = JSVAL_TO_OBJECT(argv[0]);
         } else {
             JSFunction *fun = JS_ValueToFunction(cx, argv[0]);
diff --git a/js/src/tests/ecma_5/extensions/JSON-string-replacer-overflow.js b/js/src/tests/ecma_5/extensions/JSON-string-replacer-overflow.js
new file mode 100644
index 000000000000..6eb5c3148c68
--- /dev/null
+++ b/js/src/tests/ecma_5/extensions/JSON-string-replacer-overflow.js
@@ -0,0 +1,24 @@
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/licenses/publicdomain/
+
+var r1 = [0, 1, 2, 3];
+Object.defineProperty(r1, (1 << 23) - 1, {});
+JSON.stringify({ 0: 0, 1: 1, 2: 2, 3: 3 }, r1)
+
+var r2 = [0, 1, 2, 3];
+Object.defineProperty(r2, (1 << 30), {});
+try
+{
+  JSON.stringify({ 0: 0, 1: 1, 2: 2, 3: 3 }, r2)
+}
+catch (e)
+{
+  assertEq(""+e, "InternalError: allocation size overflow");
+}
+
+/******************************************************************************/
+
+if (typeof reportCompare === "function")
+  reportCompare(true, true);
+
+print("Tests complete");
diff --git a/js/src/tests/ecma_5/extensions/jstests.list b/js/src/tests/ecma_5/extensions/jstests.list
index e96e4789c764..44a7486f9f8b 100644
--- a/js/src/tests/ecma_5/extensions/jstests.list
+++ b/js/src/tests/ecma_5/extensions/jstests.list
@@ -16,6 +16,7 @@ script extension-methods-reject-null-undefined-this.js
 skip-if(!xulRuntime.shell) script function-definition-with.js # needs evaluate()
 script function-properties.js
 script iterator-in-catch.js
+script JSON-string-replacer-overflow.js
 skip-if(!xulRuntime.shell) script legacy-JSON.js # needs parseLegacyJSON
 fails script nested-delete-name-in-evalcode.js # bug 604301, at a minimum
 script proxy-strict.js
diff --git a/js/src/vm/Debugger.cpp b/js/src/vm/Debugger.cpp
index 2af8e06ef8da..69d97edd44e9 100644
--- a/js/src/vm/Debugger.cpp
+++ b/js/src/vm/Debugger.cpp
@@ -520,7 +520,7 @@ Debugger::handleUncaughtException(AutoCompartment &ac, Value *vp, bool callHook)
             Value exc = cx->getPendingException();
             Value rv;
             cx->clearPendingException();
-            if (ExternalInvoke(cx, ObjectValue(*object), fval, 1, &exc, &rv))
+            if (Invoke(cx, ObjectValue(*object), fval, 1, &exc, &rv))
                 return vp ? parseResumptionValue(ac, true, rv, vp, false) : JSTRAP_CONTINUE;
         }
 
@@ -626,7 +626,7 @@ CallMethodIfPresent(JSContext *cx, JSObject *obj, const char *name, int argc, Va
     return atom &&
            js_GetMethod(cx, obj, ATOM_TO_JSID(atom), JSGET_NO_METHOD_BARRIER, &fval) &&
            (!js_IsCallable(fval) ||
-            ExternalInvoke(cx, ObjectValue(*obj), fval, argc, argv, rval));
+            Invoke(cx, ObjectValue(*obj), fval, argc, argv, rval));
 }
 
 JSTrapStatus
@@ -647,7 +647,7 @@ Debugger::fireDebuggerStatement(JSContext *cx, Value *vp)
         return handleUncaughtException(ac, vp, false);
 
     Value rv;
-    bool ok = ExternalInvoke(cx, ObjectValue(*object), ObjectValue(*hook), 1, argv, &rv);
+    bool ok = Invoke(cx, ObjectValue(*object), ObjectValue(*hook), 1, argv, &rv);
     return parseResumptionValue(ac, ok, rv, vp);
 }
 
@@ -672,7 +672,7 @@ Debugger::fireExceptionUnwind(JSContext *cx, Value *vp)
         return handleUncaughtException(ac, vp, false);
 
     Value rv;
-    bool ok = ExternalInvoke(cx, ObjectValue(*object), ObjectValue(*hook), 2, argv, &rv);
+    bool ok = Invoke(cx, ObjectValue(*object), ObjectValue(*hook), 2, argv, &rv);
     JSTrapStatus st = parseResumptionValue(ac, ok, rv, vp);
     if (st == JSTRAP_CONTINUE)
         cx->setPendingException(exc);
@@ -697,7 +697,7 @@ Debugger::fireEnterFrame(JSContext *cx)
         return;
     }
     Value rv;
-    if (!ExternalInvoke(cx, ObjectValue(*object), ObjectValue(*hook), 1, argv, &rv))
+    if (!Invoke(cx, ObjectValue(*object), ObjectValue(*hook), 1, argv, &rv))
         handleUncaughtException(ac, NULL, true);
 }
 
@@ -722,7 +722,7 @@ Debugger::fireNewScript(JSContext *cx, JSScript *script, JSObject *obj, NewScrip
     Value argv[1];
     argv[0].setObject(*dsobj);
     Value rv;
-    if (!ExternalInvoke(cx, ObjectValue(*object), ObjectValue(*hook), 1, argv, &rv))
+    if (!Invoke(cx, ObjectValue(*object), ObjectValue(*hook), 1, argv, &rv))
         handleUncaughtException(ac, NULL, true);
 }
 
@@ -2658,6 +2658,10 @@ EvaluateInScope(JSContext *cx, JSObject *scobj, StackFrame *fp, const jschar *ch
 {
     assertSameCompartment(cx, scobj, fp);
 
+    /* Execute assumes an already-computed 'this" value. */
+    if (!ComputeThis(cx, fp))
+        return false;
+
     /*
      * NB: This function breaks the assumption that the compiler can see all
      * calls and properly compute a static level. In order to get around this,
@@ -2672,7 +2676,7 @@ EvaluateInScope(JSContext *cx, JSObject *scobj, StackFrame *fp, const jschar *ch
     if (!script)
         return false;
 
-    bool ok = Execute(cx, script, *scobj, fp->thisValue(), EXECUTE_DEBUG, fp, rval);
+    bool ok = ExecuteKernel(cx, script, *scobj, fp->thisValue(), EXECUTE_DEBUG, fp, rval);
     js_DestroyScript(cx, script, 6);
     return ok;
 }
@@ -3003,6 +3007,7 @@ DebuggerObject_getOwnPropertyDescriptor(JSContext *cx, uintN argc, Value *vp)
         if (!ac.enter() || !cx->compartment->wrapId(cx, &id))
             return false;
 
+        ErrorCopier ec(ac, dbg->toJSObject());
         if (!GetOwnPropertyDescriptor(cx, obj, id, &desc))
             return false;
     }
@@ -3039,6 +3044,7 @@ DebuggerObject_getOwnPropertyNames(JSContext *cx, uintN argc, Value *vp)
         if (!ac.enter())
             return false;
 
+        ErrorCopier ec(ac, dbg->toJSObject());
         if (!GetPropertyNames(cx, obj, JSITER_OWNONLY | JSITER_HIDDEN, &keys))
             return false;
     }
@@ -3377,7 +3383,7 @@ ApplyOrCall(JSContext *cx, uintN argc, Value *vp, ApplyOrCallMode mode)
      * compartment and populate args.rval().
      */
     Value rval;
-    bool ok = ExternalInvoke(cx, thisv, calleev, callArgc, callArgv, &rval);
+    bool ok = Invoke(cx, thisv, calleev, callArgc, callArgv, &rval);
     return dbg->newCompletionValue(ac, ok, rval, &args.rval());
 }
 
diff --git a/js/src/vm/GlobalObject.cpp b/js/src/vm/GlobalObject.cpp
index 07902c147d44..facba994b6d9 100644
--- a/js/src/vm/GlobalObject.cpp
+++ b/js/src/vm/GlobalObject.cpp
@@ -214,7 +214,7 @@ GlobalObject::createConstructor(JSContext *cx, Native ctor, Class *clasp, JSAtom
      * Remember the class this function is a constructor for so that we know to
      * create an object of this class when we call the constructor.
      */
-    FUN_CLASP(fun) = clasp;
+    fun->setConstructorClass(clasp);
     return fun;
 }
 
diff --git a/js/src/vm/Stack-inl.h b/js/src/vm/Stack-inl.h
index 5f70a55f3cbc..2060c9ca9e89 100644
--- a/js/src/vm/Stack-inl.h
+++ b/js/src/vm/Stack-inl.h
@@ -388,7 +388,8 @@ StackSpace::ensureEnoughSpaceToEnterTrace(JSContext *cx)
 
 STATIC_POSTCONDITION(!return || ubound(from) >= nvals)
 JS_ALWAYS_INLINE bool
-StackSpace::ensureSpace(JSContext *cx, MaybeReportError report, Value *from, ptrdiff_t nvals) const
+StackSpace::ensureSpace(JSContext *cx, MaybeReportError report, Value *from, ptrdiff_t nvals,
+                        JSCompartment *dest) const
 {
     assertInvariants();
     JS_ASSERT(from >= firstUnused());
@@ -396,7 +397,7 @@ StackSpace::ensureSpace(JSContext *cx, MaybeReportError report, Value *from, ptr
     JS_ASSERT(from <= commitEnd_);
 #endif
     if (JS_UNLIKELY(conservativeEnd_ - from < nvals))
-        return ensureSpaceSlow(cx, report, from, nvals);
+        return ensureSpaceSlow(cx, report, from, nvals, dest);
     return true;
 }
 
diff --git a/js/src/vm/Stack.cpp b/js/src/vm/Stack.cpp
index 41ccdf8d5735..68dd68f3a907 100644
--- a/js/src/vm/Stack.cpp
+++ b/js/src/vm/Stack.cpp
@@ -414,13 +414,16 @@ StackSpace::mark(JSTracer *trc)
 }
 
 JS_FRIEND_API(bool)
-StackSpace::ensureSpaceSlow(JSContext *cx, MaybeReportError report,
-                            Value *from, ptrdiff_t nvals) const
+StackSpace::ensureSpaceSlow(JSContext *cx, MaybeReportError report, Value *from, ptrdiff_t nvals,
+                            JSCompartment *dest) const
 {
     assertInvariants();
 
-    bool trusted = !cx->compartment ||
-                   cx->compartment->principals == cx->runtime->trustedPrincipals();
+    /* See CX_COMPARTMENT comment. */
+    if (dest == (JSCompartment *)CX_COMPARTMENT)
+        dest = cx->compartment;
+
+    bool trusted = !dest || dest->principals == cx->runtime->trustedPrincipals();
     Value *end = trusted ? trustedEnd_ : defaultEnd_;
 
     /*
@@ -548,17 +551,17 @@ ContextStack::containsSlow(const StackFrame *target) const
  */
 Value *
 ContextStack::ensureOnTop(JSContext *cx, MaybeReportError report, uintN nvars,
-                          MaybeExtend extend, bool *pushedSeg)
+                          MaybeExtend extend, bool *pushedSeg, JSCompartment *dest)
 {
     Value *firstUnused = space().firstUnused();
 
     if (onTop() && extend) {
-        if (!space().ensureSpace(cx, report, firstUnused, nvars))
+        if (!space().ensureSpace(cx, report, firstUnused, nvars, dest))
             return NULL;
         return firstUnused;
     }
 
-    if (!space().ensureSpace(cx, report, firstUnused, VALUES_PER_STACK_SEGMENT + nvars))
+    if (!space().ensureSpace(cx, report, firstUnused, VALUES_PER_STACK_SEGMENT + nvars, dest))
         return NULL;
 
     FrameRegs *regs;
@@ -696,11 +699,12 @@ ContextStack::pushExecuteFrame(JSContext *cx, JSScript *script, const Value &thi
 }
 
 bool
-ContextStack::pushDummyFrame(JSContext *cx, MaybeReportError report, JSObject &scopeChain,
-                             DummyFrameGuard *dfg)
+ContextStack::pushDummyFrame(JSContext *cx, JSCompartment *dest, JSObject &scopeChain, DummyFrameGuard *dfg)
 {
+    JS_ASSERT(dest == scopeChain.compartment());
+
     uintN nvars = VALUES_PER_STACK_FRAME;
-    Value *firstUnused = ensureOnTop(cx, report, nvars, CAN_EXTEND, &dfg->pushedSeg_);
+    Value *firstUnused = ensureOnTop(cx, REPORT_ERROR, nvars, CAN_EXTEND, &dfg->pushedSeg_, dest);
     if (!firstUnused)
         return NULL;
 
@@ -708,6 +712,7 @@ ContextStack::pushDummyFrame(JSContext *cx, MaybeReportError report, JSObject &s
     fp->initDummyFrame(cx, scopeChain);
     dfg->regs_.initDummyFrame(*fp);
 
+    cx->compartment = dest;
     dfg->prevRegs_ = seg_->pushRegs(dfg->regs_);
     JS_ASSERT(space().firstUnused() == dfg->regs_.sp);
     dfg->setPushed(*this);
@@ -790,24 +795,11 @@ ContextStack::popGeneratorFrame(const GeneratorFrameGuard &gfg)
 bool
 ContextStack::saveFrameChain()
 {
-    /*
-     * The StackSpace uses the context's current compartment to determine
-     * whether to allow access to the privileged end-of-stack buffer.
-     * However, we always want saveFrameChain to have access to this privileged
-     * buffer since it gets used to prepare calling trusted JS. To force this,
-     * we clear the current compartment (which is interpreted by ensureSpace as
-     * 'trusted') and either restore it on OOM or let resetCompartment()
-     * clobber it.
-     */
-    JSCompartment *original = cx_->compartment;
-    cx_->compartment = NULL;
+    JSCompartment *dest = NULL;
 
     bool pushedSeg;
-    if (!ensureOnTop(cx_, DONT_REPORT_ERROR, 0, CANT_EXTEND, &pushedSeg)) {
-        cx_->compartment = original;
-        js_ReportOverRecursed(cx_);
+    if (!ensureOnTop(cx_, REPORT_ERROR, 0, CANT_EXTEND, &pushedSeg, dest))
         return false;
-    }
 
     JS_ASSERT(pushedSeg);
     JS_ASSERT(!hasfp());
diff --git a/js/src/vm/Stack.h b/js/src/vm/Stack.h
index e761cd3f5f9e..a329f21e8c75 100644
--- a/js/src/vm/Stack.h
+++ b/js/src/vm/Stack.h
@@ -44,6 +44,7 @@
 #include "jsfun.h"
 
 struct JSContext;
+struct JSCompartment;
 
 namespace js {
 
@@ -254,6 +255,13 @@ CallArgsFromSp(uintN argc, Value *sp)
 
 /*****************************************************************************/
 
+/*
+ * For calls to natives, the InvokeArgsGuard object provides a record of the
+ * call for the debugger's callstack. For this to work, the InvokeArgsGuard
+ * record needs to know when the call is actually active (because the
+ * InvokeArgsGuard can be pushed long before and popped long after the actual
+ * call, during which time many stack-observing things can happen).
+ */
 class CallArgsList : public CallArgs
 {
     friend class StackSegment;
@@ -1329,10 +1337,23 @@ class StackSpace
     friend class ContextStack;
     friend class StackFrame;
 
+    /*
+     * Except when changing compartment (see pushDummyFrame), the 'dest'
+     * parameter of ensureSpace is cx->compartment. Ideally, we'd just pass
+     * this directly (and introduce a helper that supplies cx->compartment when
+     * no 'dest' is given). For some compilers, this really hurts performance,
+     * so, instead, a trivially sinkable magic constant is used to indicate
+     * that dest should be cx->compartment.
+     */
+    static const size_t CX_COMPARTMENT = 0xc;
+
     inline bool ensureSpace(JSContext *cx, MaybeReportError report,
-                            Value *from, ptrdiff_t nvals) const;
+                            Value *from, ptrdiff_t nvals,
+                            JSCompartment *dest = (JSCompartment *)CX_COMPARTMENT) const;
     JS_FRIEND_API(bool) ensureSpaceSlow(JSContext *cx, MaybeReportError report,
-                                        Value *from, ptrdiff_t nvals) const;
+                                        Value *from, ptrdiff_t nvals,
+                                        JSCompartment *dest) const;
+
     StackSegment &findContainingSegment(const StackFrame *target) const;
 
   public:
@@ -1421,7 +1442,8 @@ class ContextStack
     StackSegment *pushSegment(JSContext *cx);
     enum MaybeExtend { CAN_EXTEND = true, CANT_EXTEND = false };
     Value *ensureOnTop(JSContext *cx, MaybeReportError report, uintN nvars,
-                       MaybeExtend extend, bool *pushedSeg);
+                       MaybeExtend extend, bool *pushedSeg,
+                       JSCompartment *dest = (JSCompartment *)StackSpace::CX_COMPARTMENT);
 
     inline StackFrame *
     getCallFrame(JSContext *cx, MaybeReportError report, const CallArgs &args,
@@ -1502,9 +1524,16 @@ class ContextStack
      */
     bool pushGeneratorFrame(JSContext *cx, JSGenerator *gen, GeneratorFrameGuard *gfg);
 
-    /* Pushes a "dummy" frame; should be removed one day. */
-    bool pushDummyFrame(JSContext *cx, MaybeReportError report, JSObject &scopeChain,
-                        DummyFrameGuard *dfg);
+    /*
+     * When changing the compartment of a cx, it is necessary to immediately
+     * change the scope chain to a global in the right compartment since any
+     * amount of general VM code can run before the first scripted frame is
+     * pushed (if at all). This is currently and hackily accomplished by
+     * pushing a "dummy frame" with the correct scope chain. On success, this
+     * function will change the compartment to 'scopeChain.compartment()' and
+     * push a dummy frame for 'scopeChain'. On failure, nothing is changed.
+     */
+    bool pushDummyFrame(JSContext *cx, JSCompartment *dest, JSObject &scopeChain, DummyFrameGuard *dfg);
 
     /*
      * An "inline frame" may only be pushed from within the top, active
@@ -1683,7 +1712,8 @@ class FrameRegsIter
     }
 
   public:
-    FrameRegsIter(JSContext *cx) : iter_(cx) { settle(); }
+    FrameRegsIter(JSContext *cx, StackIter::SavedOption opt = StackIter::STOP_AT_SAVED)
+        : iter_(cx, opt) { settle(); }
 
     bool done() const { return iter_.done(); }
     FrameRegsIter &operator++() { ++iter_; settle(); return *this; }
diff --git a/js/src/xpconnect/shell/xpcshell.cpp b/js/src/xpconnect/shell/xpcshell.cpp
index e1725a2a63ea..aa9318872d3e 100644
--- a/js/src/xpconnect/shell/xpcshell.cpp
+++ b/js/src/xpconnect/shell/xpcshell.cpp
@@ -1837,7 +1837,9 @@ main(int argc, char **argv, char **envp)
                 XRE_GetFileFromPath(argv[4], getter_AddRefs(appOmni));
                 argc-=2;
                 argv+=2;
-            } 
+            } else {
+                appOmni = greOmni;
+            }
             
             XRE_InitOmnijar(greOmni, appOmni);
             argc-=2;
diff --git a/js/src/xpconnect/src/nsXPConnect.cpp b/js/src/xpconnect/src/nsXPConnect.cpp
index 12e938c8ff4e..7ad2b28aa4fc 100644
--- a/js/src/xpconnect/src/nsXPConnect.cpp
+++ b/js/src/xpconnect/src/nsXPConnect.cpp
@@ -2073,7 +2073,8 @@ nsXPConnect::CreateSandbox(JSContext *cx, nsIPrincipal *principal,
     jsval rval = JSVAL_VOID;
     AUTO_MARK_JSVAL(ccx, &rval);
 
-    nsresult rv = xpc_CreateSandboxObject(cx, &rval, principal, NULL, false);
+    nsresult rv = xpc_CreateSandboxObject(cx, &rval, principal, NULL, false, 
+                                          EmptyCString());
     NS_ASSERTION(NS_FAILED(rv) || !JSVAL_IS_PRIMITIVE(rval),
                  "Bad return value from xpc_CreateSandboxObject()!");
 
diff --git a/js/src/xpconnect/src/xpccomponents.cpp b/js/src/xpconnect/src/xpccomponents.cpp
index 9b711e890c60..ea5e9dddbbe1 100644
--- a/js/src/xpconnect/src/xpccomponents.cpp
+++ b/js/src/xpconnect/src/xpccomponents.cpp
@@ -503,7 +503,7 @@ nsXPCComponents_InterfacesByID::GetContractID(char * *aContractID)
 NS_IMETHODIMP
 nsXPCComponents_InterfacesByID::GetClassDescription(char * *aClassDescription)
 {
-    static const char classDescription[] = "XPCComponents_Interfaces";
+    static const char classDescription[] = "XPCComponents_InterfacesByID";
     *aClassDescription = (char*)nsMemory::Clone(classDescription, sizeof(classDescription));
     return *aClassDescription ? NS_OK : NS_ERROR_OUT_OF_MEMORY;
 }
@@ -1075,7 +1075,7 @@ nsXPCComponents_ClassesByID::GetContractID(char * *aContractID)
 NS_IMETHODIMP 
 nsXPCComponents_ClassesByID::GetClassDescription(char * *aClassDescription)
 {
-    static const char classDescription[] = "XPCComponents_Interfaces";
+    static const char classDescription[] = "XPCComponents_ClassesByID";
     *aClassDescription = (char*)nsMemory::Clone(classDescription, sizeof(classDescription));
     return *aClassDescription ? NS_OK : NS_ERROR_OUT_OF_MEMORY;
 }
@@ -1346,7 +1346,7 @@ nsXPCComponents_Results::GetContractID(char * *aContractID)
 NS_IMETHODIMP 
 nsXPCComponents_Results::GetClassDescription(char * *aClassDescription)
 {
-    static const char classDescription[] = "XPCComponents_Interfaces";
+    static const char classDescription[] = "XPCComponents_Results";
     *aClassDescription = (char*)nsMemory::Clone(classDescription, sizeof(classDescription));
     return *aClassDescription ? NS_OK : NS_ERROR_OUT_OF_MEMORY;
 }
@@ -1575,7 +1575,7 @@ nsXPCComponents_ID::GetContractID(char * *aContractID)
 NS_IMETHODIMP 
 nsXPCComponents_ID::GetClassDescription(char * *aClassDescription)
 {
-    static const char classDescription[] = "XPCComponents_Interfaces";
+    static const char classDescription[] = "XPCComponents_ID";
     *aClassDescription = (char*)nsMemory::Clone(classDescription, sizeof(classDescription));
     return *aClassDescription ? NS_OK : NS_ERROR_OUT_OF_MEMORY;
 }
@@ -1803,7 +1803,7 @@ nsXPCComponents_Exception::GetContractID(char * *aContractID)
 NS_IMETHODIMP 
 nsXPCComponents_Exception::GetClassDescription(char * *aClassDescription)
 {
-    static const char classDescription[] = "XPCComponents_Interfaces";
+    static const char classDescription[] = "XPCComponents_Exception";
     *aClassDescription = (char*)nsMemory::Clone(classDescription, sizeof(classDescription));
     return *aClassDescription ? NS_OK : NS_ERROR_OUT_OF_MEMORY;
 }
@@ -2098,7 +2098,7 @@ nsXPCConstructor::GetContractID(char * *aContractID)
 NS_IMETHODIMP 
 nsXPCConstructor::GetClassDescription(char * *aClassDescription)
 {
-    static const char classDescription[] = "XPCComponents_Interfaces";
+    static const char classDescription[] = "XPCConstructor";
     *aClassDescription = (char*)nsMemory::Clone(classDescription, sizeof(classDescription));
     return *aClassDescription ? NS_OK : NS_ERROR_OUT_OF_MEMORY;
 }
@@ -2364,7 +2364,7 @@ nsXPCComponents_Constructor::GetContractID(char * *aContractID)
 NS_IMETHODIMP 
 nsXPCComponents_Constructor::GetClassDescription(char * *aClassDescription)
 {
-    static const char classDescription[] = "XPCComponents_Interfaces";
+    static const char classDescription[] = "XPCComponents_Constructor";
     *aClassDescription = (char*)nsMemory::Clone(classDescription, sizeof(classDescription));
     return *aClassDescription ? NS_OK : NS_ERROR_OUT_OF_MEMORY;
 }
@@ -3153,7 +3153,7 @@ NS_IMPL_ISUPPORTS0(Identity)
 
 nsresult
 xpc_CreateSandboxObject(JSContext * cx, jsval * vp, nsISupports *prinOrSop, JSObject *proto,
-                        bool wantXrays)
+                        bool wantXrays, const nsACString &sandboxName)
 {
     // Create the sandbox global object
     nsresult rv;
@@ -3240,6 +3240,10 @@ xpc_CreateSandboxObject(JSContext * cx, jsval * vp, nsISupports *prinOrSop, JSOb
         }
     }
 
+    xpc::CompartmentPrivate *compartmentPrivate =
+        static_cast(JS_GetCompartmentPrivate(cx, compartment));
+    compartmentPrivate->location = sandboxName;
+
     return NS_OK;
 }
 
@@ -3351,6 +3355,8 @@ nsXPCComponents_utils_Sandbox::CallOrConstruct(nsIXPConnectWrappedNative *wrappe
 
     JSObject *proto = nsnull;
     bool wantXrays = true;
+    nsCString sandboxName;
+
     if (argc > 1) {
         if (!JSVAL_IS_OBJECT(argv[1]))
             return ThrowAndFail(NS_ERROR_INVALID_ARG, cx, _retval);
@@ -3382,9 +3388,26 @@ nsXPCComponents_utils_Sandbox::CallOrConstruct(nsIXPConnectWrappedNative *wrappe
 
             wantXrays = JSVAL_TO_BOOLEAN(option);
         }
+
+        if (!JS_HasProperty(cx, optionsObject, "sandboxName", &found))
+            return NS_ERROR_INVALID_ARG;
+
+        if (found) {
+            if (!JS_GetProperty(cx, optionsObject, "sandboxName", &option) ||
+                !JSVAL_IS_STRING(option)) {
+                return ThrowAndFail(NS_ERROR_INVALID_ARG, cx, _retval);
+            }
+
+            char *tmp = JS_EncodeString(cx, JSVAL_TO_STRING(option));
+            if (!tmp) {
+                return ThrowAndFail(NS_ERROR_INVALID_ARG, cx, _retval);
+            }
+
+            sandboxName.Adopt(tmp, strlen(tmp));
+        }
     }
 
-    rv = xpc_CreateSandboxObject(cx, vp, prinOrSop, proto, wantXrays);
+    rv = xpc_CreateSandboxObject(cx, vp, prinOrSop, proto, wantXrays, sandboxName);
 
     if (NS_FAILED(rv)) {
         return ThrowAndFail(rv, cx, _retval);
diff --git a/js/src/xpconnect/src/xpcjsruntime.cpp b/js/src/xpconnect/src/xpcjsruntime.cpp
index cbcdb1933ae2..3c3791f5b911 100644
--- a/js/src/xpconnect/src/xpcjsruntime.cpp
+++ b/js/src/xpconnect/src/xpcjsruntime.cpp
@@ -1578,22 +1578,30 @@ CompartmentStats::CompartmentStats(JSContext *cx, JSCompartment *c)
     {
         if(c->principals->codebase)
         {
-            // A hack: replace forward slashes with '\\' so they aren't
-            // treated as path separators.  Users of the reporters
-            // (such as about:memory) have to undo this change.
             name.Assign(c->principals->codebase);
-            name.ReplaceChar('/', '\\');
 
             // If it's the system compartment, append the address.
             // This means that multiple system compartments (and there
             // can be many) can be distinguished.
             if(c->isSystemCompartment)
             {
+                if (c->data && 
+                    !((xpc::CompartmentPrivate*)c->data)->location.IsEmpty())
+                {
+                    name.AppendLiteral(", ");
+                    name.Append(((xpc::CompartmentPrivate*)c->data)->location);
+                }
+
                 // ample; 64-bit address max is 18 chars
                 static const int maxLength = 31;
                 nsPrintfCString address(maxLength, ", 0x%llx", PRUint64(c));
                 name.Append(address);
             }
+
+            // A hack: replace forward slashes with '\\' so they aren't
+            // treated as path separators.  Users of the reporters
+            // (such as about:memory) have to undo this change.
+            name.ReplaceChar('/', '\\');
         }
         else
         {
diff --git a/js/src/xpconnect/src/xpcprivate.h b/js/src/xpconnect/src/xpcprivate.h
index e70aa0cf721e..592f88de998b 100644
--- a/js/src/xpconnect/src/xpcprivate.h
+++ b/js/src/xpconnect/src/xpcprivate.h
@@ -4315,7 +4315,7 @@ xpc_GetJSPrivate(JSObject *obj)
 // and used.
 nsresult
 xpc_CreateSandboxObject(JSContext * cx, jsval * vp, nsISupports *prinOrSop,
-                        JSObject *proto, bool preferXray);
+                        JSObject *proto, bool preferXray, const nsACString &sandboxName);
 
 // Helper for evaluating scripts in a sandbox object created with
 // xpc_CreateSandboxObject(). The caller is responsible of ensuring
@@ -4394,6 +4394,7 @@ struct CompartmentPrivate
     JSObject2JSObjectMap *waiverWrapperMap;
     // NB: we don't want this map to hold a strong reference to the wrapper.
     nsDataHashtable, JSObject *> *expandoMap;
+    nsCString location;
 
     bool RegisterExpandoObject(XPCWrappedNative *wn, JSObject *expando) {
         if (!expandoMap) {
diff --git a/js/src/xpconnect/src/xpcwrappednativejsops.cpp b/js/src/xpconnect/src/xpcwrappednativejsops.cpp
index 8764bacaa113..d94a47992c1a 100644
--- a/js/src/xpconnect/src/xpcwrappednativejsops.cpp
+++ b/js/src/xpconnect/src/xpcwrappednativejsops.cpp
@@ -1576,7 +1576,7 @@ XPC_WN_CallMethod(JSContext *cx, uintN argc, jsval *vp)
 
 #ifdef DEBUG_slimwrappers
     {
-        JSFunction* fun = GET_FUNCTION_PRIVATE(cx, funobj);
+        JSFunction* fun = funobj->getFunctionPrivate();
         JSString *funid = JS_GetFunctionId(fun);
         JSAutoByteString bytes;
         const char *funname = !funid ? "" : bytes.encode(cx, funid) ? bytes.ptr() : "";
@@ -1615,7 +1615,7 @@ XPC_WN_GetterSetter(JSContext *cx, uintN argc, jsval *vp)
         JSAutoByteString bytes;
         if(JS_TypeOfValue(cx, JS_CALLEE(cx, vp)) == JSTYPE_FUNCTION)
         {
-            JSString *funid = JS_GetFunctionId(GET_FUNCTION_PRIVATE(cx, funobj));
+            JSString *funid = JS_GetFunctionId(funobj->getFunctionPrivate());
             funname = !funid ? "" : bytes.encode(cx, funid) ? bytes.ptr() : "";
         }
         SLIM_LOG_WILL_MORPH_FOR_PROP(cx, obj, funname);
diff --git a/js/src/xpconnect/tests/unit/test_bug677864.js b/js/src/xpconnect/tests/unit/test_bug677864.js
new file mode 100644
index 000000000000..14562757a5ad
--- /dev/null
+++ b/js/src/xpconnect/tests/unit/test_bug677864.js
@@ -0,0 +1,12 @@
+function check_cl(iface, desc) {
+    do_check_eq(iface.QueryInterface(Components.interfaces.nsIClassInfo).classDescription, desc);
+}
+
+function run_test() {
+    check_cl(Components, 'XPCComponents');
+    check_cl(Components.interfaces, 'XPCComponents_Interfaces');
+    check_cl(Components.interfacesByID, 'XPCComponents_InterfacesByID');
+    check_cl(Components.classes, 'XPCComponents_Classes');
+    check_cl(Components.classesByID, 'XPCComponents_ClassesByID');
+    check_cl(Components.results, 'XPCComponents_Results');
+}
diff --git a/js/src/xpconnect/tests/unit/xpcshell.ini b/js/src/xpconnect/tests/unit/xpcshell.ini
index 8dd29dfb60e1..cd04a912f44c 100644
--- a/js/src/xpconnect/tests/unit/xpcshell.ini
+++ b/js/src/xpconnect/tests/unit/xpcshell.ini
@@ -9,11 +9,14 @@ tail =
 [test_bug604362.js]
 [test_bug608142.js]
 [test_bug641378.js]
+[test_bug677864.js]
 [test_bug_442086.js]
 [test_file.js]
 [test_import.js]
 [test_js_weak_references.js]
 [test_localeCompare.js]
+# Bug 676965: test fails consistently on Android
+fail-if = os == "android"
 [test_recursive_import.js]
 [test_xpcomutils.js]
 [test_unload.js]
diff --git a/layout/base/nsCaret.cpp b/layout/base/nsCaret.cpp
index fc8f9111e1c3..a2331f5b0187 100644
--- a/layout/base/nsCaret.cpp
+++ b/layout/base/nsCaret.cpp
@@ -643,7 +643,8 @@ void nsCaret::InvalidateTextOverflowBlock()
         nsLayoutUtils::FindNearestBlockAncestor(caretFrame);
       if (block) {
         const nsStyleTextReset* style = block->GetStyleTextReset();
-        if (style->mTextOverflow.mType != NS_STYLE_TEXT_OVERFLOW_CLIP) {
+        if (style->mTextOverflow.mLeft.mType != NS_STYLE_TEXT_OVERFLOW_CLIP ||
+            style->mTextOverflow.mRight.mType != NS_STYLE_TEXT_OVERFLOW_CLIP) {
           block->InvalidateOverflowRect();
         }
       }
diff --git a/layout/base/nsPresArena.cpp b/layout/base/nsPresArena.cpp
index 7494dad46083..5cc33b3c4035 100644
--- a/layout/base/nsPresArena.cpp
+++ b/layout/base/nsPresArena.cpp
@@ -83,11 +83,7 @@
 #endif
 
 // Size to use for PLArena block allocations.
-// XXX: This should be 8192;  the subtracted elements are a hack that's
-// required to ensure the allocation requests are power-of-two-sized and thus
-// avoid lots of wasted memory caused by the heap allocator rounding up request
-// sizes.  Bug 676457 will fix it properly.
-static const size_t ARENA_PAGE_SIZE = 8192 - sizeof(PLArena) - PL_ARENA_CONST_ALIGN_MASK;
+static const size_t ARENA_PAGE_SIZE = 8192;
 
 // Freed memory is filled with a poison value, which we arrange to
 // form a pointer either to an always-unmapped region of the address
diff --git a/layout/base/nsPresShell.cpp b/layout/base/nsPresShell.cpp
index 3fd45cbd58b7..bf48c436d715 100644
--- a/layout/base/nsPresShell.cpp
+++ b/layout/base/nsPresShell.cpp
@@ -9411,6 +9411,16 @@ SetExternalResourceIsActive(nsIDocument* aDocument, void* aClosure)
   return PR_TRUE;
 }
 
+static void
+SetPluginIsActive(nsIContent* aContent, void* aClosure)
+{
+  nsIFrame *frame = aContent->GetPrimaryFrame();
+  nsIObjectFrame *objectFrame = do_QueryFrame(frame);
+  if (objectFrame) {
+    objectFrame->SetIsDocumentActive(*static_cast(aClosure));
+  }
+}
+
 nsresult
 PresShell::SetIsActive(PRBool aIsActive)
 {
@@ -9426,6 +9436,8 @@ PresShell::SetIsActive(PRBool aIsActive)
   // Propagate state-change to my resource documents' PresShells
   mDocument->EnumerateExternalResources(SetExternalResourceIsActive,
                                         &aIsActive);
+  mDocument->EnumerateFreezableElements(SetPluginIsActive,
+                                        &aIsActive);
   nsresult rv = UpdateImageLockingState();
 #ifdef ACCESSIBILITY
   if (aIsActive) {
diff --git a/layout/base/tests/test_reftests_with_caret.html b/layout/base/tests/test_reftests_with_caret.html
index ec292097576d..5a6b6179848e 100644
--- a/layout/base/tests/test_reftests_with_caret.html
+++ b/layout/base/tests/test_reftests_with_caret.html
@@ -117,7 +117,7 @@ var tests = [
     [ 'bug613433-1.html' , 'bug613433-ref.html' ] ,
     [ 'bug613433-2.html' , 'bug613433-ref.html' ] ,
     [ 'bug613433-3.html' , 'bug613433-ref.html' ] ,
-    [ 'bug613807-1.html' , 'bug613807-1-ref.html' ] ,
+//    [ 'bug613807-1.html' , 'bug613807-1-ref.html' ] ,  // see bug 680574
     [ 'bug632215-1.html' , 'bug632215-ref.html'   ] ,
     [ 'bug632215-2.html' , 'bug632215-ref.html'   ] ,
     [ 'bug633044-1.html' , 'bug633044-1-ref.html' ] ,
@@ -127,9 +127,9 @@ var tests = [
       SpecialPowers.setBoolPref("bidi.browser.ui", true);
     },
     [ 'bug646382-1.html' , 'bug646382-1-ref.html' ] ,
-    [ 'bug646382-2.html' , 'bug646382-2-ref.html' ] ,
+//    [ 'bug646382-2.html' , 'bug646382-2-ref.html' ] ,  // see bug 680577
     [ 'bug664087-1.html' , 'bug664087-1-ref.html' ] ,
-    [ 'bug664087-2.html' , 'bug664087-2-ref.html' ] ,
+//    [ 'bug664087-2.html' , 'bug664087-2-ref.html' ] ,  // see bug 680578
     function() {
       SpecialPowers.clearUserPref("bidi.browser.ui");
     },
diff --git a/layout/generic/TextOverflow.cpp b/layout/generic/TextOverflow.cpp
index 0ea8777fd3da..1ece3e055c54 100644
--- a/layout/generic/TextOverflow.cpp
+++ b/layout/generic/TextOverflow.cpp
@@ -280,8 +280,8 @@ TextOverflow::WillProcessLines(nsDisplayListBuilder*   aBuilder,
   textOverflow->mBlockIsRTL =
     aBlockFrame->GetStyleVisibility()->mDirection == NS_STYLE_DIRECTION_RTL;
   const nsStyleTextReset* style = aBlockFrame->GetStyleTextReset();
-  textOverflow->mLeft.Init(style->mTextOverflow);
-  textOverflow->mRight.Init(style->mTextOverflow);
+  textOverflow->mLeft.Init(style->mTextOverflow.mLeft);
+  textOverflow->mRight.Init(style->mTextOverflow.mRight);
   // The left/right marker string is setup in ExamineLineFrames when a line
   // has overflow on that side.
 
@@ -429,11 +429,11 @@ TextOverflow::ExamineLineFrames(nsLineBox*      aLine,
     mRight.mStyle->mType != NS_STYLE_TEXT_OVERFLOW_CLIP && rightOverflow;
   do {
     // Setup marker strings as needed.
-    if (guessLeft || guessRight) {
+    if (guessLeft) {
       mLeft.SetupString(mBlock);
-      mRight.mMarkerString = mLeft.mMarkerString;
-      mRight.mWidth = mLeft.mWidth;
-      mRight.mInitialized = mLeft.mInitialized;
+    }
+    if (guessRight) {
+      mRight.SetupString(mBlock);
     }
     
     // If there is insufficient space for both markers then keep the one on the
@@ -588,7 +588,8 @@ TextOverflow::CanHaveTextOverflow(nsDisplayListBuilder* aBuilder,
   const nsStyleTextReset* style = aBlockFrame->GetStyleTextReset();
   // Nothing to do for text-overflow:clip or if 'overflow-x:visible'
   // or if we're just building items for event processing.
-  if ((style->mTextOverflow.mType == NS_STYLE_TEXT_OVERFLOW_CLIP) ||
+  if ((style->mTextOverflow.mLeft.mType == NS_STYLE_TEXT_OVERFLOW_CLIP &&
+       style->mTextOverflow.mRight.mType == NS_STYLE_TEXT_OVERFLOW_CLIP) ||
       IsHorizontalOverflowVisible(aBlockFrame) ||
       aBuilder->IsForEventDelivery()) {
     return false;
diff --git a/layout/generic/TextOverflow.h b/layout/generic/TextOverflow.h
index b484b2f1d89a..0f8eaa2a2b44 100644
--- a/layout/generic/TextOverflow.h
+++ b/layout/generic/TextOverflow.h
@@ -188,7 +188,7 @@ class TextOverflow {
 
   class Marker {
   public:
-    void Init(const nsStyleTextOverflow& aStyle) {
+    void Init(const nsStyleTextOverflowSide& aStyle) {
       mInitialized = false;
       mWidth = 0;
       mStyle = &aStyle;
@@ -211,7 +211,7 @@ class TextOverflow {
     // The marker text.
     nsString                       mMarkerString;
     // The style for this side.
-    const nsStyleTextOverflow*     mStyle;
+    const nsStyleTextOverflowSide* mStyle;
     // True if there is visible overflowing inline content on this side.
     bool                           mHasOverflow;
     // True if mMarkerString and mWidth have been setup from style.
diff --git a/layout/generic/nsBlockFrame.cpp b/layout/generic/nsBlockFrame.cpp
index 38ef69446b30..92cef5cbf58e 100644
--- a/layout/generic/nsBlockFrame.cpp
+++ b/layout/generic/nsBlockFrame.cpp
@@ -1492,18 +1492,9 @@ nsBlockFrame::ComputeOverflowAreas(const nsHTMLReflowState& aReflowState,
   nsOverflowAreas areas(bounds, bounds);
 
   if (!IsClippingChildren(this, aReflowState)) {
-    PRBool inQuirks = (PresContext()->CompatibilityMode() == eCompatibility_NavQuirks);
     for (line_iterator line = begin_lines(), line_end = end_lines();
          line != line_end;
          ++line) {
-
-      // Text-shadow overflows
-      if (!inQuirks && line->IsInline()) {
-        nsRect shadowRect = nsLayoutUtils::GetTextShadowRectsUnion(
-                              line->GetVisualOverflowArea(), this);
-        areas.VisualOverflow().UnionRect(areas.VisualOverflow(), shadowRect);
-      }
-
       areas.UnionWith(line->GetOverflowAreas());
     }
 
diff --git a/layout/generic/nsGfxScrollFrame.cpp b/layout/generic/nsGfxScrollFrame.cpp
index 1f325c26a147..f293ad6e0f23 100644
--- a/layout/generic/nsGfxScrollFrame.cpp
+++ b/layout/generic/nsGfxScrollFrame.cpp
@@ -67,7 +67,6 @@
 #include "nsISupportsPrimitives.h"
 #include "nsAutoPtr.h"
 #include "nsPresState.h"
-#include "nsIGlobalHistory3.h"
 #include "nsDocShellCID.h"
 #include "nsIHTMLDocument.h"
 #include "nsEventDispatcher.h"
diff --git a/layout/generic/nsIObjectFrame.h b/layout/generic/nsIObjectFrame.h
index 1708e5f0bed1..dfb04648094a 100644
--- a/layout/generic/nsIObjectFrame.h
+++ b/layout/generic/nsIObjectFrame.h
@@ -94,6 +94,13 @@ public:
    * Get the native widget for the plugin, if any.
    */
   virtual nsIWidget* GetWidget() = 0;
+
+  /**
+   * Update plugin active state. Frame should update if it is on an active tab
+   * or not and forward that information to the plugin to make it possible to
+   * throttle down plugin instance in non active case.
+   */
+  virtual void SetIsDocumentActive(PRBool aIsActive) = 0;
 };
 
 #endif /* nsIObjectFrame_h___ */
diff --git a/layout/generic/nsLineLayout.cpp b/layout/generic/nsLineLayout.cpp
index b8e803863412..defc4c6a3e9a 100644
--- a/layout/generic/nsLineLayout.cpp
+++ b/layout/generic/nsLineLayout.cpp
@@ -2560,15 +2560,6 @@ nsLineLayout::RelativePositionFrames(PerSpanData* psd, nsOverflowAreas& aOverflo
 
     overflowAreas.ScrollableOverflow().UnionRect(
       psd->mFrame->mOverflowAreas.ScrollableOverflow(), adjustedBounds);
-
-    // Text-shadow overflow
-    if (mPresContext->CompatibilityMode() != eCompatibility_NavQuirks) {
-      nsRect shadowRect = nsLayoutUtils::GetTextShadowRectsUnion(adjustedBounds,
-                                                                 psd->mFrame->mFrame);
-      adjustedBounds.UnionRect(adjustedBounds, shadowRect);
-    }
-
-    // Text shadow is only part of visual overflow and not scrollable overflow.
     overflowAreas.VisualOverflow().UnionRect(
       psd->mFrame->mOverflowAreas.VisualOverflow(), adjustedBounds);
   }
diff --git a/layout/generic/nsObjectFrame.cpp b/layout/generic/nsObjectFrame.cpp
index 88e33b9877dd..69353db1d651 100644
--- a/layout/generic/nsObjectFrame.cpp
+++ b/layout/generic/nsObjectFrame.cpp
@@ -2494,6 +2494,16 @@ nsObjectFrame::GetCursor(const nsPoint& aPoint, nsIFrame::Cursor& aCursor)
   return nsObjectFrameSuper::GetCursor(aPoint, aCursor);
 }
 
+void
+nsObjectFrame::SetIsDocumentActive(PRBool aIsActive)
+{
+#ifndef XP_MACOSX
+  if (mInstanceOwner) {
+    mInstanceOwner->UpdateDocumentActiveState(aIsActive);
+  }
+#endif
+}
+
 void
 nsObjectFrame::NotifyContentObjectWrapper()
 {
diff --git a/layout/generic/nsObjectFrame.h b/layout/generic/nsObjectFrame.h
index f1b55af5e7bb..c141125bd584 100644
--- a/layout/generic/nsObjectFrame.h
+++ b/layout/generic/nsObjectFrame.h
@@ -128,6 +128,7 @@ public:
   virtual nsresult Instantiate(const char* aMimeType, nsIURI* aURI);
   virtual void TryNotifyContentObjectWrapper();
   virtual void StopPlugin();
+  virtual void SetIsDocumentActive(PRBool aIsActive);
 
   /*
    * Stop a plugin instance. If aDelayedStop is true, the plugin will
diff --git a/layout/generic/nsTextFrameThebes.cpp b/layout/generic/nsTextFrameThebes.cpp
index 0953044c876c..25988c4a70d1 100644
--- a/layout/generic/nsTextFrameThebes.cpp
+++ b/layout/generic/nsTextFrameThebes.cpp
@@ -6628,8 +6628,7 @@ RoundOut(const gfxRect& aRect)
 nsRect
 nsTextFrame::ComputeTightBounds(gfxContext* aContext) const
 {
-  if ((GetStyleContext()->HasTextDecorationLines() &&
-       eCompatibility_NavQuirks == PresContext()->CompatibilityMode()) ||
+  if (GetStyleContext()->HasTextDecorationLines() ||
       (GetStateBits() & TEXT_HYPHEN_BREAK)) {
     // This is conservative, but OK.
     return GetVisualOverflowRect();
diff --git a/layout/mathml/nsMathMLContainerFrame.cpp b/layout/mathml/nsMathMLContainerFrame.cpp
index 242cfae8521b..3805dc6eccac 100644
--- a/layout/mathml/nsMathMLContainerFrame.cpp
+++ b/layout/mathml/nsMathMLContainerFrame.cpp
@@ -850,15 +850,6 @@ nsMathMLContainerFrame::GatherAndStoreOverflow(nsHTMLReflowMetrics* aMetrics)
   // frame rectangle.
   aMetrics->SetOverflowAreasToDesiredBounds();
 
-  // Text-shadow overflows.
-  if (PresContext()->CompatibilityMode() != eCompatibility_NavQuirks) {
-    nsRect frameRect(0, 0, aMetrics->width, aMetrics->height);
-    nsRect shadowRect = nsLayoutUtils::GetTextShadowRectsUnion(frameRect, this);
-    // shadows contribute only to visual overflow
-    nsRect& visOverflow = aMetrics->VisualOverflow();
-    visOverflow.UnionRect(visOverflow, shadowRect);
-  }
-
   // All non-child-frame content such as nsMathMLChars (and most child-frame
   // content) is included in mBoundingMetrics.
   nsRect boundingBox(mBoundingMetrics.leftBearing,
diff --git a/layout/reftests/bugs/175190-1-ref.html b/layout/reftests/bugs/175190-1-ref.html
new file mode 100644
index 000000000000..9caadd2ccd65
--- /dev/null
+++ b/layout/reftests/bugs/175190-1-ref.html
@@ -0,0 +1,40 @@
+
+
+
+Test Page
+
+
+
+
+
+
+
              
+
+
+
+
              
+
+
+
+
              
+
              
+
+
diff --git a/layout/reftests/bugs/175190-1.html b/layout/reftests/bugs/175190-1.html
new file mode 100644
index 000000000000..2f7568c74bd4
--- /dev/null
+++ b/layout/reftests/bugs/175190-1.html
@@ -0,0 +1,41 @@
+
+
+
+Test Page
+
+
+
+
+
+
+
              
+
+
+
+
              
+
+
+
+
              
+
              
+
+
diff --git a/layout/reftests/bugs/186317-1-ref.html b/layout/reftests/bugs/186317-1-ref.html
new file mode 100644
index 000000000000..7aa1736dbc3b
--- /dev/null
+++ b/layout/reftests/bugs/186317-1-ref.html
@@ -0,0 +1,26 @@
+
+
+
+
+border crosstalk
+
+
+
+
+
+
+
+
              1 2 3
              
+
+
+
+
+
              12
              34
              
+
+
+
+
+
diff --git a/layout/reftests/bugs/186317-1.html b/layout/reftests/bugs/186317-1.html
new file mode 100644
index 000000000000..27148f87b782
--- /dev/null
+++ b/layout/reftests/bugs/186317-1.html
@@ -0,0 +1,24 @@
+
+
+
+
+border crosstalk
+
+
+
+
+
+
+
+
              1 2 3
              
+
+
+
+
+
              12
              34
              
+
+
+
+
+
diff --git a/layout/reftests/bugs/260406-1-ref.html b/layout/reftests/bugs/260406-1-ref.html
new file mode 100644
index 000000000000..f351341a86ab
--- /dev/null
+++ b/layout/reftests/bugs/260406-1-ref.html
@@ -0,0 +1,20 @@
+
+
+
+
+
+    
+        
+            
+        
+    
              P
              
+    
+        
+            
+        
+    
              
+
+
\ No newline at end of file
diff --git a/layout/reftests/bugs/260406-1.html b/layout/reftests/bugs/260406-1.html
new file mode 100644
index 000000000000..497b3278b662
--- /dev/null
+++ b/layout/reftests/bugs/260406-1.html
@@ -0,0 +1,20 @@
+
+
+
+
+
+    
+        
+            
+        
+    
              P
              
+    
+        
+            
+        
+    
              
+
+
\ No newline at end of file
diff --git a/layout/reftests/bugs/260406.gif b/layout/reftests/bugs/260406.gif
new file mode 100644
index 000000000000..5d0a77dc555a
Binary files /dev/null and b/layout/reftests/bugs/260406.gif differ
diff --git a/layout/reftests/bugs/reftest.list b/layout/reftests/bugs/reftest.list
index a44a2a8dc102..ed2430aa42c7 100644
--- a/layout/reftests/bugs/reftest.list
+++ b/layout/reftests/bugs/reftest.list
@@ -138,6 +138,7 @@ random == 99850-1b.html 99850-1-ref.html # bug 471629
 == 167496-1.html 167496-1-ref.html
 == 169749-1.html 169749-1-ref.html
 == 172073-1.html 172073-1-ref.html
+== 175190-1.html 175190-1-ref.html
 == 179596-1a.html 179596-1a-ref.html
 == 179596-1b.html 179596-1b-ref.html
 == 179596-2.html 179596-2-ref.html
@@ -146,6 +147,7 @@ random == 99850-1b.html 99850-1-ref.html # bug 471629
 == 180085-1.html 180085-1-ref.html
 == 180085-2.html 180085-2-ref.html
 == 185388-1.html 185388-1-ref.html
+== 186317-1.html 186317-1-ref.html
 == 192902-1.html 192902-ref.html
 == 192767-01.xul 192767-11.xul
 == 192767-02.xul 192767-12.xul
@@ -268,6 +270,7 @@ fails-if(Android) != 192767-17.xul 192767-37.xul
 == 252920-1.html 252920-1-ref.html
 == 253701-1.html 253701-1-ref.html
 == 255820-1.html 255820-1-ref.html
+== 260406-1.html 260406-1-ref.html
 == 261826-1.xul 261826-1-ref.xul
 == 262151-1.html 262151-1-ref.html
 == 262998-1.html 262998-1-ref.html
diff --git a/layout/reftests/reftest.list b/layout/reftests/reftest.list
index 436127f77b4e..ea30982b5269 100644
--- a/layout/reftests/reftest.list
+++ b/layout/reftests/reftest.list
@@ -288,6 +288,9 @@ include xul-document-load/reftest.list
 # xul/
 include xul/reftest.list
 
+# xul
+include ../xul/base/reftest/reftest.list
+
 # xul grid
 include ../xul/base/src/grid/reftests/reftest.list
 
diff --git a/layout/reftests/svg/dynamic-filter-contents-01.svg b/layout/reftests/svg/dynamic-filter-contents-01a.svg
similarity index 100%
rename from layout/reftests/svg/dynamic-filter-contents-01.svg
rename to layout/reftests/svg/dynamic-filter-contents-01a.svg
diff --git a/layout/reftests/svg/dynamic-filter-contents-01b.svg b/layout/reftests/svg/dynamic-filter-contents-01b.svg
new file mode 100644
index 000000000000..87d98aa3dc60
--- /dev/null
+++ b/layout/reftests/svg/dynamic-filter-contents-01b.svg
@@ -0,0 +1,28 @@
+
+
+  
+    
+      
+      
+    
+  
+
+  
+
+  
+
diff --git a/layout/reftests/svg/reftest.list b/layout/reftests/svg/reftest.list
index 5c01fc5ebf0a..321c67faa843 100644
--- a/layout/reftests/svg/reftest.list
+++ b/layout/reftests/svg/reftest.list
@@ -64,7 +64,8 @@ fails-if(Android) == dynamic-conditions-01.svg pass.svg # bug 652050
 == dynamic-clipPath-01.svg pass.svg
 == dynamic-feFlood-01.svg pass.svg
 == dynamic-feImage-01.svg pass.svg
-== dynamic-filter-contents-01.svg dynamic-filter-contents-01-ref.svg
+== dynamic-filter-contents-01a.svg dynamic-filter-contents-01-ref.svg
+== dynamic-filter-contents-01b.svg dynamic-filter-contents-01-ref.svg
 == dynamic-gradient-contents-01.svg pass.svg
 == dynamic-gradient-contents-02.svg pass.svg
 == dynamic-inner-svg-01.svg pass.svg
diff --git a/layout/reftests/table-anonymous-boxes/reftest.list b/layout/reftests/table-anonymous-boxes/reftest.list
index 546bf684147e..8c01d1dd1a3b 100644
--- a/layout/reftests/table-anonymous-boxes/reftest.list
+++ b/layout/reftests/table-anonymous-boxes/reftest.list
@@ -1,7 +1,7 @@
 == 121142-1a.html 121142-1-ref.html
 == 121142-1b.html 121142-1-ref.html
 == 121142-2.html 121142-2-ref.html
-fails == 156888-1.html 156888-1-ref.html # bug 484825
+== 156888-1.html 156888-1-ref.html
 == 156888-2.html 156888-2-ref.html
 == 162063-1.xhtml about:blank
 == 203923-1.html white-space-ref.html
diff --git a/layout/reftests/text-decoration/decoration-color-override-quirks-ref.html b/layout/reftests/text-decoration/decoration-color-override-quirks-ref.html
index 53b8565b2f68..5b8481674e09 100644
--- a/layout/reftests/text-decoration/decoration-color-override-quirks-ref.html
+++ b/layout/reftests/text-decoration/decoration-color-override-quirks-ref.html
@@ -1,5 +1,5 @@
 
 	
-		hellohello
+		hellohello
 	
 
diff --git a/layout/reftests/text-decoration/decoration-color-override-quirks.html b/layout/reftests/text-decoration/decoration-color-override-quirks.html
index 94cfc90a3d03..67e1346b94d0 100644
--- a/layout/reftests/text-decoration/decoration-color-override-quirks.html
+++ b/layout/reftests/text-decoration/decoration-color-override-quirks.html
@@ -1,5 +1,5 @@
 
 	
-		hellohello
+		hellohello
 	
 
diff --git a/layout/reftests/text-decoration/decoration-color-override-standards-ref.html b/layout/reftests/text-decoration/decoration-color-override-standards-ref.html
index 167c88bf8b51..4420e6fc35cb 100644
--- a/layout/reftests/text-decoration/decoration-color-override-standards-ref.html
+++ b/layout/reftests/text-decoration/decoration-color-override-standards-ref.html
@@ -1,6 +1,6 @@
 
 
 	
-		hellohello
+		hellohello
 	
 
diff --git a/layout/reftests/text-decoration/decoration-color-override-standards.html b/layout/reftests/text-decoration/decoration-color-override-standards.html
index a16d7d682569..2be52e67de56 100644
--- a/layout/reftests/text-decoration/decoration-color-override-standards.html
+++ b/layout/reftests/text-decoration/decoration-color-override-standards.html
@@ -1,6 +1,6 @@
 
 
 	
-		hellohello
+		hellohello
 	
 
diff --git a/layout/reftests/text-overflow/reftest.list b/layout/reftests/text-overflow/reftest.list
index 719345985678..588b1a5143e1 100644
--- a/layout/reftests/text-overflow/reftest.list
+++ b/layout/reftests/text-overflow/reftest.list
@@ -18,3 +18,4 @@ HTTP(..) == marker-shadow.html marker-shadow-ref.html
 skip-if(Android) == clipped-elements.html clipped-elements-ref.html
 == theme-overflow.html theme-overflow-ref.html
 HTTP(..) == table-cell.html table-cell-ref.html
+HTTP(..) == two-value-syntax.html two-value-syntax-ref.html
diff --git a/layout/reftests/text-overflow/two-value-syntax-ref.html b/layout/reftests/text-overflow/two-value-syntax-ref.html
new file mode 100644
index 000000000000..98a7de1e8269
--- /dev/null
+++ b/layout/reftests/text-overflow/two-value-syntax-ref.html
@@ -0,0 +1,66 @@
+
+
+
+text-overflow: text-overflow:<left> <right>
+
+
+
+
+
              
+|||||
+
               …||…
              
+
               …||…
              
+
               …||||
              
+
              ||||…
              
+
              ||||…
              
+
               …||||
              
+
              ||||.
              
+
               .||||
              
+
               .||||
              
+
              ||||.
              
+
               .||,
              
+
               ,||.
              
+
               …||,
              
+
               ,||…
              
+
               .||…
              
+
               …||.
              
+
              
+
+
+
+
diff --git a/layout/reftests/text-overflow/two-value-syntax.html b/layout/reftests/text-overflow/two-value-syntax.html
new file mode 100644
index 000000000000..9360c08fccf4
--- /dev/null
+++ b/layout/reftests/text-overflow/two-value-syntax.html
@@ -0,0 +1,75 @@
+
+
+
+text-overflow: text-overflow:<left> <right>
+
+
+
+
+
              
+|||||
+
              ||||||
              
+
              ||||||
              
+
              ||||||
              
+
              ||||||
              
+
              ||||||
              
+
              ||||||
              
+
              ||||||
              
+
              ||||||
              
+
              ||||||
              
+
              ||||||
              
+
              ||||||
              
+
              ||||||
              
+
              ||||||
              
+
              ||||||
              
+
              ||||||
              
+
              ||||||
              
+
              
+
+
+
+
diff --git a/layout/style/nsCSSParser.cpp b/layout/style/nsCSSParser.cpp
index ded3e24813c5..1dd924e35a6d 100644
--- a/layout/style/nsCSSParser.cpp
+++ b/layout/style/nsCSSParser.cpp
@@ -513,6 +513,7 @@ protected:
   PRBool ParseSize();
   PRBool ParseTextDecoration();
   PRBool ParseTextDecorationLine(nsCSSValue& aValue);
+  PRBool ParseTextOverflow(nsCSSValue& aValue);
 
   PRBool ParseShadowItem(nsCSSValue& aValue, PRBool aIsBoxShadow);
   PRBool ParseShadowList(nsCSSProperty aProperty);
@@ -5601,6 +5602,8 @@ CSSParserImpl::ParseSingleValueProperty(nsCSSValue& aValue,
         return ParseMarks(aValue);
       case eCSSProperty_text_decoration_line:
         return ParseTextDecorationLine(aValue);
+      case eCSSProperty_text_overflow:
+        return ParseTextOverflow(aValue);
       default:
         NS_ABORT_IF_FALSE(PR_FALSE, "should not reach here");
         return PR_FALSE;
@@ -8118,6 +8121,27 @@ CSSParserImpl::ParseTextDecorationLine(nsCSSValue& aValue)
   return PR_FALSE;
 }
 
+PRBool
+CSSParserImpl::ParseTextOverflow(nsCSSValue& aValue)
+{
+  if (ParseVariant(aValue, VARIANT_INHERIT, nsnull)) {
+    // 'inherit' and 'initial' must be alone
+    return PR_TRUE;
+  }
+
+  nsCSSValue left;
+  if (!ParseVariant(left, VARIANT_KEYWORD | VARIANT_STRING,
+                    nsCSSProps::kTextOverflowKTable))
+    return PR_FALSE;
+
+  nsCSSValue right;
+  if (ParseVariant(right, VARIANT_KEYWORD | VARIANT_STRING,
+                    nsCSSProps::kTextOverflowKTable))
+    aValue.SetPairValue(left, right);
+  else
+    aValue.SetPairValue(left, left);
+  return PR_TRUE;
+}
 
 PRBool
 CSSParserImpl::ParseTransitionProperty()
diff --git a/layout/style/nsCSSPropList.h b/layout/style/nsCSSPropList.h
index b3fd8ae06c44..bdd1bce579c8 100644
--- a/layout/style/nsCSSPropList.h
+++ b/layout/style/nsCSSPropList.h
@@ -2211,8 +2211,9 @@ CSS_PROP_TEXTRESET(
     text-overflow,
     text_overflow,
     TextOverflow,
-    CSS_PROPERTY_PARSE_VALUE,
-    VARIANT_HK | VARIANT_STRING,
+    CSS_PROPERTY_PARSE_VALUE |
+        CSS_PROPERTY_VALUE_PARSER_FUNCTION,
+    0,
     kTextOverflowKTable,
     offsetof(nsStyleTextReset, mTextOverflow),
     eStyleAnimType_None)
diff --git a/layout/style/nsCSSRuleProcessor.cpp b/layout/style/nsCSSRuleProcessor.cpp
index b808d9751e33..8b1200a5f746 100644
--- a/layout/style/nsCSSRuleProcessor.cpp
+++ b/layout/style/nsCSSRuleProcessor.cpp
@@ -1108,6 +1108,11 @@ InitSystemMetrics()
     sSystemMetrics->AppendElement(nsGkAtoms::mac_graphite_theme);
   }
 
+  rv = lookAndFeel->GetMetric(nsILookAndFeel::eMetric_MacLionTheme, metricResult);
+  if (NS_SUCCEEDED(rv) && metricResult) {
+    sSystemMetrics->AppendElement(nsGkAtoms::mac_lion_theme);
+  }
+
   rv = lookAndFeel->GetMetric(nsILookAndFeel::eMetric_DWMCompositor, metricResult);
   if (NS_SUCCEEDED(rv) && metricResult) {
     sSystemMetrics->AppendElement(nsGkAtoms::windows_compositor);
diff --git a/layout/style/nsComputedDOMStyle.cpp b/layout/style/nsComputedDOMStyle.cpp
index a9b89e084e31..415dbb5db0cb 100644
--- a/layout/style/nsComputedDOMStyle.cpp
+++ b/layout/style/nsComputedDOMStyle.cpp
@@ -2449,19 +2449,35 @@ nsComputedDOMStyle::DoGetTextIndent()
 nsIDOMCSSValue*
 nsComputedDOMStyle::DoGetTextOverflow()
 {
-  nsROCSSPrimitiveValue *val = GetROCSSPrimitiveValue();
   const nsStyleTextReset *style = GetStyleTextReset();
-
-  if (style->mTextOverflow.mType == NS_STYLE_TEXT_OVERFLOW_STRING) {
+  nsROCSSPrimitiveValue *left = GetROCSSPrimitiveValue();
+  if (style->mTextOverflow.mLeft.mType == NS_STYLE_TEXT_OVERFLOW_STRING) {
     nsString str;
-    nsStyleUtil::AppendEscapedCSSString(style->mTextOverflow.mString, str);
-    val->SetString(str);
+    nsStyleUtil::AppendEscapedCSSString(style->mTextOverflow.mLeft.mString, str);
+    left->SetString(str);
   } else {
-    val->SetIdent(
-      nsCSSProps::ValueToKeywordEnum(style->mTextOverflow.mType,
+    left->SetIdent(
+      nsCSSProps::ValueToKeywordEnum(style->mTextOverflow.mLeft.mType,
                                      nsCSSProps::kTextOverflowKTable));
   }
-  return val;
+  if (style->mTextOverflow.mLeft == style->mTextOverflow.mRight) {
+    return left;
+  }
+  nsROCSSPrimitiveValue *right = GetROCSSPrimitiveValue();
+  if (style->mTextOverflow.mRight.mType == NS_STYLE_TEXT_OVERFLOW_STRING) {
+    nsString str;
+    nsStyleUtil::AppendEscapedCSSString(style->mTextOverflow.mRight.mString, str);
+    right->SetString(str);
+  } else {
+    right->SetIdent(
+      nsCSSProps::ValueToKeywordEnum(style->mTextOverflow.mRight.mType,
+                                     nsCSSProps::kTextOverflowKTable));
+  }
+
+  nsDOMCSSValueList *valueList = GetROCSSValueList(PR_FALSE);
+  valueList->AppendCSSValue(left);
+  valueList->AppendCSSValue(right);
+  return valueList;
 }
 
 nsIDOMCSSValue*
diff --git a/layout/style/nsMediaFeatures.cpp b/layout/style/nsMediaFeatures.cpp
index 1d2dc7d95f5e..a5fda1a915f7 100644
--- a/layout/style/nsMediaFeatures.cpp
+++ b/layout/style/nsMediaFeatures.cpp
@@ -521,6 +521,13 @@ nsMediaFeatures::features[] = {
         { &nsGkAtoms::mac_graphite_theme },
         GetSystemMetric
     },
+    {
+        &nsGkAtoms::_moz_mac_lion_theme,
+        nsMediaFeature::eMinMaxNotAllowed,
+        nsMediaFeature::eBoolInteger,
+        { &nsGkAtoms::mac_lion_theme },
+        GetSystemMetric
+    },
     {
         &nsGkAtoms::_moz_windows_compositor,
         nsMediaFeature::eMinMaxNotAllowed,
diff --git a/layout/style/nsRuleNode.cpp b/layout/style/nsRuleNode.cpp
index 924fe735ed17..9441a5ee4c68 100644
--- a/layout/style/nsRuleNode.cpp
+++ b/layout/style/nsRuleNode.cpp
@@ -3495,22 +3495,41 @@ nsRuleNode::ComputeTextResetData(void* aStartStruct,
     text->SetDecorationStyle(NS_STYLE_TEXT_DECORATION_STYLE_SOLID);
   }
 
-  // text-overflow: enum, string, inherit, initial
+  // text-overflow: pair(enum|string), inherit, initial
   const nsCSSValue* textOverflowValue =
     aRuleData->ValueForTextOverflow();
-  if (eCSSUnit_Enumerated == textOverflowValue->GetUnit() ||
-      eCSSUnit_Initial    == textOverflowValue->GetUnit()) {
-    SetDiscrete(*textOverflowValue, text->mTextOverflow.mType,
-                canStoreInRuleTree,
-                SETDSC_ENUMERATED, parentText->mTextOverflow.mType,
-                NS_STYLE_TEXT_OVERFLOW_CLIP, 0, 0, 0, 0);
-    text->mTextOverflow.mString.Truncate();
+  if (eCSSUnit_Initial == textOverflowValue->GetUnit()) {
+    text->mTextOverflow = nsStyleTextOverflow();
   } else if (eCSSUnit_Inherit == textOverflowValue->GetUnit()) {
     canStoreInRuleTree = PR_FALSE;
     text->mTextOverflow = parentText->mTextOverflow;
-  } else if (eCSSUnit_String == textOverflowValue->GetUnit()) {
-    textOverflowValue->GetStringValue(text->mTextOverflow.mString);
-    text->mTextOverflow.mType = NS_STYLE_TEXT_OVERFLOW_STRING;
+  } else if (eCSSUnit_Pair == textOverflowValue->GetUnit()) {
+    const nsCSSValuePair& textOverflowValue =
+      aRuleData->ValueForTextOverflow()->GetPairValue();
+
+    const nsCSSValue *textOverflowLeftValue = &textOverflowValue.mXValue;
+    if (eCSSUnit_Enumerated == textOverflowLeftValue->GetUnit()) {
+      SetDiscrete(*textOverflowLeftValue, text->mTextOverflow.mLeft.mType,
+                  canStoreInRuleTree,
+                  SETDSC_ENUMERATED, parentText->mTextOverflow.mLeft.mType,
+                  NS_STYLE_TEXT_OVERFLOW_CLIP, 0, 0, 0, 0);
+      text->mTextOverflow.mLeft.mString.Truncate();
+    } else if (eCSSUnit_String == textOverflowLeftValue->GetUnit()) {
+      textOverflowLeftValue->GetStringValue(text->mTextOverflow.mLeft.mString);
+      text->mTextOverflow.mLeft.mType = NS_STYLE_TEXT_OVERFLOW_STRING;
+    }
+
+    const nsCSSValue *textOverflowRightValue = &textOverflowValue.mYValue;
+    if (eCSSUnit_Enumerated == textOverflowRightValue->GetUnit()) {
+      SetDiscrete(*textOverflowRightValue, text->mTextOverflow.mRight.mType,
+                  canStoreInRuleTree,
+                  SETDSC_ENUMERATED, parentText->mTextOverflow.mRight.mType,
+                  NS_STYLE_TEXT_OVERFLOW_CLIP, 0, 0, 0, 0);
+      text->mTextOverflow.mRight.mString.Truncate();
+    } else if (eCSSUnit_String == textOverflowRightValue->GetUnit()) {
+      textOverflowRightValue->GetStringValue(text->mTextOverflow.mRight.mString);
+      text->mTextOverflow.mRight.mType = NS_STYLE_TEXT_OVERFLOW_STRING;
+    }
   }
 
   // unicode-bidi: enum, inherit, initial
diff --git a/layout/style/nsStyleStruct.h b/layout/style/nsStyleStruct.h
index 27b38a2d3b86..81cded553ee5 100644
--- a/layout/style/nsStyleStruct.h
+++ b/layout/style/nsStyleStruct.h
@@ -1131,15 +1131,15 @@ private:
   }
 };
 
-struct nsStyleTextOverflow {
-  nsStyleTextOverflow() : mType(NS_STYLE_TEXT_OVERFLOW_CLIP) {}
+struct nsStyleTextOverflowSide {
+  nsStyleTextOverflowSide() : mType(NS_STYLE_TEXT_OVERFLOW_CLIP) {}
 
-  bool operator==(const nsStyleTextOverflow& aOther) const {
+  bool operator==(const nsStyleTextOverflowSide& aOther) const {
     return mType == aOther.mType &&
            (mType != NS_STYLE_TEXT_OVERFLOW_STRING ||
             mString == aOther.mString);
   }
-  bool operator!=(const nsStyleTextOverflow& aOther) const {
+  bool operator!=(const nsStyleTextOverflowSide& aOther) const {
     return !(*this == aOther);
   }
 
@@ -1147,6 +1147,18 @@ struct nsStyleTextOverflow {
   PRUint8  mType;
 };
 
+struct nsStyleTextOverflow {
+  bool operator==(const nsStyleTextOverflow& aOther) const {
+    return mLeft == aOther.mLeft && mRight == aOther.mRight;
+  }
+  bool operator!=(const nsStyleTextOverflow& aOther) const {
+    return !(*this == aOther);
+  }
+
+  nsStyleTextOverflowSide mLeft;
+  nsStyleTextOverflowSide mRight;
+};
+
 struct nsStyleTextReset {
   nsStyleTextReset(void);
   nsStyleTextReset(const nsStyleTextReset& aOther);
diff --git a/layout/style/test/property_database.js b/layout/style/test/property_database.js
index 55e6bb6b259a..66ecd88ae751 100644
--- a/layout/style/test/property_database.js
+++ b/layout/style/test/property_database.js
@@ -2546,9 +2546,9 @@ var gCSSProperties = {
 		domProp: "textOverflow",
 		inherited: false,
 		type: CSS_TYPE_LONGHAND,
-		initial_values: [ "clip" ],
-		other_values: [ "ellipsis", '""', "''", '"hello"' ],
-		invalid_values: [ "none", "auto" ]
+		initial_values: [ "clip", "clip clip" ],
+		other_values: [ "ellipsis", '""', "''", '"hello"', 'clip ellipsis', 'clip ""', '"hello" ""', '"" ellipsis' ],
+		invalid_values: [ "none", "auto", '"hello" inherit', 'inherit "hello"', 'clip initial', 'initial clip', 'initial inherit', 'inherit initial', 'inherit none']
 	},
 	"text-shadow": {
 		domProp: "textShadow",
diff --git a/layout/style/test/test_media_queries.html b/layout/style/test/test_media_queries.html
index 3ebcfa6f6e2b..a89a2555838d 100644
--- a/layout/style/test/test_media_queries.html
+++ b/layout/style/test/test_media_queries.html
@@ -550,6 +550,7 @@ function run() {
   expression_should_be_parseable("-moz-images-in-buttons");
   expression_should_be_parseable("-moz-windows-default-theme");
   expression_should_be_parseable("-moz-mac-graphite-theme");
+  expression_should_be_parseable("-moz-mac-lion-theme");
   expression_should_be_parseable("-moz-windows-compositor");
   expression_should_be_parseable("-moz-windows-classic");
   expression_should_be_parseable("-moz-touch-enabled");
@@ -564,6 +565,7 @@ function run() {
   expression_should_be_parseable("-moz-images-in-buttons: 0");
   expression_should_be_parseable("-moz-windows-default-theme: 0");
   expression_should_be_parseable("-moz-mac-graphite-theme: 0");
+  expression_should_be_parseable("-moz-mac-lion-theme: 0");
   expression_should_be_parseable("-moz-windows-compositor: 0");
   expression_should_be_parseable("-moz-windows-classic: 0");
   expression_should_be_parseable("-moz-touch-enabled: 0");
@@ -578,6 +580,7 @@ function run() {
   expression_should_be_parseable("-moz-images-in-buttons: 1");
   expression_should_be_parseable("-moz-windows-default-theme: 1");
   expression_should_be_parseable("-moz-mac-graphite-theme: 1");
+  expression_should_be_parseable("-moz-mac-lion-theme: 1");
   expression_should_be_parseable("-moz-windows-compositor: 1");
   expression_should_be_parseable("-moz-windows-classic: 1");
   expression_should_be_parseable("-moz-touch-enabled: 1");
@@ -592,6 +595,7 @@ function run() {
   expression_should_not_be_parseable("-moz-images-in-buttons: -1");
   expression_should_not_be_parseable("-moz-windows-default-theme: -1");
   expression_should_not_be_parseable("-moz-mac-graphite-theme: -1");
+  expression_should_not_be_parseable("-moz-mac-lion-theme: -1");
   expression_should_not_be_parseable("-moz-windows-compositor: -1");
   expression_should_not_be_parseable("-moz-windows-classic: -1");
   expression_should_not_be_parseable("-moz-touch-enabled: -1");
@@ -606,6 +610,7 @@ function run() {
   expression_should_not_be_parseable("-moz-images-in-buttons: true");
   expression_should_not_be_parseable("-moz-windows-default-theme: true");
   expression_should_not_be_parseable("-moz-mac-graphite-theme: true");
+  expression_should_not_be_parseable("-moz-mac-lion-theme: true");
   expression_should_not_be_parseable("-moz-windows-compositor: true");
   expression_should_not_be_parseable("-moz-windows-classic: true");
   expression_should_not_be_parseable("-moz-touch-enabled: true");
diff --git a/layout/xul/base/reftest/image-scaling-min-height-1-ref.xul b/layout/xul/base/reftest/image-scaling-min-height-1-ref.xul
new file mode 100644
index 000000000000..595450fe4716
--- /dev/null
+++ b/layout/xul/base/reftest/image-scaling-min-height-1-ref.xul
@@ -0,0 +1,14 @@
+
+
+
+
+
+
+
diff --git a/layout/xul/base/reftest/image-scaling-min-height-1.xul b/layout/xul/base/reftest/image-scaling-min-height-1.xul
new file mode 100644
index 000000000000..5c45d6b0c90e
--- /dev/null
+++ b/layout/xul/base/reftest/image-scaling-min-height-1.xul
@@ -0,0 +1,14 @@
+
+
+
+
+
+
+
diff --git a/layout/xul/base/reftest/reftest.list b/layout/xul/base/reftest/reftest.list
index 4742b9b0e207..c0f543284a3e 100644
--- a/layout/xul/base/reftest/reftest.list
+++ b/layout/xul/base/reftest/reftest.list
@@ -1,4 +1,5 @@
-== textbox-multiline-noresize.xul textbox-multiline-ref.xul 
+fails-if(Android) == textbox-multiline-noresize.xul textbox-multiline-ref.xul # reference is blank on Android (due to no native theme support?)
 != textbox-multiline-resize.xul textbox-multiline-ref.xul 
 == popup-explicit-size.xul popup-explicit-size-ref.xul
 == image-size.xul image-size-ref.xul
+== image-scaling-min-height-1.xul image-scaling-min-height-1-ref.xul
diff --git a/layout/xul/base/src/nsResizerFrame.cpp b/layout/xul/base/src/nsResizerFrame.cpp
index 38b345c34993..679d66af3549 100644
--- a/layout/xul/base/src/nsResizerFrame.cpp
+++ b/layout/xul/base/src/nsResizerFrame.cpp
@@ -61,6 +61,7 @@
 #include "nsMenuPopupFrame.h"
 #include "nsIScreenManager.h"
 #include "mozilla/dom/Element.h"
+#include "nsContentErrors.h"
 
 
 //
@@ -253,59 +254,31 @@ nsResizerFrame::HandleEvent(nsPresContext* aPresContext,
           appUnitsRect.height = mRect.height;
         nsIntRect cssRect = appUnitsRect.ToInsidePixels(nsPresContext::AppUnitsPerCSSPixel());
 
-        nsAutoString widthstr, heightstr;
-        widthstr.AppendInt(cssRect.width);
-        heightstr.AppendInt(cssRect.height);
+        nsIntRect oldRect;
+        nsWeakFrame weakFrame(menuPopupFrame);
+        if (menuPopupFrame) {
+          nsCOMPtr widget;
+          menuPopupFrame->GetWidget(getter_AddRefs(widget));
+          if (widget)
+            widget->GetScreenBounds(oldRect);
 
-        // for XUL elements, just set the width and height attributes. For
-        // other elements, set style.width and style.height
-        if (contentToResize->IsXUL()) {
-          nsIntRect oldRect;
-          nsWeakFrame weakFrame(menuPopupFrame);
-          if (menuPopupFrame) {
-            nsCOMPtr widget;
-            menuPopupFrame->GetWidget(getter_AddRefs(widget));
-            if (widget)
-              widget->GetScreenBounds(oldRect);
-
-            // convert the new rectangle into outer window coordinates
-            nsIntPoint clientOffset = widget->GetClientOffset();
-            rect.x -= clientOffset.x; 
-            rect.y -= clientOffset.y; 
-          }
-
-          // only set the property if the element could have changed in that direction
-          if (direction.mHorizontal) {
-            contentToResize->SetAttr(kNameSpaceID_None, nsGkAtoms::width, widthstr, PR_TRUE);
-          }
-          if (direction.mVertical) {
-            contentToResize->SetAttr(kNameSpaceID_None, nsGkAtoms::height, heightstr, PR_TRUE);
-          }
-
-          if (weakFrame.IsAlive() &&
-              (oldRect.x != rect.x || oldRect.y != rect.y) &&
-              (!menuPopupFrame->IsAnchored() ||
-               menuPopupFrame->PopupLevel() != ePopupLevelParent)) {
-            menuPopupFrame->MoveTo(rect.x, rect.y, PR_TRUE);
-          }
+          // convert the new rectangle into outer window coordinates
+          nsIntPoint clientOffset = widget->GetClientOffset();
+          rect.x -= clientOffset.x; 
+          rect.y -= clientOffset.y; 
         }
-        else {
-          nsCOMPtr inlineStyleContent =
-            do_QueryInterface(contentToResize);
-          if (inlineStyleContent) {
-            nsCOMPtr decl;
-            inlineStyleContent->GetStyle(getter_AddRefs(decl));
 
-            // only set the property if the element could have changed in that direction
-            if (direction.mHorizontal) {
-              widthstr.AppendLiteral("px");
-              decl->SetProperty(NS_LITERAL_STRING("width"), widthstr, EmptyString());
-            }
-            if (direction.mVertical) {
-              heightstr.AppendLiteral("px");
-              decl->SetProperty(NS_LITERAL_STRING("height"), heightstr, EmptyString());
-            }
-          }
+        SizeInfo sizeInfo, originalSizeInfo;
+        sizeInfo.width.AppendInt(cssRect.width);
+        sizeInfo.height.AppendInt(cssRect.height);
+        ResizeContent(contentToResize, direction, sizeInfo, &originalSizeInfo);
+        MaybePersistOriginalSize(contentToResize, originalSizeInfo);
+
+        if (weakFrame.IsAlive() &&
+            (oldRect.x != rect.x || oldRect.y != rect.y) &&
+            (!menuPopupFrame->IsAnchored() ||
+             menuPopupFrame->PopupLevel() != ePopupLevelParent)) {
+          menuPopupFrame->MoveTo(rect.x, rect.y, PR_TRUE);
         }
       }
       else {
@@ -323,6 +296,25 @@ nsResizerFrame::HandleEvent(nsPresContext* aPresContext,
       MouseClicked(aPresContext, aEvent);
     }
     break;
+
+  case NS_MOUSE_DOUBLECLICK:
+    if (aEvent->eventStructType == NS_MOUSE_EVENT &&
+        static_cast(aEvent)->button == nsMouseEvent::eLeftButton)
+    {
+      nsCOMPtr window;
+      nsIPresShell* presShell = aPresContext->GetPresShell();
+      nsIContent* contentToResize =
+        GetContentToResize(presShell, getter_AddRefs(window));
+      if (contentToResize) {
+        nsIFrame* frameToResize = contentToResize->GetPrimaryFrame();
+        if (frameToResize && frameToResize->GetType() == nsGkAtoms::menuPopupFrame)
+          break; // Don't restore original sizing for menupopup frames until
+                 // we handle screen constraints here. (Bug 357725)
+
+        RestoreOriginalSize(contentToResize);
+      }
+    }
+    break;
   }
 
   if (!doDefault)
@@ -418,6 +410,102 @@ nsResizerFrame::AdjustDimensions(PRInt32* aPos, PRInt32* aSize,
   }
 }
 
+/* static */ void
+nsResizerFrame::ResizeContent(nsIContent* aContent, const Direction& aDirection,
+                              const SizeInfo& aSizeInfo, SizeInfo* aOriginalSizeInfo)
+{
+  // for XUL elements, just set the width and height attributes. For
+  // other elements, set style.width and style.height
+  if (aContent->IsXUL()) {
+    if (aOriginalSizeInfo) {
+      aContent->GetAttr(kNameSpaceID_None, nsGkAtoms::width,
+                        aOriginalSizeInfo->width);
+      aContent->GetAttr(kNameSpaceID_None, nsGkAtoms::height,
+                        aOriginalSizeInfo->height);
+    }
+    // only set the property if the element could have changed in that direction
+    if (aDirection.mHorizontal) {
+      aContent->SetAttr(kNameSpaceID_None, nsGkAtoms::width, aSizeInfo.width, PR_TRUE);
+    }
+    if (aDirection.mVertical) {
+      aContent->SetAttr(kNameSpaceID_None, nsGkAtoms::height, aSizeInfo.height, PR_TRUE);
+    }
+  }
+  else {
+    nsCOMPtr inlineStyleContent =
+      do_QueryInterface(aContent);
+    if (inlineStyleContent) {
+      nsCOMPtr decl;
+      inlineStyleContent->GetStyle(getter_AddRefs(decl));
+
+      if (aOriginalSizeInfo) {
+        decl->GetPropertyValue(NS_LITERAL_STRING("width"),
+                               aOriginalSizeInfo->width);
+        decl->GetPropertyValue(NS_LITERAL_STRING("height"),
+                               aOriginalSizeInfo->height);
+      }
+
+      // only set the property if the element could have changed in that direction
+      if (aDirection.mHorizontal) {
+        nsAutoString widthstr(aSizeInfo.width);
+        if (!widthstr.IsEmpty() &&
+            !Substring(widthstr, widthstr.Length() - 2, 2).EqualsLiteral("px"))
+          widthstr.AppendLiteral("px");
+        decl->SetProperty(NS_LITERAL_STRING("width"), widthstr, EmptyString());
+      }
+      if (aDirection.mVertical) {
+        nsAutoString heightstr(aSizeInfo.height);
+        if (!heightstr.IsEmpty() &&
+            !Substring(heightstr, heightstr.Length() - 2, 2).EqualsLiteral("px"))
+          heightstr.AppendLiteral("px");
+        decl->SetProperty(NS_LITERAL_STRING("height"), heightstr, EmptyString());
+      }
+    }
+  }
+}
+
+/* static */ void
+nsResizerFrame::SizeInfoDtorFunc(void *aObject, nsIAtom *aPropertyName,
+                                 void *aPropertyValue, void *aData)
+{
+  nsResizerFrame::SizeInfo *propertyValue =
+    static_cast(aPropertyValue);
+  delete propertyValue;
+}
+
+/* static */ void
+nsResizerFrame::MaybePersistOriginalSize(nsIContent* aContent,
+                                         const SizeInfo& aSizeInfo)
+{
+  nsresult rv;
+
+  aContent->GetProperty(nsGkAtoms::_moz_original_size, &rv);
+  if (rv != NS_PROPTABLE_PROP_NOT_THERE)
+    return;
+
+  nsAutoPtr sizeInfo(new SizeInfo(aSizeInfo));
+  rv = aContent->SetProperty(nsGkAtoms::_moz_original_size, sizeInfo.get(),
+                             &SizeInfoDtorFunc);
+  if (NS_SUCCEEDED(rv))
+    sizeInfo.forget();
+}
+
+/* static */ void
+nsResizerFrame::RestoreOriginalSize(nsIContent* aContent)
+{
+  nsresult rv;
+  SizeInfo* sizeInfo =
+    static_cast(aContent->GetProperty(nsGkAtoms::_moz_original_size,
+                           &rv));
+  if (NS_FAILED(rv))
+    return;
+
+  NS_ASSERTION(sizeInfo, "We set a null sizeInfo!?");
+  Direction direction = {1, 1};
+  ResizeContent(aContent, direction, *sizeInfo, nsnull);
+  aContent->DeleteProperty(nsGkAtoms::_moz_original_size);
+}
+
 /* returns a Direction struct containing the horizontal and vertical direction
  */
 nsResizerFrame::Direction
diff --git a/layout/xul/base/src/nsResizerFrame.h b/layout/xul/base/src/nsResizerFrame.h
index 7212b1b480c9..e4d8c3d11be4 100644
--- a/layout/xul/base/src/nsResizerFrame.h
+++ b/layout/xul/base/src/nsResizerFrame.h
@@ -71,6 +71,15 @@ protected:
   static void AdjustDimensions(PRInt32* aPos, PRInt32* aSize,
                         PRInt32 aMovement, PRInt8 aResizerDirection);
 
+  struct SizeInfo {
+    nsString width, height;
+  };
+  static void SizeInfoDtorFunc(void *aObject, nsIAtom *aPropertyName,
+                               void *aPropertyValue, void *aData);
+  static void ResizeContent(nsIContent* aContent, const Direction& aDirection,
+                            const SizeInfo& aSizeInfo, SizeInfo* aOriginalSizeInfo);
+  static void MaybePersistOriginalSize(nsIContent* aContent, const SizeInfo& aSizeInfo);
+  static void RestoreOriginalSize(nsIContent* aContent);
 protected:
 	nsIntRect mMouseDownRect;
 	nsIntPoint mMouseDownPoint;
diff --git a/layout/xul/base/test/window_resizer_element.xul b/layout/xul/base/test/window_resizer_element.xul
index e760e7c02fdf..69c547b8030c 100644
--- a/layout/xul/base/test/window_resizer_element.xul
+++ b/layout/xul/base/test/window_resizer_element.xul
@@ -41,10 +41,17 @@ function testResizer(resizerid, noShrink, hResize, vResize, testid)
          " " + testid + " width moving " + mouseX + "," + mouseY + ",,," + hResize);
       is(Math.round(newrect.height), Math.round(expectedHeight), "resize element " + resizerid +
          " " + testid + " height moving " + mouseX + "," + mouseY);
-      // move it back before we release!
-      synthesizeMouse(document.documentElement, originalX + 5, originalY + 5, { type:"mousemove" });
-      synthesizeMouse(document.documentElement, originalX + 5, originalY + 5, { type:"mouseup" });
-    }
+      // release
+      synthesizeMouse(document.documentElement, originalX + 5 + mouseX * scale,
+                      originalY + 5 + mouseY * scale, { type:"mouseup" });    }
+      // return to the original size
+      synthesizeMouse(document.documentElement, originalX + 5 + mouseX * scale,
+                      originalY + 5 + mouseY * scale, { type:"dblclick" });    }
+      var newrect = document.getElementById(resizerid + "-container").getBoundingClientRect();
+      is(Math.round(newrect.width), Math.round(rect.width), "resize element " + resizerid +
+         " " + testid + " doubleclicking to restore original size");
+      is(Math.round(newrect.height), Math.round(rect.height), "resize element " + resizerid +
+         " " + testid + " doubleclicking to restore original size");
   }
 }
 
diff --git a/mobile/app/mobile.js b/mobile/app/mobile.js
index 0b1258685c9a..0ed920e5c6d7 100644
--- a/mobile/app/mobile.js
+++ b/mobile/app/mobile.js
@@ -372,7 +372,7 @@ pref("plugins.force.wmode", "opaque");
 pref("browser.geolocation.warning.infoURL", "http://www.mozilla.com/%LOCALE%/firefox/geolocation/");
 
 // base url for the wifi geolocation network provider
-pref("geo.wifi.uri", "https://www.google.com/loc/json");
+pref("geo.wifi.uri", "https://maps.googleapis.com/maps/api/browserlocation/json");
 
 // enable geo
 pref("geo.enabled", true);
diff --git a/mobile/chrome/content/ContentPopupHelper.js b/mobile/chrome/content/ContentPopupHelper.js
index 7a33734e2520..e3ce131d8aa4 100644
--- a/mobile/chrome/content/ContentPopupHelper.js
+++ b/mobile/chrome/content/ContentPopupHelper.js
@@ -93,10 +93,10 @@ var ContentPopupHelper = {
   },
 
   /**
-   * This method positioned an arrowbox on the screen using a 'virtual'
+   * This method positions an arrowbox on the screen using a 'virtual'
    * element as referrer that match the real content element
-   * This method called element.getBoundingClientRect() many times and can be
-   * expensive, do not called it too many times.
+   * This method calls element.getBoundingClientRect() many times and can be
+   * expensive, do not call it too many times.
    */
   anchorTo: function(aAnchorRect) {
     let popup = this._popup;
@@ -210,18 +210,21 @@ var ContentPopupHelper = {
 
       case "PanBegin":
       case "AnimatedZoomBegin":
-        popup.left = 0;
         popup.style.visibility = "hidden";
         break;
 
       case "PanFinished":
       case "AnimatedZoomEnd":
-        popup.style.visibility = "visible";
         this.anchorTo();
         break;
 
       case "MozBeforeResize":
-        popup.left = 0;
+        popup.style.visibility = "hidden";
+
+        // When screen orientation changes, we have to ensure that
+        // the popup width doesn't overflow the content's visible
+        // area.
+        popup.firstChild.style.maxWidth = "0px";
         break;
 
       case "resize":
diff --git a/mobile/chrome/content/ContextCommands.js b/mobile/chrome/content/ContextCommands.js
index 667be0206368..dac2eadd4c88 100644
--- a/mobile/chrome/content/ContextCommands.js
+++ b/mobile/chrome/content/ContextCommands.js
@@ -53,11 +53,6 @@ var ContextCommands = {
     Browser.addTab(ContextHelper.popupState.linkURL, false, Browser.selectedTab);
   },
 
-  saveLink: function cc_saveLink() {
-    let browser = ContextHelper.popupState.target;
-    ContentAreaUtils.saveURL(ContextHelper.popupState.linkURL, null, "SaveLinkTitle", false, true, browser.documentURI);
-  },
-
   saveImage: function cc_saveImage() {
     let popupState = ContextHelper.popupState;
     let browser = popupState.target;
diff --git a/mobile/chrome/content/bindings/browser.js b/mobile/chrome/content/bindings/browser.js
index 96fe2a135b74..56ab54af46a0 100644
--- a/mobile/chrome/content/bindings/browser.js
+++ b/mobile/chrome/content/bindings/browser.js
@@ -5,8 +5,6 @@ let Cu = Components.utils;
 
 Cu.import("resource://gre/modules/Services.jsm");
 
-dump("!! remote browser loaded\n");
-
 let WebProgressListener = {
   init: function() {
     let flags = Ci.nsIWebProgress.NOTIFY_LOCATION |
@@ -624,6 +622,13 @@ let ContentScroll =  {
           left: aEvent.x
         });
 
+        // Send event only after painting to make sure content views in the parent process have
+        // been updated.
+        addEventListener("MozAfterPaint", function afterPaint() {
+          removeEventListener("MozAfterPaint", afterPaint, false);
+          sendAsyncMessage("Content:UpdateDisplayPort");
+        }, false);
+
         break;
       }
     }
diff --git a/mobile/chrome/content/bindings/browser.xml b/mobile/chrome/content/bindings/browser.xml
index cf172b6f64a8..810fac39566e 100644
--- a/mobile/chrome/content/bindings/browser.xml
+++ b/mobile/chrome/content/bindings/browser.xml
@@ -134,7 +134,7 @@
                 }
                 break;
 
-              case "MozScrolledAreaChanged":
+              case "MozScrolledAreaChanged": {
                 self._contentDocumentWidth = json.width;
                 self._contentDocumentHeight = json.height;
                 self._contentDocumentLeft = (json.left < 0) ? json.left : 0;
@@ -143,6 +143,15 @@
                 let view = self.getRootView();
                 view.scrollBy(0, 0);
                 break;
+              }
+
+              case "Content:UpdateDisplayPort": {
+                // Recalculate whether the visible area is actually in bounds
+                let view = self.getRootView();
+                view.scrollBy(0, 0);
+                view._updateCacheViewport();
+                break;
+              }
             }
           }
         })
@@ -572,6 +581,7 @@
           this.messageManager.addMessageListener("pagehide", this._messageListenerLocal);
           this.messageManager.addMessageListener("DOMPopupBlocked", this._messageListenerLocal);
           this.messageManager.addMessageListener("MozScrolledAreaChanged", this._messageListenerLocal);
+          this.messageManager.addMessageListener("Content:UpdateDisplayPort", this._messageListenerLocal);
 
           this._webProgress._init();
 
diff --git a/mobile/chrome/content/browser-ui.js b/mobile/chrome/content/browser-ui.js
index 33a850761f64..37c849dec97c 100644
--- a/mobile/chrome/content/browser-ui.js
+++ b/mobile/chrome/content/browser-ui.js
@@ -272,31 +272,33 @@ var BrowserUI = {
     let awesomePanel = document.getElementById("awesome-panels");
     let awesomeHeader = document.getElementById("awesome-header");
 
-    let willShowPanel = (!this._activePanel && aPanel);
-    if (willShowPanel) {
-      this.pushDialog(aPanel);
-      this._edit.attachController();
-      this._editURI();
-      awesomePanel.hidden = awesomeHeader.hidden = false;
-    };
-
-    if (aPanel) {
-      aPanel.open();
-      if (this._edit.value == "")
-        this._showURI();
-    }
-
     let willHidePanel = (this._activePanel && !aPanel);
     if (willHidePanel) {
       awesomePanel.hidden = true;
       awesomeHeader.hidden = false;
       this._edit.reset();
       this._edit.detachController();
-      this.popDialog();
     }
 
-    if (this._activePanel)
+    if (this._activePanel) {
+      this.popDialog();
       this._activePanel.close();
+    }
+
+    let willShowPanel = (!this._activePanel && aPanel);
+    if (willShowPanel) {
+      this._edit.attachController();
+      this._editURI();
+      awesomePanel.hidden = awesomeHeader.hidden = false;
+    };
+
+    if (aPanel) {
+      this.pushDialog(aPanel);
+      aPanel.open();
+
+      if (this._edit.value == "")
+        this._showURI();
+    }
 
     // If the keyboard will cover the full screen, we do not want to show it right away.
     let isReadOnly = (aPanel != AllPagesList || this._isKeyboardFullscreen() || (!willShowPanel && this._edit.readOnly));
@@ -888,16 +890,16 @@ var BrowserUI = {
       return;
     }
 
-    // Check active panel
-    if (this.activePanel) {
-      this.activePanel = null;
+    // Check open dialogs
+    let dialog = this.activeDialog;
+    if (dialog && dialog != this.activePanel) {
+      dialog.close();
       return;
     }
 
-    // Check open dialogs
-    let dialog = this.activeDialog;
-    if (dialog) {
-      dialog.close();
+    // Check active panel
+    if (this.activePanel) {
+      this.activePanel = null;
       return;
     }
 
@@ -1261,11 +1263,13 @@ var BrowserUI = {
         break;
       case "cmd_remoteTabs":
         if (Weave.Status.checkSetup() == Weave.CLIENT_NOT_CONFIGURED) {
+          // We have to set activePanel before showing sync's dialog
+          // to make the sure the dialog stacking is correct.
+          this.activePanel = RemoteTabsList;
           WeaveGlue.open();
         } else if (!Weave.Service.isLoggedIn && !Services.prefs.getBoolPref("browser.sync.enabled")) {
           // unchecked the relative command button
           document.getElementById("remotetabs-button").removeAttribute("checked");
-          this.activePanel = null;
 
           BrowserUI.showPanel("prefs-container");
           let prefsBox = document.getElementById("prefs-list");
@@ -1277,11 +1281,10 @@ var BrowserUI = {
               prefsBox.scrollBoxObject.scrollTo(0, syncAreaY - prefsBoxY);
             }, 0);
           }
-
-          return;
+        } else {
+          this.activePanel = RemoteTabsList;
         }
 
-        this.activePanel = RemoteTabsList;
         break;
       case "cmd_quit":
         // Only close one window
diff --git a/mobile/chrome/content/browser.js b/mobile/chrome/content/browser.js
index c2cb9f6fea0f..dc7387d21ab6 100644
--- a/mobile/chrome/content/browser.js
+++ b/mobile/chrome/content/browser.js
@@ -322,6 +322,12 @@ var Browser = {
     os.addObserver(SessionHistoryObserver, "browser:purge-session-history", false);
     os.addObserver(ContentCrashObserver, "ipc:content-shutdown", false);
     os.addObserver(MemoryObserver, "memory-pressure", false);
+    os.addObserver(ActivityObserver, "application-background", false);
+    os.addObserver(ActivityObserver, "application-foreground", false);
+    os.addObserver(ActivityObserver, "system-active", false);
+    os.addObserver(ActivityObserver, "system-idle", false);
+    os.addObserver(ActivityObserver, "system-display-on", false);
+    os.addObserver(ActivityObserver, "system-display-off", false);
 
     // Listens for change in the viewable area
 #if MOZ_PLATFORM_MAEMO == 6
@@ -387,12 +393,6 @@ var Browser = {
     let event = document.createEvent("Events");
     event.initEvent("UIReady", true, false);
     window.dispatchEvent(event);
-
-    // If we have an opener this was not the first window opened and will not
-    // receive an initial resize event. instead we fire the resize handler manually
-    // Bug 610834
-    if (window.opener)
-      resizeHandler({ target: window });
   },
 
   _alertShown: function _alertShown() {
@@ -492,6 +492,12 @@ var Browser = {
     os.removeObserver(SessionHistoryObserver, "browser:purge-session-history");
     os.removeObserver(ContentCrashObserver, "ipc:content-shutdown");
     os.removeObserver(MemoryObserver, "memory-pressure");
+    os.removeObserver(ActivityObserver, "application-background", false);
+    os.removeObserver(ActivityObserver, "application-foreground", false);
+    os.removeObserver(ActivityObserver, "system-active", false);
+    os.removeObserver(ActivityObserver, "system-idle", false);
+    os.removeObserver(ActivityObserver, "system-display-on", false);
+    os.removeObserver(ActivityObserver, "system-display-off", false);
 
     window.controllers.removeController(this);
     window.controllers.removeController(BrowserUI);
@@ -2591,6 +2597,34 @@ var MemoryObserver = {
   }
 };
 
+var ActivityObserver = {
+  _inBackground : false,
+  _notActive : false,
+  _isDisplayOff : false,
+  observe: function ao_observe(aSubject, aTopic, aData) {
+    if (aTopic == "application-background") {
+      this._inBackground = true;
+    } else if (aTopic == "application-foreground") {
+      this._inBackground = false;
+    } else if (aTopic == "system-idle") {
+      this._notActive = true;
+    } else if (aTopic == "system-active") {
+      this._notActive = false;
+    } else if (aTopic == "system-display-on") {
+      this._isDisplayOff = false;
+    } else if (aTopic == "system-display-off") {
+      this._isDisplayOff = true;
+    }
+    let activeTabState = !this._inBackground && !this._notActive && !this._isDisplayOff;
+    if (Browser.selectedTab.active != activeTabState) {
+      // On Maemo all backgrounded applications getting portrait orientation
+      // so if browser had landscape mode then we need timeout in order
+      // to finish last rotate/paint operation and have nice lookine browser in TS
+      setTimeout(function() { Browser.selectedTab.active = activeTabState; }, 0);
+    }
+  }
+};
+
 function getNotificationBox(aBrowser) {
   return Browser.getNotificationBox(aBrowser);
 }
@@ -2936,8 +2970,7 @@ Tab.prototype = {
     if (isDefault) {
       if (browser.scale != this._defaultZoomLevel) {
         browser.scale = this._defaultZoomLevel;
-      }
-      else {
+      } else {
         // If the scale level has not changed we want to be sure the content
         // render correctly since the page refresh process could have been
         // stalled during page load. In this case if the page has the exact
diff --git a/mobile/chrome/content/browser.xul b/mobile/chrome/content/browser.xul
index e078ce84ccb8..4f2c28d5a88d 100644
--- a/mobile/chrome/content/browser.xul
+++ b/mobile/chrome/content/browser.xul
@@ -639,9 +639,6 @@
           
             
-          
-            
           
             
diff --git a/mobile/chrome/content/common-ui.js b/mobile/chrome/content/common-ui.js
index b417f60f90ec..a52aa5ca1551 100644
--- a/mobile/chrome/content/common-ui.js
+++ b/mobile/chrome/content/common-ui.js
@@ -1343,6 +1343,21 @@ var SelectionHelper = {
 
   handleEvent: function handleEvent(aEvent) {
     switch (aEvent.type) {
+      case "PanBegin":
+        window.removeEventListener("PanBegin", this, true);
+        window.removeEventListener("TapUp", this, true);
+        window.addEventListener("PanFinished", this, true);
+        this._start.hidden = true;
+        this._end.hidden = true;
+        break;
+      case "PanFinished":
+        window.removeEventListener("PanFinished", this, true);
+        try {
+          this.popupState.target.messageManager.sendAsyncMessage("Browser:SelectionMeasure", {});
+        } catch (e) {
+          Cu.reportError(e);
+        }
+        break
       case "TapDown":
         if (aEvent.target == this._start || aEvent.target == this._end) {
           this.target = aEvent.target;
@@ -1350,14 +1365,22 @@ var SelectionHelper = {
           this.deltaY = (aEvent.clientY - this.target.top);
           window.addEventListener("TapMove", this, true);
         } else {
-          this.hide(aEvent);
+          window.addEventListener("PanBegin", this, true);
+          window.addEventListener("TapUp", this, true);
+          this.target = null;
         }
         break;
       case "TapUp":
-        window.removeEventListener("TapMove", this, true);
-        this.target = null;
-        this.deltaX = -1;
-        this.deltaY = -1;
+        if (this.target) {
+          window.removeEventListener("TapMove", this, true);
+          this.target = null;
+          this.deltaX = -1;
+          this.deltaY = -1;
+        } else {
+          window.removeEventListener("PanBegin", this, true);
+          window.removeEventListener("TapUp", this, true);
+          this.hide(aEvent);
+        }
         break;
       case "TapMove":
         if (this.target) {
@@ -1375,10 +1398,18 @@ var SelectionHelper = {
         }
         break;
       case "resize":
-      case "keypress":
-      case "URLChanged":
       case "SizeChanged":
       case "ZoomChanged":
+      {
+        try {
+          this.popupState.target.messageManager.sendAsyncMessage("Browser:SelectionMeasure", {});
+        } catch (e) {
+          Cu.reportError(e);
+        }
+        break        
+      }
+      case "URLChanged":
+      case "keypress":
         this.hide(aEvent);
         break;
     }
diff --git a/mobile/chrome/content/content.js b/mobile/chrome/content/content.js
index 2a23667bf643..2f1111906092 100644
--- a/mobile/chrome/content/content.js
+++ b/mobile/chrome/content/content.js
@@ -1005,11 +1005,6 @@ ContextHandler.registerType("callto", function(aState, aElement) {
   return protocol == "tel" || protocol == "callto" || protocol == "sip" || protocol == "voipto";
 });
 
-ContextHandler.registerType("link-saveable", function(aState, aElement) {
-  let protocol = aState.linkProtocol;
-  return (protocol && protocol != "mailto" && protocol != "javascript" && protocol != "news" && protocol != "snews");
-});
-
 ContextHandler.registerType("link-openable", function(aState, aElement) {
   return Util.isOpenableScheme(aState.linkProtocol);
 });
@@ -1351,6 +1346,28 @@ var SelectionHandler = {
     addMessageListener("Browser:SelectionStart", this);
     addMessageListener("Browser:SelectionEnd", this);
     addMessageListener("Browser:SelectionMove", this);
+    addMessageListener("Browser:SelectionMeasure", this);
+  },
+
+  getCurrentWindowAndOffset: function(x, y, offset) {
+    let utils = Util.getWindowUtils(content);
+    let elem = utils.elementFromPoint(x, y, true, false);
+    while (elem && (elem instanceof HTMLIFrameElement || elem instanceof HTMLFrameElement)) {
+      // adjust client coordinates' origin to be top left of iframe viewport
+      let rect = elem.getBoundingClientRect();
+      scrollOffset = ContentScroll.getScrollOffset(elem.ownerDocument.defaultView);
+      offset.x += rect.left;
+      x -= rect.left;
+      
+      offset.y += rect.top + scrollOffset.y;
+      y -= rect.top + scrollOffset.y;
+      utils = elem.contentDocument.defaultView.QueryInterface(Ci.nsIInterfaceRequestor).getInterface(Ci.nsIDOMWindowUtils);
+      elem = utils.elementFromPoint(x, y, true, false);
+    }
+    if (!elem)
+      return;
+    
+    return { contentWindow: elem.ownerDocument.defaultView, offset: offset };
   },
 
   receiveMessage: function sh_receiveMessage(aMessage) {
@@ -1366,24 +1383,7 @@ var SelectionHandler = {
         // if this is an iframe, dig down to find the document that was clicked
         let x = json.x - scrollOffset.x;
         let y = json.y - scrollOffset.y;
-        let offset = scrollOffset;
-        let elem = utils.elementFromPoint(x, y, true, false);
-        while (elem && (elem instanceof HTMLIFrameElement || elem instanceof HTMLFrameElement)) {
-          // adjust client coordinates' origin to be top left of iframe viewport
-          let rect = elem.getBoundingClientRect();
-          scrollOffset = ContentScroll.getScrollOffset(elem.ownerDocument.defaultView);
-          offset.x += rect.left;
-          x -= rect.left;
-
-          offset.y += rect.top + scrollOffset.y;
-          y -= rect.top + scrollOffset.y;
-          utils = elem.contentDocument.defaultView.QueryInterface(Ci.nsIInterfaceRequestor).getInterface(Ci.nsIDOMWindowUtils);
-          elem = utils.elementFromPoint(x, y, true, false);
-        }
-        if (!elem)
-          return;
-
-        let contentWindow = elem.ownerDocument.defaultView;
+        let { contentWindow: contentWindow, offset: offset } = this.getCurrentWindowAndOffset(x, y, scrollOffset);
         let currentDocShell = contentWindow.QueryInterface(Ci.nsIInterfaceRequestor).getInterface(Ci.nsIWebNavigation).QueryInterface(Ci.nsIDocShell);
 
         // Remove any previous selected or created ranges. Tapping anywhere on a
@@ -1391,13 +1391,13 @@ var SelectionHandler = {
         let selection = contentWindow.getSelection();
         selection.removeAllRanges();
 
-        // Position the caret using a fake mouse click
-        utils.sendMouseEventToWindow("mousedown", x, y, 0, 1, 0, true);
-        utils.sendMouseEventToWindow("mouseup", x, y, 0, 1, 0, true);
-
-        // Select the word nearest the caret
         try {
+          let caretPos = contentWindow.document.caretPositionFromPoint(json.x - scrollOffset.x, json.y - scrollOffset.y);
           let selcon = currentDocShell.QueryInterface(Ci.nsIInterfaceRequestor).getInterface(Ci.nsISelectionDisplay).QueryInterface(Ci.nsISelectionController);
+          let sel = selcon.getSelection(1);
+          sel.collapse(caretPos.offsetNode, caretPos.offset);
+
+          // Select the word nearest the caret
           selcon.wordMove(false, false);
           selcon.wordMove(true, true);
         } catch(e) {
@@ -1438,7 +1438,9 @@ var SelectionHandler = {
           if (this.contentWindow)
             this.contentWindow.getSelection().removeAllRanges();
           this.contentWindow = null;
-        } catch(e) {}
+        } catch(e) {
+          Cu.reportError(e);
+        }
 
         if (pointInSelection && this.selectedText.length) {
           let clipboard = Cc["@mozilla.org/widget/clipboardhelper;1"].getService(Ci.nsIClipboardHelper);
@@ -1454,33 +1456,37 @@ var SelectionHandler = {
         if (!this.contentWindow)
           return;
 
-        // Hack to avoid setting focus in a textbox [Bugs 654352 & 667243]
-        let elemUnder = elementFromPoint(json.x - scrollOffset.x, json.y - scrollOffset.y);
-        if (elemUnder && elemUnder instanceof Ci.nsIDOMHTMLInputElement || elemUnder instanceof Ci.nsIDOMHTMLTextAreaElement)
+        let x = json.x - scrollOffset.x;
+        let y = json.y - scrollOffset.y;
+
+        try {
+          let caretPos = this.contentWindow.document.caretPositionFromPoint(x, y);
+          if (caretPos.offsetNode == null ||
+              caretPos.offsetNode instanceof Ci.nsIDOMHTMLInputElement || 
+              caretPos.offsetNode instanceof Ci.nsIDOMHTMLTextAreaElement ||
+              caretPos.offsetNode.ownerDocument.defaultView != this.contentWindow)
+            return;
+
+          // Keep the cache in "client" coordinates
+          if (json.type == "end")
+            this.cache.end = { x: json.x, y: json.y };
+          else
+            this.cache.start = { x: json.x, y: json.y };
+
+          let currentDocShell = this.contentWindow.QueryInterface(Ci.nsIInterfaceRequestor).getInterface(Ci.nsIWebNavigation).QueryInterface(Ci.nsIDocShell);
+          let selcon = currentDocShell.QueryInterface(Ci.nsIInterfaceRequestor).getInterface(Ci.nsISelectionDisplay).QueryInterface(Ci.nsISelectionController);
+          let sel = selcon.getSelection(1);
+          if (json.type != "end") {
+            let focusOffset = sel.focusOffset;
+            let focusNode = sel.focusNode;
+            sel.collapse(caretPos.offsetNode, caretPos.offset);
+            sel.extend(focusNode, focusOffset);
+          } else {
+            sel.extend(caretPos.offsetNode, caretPos.offset);
+          }
+        } catch(e) {
+          Cu.reportError(e);
           return;
-
-        // Limit the selection to the initial content window (don't leave or enter iframes)
-        if (elemUnder && elemUnder.ownerDocument.defaultView != this.contentWindow)
-          return;
-
-        // Use fake mouse events to update the selection
-        if (json.type == "end") {
-          // Keep the cache in "client" coordinates, but translate for the mouse event
-          this.cache.end = { x: json.x, y: json.y };
-          let end = { x: this.cache.end.x - scrollOffset.x, y: this.cache.end.y - scrollOffset.y };
-          utils.sendMouseEventToWindow("mousedown", end.x, end.y, 0, 1, Ci.nsIDOMNSEvent.SHIFT_MASK, true);
-          utils.sendMouseEventToWindow("mouseup", end.x, end.y, 0, 1, Ci.nsIDOMNSEvent.SHIFT_MASK, true);
-        } else {
-          // Keep the cache in "client" coordinates, but translate for the mouse event
-          this.cache.start = { x: json.x, y: json.y };
-          let start = { x: this.cache.start.x - scrollOffset.x, y: this.cache.start.y - scrollOffset.y };
-          let end = { x: this.cache.end.x - scrollOffset.x, y: this.cache.end.y - scrollOffset.y };
-
-          utils.sendMouseEventToWindow("mousedown", start.x, start.y, 0, 0, 0, true);
-          utils.sendMouseEventToWindow("mouseup", start.x, start.y, 0, 0, 0, true);
-
-          utils.sendMouseEventToWindow("mousedown", end.x, end.y, 0, 1, Ci.nsIDOMNSEvent.SHIFT_MASK, true);
-          utils.sendMouseEventToWindow("mouseup", end.x, end.y, 0, 1, Ci.nsIDOMNSEvent.SHIFT_MASK, true);
         }
 
         // Cache the selected text since the selection might be gone by the time we get the "end" message
@@ -1491,6 +1497,26 @@ var SelectionHandler = {
         let range = selection.getRangeAt(0).QueryInterface(Ci.nsIDOMNSRange);
         this.cache.rect = this._extractFromRange(range, this.cache.offset).rect;
         break;
+      case "Browser:SelectionMeasure": {
+        let selection = this.contentWindow.getSelection();
+        let range = selection.getRangeAt(0).QueryInterface(Ci.nsIDOMNSRange);
+        if (!range)
+          return;
+
+        // Cache the selected text since the selection might be gone by the time we get the "end" message
+        this.selectedText = selection.toString().trim();
+
+        // If the range didn't have any text, let's bail
+        if (!this.selectedText.length) {
+          selection.removeAllRanges();
+          return;
+        }
+
+        this.cache = this._extractFromRange(range, this.cache.offset);
+
+        sendAsyncMessage("Browser:SelectionRange", this.cache);
+        break;
+      }
     }
   },
 
diff --git a/mobile/chrome/tests/browser_tapping.js b/mobile/chrome/tests/browser_tapping.js
index 0cd2e6bf9a89..bc177ad51de4 100644
--- a/mobile/chrome/tests/browser_tapping.js
+++ b/mobile/chrome/tests/browser_tapping.js
@@ -263,7 +263,7 @@ gTests.push({
   contextPlainLinkTest: function() {
     waitForContextMenu(function(aJSON) {
       is(aJSON.linkTitle, "A blank page - nothing interesting", "Text content should be the content of the second link");
-      ok(checkContextTypes(["link", "link-saveable","link-openable"]), "Plain link context types");
+      ok(checkContextTypes(["link", "link-openable"]), "Plain link context types");
     }, gCurrentTest.contextPlainImageTest);
 
     let browser = gCurrentTab.browser;
@@ -292,7 +292,7 @@ gTests.push({
 
   contextNestedImageTest: function() {
     waitForContextMenu(function() {
-      ok(checkContextTypes(["link", "link-saveable","image","image-shareable","image-loaded","link-openable"]), "Nested image context types");
+      ok(checkContextTypes(["link","image","image-shareable","image-loaded","link-openable"]), "Nested image context types");
     }, runNextTest);
 
     let browser = gCurrentTab.browser;
diff --git a/mobile/chrome/tests/remote_head.js b/mobile/chrome/tests/remote_head.js
index 2d08274ce41c..157d2e7b8252 100644
--- a/mobile/chrome/tests/remote_head.js
+++ b/mobile/chrome/tests/remote_head.js
@@ -1,9 +1,7 @@
-dump("======================== Remote Head loaded ========================\n");
-
 // XXX Those constants are here because EventUtils.js need them
-const window = content.document.defaultView.wrappedJSObject;
-const Element = Components.interfaces.nsIDOMElement;
-const netscape = window.netscape;
+window = content.document.defaultView.wrappedJSObject;
+Element = Components.interfaces.nsIDOMElement;
+netscape = window.netscape;
 
 let AsyncTests = {
   _tests: [],
diff --git a/mobile/installer/Makefile.in b/mobile/installer/Makefile.in
index 52478d7da3fb..585e712363ec 100644
--- a/mobile/installer/Makefile.in
+++ b/mobile/installer/Makefile.in
@@ -179,16 +179,14 @@ PP_DEB_FILES =	debian/control \
 		debian/fennec.postinst \
 		$(NULL)
 
-ifdef MOZ_ENABLE_CONTENTMANAGER
-PP_DEB_FILES += debian/fennec.aegis \
-               $(NULL)
-endif
 ifeq ($(MOZ_PLATFORM_MAEMO),6)
-PP_DEB_FILES += debian/backup \
-                debian/restore \
-		 debian/fennec.conf \
-		 debian/fennec-cud.sh \
-		 debian/fennec-rfs.sh \
+PP_DEB_FILES += debian/fennec.aegis \
+		debian/backup \
+		debian/restore \
+		debian/fennec.conf \
+		debian/fennec-cud.sh \
+		debian/fennec-rfs.sh \
+		 debian/fennec.policy \
                 $(NULL)
 endif
 
@@ -224,7 +222,8 @@ ifeq ($(MOZ_PLATFORM_MAEMO),6)
 	cp debian/$(MOZ_APP_NAME).conf $(DEBDESTDIR)/usr/share/backup-framework/applications/$(MOZ_APP_NAME).conf
 	cp debian/$(MOZ_APP_NAME)-cud.sh $(DEBDESTDIR)/etc/osso-cud-scripts/$(MOZ_APP_NAME)-cud.sh
 	cp debian/$(MOZ_APP_NAME)-rfs.sh $(DEBDESTDIR)/etc/osso-rfs-scripts/$(MOZ_APP_NAME)-rfs.sh
-
+	$(NSINSTALL) -D $(DEBDESTDIR)/usr/share/policy/etc/syspart.conf.d
+	cp debian/$(MOZ_APP_NAME).policy $(DEBDESTDIR)/usr/share/policy/etc/syspart.conf.d/$(MOZ_APP_NAME)
 else
 	$(NSINSTALL)  debian/$(MOZ_APP_NAME).desktop $(DEBDESTDIR)/usr/share/applications/hildon/
 	$(NSINSTALL) -D $(DEBDESTDIR)/usr/share/dbus-1/services/
@@ -240,7 +239,7 @@ endif
 
 # a defined CONTENTMANAGER implicitly means MOZ_PLATFORM_MAEMO is equals 6
 # in case you use CONTENTMANGER you need to sign your package to gain tracker access.
-ifdef MOZ_ENABLE_CONTENTMANAGER
+ifeq ($(MOZ_PLATFORM_MAEMO),6)
 	if test -e "/usr/bin/aegis-deb-add"; then \
 	   fakeroot aegis-deb-add -control $(DEBDESTDIR)/DEBIAN/control .. debian/fennec.aegis=_aegis; \
 	else \
diff --git a/mobile/installer/debian/fennec.aegis.in b/mobile/installer/debian/fennec.aegis.in
index e98f5640dc19..370cd385efec 100644
--- a/mobile/installer/debian/fennec.aegis.in
+++ b/mobile/installer/debian/fennec.aegis.in
@@ -1,7 +1,11 @@
+#filter substitution
 
   
     
     
+    
+    
+    
   
 
 
diff --git a/mobile/installer/debian/fennec.policy.in b/mobile/installer/debian/fennec.policy.in
new file mode 100644
index 000000000000..98912d518812
--- /dev/null
+++ b/mobile/installer/debian/fennec.policy.in
@@ -0,0 +1,4 @@
+#filter substitution
+[classify browser]
+@installdir@/@MOZ_APP_NAME@
+@installdir@/plugin-container
diff --git a/mobile/locales/en-US/chrome/browser.dtd b/mobile/locales/en-US/chrome/browser.dtd
index 34eadcc70059..2c2f3d030b89 100644
--- a/mobile/locales/en-US/chrome/browser.dtd
+++ b/mobile/locales/en-US/chrome/browser.dtd
@@ -93,7 +93,6 @@
 
 
 
-
 
 
 
diff --git a/modules/libpr0n/src/imgLoader.cpp b/modules/libpr0n/src/imgLoader.cpp
index 0488b1650f6f..04faeb86f556 100644
--- a/modules/libpr0n/src/imgLoader.cpp
+++ b/modules/libpr0n/src/imgLoader.cpp
@@ -62,7 +62,6 @@
 #include "nsIProgressEventSink.h"
 #include "nsIChannelEventSink.h"
 #include "nsIAsyncVerifyRedirectCallback.h"
-#include "nsIProxyObjectManager.h"
 #include "nsIServiceManager.h"
 #include "nsIFileURL.h"
 #include "nsThreadUtils.h"
diff --git a/modules/libpr0n/src/imgRequest.cpp b/modules/libpr0n/src/imgRequest.cpp
index 36e857fd5d41..c24354cb8ee9 100644
--- a/modules/libpr0n/src/imgRequest.cpp
+++ b/modules/libpr0n/src/imgRequest.cpp
@@ -67,7 +67,6 @@
 
 #include "nsIComponentManager.h"
 #include "nsIInterfaceRequestorUtils.h"
-#include "nsIProxyObjectManager.h"
 #include "nsIServiceManager.h"
 #include "nsISupportsPrimitives.h"
 #include "nsIScriptSecurityManager.h"
diff --git a/modules/libpr0n/test/unit/xpcshell.ini b/modules/libpr0n/test/unit/xpcshell.ini
index 756f31b1b1d5..b1086d4e6d75 100644
--- a/modules/libpr0n/test/unit/xpcshell.ini
+++ b/modules/libpr0n/test/unit/xpcshell.ini
@@ -8,4 +8,6 @@ tail =
 [test_encoder_apng.js]
 [test_encoder_png.js]
 [test_imgtools.js]
+# Bug 676968: test fails consistently on Android
+fail-if = os == "android"
 [test_moz_icon_uri.js]
diff --git a/modules/libpref/src/init/all.js b/modules/libpref/src/init/all.js
index 0cdce378cddd..6290a3483894 100644
--- a/modules/libpref/src/init/all.js
+++ b/modules/libpref/src/init/all.js
@@ -1482,6 +1482,8 @@ pref("dom.ipc.plugins.enabled.602plugin.so", false);
 #endif
 #endif
 
+pref("dom.ipc.processCount", 1);
+
 pref("svg.smil.enabled", true);
 
 pref("font.minimum-size.ar", 0);
diff --git a/modules/libreg/src/Makefile.in b/modules/libreg/src/Makefile.in
index f5f27b8c9249..58e5132fae28 100644
--- a/modules/libreg/src/Makefile.in
+++ b/modules/libreg/src/Makefile.in
@@ -68,11 +68,6 @@ SDK_LIBRARY = $(LIBRARY)
 include $(topsrcdir)/config/config.mk
 
 DEFINES         += -DUSE_BUFFERED_REGISTRY_IO	
-# Memory mapped files are not supported under QNX, Neutrino, HP-UX and BeOS
-#ifeq (,$(filter BeOS HP-UX QNX,$(OS_ARCH)))
-#CSRCS		+= mmapio.c
-#DEFINES		+= -DUSE_MMAP_REGISTRY_IO
-#endif
 
 include $(topsrcdir)/config/rules.mk
 
diff --git a/modules/libreg/src/mmapio.c b/modules/libreg/src/mmapio.c
deleted file mode 100644
index fd9d0ca6fd17..000000000000
--- a/modules/libreg/src/mmapio.c
+++ /dev/null
@@ -1,213 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is Mozilla Communicator.
- *
- * The Initial Developer of the Original Code is
- * James L. Nance.
- * Portions created by the Initial Developer are Copyright (C) 1999
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   James L. Nance 
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-#include 
-#include "mmapio.h"
-#include "prmem.h"
-#include "prlog.h"
-
-struct MmioFileStruct
-{
-    PRFileDesc *fd;
-    PRFileMap  *fileMap;
-    PRUint32   fsize; /* The size of the file */
-    PRUint32   msize; /* The size of the mmap()ed area */
-    PRInt32    pos;   /* Our logical position for doing I/O */
-    char       *addr; /* The base address of our mapping */
-    PRBool     needSeek; /* Do we need to seek to pos before doing a write() */
-};
-
-PRStatus mmio_FileSeek(MmioFile *mmio, PRInt32 offset, PRSeekWhence whence)
-{
-    mmio->needSeek = PR_TRUE;
-
-    switch(whence) {
-        case PR_SEEK_SET:
-            mmio->pos = offset;
-            break;
-        case PR_SEEK_END:
-            mmio->pos = mmio->fsize + offset;
-            break;
-        case PR_SEEK_CUR:
-            mmio->pos = mmio->pos + offset;
-            break;
-        default:
-            return PR_FAILURE;
-    }
-
-    if(mmio->pos<0) {
-        mmio->pos = 0;
-    }
-
-    return PR_SUCCESS;
-}
-
-PRInt32  mmio_FileRead(MmioFile *mmio, char *dest, PRInt32 count)
-{
-    static PRFileMapProtect prot = PR_PROT_READONLY;
-    static PRInt64 fsize_l;
-
-    /* First see if we are going to try and read past the end of the file
-     * and shorten count if we are.
-    */
-    if(mmio->pos+count > mmio->fsize) {
-        count = mmio->fsize - mmio->pos;
-    }
-
-    if(count<1) {
-        return 0;
-    }
-
-    /* Check to see if we need to remap for this read */
-    if(mmio->pos+count > mmio->msize) {
-        if(mmio->addr && mmio->msize) {
-            PR_ASSERT(mmio->fileMap);
-            PR_MemUnmap(mmio->addr, mmio->msize);
-            PR_CloseFileMap(mmio->fileMap);
-            mmio->addr  = NULL;
-            mmio->msize = 0;
-        }
-
-        LL_UI2L(fsize_l, mmio->fsize);
-        mmio->fileMap = PR_CreateFileMap(mmio->fd, fsize_l, prot);
-
-        if(!mmio->fileMap) {
-            return -1;
-        }
-
-        mmio->addr = PR_MemMap(mmio->fileMap, 0, fsize_l);
-
-        if(!mmio->addr) {
-            return -1;
-        }
-
-        mmio->msize = mmio->fsize;
-    }
-
-    memcpy(dest, mmio->addr+mmio->pos, count);
-
-    mmio->pos += count;
-    mmio->needSeek = PR_TRUE;
-
-    return count;
-}
-
-PRInt32  mmio_FileWrite(MmioFile *mmio, const char *src, PRInt32 count)
-{
-    PRInt32 wcode;
-
-    if(mmio->needSeek) {
-        PR_Seek(mmio->fd, mmio->pos, PR_SEEK_SET);
-        mmio->needSeek = PR_FALSE;
-    }
-
-    /* If this system does not keep mmap() and write() synchronized, we can
-    ** force it to by doing an munmap() when we do a write.  This will
-    ** obviously slow things down but fortunatly we do not do that many
-    ** writes from within mozilla.  Platforms which need this may want to
-    ** use the new USE_BUFFERED_REGISTRY_IO code instead of this code though.
-    */
-#if MMAP_MISSES_WRITES
-    if(mmio->addr && mmio->msize) {
-	PR_ASSERT(mmio->fileMap);
-	PR_MemUnmap(mmio->addr, mmio->msize);
-	PR_CloseFileMap(mmio->fileMap);
-	mmio->addr  = NULL;
-	mmio->msize = 0;
-    }
-#endif
-
-    wcode = PR_Write(mmio->fd, src, count);
-
-    if(wcode>0) {
-        mmio->pos += wcode;
-        if(mmio->pos>mmio->fsize) {
-            mmio->fsize=mmio->pos;
-        }
-    }
-
-    return wcode;
-}
-
-PRInt32  mmio_FileTell(MmioFile *mmio)
-{
-    return mmio->pos;
-}
-
-PRStatus mmio_FileClose(MmioFile *mmio)
-{
-    if(mmio->addr && mmio->msize) {
-        PR_ASSERT(mmio->fileMap);
-        PR_MemUnmap(mmio->addr, mmio->msize);
-        PR_CloseFileMap(mmio->fileMap);
-    }
-
-    PR_Close(mmio->fd);
-
-    memset(mmio, 0, sizeof(*mmio)); /* Catch people who try to keep using it */
-
-    PR_Free(mmio);
-
-    return PR_SUCCESS;
-}
-
-MmioFile *mmio_FileOpen(char *path, PRIntn flags, PRIntn mode)
-{
-    PRFileDesc *fd = PR_Open(path, flags, mode);
-    PRFileInfo info;
-    MmioFile   *mmio;
-
-    if(!fd) {
-        return NULL;
-    }
-
-    mmio = PR_MALLOC(sizeof(MmioFile));
-
-    if(!mmio || PR_FAILURE==PR_GetOpenFileInfo(fd, &info)) {
-        PR_Close(fd);
-        return NULL;
-    }
-
-    mmio->fd = fd;
-    mmio->fileMap = NULL;
-    mmio->fsize = info.size;
-    mmio->msize = 0;
-    mmio->pos   = 0;
-    mmio->addr  = NULL;
-    mmio->needSeek = PR_FALSE;
-
-    return mmio;
-}
diff --git a/modules/libreg/src/vr_stubs.h b/modules/libreg/src/vr_stubs.h
index 50856ad1330a..f6eb75507ef8 100644
--- a/modules/libreg/src/vr_stubs.h
+++ b/modules/libreg/src/vr_stubs.h
@@ -137,26 +137,7 @@ typedef FILE          * XP_File;
 /* Alternate fileI/O function mappings */
 /*-------------------------------------*/
 
-#if USE_MMAP_REGISTRY_IO
-  /*-----------------------------------------------*/
-  /* NSPR mememory-mapped I/O (write through)      */
-  /* unfortunately this isn't supported on the Mac */
-  /*-----------------------------------------------*/
-#define USE_NSPR_MODES
-
-#include "mmapio.h"
-#define XP_FileSeek(file,offset,whence) mmio_FileSeek((file),(offset),(whence))
-#define XP_FileRead(dest,count,file)    mmio_FileRead((file), (dest), (count))
-#define XP_FileWrite(src,count,file)    mmio_FileWrite((file), (src), (count))
-#define XP_FileTell(file)               mmio_FileTell(file)
-#define XP_FileClose(file)              mmio_FileClose(file)
-#define XP_FileOpen(path, mode)         mmio_FileOpen((path), mode )
-#define XP_FileFlush(file)              ((void)1)
-#define XP_FileSetBufferSize(file, bufsize) (-1)
-
-typedef MmioFile* XP_File;
-
-#elif USE_BUFFERED_REGISTRY_IO
+#if USE_BUFFERED_REGISTRY_IO
   /*-----------------------------------------------*/
   /* home-grown XP buffering                       */
   /* writes are buffered too so use flush!         */
diff --git a/modules/plugin/test/unit/xpcshell.ini b/modules/plugin/test/unit/xpcshell.ini
deleted file mode 100644
index 4a721a47f077..000000000000
--- a/modules/plugin/test/unit/xpcshell.ini
+++ /dev/null
@@ -1,6 +0,0 @@
-[DEFAULT]
-head = head_plugins.js
-tail = 
-
-[test_bug455213.js]
-[test_bug471245.js]
diff --git a/netwerk/base/src/nsLoadGroup.cpp b/netwerk/base/src/nsLoadGroup.cpp
index 48d500f407fe..72a8f07cc34f 100644
--- a/netwerk/base/src/nsLoadGroup.cpp
+++ b/netwerk/base/src/nsLoadGroup.cpp
@@ -887,11 +887,6 @@ nsLoadGroup::TelemetryReportChannel(nsITimedChannel *aTimedChannel,
     if (NS_FAILED(rv) || !timingEnabled)
         return;
 
-    TimeStamp channelCreation;
-    rv = aTimedChannel->GetChannelCreation(&channelCreation);
-    if (NS_FAILED(rv))
-        return;
-
     TimeStamp asyncOpen;
     rv = aTimedChannel->GetAsyncOpen(&asyncOpen);
     // We do not check !asyncOpen.IsNull() bellow, prevent ASSERTIONs this way
@@ -972,7 +967,7 @@ nsLoadGroup::TelemetryReportChannel(nsITimedChannel *aTimedChannel,
             Telemetry::HTTP_##prefix##_FIRST_SENT_TO_LAST_RECEIVED,            \
             HISTOGRAM_TIME_DELTA(requestStart, responseEnd));                  \
                                                                                \
-        if (cacheReadStart.IsNull()) {                                         \
+        if (cacheReadStart.IsNull() && !responseStart.IsNull()) {              \
             Telemetry::Accumulate(                                             \
                 Telemetry::HTTP_##prefix##_OPEN_TO_FIRST_RECEIVED,             \
                 HISTOGRAM_TIME_DELTA(asyncOpen, responseStart));               \
diff --git a/netwerk/base/src/nsProxyAutoConfig.js b/netwerk/base/src/nsProxyAutoConfig.js
index cd80422cdfe8..84b08dcbc29e 100644
--- a/netwerk/base/src/nsProxyAutoConfig.js
+++ b/netwerk/base/src/nsProxyAutoConfig.js
@@ -75,7 +75,8 @@ nsProxyAutoConfig.prototype = {
         }
 
         // allocate a fresh Sandbox to clear global scope for new PAC script
-        this._sandBox = new Components.utils.Sandbox(pacURI);
+        this._sandBox = new Components.utils.Sandbox(pacURI, 
+                                                     {sandboxName: 'nsProxyAutoConfig'});
         Components.utils.evalInSandbox(pacUtils, this._sandBox);
 
         // add predefined functions to pac
diff --git a/netwerk/base/src/nsServerSocket.cpp b/netwerk/base/src/nsServerSocket.cpp
index 3d2a5ab3dc0d..bfc5424d3c0c 100644
--- a/netwerk/base/src/nsServerSocket.cpp
+++ b/netwerk/base/src/nsServerSocket.cpp
@@ -35,7 +35,6 @@
  *
  * ***** END LICENSE BLOCK ***** */
 
-#include "nsIProxyObjectManager.h"
 #include "nsIServiceManager.h"
 #include "nsSocketTransport2.h"
 #include "nsServerSocket.h"
@@ -361,6 +360,99 @@ nsServerSocket::Close()
   return PostEvent(this, &nsServerSocket::OnMsgClose);
 }
 
+namespace {
+
+class ServerSocketListenerProxy : public nsIServerSocketListener
+{
+public:
+  ServerSocketListenerProxy(nsIServerSocketListener* aListener)
+    : mListener(aListener)
+    , mTargetThread(do_GetCurrentThread())
+  { }
+
+  NS_DECL_ISUPPORTS
+  NS_DECL_NSISERVERSOCKETLISTENER
+
+  class OnSocketAcceptedRunnable : public nsRunnable
+  {
+  public:
+    OnSocketAcceptedRunnable(nsIServerSocketListener* aListener,
+                             nsIServerSocket* aServ,
+                             nsISocketTransport* aTransport)
+      : mListener(aListener)
+      , mServ(aServ)
+      , mTransport(aTransport)
+    { }
+    
+    NS_DECL_NSIRUNNABLE
+
+  private:
+    nsCOMPtr mListener;
+    nsCOMPtr mServ;
+    nsCOMPtr mTransport;
+  };
+
+  class OnStopListeningRunnable : public nsRunnable
+  {
+  public:
+    OnStopListeningRunnable(nsIServerSocketListener* aListener,
+                            nsIServerSocket* aServ,
+                            nsresult aStatus)
+      : mListener(aListener)
+      , mServ(aServ)
+      , mStatus(aStatus)
+    { }
+
+    NS_DECL_NSIRUNNABLE
+
+  private:
+    nsCOMPtr mListener;
+    nsCOMPtr mServ;
+    nsresult mStatus;
+  };
+
+private:
+  nsCOMPtr mListener;
+  nsCOMPtr mTargetThread;
+};
+
+NS_IMPL_THREADSAFE_ISUPPORTS1(ServerSocketListenerProxy,
+                              nsIServerSocketListener)
+
+NS_IMETHODIMP
+ServerSocketListenerProxy::OnSocketAccepted(nsIServerSocket* aServ,
+                                            nsISocketTransport* aTransport)
+{
+  nsRefPtr r =
+    new OnSocketAcceptedRunnable(mListener, aServ, aTransport);
+  return mTargetThread->Dispatch(r, NS_DISPATCH_NORMAL);
+}
+
+NS_IMETHODIMP
+ServerSocketListenerProxy::OnStopListening(nsIServerSocket* aServ,
+                                           nsresult aStatus)
+{
+  nsRefPtr r =
+    new OnStopListeningRunnable(mListener, aServ, aStatus);
+  return mTargetThread->Dispatch(r, NS_DISPATCH_NORMAL);
+}
+
+NS_IMETHODIMP
+ServerSocketListenerProxy::OnSocketAcceptedRunnable::Run()
+{
+  mListener->OnSocketAccepted(mServ, mTransport);
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+ServerSocketListenerProxy::OnStopListeningRunnable::Run()
+{
+  mListener->OnStopListening(mServ, mStatus);
+  return NS_OK;
+}
+
+} // anonymous namespace
+
 NS_IMETHODIMP
 nsServerSocket::AsyncListen(nsIServerSocketListener *aListener)
 {
@@ -369,13 +461,7 @@ nsServerSocket::AsyncListen(nsIServerSocketListener *aListener)
   NS_ENSURE_TRUE(mListener == nsnull, NS_ERROR_IN_PROGRESS);
   {
     MutexAutoLock lock(mLock);
-    nsresult rv = NS_GetProxyForObject(NS_PROXY_TO_CURRENT_THREAD,
-                                       NS_GET_IID(nsIServerSocketListener),
-                                       aListener,
-                                       NS_PROXY_ASYNC | NS_PROXY_ALWAYS,
-                                       getter_AddRefs(mListener));
-    if (NS_FAILED(rv))
-      return rv;
+    mListener = new ServerSocketListenerProxy(aListener);
     mListenerTarget = NS_GetCurrentThread();
   }
   return PostEvent(this, &nsServerSocket::OnMsgAttach);
diff --git a/netwerk/base/src/nsSocketTransport2.cpp b/netwerk/base/src/nsSocketTransport2.cpp
index 99927f93e06d..6604a5dbc6b5 100644
--- a/netwerk/base/src/nsSocketTransport2.cpp
+++ b/netwerk/base/src/nsSocketTransport2.cpp
@@ -60,7 +60,6 @@
 #include "prerr.h"
 
 #include "nsIServiceManager.h"
-#include "nsIProxyObjectManager.h"
 #include "nsISocketProviderService.h"
 #include "nsISocketProvider.h"
 #include "nsISSLSocketControl.h"
diff --git a/netwerk/build/Makefile.in b/netwerk/build/Makefile.in
index a48f05221c50..2843a0efcca0 100644
--- a/netwerk/build/Makefile.in
+++ b/netwerk/build/Makefile.in
@@ -140,9 +140,6 @@ LOCAL_INCLUDES += -I$(srcdir)/../wifi
 
 endif
 
-
-DEFINES += -DNECKO_OFFLINE_CACHE
-
 include $(topsrcdir)/config/config.mk
 include $(topsrcdir)/ipc/chromium/chromium-config.mk
 include $(topsrcdir)/config/rules.mk
diff --git a/netwerk/build/nsNetModule.cpp b/netwerk/build/nsNetModule.cpp
index c0cb696d1d6f..f74fbd3e6fee 100644
--- a/netwerk/build/nsNetModule.cpp
+++ b/netwerk/build/nsNetModule.cpp
@@ -215,11 +215,9 @@ NS_GENERIC_FACTORY_CONSTRUCTOR(nsNestedAboutURI)
 NS_GENERIC_FACTORY_CONSTRUCTOR(nsAboutCacheEntry)
 #endif
 
-#ifdef NECKO_OFFLINE_CACHE
 NS_GENERIC_FACTORY_SINGLETON_CONSTRUCTOR(nsOfflineCacheDevice, nsOfflineCacheDevice::GetInstance)
 NS_GENERIC_FACTORY_CONSTRUCTOR(nsApplicationCacheNamespace)
 NS_GENERIC_FACTORY_CONSTRUCTOR(nsApplicationCache)
-#endif
 
 #ifdef NECKO_PROTOCOL_file
 // file
@@ -769,11 +767,9 @@ NS_DEFINE_NAMED_CID(NS_SOCKSSOCKETPROVIDER_CID);
 NS_DEFINE_NAMED_CID(NS_SOCKS4SOCKETPROVIDER_CID);
 NS_DEFINE_NAMED_CID(NS_UDPSOCKETPROVIDER_CID);
 NS_DEFINE_NAMED_CID(NS_CACHESERVICE_CID);
-#ifdef NECKO_OFFLINE_CACHE
 NS_DEFINE_NAMED_CID(NS_APPLICATIONCACHESERVICE_CID);
 NS_DEFINE_NAMED_CID(NS_APPLICATIONCACHENAMESPACE_CID);
 NS_DEFINE_NAMED_CID(NS_APPLICATIONCACHE_CID);
-#endif
 #ifdef NECKO_COOKIES
 NS_DEFINE_NAMED_CID(NS_COOKIEMANAGER_CID);
 NS_DEFINE_NAMED_CID(NS_COOKIESERVICE_CID);
@@ -902,11 +898,9 @@ static const mozilla::Module::CIDEntry kNeckoCIDs[] = {
     { &kNS_SOCKS4SOCKETPROVIDER_CID, false, NULL, nsSOCKSSocketProvider::CreateV4 },
     { &kNS_UDPSOCKETPROVIDER_CID, false, NULL, nsUDPSocketProviderConstructor },
     { &kNS_CACHESERVICE_CID, false, NULL, nsCacheService::Create },
-#ifdef NECKO_OFFLINE_CACHE
     { &kNS_APPLICATIONCACHESERVICE_CID, false, NULL, nsOfflineCacheDeviceConstructor },
     { &kNS_APPLICATIONCACHENAMESPACE_CID, false, NULL, nsApplicationCacheNamespaceConstructor },
     { &kNS_APPLICATIONCACHE_CID, false, NULL, nsApplicationCacheConstructor },
-#endif
 #ifdef NECKO_COOKIES
     { &kNS_COOKIEMANAGER_CID, false, NULL, nsICookieServiceConstructor },
     { &kNS_COOKIESERVICE_CID, false, NULL, nsICookieServiceConstructor },
@@ -1044,11 +1038,9 @@ static const mozilla::Module::ContractIDEntry kNeckoContracts[] = {
     { NS_NETWORK_SOCKET_CONTRACTID_PREFIX "socks4", &kNS_SOCKS4SOCKETPROVIDER_CID },
     { NS_NETWORK_SOCKET_CONTRACTID_PREFIX "udp", &kNS_UDPSOCKETPROVIDER_CID },
     { NS_CACHESERVICE_CONTRACTID, &kNS_CACHESERVICE_CID },
-#ifdef NECKO_OFFLINE_CACHE
     { NS_APPLICATIONCACHESERVICE_CONTRACTID, &kNS_APPLICATIONCACHESERVICE_CID },
     { NS_APPLICATIONCACHENAMESPACE_CONTRACTID, &kNS_APPLICATIONCACHENAMESPACE_CID },
     { NS_APPLICATIONCACHE_CONTRACTID, &kNS_APPLICATIONCACHE_CID },
-#endif
 #ifdef NECKO_COOKIES
     { NS_COOKIEMANAGER_CONTRACTID, &kNS_COOKIEMANAGER_CID },
     { NS_COOKIESERVICE_CONTRACTID, &kNS_COOKIESERVICE_CID },
diff --git a/netwerk/cache/Makefile.in b/netwerk/cache/Makefile.in
index 0f5e5d18ed70..929e5e9dd19e 100644
--- a/netwerk/cache/Makefile.in
+++ b/netwerk/cache/Makefile.in
@@ -72,22 +72,15 @@ CPPSRCS = \
   nsCacheService.cpp \
   nsCacheSession.cpp \
   nsMemoryCacheDevice.cpp \
-  nsDiskCacheDeviceSQL.cpp \
-  $(NULL)
-
-ifdef NECKO_DISK_CACHE
-CPPSRCS += \
   nsDiskCacheBinding.cpp \
   nsDiskCacheBlockFile.cpp \
   nsDiskCacheDevice.cpp \
+  nsDiskCacheDeviceSQL.cpp \
   nsDiskCacheEntry.cpp \
   nsDiskCacheMap.cpp \
   nsDiskCacheStreams.cpp \
   nsDeleteDir.cpp \
   $(NULL)
-endif
-
-DEFINES += -DNECKO_OFFLINE_CACHE
 
 LOCAL_INCLUDES = \
   -I$(srcdir)/../base/src \
diff --git a/netwerk/cache/nsCacheService.cpp b/netwerk/cache/nsCacheService.cpp
index 336d77e7763e..a2f351faf66d 100644
--- a/netwerk/cache/nsCacheService.cpp
+++ b/netwerk/cache/nsCacheService.cpp
@@ -52,10 +52,7 @@
 #include "nsMemoryCacheDevice.h"
 #include "nsICacheVisitor.h"
 #include "nsDiskCacheDevice.h"
-
-#ifdef NECKO_OFFLINE_CACHE
 #include "nsDiskCacheDeviceSQL.h"
-#endif
 
 #include "nsIMemoryReporter.h"
 #include "nsIObserverService.h"
@@ -112,18 +109,14 @@ static const char * observerList[] = {
     NS_PRIVATE_BROWSING_SWITCH_TOPIC
 };
 static const char * prefList[] = { 
-#ifdef NECKO_DISK_CACHE
     DISK_CACHE_ENABLE_PREF,
     DISK_CACHE_SMART_SIZE_ENABLED_PREF,
     DISK_CACHE_CAPACITY_PREF,
     DISK_CACHE_DIR_PREF,
     DISK_CACHE_MAX_ENTRY_SIZE_PREF,
-#endif
-#ifdef NECKO_OFFLINE_CACHE
     OFFLINE_CACHE_ENABLE_PREF,
     OFFLINE_CACHE_CAPACITY_PREF,
     OFFLINE_CACHE_DIR_PREF,
-#endif
     MEMORY_CACHE_ENABLE_PREF,
     MEMORY_CACHE_CAPACITY_PREF,
     MEMORY_CACHE_MAX_ENTRY_SIZE_PREF
@@ -410,7 +403,6 @@ nsCacheProfilePrefObserver::Observe(nsISupports *     subject,
         if (NS_FAILED(rv))  
             return rv;
 
-#ifdef NECKO_DISK_CACHE
         // which preference changed?
         if (!strcmp(DISK_CACHE_ENABLE_PREF, data.get())) {
 
@@ -478,10 +470,8 @@ nsCacheProfilePrefObserver::Observe(nsISupports *     subject,
             // XXX notification that the pref change won't take effect until
             // XXX the next time the profile changes (browser launch)
 #endif            
-        } else 
-#endif // !NECKO_DISK_CACHE
+        } else
 
-#ifdef NECKO_OFFLINE_CACHE
         // which preference changed?
         if (!strcmp(OFFLINE_CACHE_ENABLE_PREF, data.get())) {
 
@@ -507,7 +497,6 @@ nsCacheProfilePrefObserver::Observe(nsISupports *     subject,
             // XXX the next time the profile changes (browser launch)
 #endif
         } else
-#endif // !NECKO_OFFLINE_CACHE
 
         if (!strcmp(MEMORY_CACHE_ENABLE_PREF, data.get())) {
 
@@ -539,39 +528,29 @@ nsCacheProfilePrefObserver::Observe(nsISupports *     subject,
 
             nsCacheService::OnEnterExitPrivateBrowsing();
 
-#ifdef NECKO_DISK_CACHE
             mDiskCacheEnabled = PR_FALSE;
             nsCacheService::SetDiskCacheEnabled(DiskCacheEnabled());
-#endif // !NECKO_DISK_CACHE
 
-#ifdef NECKO_OFFLINE_CACHE
             mOfflineCacheEnabled = PR_FALSE;
             nsCacheService::SetOfflineCacheEnabled(OfflineCacheEnabled());
-#endif // !NECKO_OFFLINE_CACHE
         } else if (!strcmp(NS_PRIVATE_BROWSING_LEAVE, data.get())) {
             mInPrivateBrowsing = PR_FALSE;
 
             nsCacheService::OnEnterExitPrivateBrowsing();
 
-#if defined(NECKO_DISK_CACHE) || defined(NECKO_OFFLINE_CACHE)
             nsCOMPtr branch = do_GetService(NS_PREFSERVICE_CONTRACTID, &rv);
             if (NS_FAILED(rv))  
                 return rv;
-#endif // !NECKO_DISK_CACHE && !NECKO_OFFLINE_CACHE
 
-#ifdef NECKO_DISK_CACHE
             mDiskCacheEnabled = PR_TRUE; // by default enabled
             (void) branch->GetBoolPref(DISK_CACHE_ENABLE_PREF,
                                        &mDiskCacheEnabled);
             nsCacheService::SetDiskCacheEnabled(DiskCacheEnabled());
-#endif // !NECKO_DISK_CACHE
 
-#ifdef NECKO_OFFLINE_CACHE
             mOfflineCacheEnabled = PR_TRUE; // by default enabled
             (void) branch->GetBoolPref(OFFLINE_CACHE_ENABLE_PREF,
                                        &mOfflineCacheEnabled);
             nsCacheService::SetOfflineCacheEnabled(OfflineCacheEnabled());
-#endif // !NECKO_OFFLINE_CACHE
         }
     }
     
@@ -674,7 +653,6 @@ nsCacheProfilePrefObserver::ReadPrefs(nsIPrefBranch* branch)
 {
     nsresult rv = NS_OK;
 
-#ifdef NECKO_DISK_CACHE
     // read disk cache device prefs
     if (!mInPrivateBrowsing) {
         mDiskCacheEnabled = PR_TRUE;  // presume disk cache is enabled
@@ -770,9 +748,7 @@ nsCacheProfilePrefObserver::ReadPrefs(nsIPrefBranch* branch)
                 NS_WARNING("Failed setting first_run pref in ReadPrefs.");
         }
     }
-#endif // !NECKO_DISK_CACHE
 
-#ifdef NECKO_OFFLINE_CACHE
     // read offline cache device prefs
     if (!mInPrivateBrowsing) {
         mOfflineCacheEnabled = PR_TRUE;  // presume offline cache is enabled
@@ -815,8 +791,7 @@ nsCacheProfilePrefObserver::ReadPrefs(nsIPrefBranch* branch)
         if (directory)
             mOfflineCacheParentDirectory = do_QueryInterface(directory, &rv);
     }
-#endif // !NECKO_OFFLINE_CACHE
-    
+
     // read memory cache device prefs
     (void) branch->GetBoolPref(MEMORY_CACHE_ENABLE_PREF, &mMemoryCacheEnabled);
 
@@ -1121,16 +1096,12 @@ nsCacheService::Shutdown()
         delete mMemoryDevice;
         mMemoryDevice = nsnull;
 
-#ifdef NECKO_DISK_CACHE
         delete mDiskDevice;
         mDiskDevice = nsnull;
-#endif // !NECKO_DISK_CACHE
 
-#ifdef NECKO_OFFLINE_CACHE
         NS_IF_RELEASE(mOfflineDevice);
-#endif // !NECKO_OFFLINE_CACHE
 
-#if defined(NECKO_DISK_CACHE) && defined(PR_LOGGING)
+#ifdef PR_LOGGING
         LogCacheStatistics();
 #endif
 
@@ -1192,36 +1163,46 @@ nsCacheService::EvictEntriesForSession(nsCacheSession * session)
                                  session->StoragePolicy());
 }
 
+namespace {
+
+class EvictionNotifierRunnable : public nsRunnable
+{
+public:
+    EvictionNotifierRunnable(nsISupports* aSubject)
+        : mSubject(aSubject)
+    { }
+
+    NS_DECL_NSIRUNNABLE
+
+private:
+    nsCOMPtr mSubject;
+};
+
+NS_IMETHODIMP
+EvictionNotifierRunnable::Run()
+{
+    nsCOMPtr obsSvc =
+        mozilla::services::GetObserverService();
+    if (obsSvc) {
+        obsSvc->NotifyObservers(mSubject,
+                                NS_CACHESERVICE_EMPTYCACHE_TOPIC_ID,
+                                nsnull);
+    }
+    return NS_OK;
+}
+
+} // anonymous namespace
 
 nsresult
 nsCacheService::EvictEntriesForClient(const char *          clientID,
                                       nsCacheStoragePolicy  storagePolicy)
 {
-    if (this == nsnull) return NS_ERROR_NOT_AVAILABLE; // XXX eh?
-
-    nsCOMPtr obsSvc =
-        mozilla::services::GetObserverService();
-    if (obsSvc) {
-        // Proxy to the UI thread since the observer service isn't thredsafe.
-        // We use an async proxy, since this it's not important whether this
-        // notification happens before or after the actual eviction.
-
-        nsCOMPtr obsProxy;
-        NS_GetProxyForObject(NS_PROXY_TO_MAIN_THREAD,
-                             NS_GET_IID(nsIObserverService), obsSvc,
-                             NS_PROXY_ASYNC, getter_AddRefs(obsProxy));
-
-        if (obsProxy) {
-            obsProxy->NotifyObservers(this,
-                                      NS_CACHESERVICE_EMPTYCACHE_TOPIC_ID,
-                                      nsnull);
-        }
-    }
+    nsRefPtr r = new EvictionNotifierRunnable(this);
+    NS_DispatchToMainThread(r);
 
     nsCacheServiceAutoLock lock;
     nsresult res = NS_OK;
 
-#ifdef NECKO_DISK_CACHE
     if (storagePolicy == nsICache::STORE_ANYWHERE ||
         storagePolicy == nsICache::STORE_ON_DISK) {
 
@@ -1234,9 +1215,7 @@ nsCacheService::EvictEntriesForClient(const char *          clientID,
             if (NS_FAILED(rv)) res = rv;
         }
     }
-#endif // ! NECKO_DISK_CACHE
 
-#ifdef NECKO_OFFLINE_CACHE
     // Only clear the offline cache if it has been specifically asked for.
     if (storagePolicy == nsICache::STORE_OFFLINE) {
         if (mEnableOfflineDevice) {
@@ -1248,7 +1227,6 @@ nsCacheService::EvictEntriesForClient(const char *          clientID,
             if (NS_FAILED(rv)) res = rv;
         }
     }
-#endif // ! NECKO_OFFLINE_CACHE
 
     if (storagePolicy == nsICache::STORE_ANYWHERE ||
         storagePolicy == nsICache::STORE_IN_MEMORY) {
@@ -1318,7 +1296,6 @@ NS_IMETHODIMP nsCacheService::VisitEntries(nsICacheVisitor *visitor)
         if (NS_FAILED(rv)) return rv;
     }
 
-#ifdef NECKO_DISK_CACHE
     if (mEnableDiskDevice) {
         if (!mDiskDevice) {
             rv = CreateDiskDevice();
@@ -1327,9 +1304,7 @@ NS_IMETHODIMP nsCacheService::VisitEntries(nsICacheVisitor *visitor)
         rv = mDiskDevice->Visit(visitor);
         if (NS_FAILED(rv)) return rv;
     }
-#endif // !NECKO_DISK_CACHE
 
-#ifdef NECKO_OFFLINE_CACHE
     if (mEnableOfflineDevice) {
         if (!mOfflineDevice) {
             rv = CreateOfflineDevice();
@@ -1338,7 +1313,6 @@ NS_IMETHODIMP nsCacheService::VisitEntries(nsICacheVisitor *visitor)
         rv = mOfflineDevice->Visit(visitor);
         if (NS_FAILED(rv)) return rv;
     }
-#endif // !NECKO_OFFLINE_CACHE
 
     // XXX notify any shutdown process that visitation is complete for THIS visitor.
     // XXX keep queue of visitors
@@ -1369,7 +1343,6 @@ NS_IMETHODIMP nsCacheService::GetCacheIOTarget(nsIEventTarget * *aCacheIOTarget)
 nsresult
 nsCacheService::CreateDiskDevice()
 {
-#ifdef NECKO_DISK_CACHE
     if (!mInitialized)      return NS_ERROR_NOT_AVAILABLE;
     if (!mEnableDiskDevice) return NS_ERROR_NOT_AVAILABLE;
     if (mDiskDevice)        return NS_OK;
@@ -1395,16 +1368,11 @@ nsCacheService::CreateDiskDevice()
         mDiskDevice = nsnull;
     }
     return rv;
-#else // !NECKO_DISK_CACHE
-    NS_NOTREACHED("nsCacheService::CreateDiskDevice");
-    return NS_ERROR_NOT_IMPLEMENTED;
-#endif
 }
 
 nsresult
 nsCacheService::CreateOfflineDevice()
 {
-#ifdef NECKO_OFFLINE_CACHE
     CACHE_LOG_ALWAYS(("Creating offline device"));
 
     if (!mInitialized)         return NS_ERROR_NOT_AVAILABLE;
@@ -1430,10 +1398,6 @@ nsCacheService::CreateOfflineDevice()
         NS_RELEASE(mOfflineDevice);
     }
     return rv;
-#else // !NECKO_DISK_CACHE
-    NS_NOTREACHED("nsCacheService::CreateOfflineDevice");
-    return NS_ERROR_NOT_IMPLEMENTED;
-#endif
 }
 
 nsresult
@@ -1820,7 +1784,6 @@ nsCacheService::SearchCacheDevices(nsCString * key, nsCacheStoragePolicy policy,
     if (!entry && 
         ((policy == nsICache::STORE_ANYWHERE) || (policy == nsICache::STORE_ON_DISK))) {
 
-#ifdef NECKO_DISK_CACHE
         if (mEnableDiskDevice) {
             if (!mDiskDevice) {
                 nsresult rv = CreateDiskDevice();
@@ -1830,14 +1793,12 @@ nsCacheService::SearchCacheDevices(nsCString * key, nsCacheStoragePolicy policy,
             
             entry = mDiskDevice->FindEntry(key, collision);
         }
-#endif // !NECKO_DISK_CACHE
     }
 
     if (!entry && (policy == nsICache::STORE_OFFLINE ||
                    (policy == nsICache::STORE_ANYWHERE &&
                     gIOService->IsOffline()))) {
 
-#ifdef NECKO_OFFLINE_CACHE
         if (mEnableOfflineDevice) {
             if (!mOfflineDevice) {
                 nsresult rv = CreateOfflineDevice();
@@ -1847,7 +1808,6 @@ nsCacheService::SearchCacheDevices(nsCString * key, nsCacheStoragePolicy policy,
 
             entry = mOfflineDevice->FindEntry(key, collision);
         }
-#endif // !NECKO_OFFLINE_CACHE
     }
 
     return entry;
@@ -1863,7 +1823,6 @@ nsCacheService::EnsureEntryHasDevice(nsCacheEntry * entry)
     if (device || entry->IsDoomed())  return device;
 
     PRInt64 predictedDataSize = entry->PredictedDataSize();
-#ifdef NECKO_DISK_CACHE
     if (entry->IsStreamData() && entry->IsAllowedOnDisk() && mEnableDiskDevice) {
         // this is the default
         if (!mDiskDevice) {
@@ -1887,7 +1846,6 @@ nsCacheService::EnsureEntryHasDevice(nsCacheEntry * entry)
                 device = mDiskDevice;
         }
     }
-#endif // !NECKO_DISK_CACHE
 
     // if we can't use mDiskDevice, try mMemoryDevice
     if (!device && mEnableMemoryDevice && entry->IsAllowedInMemory()) {        
@@ -1911,7 +1869,6 @@ nsCacheService::EnsureEntryHasDevice(nsCacheEntry * entry)
         }
     }
 
-#ifdef NECKO_OFFLINE_CACHE
     if (!device && entry->IsStreamData() &&
         entry->IsAllowedOffline() && mEnableOfflineDevice) {
         if (!mOfflineDevice) {
@@ -1926,7 +1883,6 @@ nsCacheService::EnsureEntryHasDevice(nsCacheEntry * entry)
                 device = mOfflineDevice;
         }
     }
-#endif // ! NECKO_OFFLINE_CACHE
 
     if (device) 
         entry->SetCacheDevice(device);
@@ -2004,7 +1960,6 @@ nsCacheService::OnProfileShutdown(PRBool cleanse)
     // proceeding with destructive actions (bug #620660)
     (void) SyncWithCacheIOThread();
 
-#ifdef NECKO_DISK_CACHE
     if (gService->mDiskDevice && gService->mEnableDiskDevice) {
         if (cleanse)
             gService->mDiskDevice->EvictEntries(nsnull);
@@ -2012,9 +1967,7 @@ nsCacheService::OnProfileShutdown(PRBool cleanse)
         gService->mDiskDevice->Shutdown();
     }
     gService->mEnableDiskDevice = PR_FALSE;
-#endif // !NECKO_DISK_CACHE
 
-#ifdef NECKO_OFFLINE_CACHE
     if (gService->mOfflineDevice && gService->mEnableOfflineDevice) {
         if (cleanse)
             gService->mOfflineDevice->EvictEntries(nsnull);
@@ -2022,7 +1975,6 @@ nsCacheService::OnProfileShutdown(PRBool cleanse)
         gService->mOfflineDevice->Shutdown();
     }
     gService->mEnableOfflineDevice = PR_FALSE;
-#endif // !NECKO_OFFLINE_CACHE
 
     if (gService->mMemoryDevice) {
         // clear memory cache
@@ -2045,7 +1997,6 @@ nsCacheService::OnProfileChanged()
     gService->mEnableOfflineDevice = gService->mObserver->OfflineCacheEnabled();
     gService->mEnableMemoryDevice  = gService->mObserver->MemoryCacheEnabled();
 
-#ifdef NECKO_DISK_CACHE
     if (gService->mDiskDevice) {
         gService->mDiskDevice->SetCacheParentDirectory(gService->mObserver->DiskCacheParentDirectory());
         gService->mDiskDevice->SetCapacity(gService->mObserver->DiskCacheCapacity());
@@ -2058,9 +2009,7 @@ nsCacheService::OnProfileChanged()
             // XXX delete mDiskDevice?
         }
     }
-#endif // !NECKO_DISK_CACHE
 
-#ifdef NECKO_OFFLINE_CACHE
     if (gService->mOfflineDevice) {
         gService->mOfflineDevice->SetCacheParentDirectory(gService->mObserver->OfflineCacheParentDirectory());
         gService->mOfflineDevice->SetCapacity(gService->mObserver->OfflineCacheCapacity());
@@ -2073,8 +2022,7 @@ nsCacheService::OnProfileChanged()
             // XXX delete mOfflineDevice?
         }
     }
-#endif // !NECKO_OFFLINE_CACHE
-    
+
     // If memoryDevice exists, reset its size to the new profile
     if (gService->mMemoryDevice) {
         if (gService->mEnableMemoryDevice) {
@@ -2108,12 +2056,10 @@ nsCacheService::SetDiskCacheCapacity(PRInt32  capacity)
     if (!gService)  return;
     nsCacheServiceAutoLock lock;
 
-#ifdef NECKO_DISK_CACHE
     if (gService->mDiskDevice) {
         gService->mDiskDevice->SetCapacity(capacity);
     }
-#endif // !NECKO_DISK_CACHE
-    
+
     if (gService->mObserver)
         gService->mEnableDiskDevice = gService->mObserver->DiskCacheEnabled();
 }
@@ -2124,11 +2070,9 @@ nsCacheService::SetDiskCacheMaxEntrySize(PRInt32  maxSize)
     if (!gService)  return;
     nsCacheServiceAutoLock lock;
 
-#ifdef NECKO_DISK_CACHE
     if (gService->mDiskDevice) {
         gService->mDiskDevice->SetMaxEntrySize(maxSize);
     }
-#endif // !NECKO_DISK_CACHE
 }
 
 void
@@ -2156,11 +2100,9 @@ nsCacheService::SetOfflineCacheCapacity(PRInt32  capacity)
     if (!gService)  return;
     nsCacheServiceAutoLock lock;
 
-#ifdef NECKO_OFFLINE_CACHE
     if (gService->mOfflineDevice) {
         gService->mOfflineDevice->SetCapacity(capacity);
     }
-#endif // !NECKO_OFFLINE_CACHE
 
     gService->mEnableOfflineDevice = gService->mObserver->OfflineCacheEnabled();
 }
diff --git a/netwerk/cache/nsCacheService.h b/netwerk/cache/nsCacheService.h
index fe80029c99fb..04c6981123c0 100644
--- a/netwerk/cache/nsCacheService.h
+++ b/netwerk/cache/nsCacheService.h
@@ -53,7 +53,6 @@
 #include "prthread.h"
 #include "nsIObserver.h"
 #include "nsString.h"
-#include "nsProxiedService.h"
 #include "nsTArray.h"
 #include "mozilla/CondVar.h"
 #include "mozilla/Mutex.h"
diff --git a/netwerk/dns/nsDNSService2.cpp b/netwerk/dns/nsDNSService2.cpp
index d14e9db44b7a..df38be01ef30 100644
--- a/netwerk/dns/nsDNSService2.cpp
+++ b/netwerk/dns/nsDNSService2.cpp
@@ -39,7 +39,6 @@
 #include "nsIDNSRecord.h"
 #include "nsIDNSListener.h"
 #include "nsICancelable.h"
-#include "nsIProxyObjectManager.h"
 #include "nsIPrefService.h"
 #include "nsIPrefBranch.h"
 #include "nsIPrefBranch2.h"
@@ -50,6 +49,7 @@
 #include "nsNetCID.h"
 #include "nsNetError.h"
 #include "nsDNSPrefetch.h"
+#include "nsThreadUtils.h"
 #include "nsIProtocolProxyService.h"
 #include "prsystem.h"
 #include "prnetdb.h"
@@ -469,6 +469,67 @@ nsDNSService::Shutdown()
     return NS_OK;
 }
 
+namespace {
+
+class DNSListenerProxy : public nsIDNSListener
+{
+public:
+  DNSListenerProxy(nsIDNSListener* aListener, nsIEventTarget* aTargetThread)
+    : mListener(aListener)
+    , mTargetThread(aTargetThread)
+  { }
+
+  NS_DECL_ISUPPORTS
+  NS_DECL_NSIDNSLISTENER
+
+  class OnLookupCompleteRunnable : public nsRunnable
+  {
+  public:
+    OnLookupCompleteRunnable(nsIDNSListener* aListener,
+                             nsICancelable* aRequest,
+                             nsIDNSRecord* aRecord,
+                             nsresult aStatus)
+      : mListener(aListener)
+      , mRequest(aRequest)
+      , mRecord(aRecord)
+      , mStatus(aStatus)
+    { }
+
+    NS_DECL_NSIRUNNABLE
+
+  private:
+    nsCOMPtr mListener;
+    nsCOMPtr mRequest;
+    nsCOMPtr mRecord;
+    nsresult mStatus;
+  };
+
+private:
+  nsCOMPtr mListener;
+  nsCOMPtr mTargetThread;
+};
+
+NS_IMPL_THREADSAFE_ISUPPORTS1(DNSListenerProxy, nsIDNSListener)
+
+NS_IMETHODIMP
+DNSListenerProxy::OnLookupComplete(nsICancelable* aRequest,
+                                   nsIDNSRecord* aRecord,
+                                   nsresult aStatus)
+{
+  nsRefPtr r =
+    new OnLookupCompleteRunnable(mListener, aRequest, aRecord, aStatus);
+  return mTargetThread->Dispatch(r, NS_DISPATCH_NORMAL);
+}
+
+NS_IMETHODIMP
+DNSListenerProxy::OnLookupCompleteRunnable::Run()
+{
+  mListener->OnLookupComplete(mRequest, mRecord, mStatus);
+  return NS_OK;
+}
+
+} // anonymous namespace
+
 NS_IMETHODIMP
 nsDNSService::AsyncResolve(const nsACString  &hostname,
                            PRUint32           flags,
@@ -501,15 +562,8 @@ nsDNSService::AsyncResolve(const nsACString  &hostname,
             hostPtr = &hostACE;
     }
 
-    nsCOMPtr listenerProxy;
     if (target) {
-        rv = NS_GetProxyForObject(target,
-                                  NS_GET_IID(nsIDNSListener),
-                                  listener,
-                                  NS_PROXY_ASYNC | NS_PROXY_ALWAYS,
-                                  getter_AddRefs(listenerProxy));
-        if (NS_FAILED(rv)) return rv;
-        listener = listenerProxy;
+      listener = new DNSListenerProxy(listener, target);
     }
 
     PRUint16 af = GetAFForLookup(*hostPtr, flags);
diff --git a/netwerk/necko-config.h.in b/netwerk/necko-config.h.in
index 0a3cd20c5daf..dd8cb21ab253 100644
--- a/netwerk/necko-config.h.in
+++ b/netwerk/necko-config.h.in
@@ -37,8 +37,6 @@
 #ifndef _NECKO_CONFIG_H_
 #define _NECKO_CONFIG_H_
 
-#undef NECKO_DISK_CACHE
-
 #undef NECKO_COOKIES
 
 #undef NECKO_WIFI
diff --git a/netwerk/protocol/ftp/nsFTPChannel.cpp b/netwerk/protocol/ftp/nsFTPChannel.cpp
index 7bc47431fa5f..bc76a3cab62b 100644
--- a/netwerk/protocol/ftp/nsFTPChannel.cpp
+++ b/netwerk/protocol/ftp/nsFTPChannel.cpp
@@ -44,7 +44,6 @@
 #include "nsThreadUtils.h"
 #include "nsNetUtil.h"
 #include "nsMimeTypes.h"
-#include "nsIProxyObjectManager.h"
 #include "nsReadableUtils.h"
 #include "nsIPrefService.h"
 #include "nsIPrefBranch.h"
@@ -181,6 +180,62 @@ nsFtpChannel::OnCallbacksChanged()
 
 //-----------------------------------------------------------------------------
 
+namespace {
+
+class FTPEventSinkProxy : public nsIFTPEventSink
+{
+public:
+    FTPEventSinkProxy(nsIFTPEventSink* aTarget)
+        : mTarget(aTarget)
+        , mTargetThread(do_GetCurrentThread())
+    { }
+        
+    NS_DECL_ISUPPORTS
+    NS_DECL_NSIFTPEVENTSINK
+
+    class OnFTPControlLogRunnable : public nsRunnable
+    {
+    public:
+        OnFTPControlLogRunnable(nsIFTPEventSink* aTarget,
+                                PRBool aServer,
+                                const char* aMessage)
+            : mTarget(aTarget)
+            , mServer(aServer)
+            , mMessage(aMessage)
+        { }
+
+        NS_DECL_NSIRUNNABLE
+
+    private:
+        nsCOMPtr mTarget;
+        PRBool mServer;
+        nsCString mMessage;
+    };
+
+private:
+    nsCOMPtr mTarget;
+    nsCOMPtr mTargetThread;
+};
+
+NS_IMPL_THREADSAFE_ISUPPORTS1(FTPEventSinkProxy, nsIFTPEventSink)
+
+NS_IMETHODIMP
+FTPEventSinkProxy::OnFTPControlLog(PRBool aServer, const char* aMsg)
+{
+    nsRefPtr r =
+        new OnFTPControlLogRunnable(mTarget, aServer, aMsg);
+    return mTargetThread->Dispatch(r, NS_DISPATCH_NORMAL);
+}
+
+NS_IMETHODIMP
+FTPEventSinkProxy::OnFTPControlLogRunnable::Run()
+{
+    mTarget->OnFTPControlLog(mServer, mMessage.get());
+    return NS_OK;
+}
+
+} // anonymous namespace
+
 void
 nsFtpChannel::GetFTPEventSink(nsCOMPtr &aResult)
 {
@@ -188,11 +243,7 @@ nsFtpChannel::GetFTPEventSink(nsCOMPtr &aResult)
         nsCOMPtr ftpSink;
         GetCallback(ftpSink);
         if (ftpSink) {
-            NS_GetProxyForObject(NS_PROXY_TO_CURRENT_THREAD,
-                                 NS_GET_IID(nsIFTPEventSink),
-                                 ftpSink,
-                                 NS_PROXY_ASYNC | NS_PROXY_ALWAYS,
-                                 getter_AddRefs(mFTPEventSink));
+            mFTPEventSink = new FTPEventSinkProxy(ftpSink);
         }
     }
     aResult = mFTPEventSink;
diff --git a/netwerk/protocol/ftp/nsFtpConnectionThread.cpp b/netwerk/protocol/ftp/nsFtpConnectionThread.cpp
index 137c264d4ed7..3590a11256af 100644
--- a/netwerk/protocol/ftp/nsFtpConnectionThread.cpp
+++ b/netwerk/protocol/ftp/nsFtpConnectionThread.cpp
@@ -1698,7 +1698,9 @@ nsFtpState::Init(nsFtpChannel *channel)
 
     // Skip leading slash
     char *fwdPtr = path.BeginWriting();
-    if (fwdPtr && (*fwdPtr == '/'))
+    if (!fwdPtr)
+        return NS_ERROR_OUT_OF_MEMORY;
+    if (*fwdPtr == '/')
         fwdPtr++;
     if (*fwdPtr != '\0') {
         // now unescape it... %xx reduced inline to resulting character
diff --git a/netwerk/protocol/http/nsHttpHandler.h b/netwerk/protocol/http/nsHttpHandler.h
index ceea8a41bb79..c161a8253f78 100644
--- a/netwerk/protocol/http/nsHttpHandler.h
+++ b/netwerk/protocol/http/nsHttpHandler.h
@@ -54,7 +54,6 @@
 #include "nsIIOService.h"
 #include "nsIObserver.h"
 #include "nsIObserverService.h"
-#include "nsIProxyObjectManager.h"
 #include "nsIPrivateBrowsingService.h"
 #include "nsIStreamConverterService.h"
 #include "nsICacheSession.h"
diff --git a/netwerk/protocol/http/nsHttpTransaction.cpp b/netwerk/protocol/http/nsHttpTransaction.cpp
index f571526d3a56..494c13f9bc4f 100644
--- a/netwerk/protocol/http/nsHttpTransaction.cpp
+++ b/netwerk/protocol/http/nsHttpTransaction.cpp
@@ -592,8 +592,6 @@ nsHttpTransaction::Close(nsresult reason)
         return;
     }
 
-    mTimings.responseEnd = mozilla::TimeStamp::Now();
-
     if (mActivityDistributor) {
         // report the reponse is complete if not already reported
         if (!mResponseIsComplete)
@@ -1121,6 +1119,9 @@ nsHttpTransaction::HandleContent(char *buf,
         mTransactionDone = PR_TRUE;
         mResponseIsComplete = PR_TRUE;
 
+        if (TimingEnabled())
+            mTimings.responseEnd = mozilla::TimeStamp::Now();
+
         // report the entire response has arrived
         if (mActivityDistributor)
             mActivityDistributor->ObserveActivity(
diff --git a/netwerk/test/TestSocketTransport.cpp b/netwerk/test/TestSocketTransport.cpp
index 562db706b638..ddd988dce80f 100644
--- a/netwerk/test/TestSocketTransport.cpp
+++ b/netwerk/test/TestSocketTransport.cpp
@@ -44,7 +44,6 @@
 #include "nsIProgressEventSink.h"
 #include "nsIInterfaceRequestor.h"
 #include "nsIInterfaceRequestorUtils.h"
-#include "nsIProxyObjectManager.h"
 #include "nsIRequest.h"
 #include "nsIServiceManager.h"
 #include "nsIComponentManager.h"
diff --git a/netwerk/test/TestStreamChannel.cpp b/netwerk/test/TestStreamChannel.cpp
index a148cb27b1db..4fd9186fd31d 100644
--- a/netwerk/test/TestStreamChannel.cpp
+++ b/netwerk/test/TestStreamChannel.cpp
@@ -42,7 +42,6 @@
 #include "nsIProgressEventSink.h"
 #include "nsIInterfaceRequestor.h"
 #include "nsIInterfaceRequestorUtils.h"
-#include "nsIProxyObjectManager.h"
 #include "nsIRequest.h"
 #include "nsIServiceManager.h"
 #include "nsIComponentManager.h"
diff --git a/netwerk/test/TestStreamPump.cpp b/netwerk/test/TestStreamPump.cpp
index 0b8e3844b040..97929828fda4 100644
--- a/netwerk/test/TestStreamPump.cpp
+++ b/netwerk/test/TestStreamPump.cpp
@@ -42,7 +42,6 @@
 #include "nsIProgressEventSink.h"
 #include "nsIInterfaceRequestor.h"
 #include "nsIInterfaceRequestorUtils.h"
-#include "nsIProxyObjectManager.h"
 #include "nsIRequest.h"
 #include "nsIServiceManager.h"
 #include "nsIComponentManager.h"
diff --git a/netwerk/test/TestStreamTransport.cpp b/netwerk/test/TestStreamTransport.cpp
index 2a54cb976423..3041a11f8514 100644
--- a/netwerk/test/TestStreamTransport.cpp
+++ b/netwerk/test/TestStreamTransport.cpp
@@ -42,7 +42,6 @@
 #include "nsIProgressEventSink.h"
 #include "nsIInterfaceRequestor.h"
 #include "nsIInterfaceRequestorUtils.h"
-#include "nsIProxyObjectManager.h"
 #include "nsIRequest.h"
 #include "nsIServiceManager.h"
 #include "nsIComponentManager.h"
diff --git a/netwerk/test/unit/xpcshell.ini b/netwerk/test/unit/xpcshell.ini
index d1e99369179c..e7f65ce09b5c 100644
--- a/netwerk/test/unit/xpcshell.ini
+++ b/netwerk/test/unit/xpcshell.ini
@@ -8,6 +8,8 @@ tail =
 [test_aboutblank.js]
 [test_auth_proxy.js]
 [test_authentication.js]
+# Bug 675039: test hangs consistently on Android
+skip-if = os == "android"
 [test_authpromptwrapper.js]
 [test_bug203271.js]
 [test_bug248970_cache.js]
@@ -38,6 +40,8 @@ tail =
 [test_bug455311.js]
 [test_bug455598.js]
 [test_bug468426.js]
+# Bug 675039: test hangs consistently on Android 
+skip-if = os == "android"
 [test_bug468594.js]
 [test_bug470716.js]
 [test_bug479413.js]
@@ -47,6 +51,8 @@ tail =
 [test_bug490095.js]
 [test_bug504014.js]
 [test_bug510359.js]
+# Bug 675039: test hangs consistently on Android 
+skip-if = os == "android"
 [test_bug515583.js]
 [test_bug528292.js]
 [test_bug540566.js]
@@ -61,11 +67,21 @@ tail =
 [test_bug618835.js]
 [test_bug633743.js]
 [test_bug650955.js]
+# Bug 677427: test fails consistently on Android
+fail-if = os == "android"
 [test_bug652761.js]
 [test_bug651100.js]
+# Bug 675044: test fails consistently on Android
+fail-if = os == "android"  
 [test_bug654926.js]
+# Bug 675049: test fails consistently on Android
+fail-if = os == "android"  
 [test_bug654926_doom_and_read.js]
+# Bug 675049: test fails consistently on Android
+fail-if = os == "android"  
 [test_bug654926_test_seek.js]
+# Bug 675049: test fails consistently on Android
+fail-if = os == "android"  
 [test_bug659569.js]
 [test_bug660066.js]
 [test_bug651185.js]
@@ -83,13 +99,29 @@ tail =
 [test_event_sink.js]
 [test_extract_charset_from_content_type.js]
 [test_fallback_no-cache-entry_canceled.js]
+# Bug 675039: test hangs consistently on Android 
+skip-if = os == "android"
 [test_fallback_no-cache-entry_passing.js]
+# Bug 675039: test hangs consistently on Android 
+skip-if = os == "android"
 [test_fallback_redirect-to-different-origin_canceled.js]
+# Bug 675039: test hangs consistently on Android 
+skip-if = os == "android"
 [test_fallback_redirect-to-different-origin_passing.js]
+# Bug 675039: test hangs consistently on Android 
+skip-if = os == "android"
 [test_fallback_request-error_canceled.js]
+# Bug 675039: test hangs consistently on Android 
+skip-if = os == "android"
 [test_fallback_request-error_passing.js]
+# Bug 675039: test hangs consistently on Android 
+skip-if = os == "android"
 [test_fallback_response-error_canceled.js]
+# Bug 675039: test hangs consistently on Android 
+skip-if = os == "android"
 [test_fallback_response-error_passing.js]
+# Bug 675039: test hangs consistently on Android 
+skip-if = os == "android"
 [test_file_partial_inputstream.js]
 [test_file_protocol.js]
 [test_filestreams.js]
@@ -131,6 +163,8 @@ tail =
 [test_simple.js]
 [test_sockettransportsvc_available.js]
 [test_socks.js]
+# Bug 675039: test hangs consistently on Android
+skip-if = os == "android"
 [test_standardurl.js]
 [test_standardurl_port.js]
 [test_streamcopier.js]
diff --git a/nsprpub/TAG-INFO b/nsprpub/TAG-INFO
index b2eb7c24e836..39891545682d 100644
--- a/nsprpub/TAG-INFO
+++ b/nsprpub/TAG-INFO
@@ -1 +1 @@
-NSPR_4_8_9_RTM
+NSPR_4_9_BETA1
diff --git a/nsprpub/admin/repackage.sh b/nsprpub/admin/repackage.sh
index 8ed1a5df8e18..f48298243754 100755
--- a/nsprpub/admin/repackage.sh
+++ b/nsprpub/admin/repackage.sh
@@ -64,10 +64,10 @@
 # 
 # ------------------------------------------------------------------
 
-FROMTOP=/share/builds/components/nspr20/v4.8.9
-TOTOP=./v4.8.9
-NSPRDIR=nspr-4.8.9
-SOURCETAG=NSPR_4_8_9_RTM
+FROMTOP=/share/builds/components/nspr20/v4.9
+TOTOP=./v4.9
+NSPRDIR=nspr-4.9
+SOURCETAG=NSPR_4_9_RTM
 
 #
 # enumerate Unix object directories on /s/b/c
diff --git a/nsprpub/configure b/nsprpub/configure
index dc2de9b0a772..246114bccaf5 100755
--- a/nsprpub/configure
+++ b/nsprpub/configure
@@ -730,8 +730,8 @@ test "$host_alias" != "$target_alias" &&
 
 
 MOD_MAJOR_VERSION=4
-MOD_MINOR_VERSION=8
-MOD_PATCH_VERSION=9
+MOD_MINOR_VERSION=9
+MOD_PATCH_VERSION=0
 NSPR_MODNAME=nspr20
 _HAVE_PTHREADS=
 USE_PTHREADS=
@@ -878,11 +878,41 @@ case "$target" in
     fi
 
     if test -z "$android_toolchain" ; then
-       android_toolchain="$android_ndk"/build/prebuilt/`uname -s | tr "[:upper:]" "[:lower:]"`-x86/arm-eabi-4.4.0
+        echo $ac_n "checking for android toolchain directory""... $ac_c" 1>&6
+echo "configure:883: checking for android toolchain directory" >&5
+
+        kernel_name=`uname -s | tr "[:upper:]" "[:lower:]"`
+
+        android_toolchain="$android_ndk"/build/prebuilt/$kernel_name-x86/arm-eabi-4.4.0
+
+        # With newer NDK, the toolchain path has changed.
+        if ! test -d "$android_toolchain" ; then
+            android_toolchain="$android_ndk"/toolchains/arm-$kernel_name-androideabi-4.4.3/prebuilt/$kernel_name-x86
+        fi
+
+        if test -d "$android_toolchain" ; then
+            echo "$ac_t""$android_toolchain" 1>&6
+        else
+            { echo "configure: error: not found. You have to specify --with-android-toolchain=/path/to/ndk/toolchain." 1>&2; exit 1; }
+        fi
     fi
 
     if test -z "$android_platform" ; then
-       android_platform="$android_ndk"/build/platforms/android-5/arch-arm
+        echo $ac_n "checking for android platform directory""... $ac_c" 1>&6
+echo "configure:903: checking for android platform directory" >&5
+
+        android_platform="$android_ndk"/build/platforms/android-5/arch-arm
+
+        # With newer NDK, the platform path has changed.
+        if ! test -d "$android_platform" ; then
+            android_platform="$android_ndk"/platforms/android-5/arch-arm
+        fi
+
+        if test -d "$android_platform" ; then
+            echo "$ac_t""$android_platform" 1>&6
+        else
+            { echo "configure: error: not found. You have to specify --with-android-platform=/path/to/ndk/platform." 1>&2; exit 1; }
+        fi
     fi
 
         AS="$android_toolchain"/bin/"$android_tool_prefix"-as
@@ -1213,7 +1243,7 @@ if test -z "$SKIP_PATH_CHECKS"; then
     # Extract the first word of "$WHOAMI whoami", so it can be a program name with args.
 set dummy $WHOAMI whoami; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:1217: checking for $ac_word" >&5
+echo "configure:1247: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_path_WHOAMI'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
@@ -1275,7 +1305,8 @@ EOF
 fi
 
 if test -z "$SKIP_COMPILER_CHECKS"; then
-if test "$target" != "$host"; then
+
+if test "$target" != "$host" -o -n "$CROSS_COMPILE"; then
     echo "cross compiling from $host to $target"
     cross_compiling=yes
 
@@ -1284,13 +1315,13 @@ if test "$target" != "$host"; then
     _SAVE_LDFLAGS="$LDFLAGS"
 
     echo $ac_n "checking for $host compiler""... $ac_c" 1>&6
-echo "configure:1288: checking for $host compiler" >&5
+echo "configure:1319: checking for $host compiler" >&5
     for ac_prog in $HOST_CC gcc cc /usr/ucb/cc
 do
 # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:1294: checking for $ac_word" >&5
+echo "configure:1325: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_HOST_CC'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
@@ -1336,16 +1367,16 @@ test -n "$HOST_CC" || HOST_CC=""""
     LDFLAGS="$HOST_LDFLAGS"
 
     echo $ac_n "checking whether the $host compiler ($HOST_CC $HOST_CFLAGS $HOST_LDFLAGS) works""... $ac_c" 1>&6
-echo "configure:1340: checking whether the $host compiler ($HOST_CC $HOST_CFLAGS $HOST_LDFLAGS) works" >&5
+echo "configure:1371: checking whether the $host compiler ($HOST_CC $HOST_CFLAGS $HOST_LDFLAGS) works" >&5
     cat > conftest.$ac_ext <&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:1380: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
   rm -rf conftest*
   ac_cv_prog_host_cc_works=1 echo "$ac_t""yes" 1>&6
 else
@@ -1363,18 +1394,24 @@ rm -f conftest*
     case "$build:$target" in 
       powerpc-apple-darwin8*:i?86-apple-darwin*)
                                                 _SAVE_CFLAGS=$CFLAGS 
-        _SAVE_CXXFLAGS=$CXXLAGS
+        _SAVE_CXXFLAGS=$CXXFLAGS
         CFLAGS="-isysroot /Developer/SDKs/MacOSX10.4u.sdk $CFLAGS"
         CXXFLAGS="-isysroot /Developer/SDKs/MacOSX10.4u.sdk $CXXFLAGS"
-        ;;        
-    esac            
+        ;;
+      *:arm*-apple-darwin*)
+                                _SAVE_CFLAGS=$CFLAGS
+        _SAVE_CXXFLAGS=$CXXFLAGS
+        CFLAGS="-isysroot $MACOS_SDK_DIR $CFLAGS"
+        CXXFLAGS="-isysroot $MACOS_SDK_DIR $CXXFLAGS"
+        ;;
+    esac
 
     for ac_prog in $CC "${target_alias}-gcc" "${target}-gcc"
 do
 # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:1378: checking for $ac_word" >&5
+echo "configure:1415: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
@@ -1408,7 +1445,7 @@ test -n "$CC" || CC="echo"
     # Extract the first word of "gcc", so it can be a program name with args.
 set dummy gcc; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:1412: checking for $ac_word" >&5
+echo "configure:1449: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
@@ -1438,7 +1475,7 @@ if test -z "$CC"; then
   # Extract the first word of "cc", so it can be a program name with args.
 set dummy cc; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:1442: checking for $ac_word" >&5
+echo "configure:1479: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
@@ -1489,7 +1526,7 @@ fi
       # Extract the first word of "cl", so it can be a program name with args.
 set dummy cl; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:1493: checking for $ac_word" >&5
+echo "configure:1530: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
@@ -1521,7 +1558,7 @@ fi
 fi
 
 echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works""... $ac_c" 1>&6
-echo "configure:1525: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works" >&5
+echo "configure:1562: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works" >&5
 
 ac_ext=c
 # CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options.
@@ -1532,12 +1569,12 @@ cross_compiling=$ac_cv_prog_cc_cross
 
 cat > conftest.$ac_ext << EOF
 
-#line 1536 "configure"
+#line 1573 "configure"
 #include "confdefs.h"
 
 main(){return(0);}
 EOF
-if { (eval echo configure:1541: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:1578: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
   ac_cv_prog_cc_works=yes
   # If we can't run a trivial program, we are probably using a cross compiler.
   if (./conftest; exit) 2>/dev/null; then
@@ -1563,12 +1600,12 @@ if test $ac_cv_prog_cc_works = no; then
   { echo "configure: error: installation or configuration problem: C compiler cannot create executables." 1>&2; exit 1; }
 fi
 echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler""... $ac_c" 1>&6
-echo "configure:1567: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler" >&5
+echo "configure:1604: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler" >&5
 echo "$ac_t""$ac_cv_prog_cc_cross" 1>&6
 cross_compiling=$ac_cv_prog_cc_cross
 
 echo $ac_n "checking whether we are using GNU C""... $ac_c" 1>&6
-echo "configure:1572: checking whether we are using GNU C" >&5
+echo "configure:1609: checking whether we are using GNU C" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_gcc'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
@@ -1577,7 +1614,7 @@ else
   yes;
 #endif
 EOF
-if { ac_try='${CC-cc} -E conftest.c'; { (eval echo configure:1581: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then
+if { ac_try='${CC-cc} -E conftest.c'; { (eval echo configure:1618: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then
   ac_cv_prog_gcc=yes
 else
   ac_cv_prog_gcc=no
@@ -1596,7 +1633,7 @@ ac_test_CFLAGS="${CFLAGS+set}"
 ac_save_CFLAGS="$CFLAGS"
 CFLAGS=
 echo $ac_n "checking whether ${CC-cc} accepts -g""... $ac_c" 1>&6
-echo "configure:1600: checking whether ${CC-cc} accepts -g" >&5
+echo "configure:1637: checking whether ${CC-cc} accepts -g" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_cc_g'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
@@ -1633,7 +1670,7 @@ do
 # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:1637: checking for $ac_word" >&5
+echo "configure:1674: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_CXX'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
@@ -1669,7 +1706,7 @@ do
 # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:1673: checking for $ac_word" >&5
+echo "configure:1710: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_CXX'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
@@ -1701,7 +1738,7 @@ test -n "$CXX" || CXX="gcc"
 
 
 echo $ac_n "checking whether the C++ compiler ($CXX $CXXFLAGS $LDFLAGS) works""... $ac_c" 1>&6
-echo "configure:1705: checking whether the C++ compiler ($CXX $CXXFLAGS $LDFLAGS) works" >&5
+echo "configure:1742: checking whether the C++ compiler ($CXX $CXXFLAGS $LDFLAGS) works" >&5
 
 ac_ext=C
 # CXXFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options.
@@ -1712,12 +1749,12 @@ cross_compiling=$ac_cv_prog_cxx_cross
 
 cat > conftest.$ac_ext << EOF
 
-#line 1716 "configure"
+#line 1753 "configure"
 #include "confdefs.h"
 
 int main(){return(0);}
 EOF
-if { (eval echo configure:1721: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:1758: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
   ac_cv_prog_cxx_works=yes
   # If we can't run a trivial program, we are probably using a cross compiler.
   if (./conftest; exit) 2>/dev/null; then
@@ -1743,12 +1780,12 @@ if test $ac_cv_prog_cxx_works = no; then
   { echo "configure: error: installation or configuration problem: C++ compiler cannot create executables." 1>&2; exit 1; }
 fi
 echo $ac_n "checking whether the C++ compiler ($CXX $CXXFLAGS $LDFLAGS) is a cross-compiler""... $ac_c" 1>&6
-echo "configure:1747: checking whether the C++ compiler ($CXX $CXXFLAGS $LDFLAGS) is a cross-compiler" >&5
+echo "configure:1784: checking whether the C++ compiler ($CXX $CXXFLAGS $LDFLAGS) is a cross-compiler" >&5
 echo "$ac_t""$ac_cv_prog_cxx_cross" 1>&6
 cross_compiling=$ac_cv_prog_cxx_cross
 
 echo $ac_n "checking whether we are using GNU C++""... $ac_c" 1>&6
-echo "configure:1752: checking whether we are using GNU C++" >&5
+echo "configure:1789: checking whether we are using GNU C++" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_gxx'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
@@ -1757,7 +1794,7 @@ else
   yes;
 #endif
 EOF
-if { ac_try='${CXX-g++} -E conftest.C'; { (eval echo configure:1761: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then
+if { ac_try='${CXX-g++} -E conftest.C'; { (eval echo configure:1798: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then
   ac_cv_prog_gxx=yes
 else
   ac_cv_prog_gxx=no
@@ -1776,7 +1813,7 @@ ac_test_CXXFLAGS="${CXXFLAGS+set}"
 ac_save_CXXFLAGS="$CXXFLAGS"
 CXXFLAGS=
 echo $ac_n "checking whether ${CXX-g++} accepts -g""... $ac_c" 1>&6
-echo "configure:1780: checking whether ${CXX-g++} accepts -g" >&5
+echo "configure:1817: checking whether ${CXX-g++} accepts -g" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_cxx_g'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
@@ -1810,7 +1847,7 @@ fi
     fi
 
     case "$build:$target" in
-      powerpc-apple-darwin8*:i?86-apple-darwin*)
+      powerpc-apple-darwin8*:i?86-apple-darwin*|*:arm*-apple-darwin*)
                                 CFLAGS=$_SAVE_CFLAGS
         CXXFLAGS=$_SAVE_CXXFLAGS
         ;;
@@ -1821,7 +1858,7 @@ do
 # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:1825: checking for $ac_word" >&5
+echo "configure:1862: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_RANLIB'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
@@ -1856,7 +1893,7 @@ do
 # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:1860: checking for $ac_word" >&5
+echo "configure:1897: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_AR'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
@@ -1891,7 +1928,7 @@ do
 # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:1895: checking for $ac_word" >&5
+echo "configure:1932: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_AS'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
@@ -1926,7 +1963,7 @@ do
 # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:1930: checking for $ac_word" >&5
+echo "configure:1967: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_LD'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
@@ -1961,7 +1998,7 @@ do
 # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:1965: checking for $ac_word" >&5
+echo "configure:2002: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_STRIP'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
@@ -1996,7 +2033,7 @@ do
 # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:2000: checking for $ac_word" >&5
+echo "configure:2037: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_WINDRES'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
@@ -2031,7 +2068,7 @@ else
     # Extract the first word of "gcc", so it can be a program name with args.
 set dummy gcc; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:2035: checking for $ac_word" >&5
+echo "configure:2072: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
@@ -2061,7 +2098,7 @@ if test -z "$CC"; then
   # Extract the first word of "cc", so it can be a program name with args.
 set dummy cc; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:2065: checking for $ac_word" >&5
+echo "configure:2102: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
@@ -2112,7 +2149,7 @@ fi
       # Extract the first word of "cl", so it can be a program name with args.
 set dummy cl; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:2116: checking for $ac_word" >&5
+echo "configure:2153: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
@@ -2144,7 +2181,7 @@ fi
 fi
 
 echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works""... $ac_c" 1>&6
-echo "configure:2148: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works" >&5
+echo "configure:2185: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works" >&5
 
 ac_ext=c
 # CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options.
@@ -2155,12 +2192,12 @@ cross_compiling=$ac_cv_prog_cc_cross
 
 cat > conftest.$ac_ext << EOF
 
-#line 2159 "configure"
+#line 2196 "configure"
 #include "confdefs.h"
 
 main(){return(0);}
 EOF
-if { (eval echo configure:2164: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:2201: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
   ac_cv_prog_cc_works=yes
   # If we can't run a trivial program, we are probably using a cross compiler.
   if (./conftest; exit) 2>/dev/null; then
@@ -2186,12 +2223,12 @@ if test $ac_cv_prog_cc_works = no; then
   { echo "configure: error: installation or configuration problem: C compiler cannot create executables." 1>&2; exit 1; }
 fi
 echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler""... $ac_c" 1>&6
-echo "configure:2190: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler" >&5
+echo "configure:2227: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler" >&5
 echo "$ac_t""$ac_cv_prog_cc_cross" 1>&6
 cross_compiling=$ac_cv_prog_cc_cross
 
 echo $ac_n "checking whether we are using GNU C""... $ac_c" 1>&6
-echo "configure:2195: checking whether we are using GNU C" >&5
+echo "configure:2232: checking whether we are using GNU C" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_gcc'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
@@ -2200,7 +2237,7 @@ else
   yes;
 #endif
 EOF
-if { ac_try='${CC-cc} -E conftest.c'; { (eval echo configure:2204: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then
+if { ac_try='${CC-cc} -E conftest.c'; { (eval echo configure:2241: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then
   ac_cv_prog_gcc=yes
 else
   ac_cv_prog_gcc=no
@@ -2219,7 +2256,7 @@ ac_test_CFLAGS="${CFLAGS+set}"
 ac_save_CFLAGS="$CFLAGS"
 CFLAGS=
 echo $ac_n "checking whether ${CC-cc} accepts -g""... $ac_c" 1>&6
-echo "configure:2223: checking whether ${CC-cc} accepts -g" >&5
+echo "configure:2260: checking whether ${CC-cc} accepts -g" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_cc_g'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
@@ -2259,7 +2296,7 @@ do
 # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:2263: checking for $ac_word" >&5
+echo "configure:2300: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_CXX'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
@@ -2291,7 +2328,7 @@ test -n "$CXX" || CXX="gcc"
 
 
 echo $ac_n "checking whether the C++ compiler ($CXX $CXXFLAGS $LDFLAGS) works""... $ac_c" 1>&6
-echo "configure:2295: checking whether the C++ compiler ($CXX $CXXFLAGS $LDFLAGS) works" >&5
+echo "configure:2332: checking whether the C++ compiler ($CXX $CXXFLAGS $LDFLAGS) works" >&5
 
 ac_ext=C
 # CXXFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options.
@@ -2302,12 +2339,12 @@ cross_compiling=$ac_cv_prog_cxx_cross
 
 cat > conftest.$ac_ext << EOF
 
-#line 2306 "configure"
+#line 2343 "configure"
 #include "confdefs.h"
 
 int main(){return(0);}
 EOF
-if { (eval echo configure:2311: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:2348: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
   ac_cv_prog_cxx_works=yes
   # If we can't run a trivial program, we are probably using a cross compiler.
   if (./conftest; exit) 2>/dev/null; then
@@ -2333,12 +2370,12 @@ if test $ac_cv_prog_cxx_works = no; then
   { echo "configure: error: installation or configuration problem: C++ compiler cannot create executables." 1>&2; exit 1; }
 fi
 echo $ac_n "checking whether the C++ compiler ($CXX $CXXFLAGS $LDFLAGS) is a cross-compiler""... $ac_c" 1>&6
-echo "configure:2337: checking whether the C++ compiler ($CXX $CXXFLAGS $LDFLAGS) is a cross-compiler" >&5
+echo "configure:2374: checking whether the C++ compiler ($CXX $CXXFLAGS $LDFLAGS) is a cross-compiler" >&5
 echo "$ac_t""$ac_cv_prog_cxx_cross" 1>&6
 cross_compiling=$ac_cv_prog_cxx_cross
 
 echo $ac_n "checking whether we are using GNU C++""... $ac_c" 1>&6
-echo "configure:2342: checking whether we are using GNU C++" >&5
+echo "configure:2379: checking whether we are using GNU C++" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_gxx'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
@@ -2347,7 +2384,7 @@ else
   yes;
 #endif
 EOF
-if { ac_try='${CXX-g++} -E conftest.C'; { (eval echo configure:2351: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then
+if { ac_try='${CXX-g++} -E conftest.C'; { (eval echo configure:2388: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then
   ac_cv_prog_gxx=yes
 else
   ac_cv_prog_gxx=no
@@ -2366,7 +2403,7 @@ ac_test_CXXFLAGS="${CXXFLAGS+set}"
 ac_save_CXXFLAGS="$CXXFLAGS"
 CXXFLAGS=
 echo $ac_n "checking whether ${CXX-g++} accepts -g""... $ac_c" 1>&6
-echo "configure:2370: checking whether ${CXX-g++} accepts -g" >&5
+echo "configure:2407: checking whether ${CXX-g++} accepts -g" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_cxx_g'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
@@ -2400,7 +2437,7 @@ fi
         fi
     fi
     echo $ac_n "checking how to run the C preprocessor""... $ac_c" 1>&6
-echo "configure:2404: checking how to run the C preprocessor" >&5
+echo "configure:2441: checking how to run the C preprocessor" >&5
 # On Suns, sometimes $CPP names a directory.
 if test -n "$CPP" && test -d "$CPP"; then
   CPP=
@@ -2415,13 +2452,13 @@ else
   # On the NeXT, cc -E runs the code through the compiler's parser,
   # not just through cpp.
   cat > conftest.$ac_ext <
 Syntax Error
 EOF
 ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:2425: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:2462: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
 ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
 if test -z "$ac_err"; then
   :
@@ -2432,13 +2469,13 @@ else
   rm -rf conftest*
   CPP="${CC-cc} -E -traditional-cpp"
   cat > conftest.$ac_ext <
 Syntax Error
 EOF
 ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:2442: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:2479: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
 ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
 if test -z "$ac_err"; then
   :
@@ -2449,13 +2486,13 @@ else
   rm -rf conftest*
   CPP="${CC-cc} -nologo -E"
   cat > conftest.$ac_ext <
 Syntax Error
 EOF
 ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:2459: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:2496: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
 ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
 if test -z "$ac_err"; then
   :
@@ -2482,7 +2519,7 @@ echo "$ac_t""$CPP" 1>&6
     # Extract the first word of "ranlib", so it can be a program name with args.
 set dummy ranlib; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:2486: checking for $ac_word" >&5
+echo "configure:2523: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_RANLIB'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
@@ -2514,7 +2551,7 @@ do
 # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:2518: checking for $ac_word" >&5
+echo "configure:2555: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_path_AS'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
@@ -2555,7 +2592,7 @@ do
 # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:2559: checking for $ac_word" >&5
+echo "configure:2596: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_path_AR'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
@@ -2596,7 +2633,7 @@ do
 # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:2600: checking for $ac_word" >&5
+echo "configure:2637: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_path_LD'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
@@ -2637,7 +2674,7 @@ do
 # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:2641: checking for $ac_word" >&5
+echo "configure:2678: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_path_STRIP'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
@@ -2678,7 +2715,7 @@ do
 # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:2682: checking for $ac_word" >&5
+echo "configure:2719: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_path_WINDRES'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
@@ -2746,7 +2783,7 @@ else
 fi
 
 echo $ac_n "checking for gcc -pipe support""... $ac_c" 1>&6
-echo "configure:2750: checking for gcc -pipe support" >&5
+echo "configure:2787: checking for gcc -pipe support" >&5
 if test -n "$GNU_CC" && test -n "$GNU_CXX" && test -n "$GNU_AS"; then
     echo '#include ' > dummy-hello.c
     echo 'int main() { printf("Hello World\n"); return 0; }' >> dummy-hello.c
@@ -2761,14 +2798,14 @@ if test -n "$GNU_CC" && test -n "$GNU_CXX" && test -n "$GNU_AS"; then
         _SAVE_CFLAGS=$CFLAGS
         CFLAGS="$CFLAGS -pipe"
         cat > conftest.$ac_ext < 
 int main() {
 printf("Hello World\n");
 ; return 0; }
 EOF
-if { (eval echo configure:2772: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:2809: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
   rm -rf conftest*
   _res_gcc_pipe="yes"
 else
@@ -2798,16 +2835,16 @@ _SAVE_CFLAGS="$CFLAGS"
 CFLAGS="$CFLAGS -fprofile-generate -fprofile-correction"
 
 echo $ac_n "checking whether C compiler supports -fprofile-generate""... $ac_c" 1>&6
-echo "configure:2802: checking whether C compiler supports -fprofile-generate" >&5
+echo "configure:2839: checking whether C compiler supports -fprofile-generate" >&5
 cat > conftest.$ac_ext <&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:2848: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
   rm -rf conftest*
    PROFILE_GEN_CFLAGS="-fprofile-generate"
                  result="yes" 
@@ -2830,7 +2867,7 @@ CFLAGS="$_SAVE_CFLAGS"
 
 if test "$GNU_CC"; then
     echo $ac_n "checking for visibility(hidden) attribute""... $ac_c" 1>&6
-echo "configure:2834: checking for visibility(hidden) attribute" >&5
+echo "configure:2871: checking for visibility(hidden) attribute" >&5
 if eval "test \"`echo '$''{'ac_cv_visibility_hidden'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
@@ -2854,7 +2891,7 @@ echo "$ac_t""$ac_cv_visibility_hidden" 1>&6
 EOF
 
         echo $ac_n "checking for visibility pragma support""... $ac_c" 1>&6
-echo "configure:2858: checking for visibility pragma support" >&5
+echo "configure:2895: checking for visibility pragma support" >&5
 if eval "test \"`echo '$''{'ac_cv_visibility_pragma'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
@@ -2907,7 +2944,7 @@ do
 # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:2911: checking for $ac_word" >&5
+echo "configure:2948: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_path_PERL'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
@@ -3228,14 +3265,14 @@ no)
     _SAVE_CFLAGS="$CFLAGS"
     CFLAGS="$arch_flag"
     cat > conftest.$ac_ext <&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:3276: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
   rm -rf conftest*
   MOZ_THUMB2=1
 else
@@ -3297,16 +3334,16 @@ if test -n "$all_flags"; then
     _SAVE_CFLAGS="$CFLAGS"
     CFLAGS="$all_flags"
     echo $ac_n "checking whether the chosen combination of compiler flags ($all_flags) works""... $ac_c" 1>&6
-echo "configure:3301: checking whether the chosen combination of compiler flags ($all_flags) works" >&5
+echo "configure:3338: checking whether the chosen combination of compiler flags ($all_flags) works" >&5
     cat > conftest.$ac_ext <&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:3347: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
   rm -rf conftest*
   echo "$ac_t""yes" 1>&6
 else
@@ -3363,17 +3400,17 @@ EOF
     DSO_LDOPTS='-brtl -bnortllib -bM:SRE -bnoentry -bexpall -blibpath:/usr/lib:/lib'
     ac_safe=`echo "sys/atomic_op.h" | sed 'y%./+-%__p_%'`
 echo $ac_n "checking for sys/atomic_op.h""... $ac_c" 1>&6
-echo "configure:3367: checking for sys/atomic_op.h" >&5
+echo "configure:3404: checking for sys/atomic_op.h" >&5
 if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   cat > conftest.$ac_ext <
 EOF
 ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:3377: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:3414: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
 ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
 if test -z "$ac_err"; then
   rm -rf conftest*
@@ -3569,7 +3606,7 @@ EOF
         _DEBUG_FLAGS='-gdwarf-2 -O0'
         MKSHLIB='$(CCC) $(DSO_LDOPTS) -o $@'
         echo $ac_n "checking for gethostbyaddr in -lbind""... $ac_c" 1>&6
-echo "configure:3573: checking for gethostbyaddr in -lbind" >&5
+echo "configure:3610: checking for gethostbyaddr in -lbind" >&5
 ac_lib_var=`echo bind'_'gethostbyaddr | sed 'y%./+-%__p_%'`
 if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
@@ -3577,7 +3614,7 @@ else
   ac_save_LIBS="$LIBS"
 LIBS="-lbind  $LIBS"
 cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:3629: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
   rm -rf conftest*
   eval "ac_cv_lib_$ac_lib_var=yes"
 else
@@ -3775,6 +3812,9 @@ EOF
     AS='$(CC) -x assembler-with-cpp'
     CFLAGS="$CFLAGS -Wall -fno-common"
     case "${target_cpu}" in
+        arm*)
+            CPU_ARCH=arm
+            ;;
         i*86*)
             if test -n "$USE_64"; then
                 CPU_ARCH=x86_64
@@ -3789,6 +3829,39 @@ EOF
     if test "`echo $CC | grep -c '\-arch '`" = "0"; then
         CC="$CC -arch $CPU_ARCH"
     fi
+    ac_safe=`echo "crt_externs.h" | sed 'y%./+-%__p_%'`
+echo $ac_n "checking for crt_externs.h""... $ac_c" 1>&6
+echo "configure:3835: checking for crt_externs.h" >&5
+if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <
+EOF
+ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
+{ (eval echo configure:3845: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
+if test -z "$ac_err"; then
+  rm -rf conftest*
+  eval "ac_cv_header_$ac_safe=yes"
+else
+  echo "$ac_err" >&5
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_header_$ac_safe=no"
+fi
+rm -f conftest*
+fi
+if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+  :
+else
+  echo "$ac_t""no" 1>&6
+fi
+
     DSO_CFLAGS=-fPIC
     DSO_LDOPTS='-dynamiclib -compatibility_version 1 -current_version 1 -all_load -install_name @executable_path/$@ -headerpad_max_install_names'
     _OPTIMIZE_FLAGS=-O2
@@ -4942,17 +5015,17 @@ EOF
         _OPTIMIZE_FLAGS="$_OPTIMIZE_FLAGS -Olimit 4000"
         ac_safe=`echo "machine/builtins.h" | sed 'y%./+-%__p_%'`
 echo $ac_n "checking for machine/builtins.h""... $ac_c" 1>&6
-echo "configure:4946: checking for machine/builtins.h" >&5
+echo "configure:5019: checking for machine/builtins.h" >&5
 if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   cat > conftest.$ac_ext <
 EOF
 ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:4956: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:5029: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
 ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
 if test -z "$ac_err"; then
   rm -rf conftest*
@@ -5601,7 +5674,7 @@ case $target in
     ;;
 *)
     echo $ac_n "checking for dlopen in -ldl""... $ac_c" 1>&6
-echo "configure:5605: checking for dlopen in -ldl" >&5
+echo "configure:5678: checking for dlopen in -ldl" >&5
 ac_lib_var=`echo dl'_'dlopen | sed 'y%./+-%__p_%'`
 if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
@@ -5609,7 +5682,7 @@ else
   ac_save_LIBS="$LIBS"
 LIBS="-ldl  $LIBS"
 cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:5697: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
   rm -rf conftest*
   eval "ac_cv_lib_$ac_lib_var=yes"
 else
@@ -5637,17 +5710,17 @@ if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
   echo "$ac_t""yes" 1>&6
   ac_safe=`echo "dlfcn.h" | sed 'y%./+-%__p_%'`
 echo $ac_n "checking for dlfcn.h""... $ac_c" 1>&6
-echo "configure:5641: checking for dlfcn.h" >&5
+echo "configure:5714: checking for dlfcn.h" >&5
 if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   cat > conftest.$ac_ext <
 EOF
 ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:5651: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:5724: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
 ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
 if test -z "$ac_err"; then
   rm -rf conftest*
@@ -5680,13 +5753,13 @@ esac
 
 if test $ac_cv_prog_gcc = yes; then
     echo $ac_n "checking whether ${CC-cc} needs -traditional""... $ac_c" 1>&6
-echo "configure:5684: checking whether ${CC-cc} needs -traditional" >&5
+echo "configure:5757: checking whether ${CC-cc} needs -traditional" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_gcc_traditional'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
     ac_pattern="Autoconf.*'x'"
   cat > conftest.$ac_ext <
 Autoconf TIOCGETP
@@ -5704,7 +5777,7 @@ rm -f conftest*
 
   if test $ac_cv_prog_gcc_traditional = no; then
     cat > conftest.$ac_ext <
 Autoconf TCGETA
@@ -5728,12 +5801,12 @@ fi
 for ac_func in lchown strerror
 do
 echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
-echo "configure:5732: checking for $ac_func" >&5
+echo "configure:5805: checking for $ac_func" >&5
 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:5833: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
   rm -rf conftest*
   eval "ac_cv_func_$ac_func=yes"
 else
@@ -5807,7 +5880,7 @@ do
 # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:5811: checking for $ac_word" >&5
+echo "configure:5884: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_path_CCACHE'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
@@ -5866,7 +5939,7 @@ hpux*)
 if test -z "$GNU_CC"; then
 
     echo $ac_n "checking for +Olit support""... $ac_c" 1>&6
-echo "configure:5870: checking for +Olit support" >&5
+echo "configure:5943: checking for +Olit support" >&5
 if eval "test \"`echo '$''{'ac_cv_hpux_usable_olit_option'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
@@ -5908,7 +5981,7 @@ wince*)
 *)
     
 echo $ac_n "checking for pthread_create in -lpthreads""... $ac_c" 1>&6
-echo "configure:5912: checking for pthread_create in -lpthreads" >&5
+echo "configure:5985: checking for pthread_create in -lpthreads" >&5
 echo "
     #include  
     void *foo(void *v) { return v; } 
@@ -5930,7 +6003,7 @@ echo "
         echo "$ac_t""no" 1>&6
         
 echo $ac_n "checking for pthread_create in -lpthread""... $ac_c" 1>&6
-echo "configure:5934: checking for pthread_create in -lpthread" >&5
+echo "configure:6007: checking for pthread_create in -lpthread" >&5
 echo "
     #include  
     void *foo(void *v) { return v; } 
@@ -5952,7 +6025,7 @@ echo "
         echo "$ac_t""no" 1>&6
         
 echo $ac_n "checking for pthread_create in -lc_r""... $ac_c" 1>&6
-echo "configure:5956: checking for pthread_create in -lc_r" >&5
+echo "configure:6029: checking for pthread_create in -lc_r" >&5
 echo "
     #include  
     void *foo(void *v) { return v; } 
@@ -5974,7 +6047,7 @@ echo "
         echo "$ac_t""no" 1>&6
         
 echo $ac_n "checking for pthread_create in -lc""... $ac_c" 1>&6
-echo "configure:5978: checking for pthread_create in -lc" >&5
+echo "configure:6051: checking for pthread_create in -lc" >&5
 echo "
     #include  
     void *foo(void *v) { return v; } 
@@ -6092,7 +6165,7 @@ if test -n "$USE_PTHREADS"; then
       rm -f conftest*
    ac_cv_have_dash_pthread=no
    echo $ac_n "checking whether ${CC-cc} accepts -pthread""... $ac_c" 1>&6
-echo "configure:6096: checking whether ${CC-cc} accepts -pthread" >&5
+echo "configure:6169: checking whether ${CC-cc} accepts -pthread" >&5
    echo 'int main() { return 0; }' | cat > conftest.c
    ${CC-cc} -pthread -o conftest conftest.c > conftest.out 2>&1
    if test $? -eq 0; then
@@ -6115,7 +6188,7 @@ echo "configure:6096: checking whether ${CC-cc} accepts -pthread" >&5
 			    ac_cv_have_dash_pthreads=no
     if test "$ac_cv_have_dash_pthread" = "no"; then
 	    echo $ac_n "checking whether ${CC-cc} accepts -pthreads""... $ac_c" 1>&6
-echo "configure:6119: checking whether ${CC-cc} accepts -pthreads" >&5
+echo "configure:6192: checking whether ${CC-cc} accepts -pthreads" >&5
     	echo 'int main() { return 0; }' | cat > conftest.c
 	    ${CC-cc} -pthreads -o conftest conftest.c > conftest.out 2>&1
     	if test $? -eq 0; then
diff --git a/nsprpub/configure.in b/nsprpub/configure.in
index 39c96a3086b1..fe556b89c302 100644
--- a/nsprpub/configure.in
+++ b/nsprpub/configure.in
@@ -49,8 +49,8 @@ dnl ========================================================
 dnl = Defaults
 dnl ========================================================
 MOD_MAJOR_VERSION=4
-MOD_MINOR_VERSION=8
-MOD_PATCH_VERSION=9
+MOD_MINOR_VERSION=9
+MOD_PATCH_VERSION=0
 NSPR_MODNAME=nspr20
 _HAVE_PTHREADS=
 USE_PTHREADS=
@@ -170,11 +170,39 @@ case "$target" in
     fi
 
     if test -z "$android_toolchain" ; then
-       android_toolchain="$android_ndk"/build/prebuilt/`uname -s | tr "[[:upper:]]" "[[:lower:]]"`-x86/arm-eabi-4.4.0
+        AC_MSG_CHECKING([for android toolchain directory])
+
+        kernel_name=`uname -s | tr "[[:upper:]]" "[[:lower:]]"`
+
+        android_toolchain="$android_ndk"/build/prebuilt/$kernel_name-x86/arm-eabi-4.4.0
+
+        # With newer NDK, the toolchain path has changed.
+        if ! test -d "$android_toolchain" ; then
+            android_toolchain="$android_ndk"/toolchains/arm-$kernel_name-androideabi-4.4.3/prebuilt/$kernel_name-x86
+        fi
+
+        if test -d "$android_toolchain" ; then
+            AC_MSG_RESULT([$android_toolchain])
+        else
+            AC_MSG_ERROR([not found. You have to specify --with-android-toolchain=/path/to/ndk/toolchain.])
+        fi
     fi
 
     if test -z "$android_platform" ; then
-       android_platform="$android_ndk"/build/platforms/android-5/arch-arm
+        AC_MSG_CHECKING([for android platform directory])
+
+        android_platform="$android_ndk"/build/platforms/android-5/arch-arm
+
+        # With newer NDK, the platform path has changed.
+        if ! test -d "$android_platform" ; then
+            android_platform="$android_ndk"/platforms/android-5/arch-arm
+        fi
+
+        if test -d "$android_platform" ; then
+            AC_MSG_RESULT([$android_platform])
+        else
+            AC_MSG_ERROR([not found. You have to specify --with-android-platform=/path/to/ndk/platform.])
+        fi
     fi
 
     dnl set up compilers
@@ -499,7 +527,11 @@ if test -z "$SKIP_COMPILER_CHECKS"; then
 dnl ========================================================
 dnl Checks for compilers.
 dnl ========================================================
-if test "$target" != "$host"; then
+
+dnl Explicitly honor $CROSS_COMPILE to allow cross-compiling
+dnl between toolkits on the same architecture, as when
+dnl targeting the iOS Simulator from OS X.
+if test "$target" != "$host" -o -n "$CROSS_COMPILE"; then
     echo "cross compiling from $host to $target"
     cross_compiling=yes
 
@@ -541,11 +573,20 @@ if test "$target" != "$host"; then
         dnl versions of PPC OS X 10.4 aren't fat, so these target compiler
         dnl checks will fail.  Fake a working SDK in that case.
         _SAVE_CFLAGS=$CFLAGS 
-        _SAVE_CXXFLAGS=$CXXLAGS
+        _SAVE_CXXFLAGS=$CXXFLAGS
         CFLAGS="-isysroot /Developer/SDKs/MacOSX10.4u.sdk $CFLAGS"
         CXXFLAGS="-isysroot /Developer/SDKs/MacOSX10.4u.sdk $CXXFLAGS"
-        ;;        
-    esac            
+        ;;
+      *:arm*-apple-darwin*)
+        dnl The arm compiler doesn't appear to know about its root by default,
+        dnl so explicitly pass it one here. Later on we'll put this in CFLAGS
+        dnl anyway.
+        _SAVE_CFLAGS=$CFLAGS
+        _SAVE_CXXFLAGS=$CXXFLAGS
+        CFLAGS="-isysroot $MACOS_SDK_DIR $CFLAGS"
+        CXXFLAGS="-isysroot $MACOS_SDK_DIR $CXXFLAGS"
+        ;;
+    esac
 
     AC_CHECK_PROGS(CC, $CC "${target_alias}-gcc" "${target}-gcc", echo)
     unset ac_cv_prog_CC
@@ -557,7 +598,7 @@ if test "$target" != "$host"; then
     fi
 
     case "$build:$target" in
-      powerpc-apple-darwin8*:i?86-apple-darwin*)
+      powerpc-apple-darwin8*:i?86-apple-darwin*|*:arm*-apple-darwin*)
         dnl Revert the changes made above.  From this point on, the target
         dnl compiler will never be used without applying the SDK to CFLAGS
         dnl (see --with-macos-sdk below).
@@ -1306,6 +1347,9 @@ case "$target" in
     AS='$(CC) -x assembler-with-cpp'
     CFLAGS="$CFLAGS -Wall -fno-common"
     case "${target_cpu}" in
+        arm*)
+            CPU_ARCH=arm
+            ;;
         i*86*)
             if test -n "$USE_64"; then
                 CPU_ARCH=x86_64
@@ -1320,6 +1364,7 @@ case "$target" in
     if test "`echo $CC | grep -c '\-arch '`" = "0"; then
         CC="$CC -arch $CPU_ARCH"
     fi
+    AC_CHECK_HEADER(crt_externs.h)
     DSO_CFLAGS=-fPIC
     DSO_LDOPTS='-dynamiclib -compatibility_version 1 -current_version 1 -all_load -install_name @executable_path/$@ -headerpad_max_install_names'
     _OPTIMIZE_FLAGS=-O2
diff --git a/nsprpub/lib/ds/plarena.c b/nsprpub/lib/ds/plarena.c
index 22dae78797af..bdc03e192771 100644
--- a/nsprpub/lib/ds/plarena.c
+++ b/nsprpub/lib/ds/plarena.c
@@ -129,7 +129,15 @@ PR_IMPLEMENT(void) PL_InitArenaPool(
     pool->first.base = pool->first.avail = pool->first.limit =
         (PRUword)PL_ARENA_ALIGN(pool, &pool->first + 1);
     pool->current = &pool->first;
-    pool->arenasize = size;                                  
+    /*
+     * Compute the net size so that each arena's gross size is |size|.
+     * sizeof(PLArena) + pool->mask is the header and alignment slop
+     * that PL_ArenaAllocate adds to the net size.
+     */
+    if (size > sizeof(PLArena) + pool->mask)
+        pool->arenasize = size - (sizeof(PLArena) + pool->mask);
+    else
+        pool->arenasize = size;
 #ifdef PL_ARENAMETER
     memset(&pool->stats, 0, sizeof pool->stats);
     pool->stats.name = strdup(name);
diff --git a/nsprpub/lib/ds/plarenas.h b/nsprpub/lib/ds/plarenas.h
index 9c9eee8ecd6a..f30d2943c243 100644
--- a/nsprpub/lib/ds/plarenas.h
+++ b/nsprpub/lib/ds/plarenas.h
@@ -44,7 +44,12 @@ typedef struct PLArenaPool      PLArenaPool;
 
 /*
 ** Initialize an arena pool with the given name for debugging and metering,
-** with a minimum size per arena of size bytes.
+** with a minimum gross size per arena of size bytes.  The net size per arena
+** is smaller than the gross size by a header of four pointers plus any
+** necessary padding for alignment.
+**
+** Note: choose a gross size that's a power of two to avoid the heap allocator
+** rounding the size up.
 **/
 PR_EXTERN(void) PL_InitArenaPool(
     PLArenaPool *pool, const char *name, PRUint32 size, PRUint32 align);
diff --git a/nsprpub/lib/msgc/.cvsignore b/nsprpub/lib/msgc/.cvsignore
deleted file mode 100644
index f3c7a7c5da68..000000000000
--- a/nsprpub/lib/msgc/.cvsignore
+++ /dev/null
@@ -1 +0,0 @@
-Makefile
diff --git a/nsprpub/lib/msgc/include/.cvsignore b/nsprpub/lib/msgc/include/.cvsignore
deleted file mode 100644
index f3c7a7c5da68..000000000000
--- a/nsprpub/lib/msgc/include/.cvsignore
+++ /dev/null
@@ -1 +0,0 @@
-Makefile
diff --git a/nsprpub/lib/msgc/include/gcint.h b/nsprpub/lib/msgc/include/gcint.h
deleted file mode 100644
index 10048f068916..000000000000
--- a/nsprpub/lib/msgc/include/gcint.h
+++ /dev/null
@@ -1,129 +0,0 @@
-/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape Portable Runtime (NSPR).
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1998-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef gcint_h___
-#define gcint_h___
-
-#include "prmon.h"
-#include "prgc.h"
-
-extern PRLogModuleInfo *_pr_msgc_lm;
-extern GCInfo _pr_gcData;
-
-#if defined(_WIN32) && !defined(DEBUG)
-#undef INLINE_LOCK
-#endif
-
-#ifdef INLINE_LOCK
-#define LOCK_GC()       EnterCriticalSection(&_pr_gcData.lock->mutexHandle)
-#define UNLOCK_GC()     LeaveCriticalSection(&_pr_gcData.lock->mutexHandle)
-#else
-#define LOCK_GC()       PR_EnterMonitor(_pr_gcData.lock)
-#define UNLOCK_GC()     PR_ExitMonitor (_pr_gcData.lock)
-#define GC_IS_LOCKED()  (PR_GetMonitorEntryCount(_pr_gcData.lock)!=0)
-#endif
-
-#ifdef DEBUG
-#define _GCTRACE(x, y) if (_pr_gcData.flags & x) GCTrace y
-#else
-#define _GCTRACE(x, y)
-#endif
-
-extern GCBeginGCHook *_pr_beginGCHook;
-extern void *_pr_beginGCHookArg;
-extern GCBeginGCHook *_pr_endGCHook;
-extern void *_pr_endGCHookArg;
-
-extern GCBeginFinalizeHook *_pr_beginFinalizeHook;
-extern void *_pr_beginFinalizeHookArg;
-extern GCBeginFinalizeHook *_pr_endFinalizeHook;
-extern void *_pr_endFinalizeHookArg;
-
-extern int _pr_do_a_dump;
-extern FILE *_pr_dump_file;
-
-extern PRLogModuleInfo *_pr_gc_lm;
-
-/*
-** Root finders. Root finders are used by the GC to find pointers into
-** the GC heap that are not contained in the GC heap.
-*/
-typedef struct RootFinderStr RootFinder;
-
-struct RootFinderStr {
-    RootFinder *next;
-    GCRootFinder *func;
-    char *name;
-    void *arg;
-};
-extern RootFinder *_pr_rootFinders;
-
-typedef struct CollectorTypeStr {
-    GCType gctype;
-    PRUint32 flags;
-} CollectorType;
-
-#define GC_MAX_TYPES	256
-extern CollectorType *_pr_collectorTypes;
-
-#define _GC_TYPE_BUSY   0x1
-#define _GC_TYPE_FINAL  0x2
-#define _GC_TYPE_WEAK   0x4
-
-/* Slot in _pr_gcTypes used for free memory */
-#define FREE_MEMORY_TYPEIX 255
-
-extern void _PR_InitGC(PRWord flags);
-extern void _MD_InitGC(void);
-extern void PR_CALLBACK _PR_ScanFinalQueue(void *notused);
-
-/*
-** Grow the GC Heap.
-*/
-extern void *_MD_GrowGCHeap(PRUint32 *sizep);
-
-/*
-** Extend the GC Heap.
-*/
-extern PRBool _MD_ExtendGCHeap(char *base, PRInt32 oldSize, PRInt32 newSize);
-
-/*
-** Free a GC segment.
-*/
-extern void _MD_FreeGCSegment(void *base, PRInt32 len);
-
-#endif /* gcint_h___ */
diff --git a/nsprpub/lib/msgc/include/prgc.h b/nsprpub/lib/msgc/include/prgc.h
deleted file mode 100644
index 859f7b1c0dd5..000000000000
--- a/nsprpub/lib/msgc/include/prgc.h
+++ /dev/null
@@ -1,419 +0,0 @@
-/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape Portable Runtime (NSPR).
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1998-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#ifndef prgc_h___
-#define prgc_h___
-
-/*
-** API to NSPR gc memory system.
-*/
-#include "prtypes.h"
-#include "prmon.h"
-#include "prthread.h"
-#include 
-
-#if defined(WIN16)
-#define GCPTR __far
-#else
-#define GCPTR
-#endif
-
-
-PR_BEGIN_EXTERN_C
-
-/*
-** Initialize the garbage collector.
-**     "flags" is the trace flags (see below).
-**     "initialHeapSize" is the initial size of the heap and may be zero
-**        if the default is desired.
-**    "segmentSize" is the size of each segment of memory added to the
-**       heap when the heap is grown.
-*/
-PR_EXTERN(void) PR_InitGC(
-    PRWord flags, PRInt32 initialHeapSize, PRInt32 segmentSize, PRThreadScope scope);
-
-/*
-** Shuts down gc and frees up all memory associated with it. 
-*/
-PR_EXTERN(void) PR_ShutdownGC(PRBool finalizeOnExit);
-
-/*
-** This walk function will be called for every gc object in the
-** heap as it is walked. If it returns non-zero, the walk is terminated.
-*/
-typedef PRInt32 (*PRWalkFun)(void GCPTR* obj, void* data);
-
-/*
-** GC Type record. This defines all of the GC operations used on a
-** particular object type. These structures are passed to
-** PR_RegisterType.
-*/
-typedef struct GCType {
-    /*
-    ** Scan an object that is in the GC heap and call GCInfo.livePointer
-    ** on all of the pointers in it. If this slot is null then the object
-    ** won't be scanned (i.e. it has no embedded pointers).
-    */
-    void (PR_CALLBACK *scan)(void GCPTR *obj);
-
-    /*
-    ** Finalize an object that has no references. This is called by the
-    ** GC after it has determined where the object debris is but before
-    ** it has moved the debris to the logical "free list". The object is
-    ** marked alive for this call and removed from the list of objects
-    ** that need finalization (finalization only happens once for an
-    ** object). If this slot is null then the object doesn't need
-    ** finalization.
-    */
-    void (PR_CALLBACK *finalize)(void GCPTR *obj);
-
-    /*
-    ** Dump out an object during a PR_DumpGCHeap(). This is used as a
-    ** debugging tool.
-    */
-    void (PR_CALLBACK *dump)(FILE *out, void GCPTR *obj, PRBool detailed, PRIntn indentLevel);
-
-    /*
-    ** Add object to summary table.
-    */
-    void (PR_CALLBACK *summarize)(void GCPTR *obj, PRUint32 bytes);
-
-    /*
-    ** Free hook called by GC when the object is being freed.
-    */
-    void (PR_CALLBACK *free)(void *obj);
-
-    /* Weak pointer support: If the object has a weak pointer (Note:
-       at most one), this function is used to get the weak link's
-       offset from the start of the body of a gc object */
-    PRUint32 (PR_CALLBACK *getWeakLinkOffset)(void *obj);
-
-    /* Descriptive character for dumping this GCType */
-    char kindChar;
-
-    /*
-    ** Walker routine. This routine should apply fun(obj->ptr, data)
-    ** for every gc pointer within the object.
-    */
-    PRInt32 (PR_CALLBACK *walk)(void GCPTR *obj, PRWalkFun fun, void* data);
-} GCType;
-
-/*
-** This data structure must be added as the hash table passed to 
-** the summarize method of GCType.
-*/ 
-typedef struct PRSummaryEntry {
-    void* clazz;
-    PRInt32 instancesCount;
-    PRInt32 totalSize;
-} PRSummaryEntry;
-
-/*
-** This function pointer must be registered by users of nspr
-** to produce the finally summary after all object in the
-** heap have been visited.
-*/
-typedef void (PR_CALLBACK *PRSummaryPrinter)(FILE *out, void* closure);
-
-PR_EXTERN(void) PR_CALLBACK PR_RegisterSummaryPrinter(PRSummaryPrinter fun, void* closure);
-
-typedef void PR_CALLBACK GCRootFinder(void *arg);
-typedef void PR_CALLBACK GCBeginFinalizeHook(void *arg);
-typedef void PR_CALLBACK GCEndFinalizeHook(void *arg);
-typedef void PR_CALLBACK GCBeginGCHook(void *arg);
-typedef void PR_CALLBACK GCEndGCHook(void *arg);
-
-typedef enum { PR_GCBEGIN, PR_GCEND } GCLockHookArg;
-
-typedef void PR_CALLBACK GCLockHookFunc(GCLockHookArg arg1, void *arg2);
-
-typedef struct GCLockHook GCLockHook;
-
-struct GCLockHook {
-  GCLockHookFunc* func;
-  void* arg;
-  GCLockHook* next;
-  GCLockHook* prev;
-};
-
-
-/*
-** Hooks which are called at the beginning and end of the GC process.
-** The begin hooks are called before the root finding step. The hooks are
-** called with threading disabled, so it is now allowed to re-enter the
-** kernel. The end hooks are called after the gc has finished but before
-** the finalizer has run.
-*/
-PR_EXTERN(void) PR_CALLBACK PR_SetBeginGCHook(GCBeginGCHook *hook, void *arg);
-PR_EXTERN(void) PR_CALLBACK PR_GetBeginGCHook(GCBeginGCHook **hook, void **arg);
-PR_EXTERN(void) PR_CALLBACK PR_SetEndGCHook(GCBeginGCHook *hook, void *arg);
-PR_EXTERN(void) PR_CALLBACK PR_GetEndGCHook(GCEndGCHook **hook, void **arg);
-
-/*
-** Called before SuspendAll is called by dogc, so that GC thread can hold
-** all the locks before hand to avoid any deadlocks
-*/
-
-/*
-PR_EXTERN(void) PR_SetGCLockHook(GCLockHook *hook, void *arg);
-PR_EXTERN(void) PR_GetGCLockHook(GCLockHook **hook, void **arg);
-*/
-
-PR_EXTERN(int) PR_RegisterGCLockHook(GCLockHookFunc *hook, void *arg);
-
-/*
-** Hooks which are called at the beginning and end of the GC finalization
-** process. After the GC has identified all of the dead objects in the
-** heap, it looks for objects that need finalization. Before it calls the
-** first finalization proc (see the GCType structure above) it calls the
-** begin hook. When it has finalized the last object it calls the end
-** hook.
-*/
-PR_EXTERN(void) PR_SetBeginFinalizeHook(GCBeginFinalizeHook *hook, void *arg);
-PR_EXTERN(void) PR_GetBeginFinalizeHook(GCBeginFinalizeHook **hook, void **arg);
-PR_EXTERN(void) PR_SetEndFinalizeHook(GCBeginFinalizeHook *hook, void *arg);
-PR_EXTERN(void) PR_GetEndFinalizeHook(GCEndFinalizeHook **hook, void **arg);
-
-/*
-** Register a GC type. Return's the index into the GC internal type
-** table. The returned value is passed to PR_AllocMemory. After the call,
-** the "type" memory belongs to the GC (the caller must not free it or
-** change it).
-*/
-PR_EXTERN(PRInt32) PR_RegisterType(GCType *type);
-
-/*
-** Register a root finder with the collector. The collector will call
-** these functions to identify all of the roots before collection
-** proceeds. "arg" is passed to the function when it is called.
-*/
-PR_EXTERN(PRStatus) PR_RegisterRootFinder(GCRootFinder func, char *name, void *arg);
-
-/*
-** Allocate some GC'able memory. The object must be at least bytes in
-** size. The type index function for the object is specified. "flags"
-** specifies some control flags. If PR_ALLOC_CLEAN is set then the memory
-** is zero'd before being returned. If PR_ALLOC_DOUBLE is set then the
-** allocated memory is double aligned.
-**
-** Any memory cell that you store a pointer to something allocated by
-** this call must be findable by the GC. Use the PR_RegisterRootFinder to
-** register new places where the GC will look for pointers into the heap.
-** The GC already knows how to scan any NSPR threads or monitors.
-*/
-PR_EXTERN(PRWord GCPTR *)PR_AllocMemory(
-    PRWord bytes, PRInt32 typeIndex, PRWord flags);
-PR_EXTERN(PRWord GCPTR *)PR_AllocSimpleMemory(
-    PRWord bytes, PRInt32 typeIndex);
-
-/*
-** This function can be used to cause PR_AllocMemory to always return
-** NULL. This may be useful in low memory situations when we're trying to
-** shutdown applets.
-*/
-PR_EXTERN(void) PR_EnableAllocation(PRBool yesOrNo);
-
-/* flags bits */
-#define PR_ALLOC_CLEAN 0x1
-#define PR_ALLOC_DOUBLE 0x2
-#define PR_ALLOC_ZERO_HANDLE 0x4              /* XXX yes, it's a hack */
-
-/*
-** Force a garbage collection right now. Return when it completes.
-*/
-PR_EXTERN(void) PR_GC(void);
-
-/*
-** Force a finalization right now. Return when finalization has
-** completed. Finalization completes when there are no more objects
-** pending finalization. This does not mean there are no objects in the
-** gc heap that will need finalization should a collection be done after
-** this call.
-*/
-PR_EXTERN(void) PR_ForceFinalize(void);
-
-/*
-** Dump the GC heap out to the given file. This will stop the system dead
-** in its tracks while it is occuring.
-*/
-PR_EXTERN(void) PR_DumpGCHeap(FILE *out, PRBool detailed);
-
-/*
-** Wrapper for PR_DumpGCHeap
-*/
-PR_EXTERN(void) PR_DumpMemory(PRBool detailed);
-
-/*
-** Dump summary of objects allocated.
-*/
-PR_EXTERN(void) PR_DumpMemorySummary(void);
-
-/*
-** Dump the application heaps.
-*/
-PR_EXTERN(void) PR_DumpApplicationHeaps(void);
-
-/*
-** Helper function used by dump routines to do the indentation in a
-** consistent fashion.
-*/
-PR_EXTERN(void) PR_DumpIndent(FILE *out, PRIntn indent);
-
-/*
-** The GCInfo structure contains all of the GC state...
-**
-** busyMemory:
-**    The amount of GC heap memory that is busy at this instant. Busy
-**    doesn't mean alive, it just means that it has been
-**    allocated. Immediately after a collection busy means how much is
-**    alive.
-**
-** freeMemory:
-**    The amount of GC heap memory that is as yet unallocated.
-**
-** allocMemory:
-**    The sum of free and busy memory in the GC heap.
-**
-** maxMemory:
-**    The maximum size that the GC heap is allowed to grow.
-**
-** lowSeg:
-**    The lowest segment currently used in the GC heap.
-**
-** highSeg:
-**    The highest segment currently used in the GC heap.  
-**    The lowSeg and highSeg members are used for a "quick test" of whether 
-**    a pointer falls within the GC heap. [ see GC_IN_HEAP(...) ]
-**
-** lock:
-**    Monitor used for synchronization within the GC.
-**
-** finalizer:
-**    Thread in which the GC finalizer is running.
-**
-** liveBlock:
-**    Object scanning functions call through this function pointer to
-**    register a potential block of pointers with the collector. (This is
-**    currently not at all different than processRoot.)
-**
-** livePointer:
-**    Object scanning functions call through this function pointer to
-**    register a single pointer with the collector.
-**
-** processRootBlock:
-**    When a root finder identifies a root it should call through this
-**    function pointer so that the GC can process the root. The call takes
-**    a base address and count which the gc will examine for valid heap
-**    pointers.
-**
-** processRootPointer:
-**    When a root finder identifies a root it should call through this
-**    function pointer so that the GC can process the root. The call takes
-**    a single pointer value.
-*/
-typedef struct GCInfoStr {
-    PRWord  flags;         /* trace flags (see below)               */
-    PRWord  busyMemory;    /* memory in use right now               */
-    PRWord  freeMemory;    /* memory free right now                 */
-    PRWord  allocMemory;   /* sum of busy & free memory             */
-    PRWord  maxMemory;     /* max memory we are allowed to allocate */
-    PRWord *lowSeg;        /* lowest segment in the GC heap         */
-    PRWord *highSeg;       /* highest segment in the GC heap         */
-
-    PRMonitor *lock;
-    PRThread  *finalizer;
-
-    void (PR_CALLBACK *liveBlock)(void **base, PRInt32 count);
-    void (PR_CALLBACK *livePointer)(void *ptr);
-    void (PR_CALLBACK *processRootBlock)(void **base, PRInt32 count);
-    void (PR_CALLBACK *processRootPointer)(void *ptr);
-    FILE* dumpOutput;
-#ifdef GCTIMINGHOOK
-    void (*gcTimingHook)(int32 gcTime);
-#endif
-} GCInfo;
-
-PR_EXTERN(GCInfo *) PR_GetGCInfo(void);
-PR_EXTERN(PRBool) PR_GC_In_Heap(void GCPTR *object);
-
-/*
-** Simple bounds check to see if a pointer is anywhere near the GC heap.
-** Used to avoid calls to PR_ProcessRoot and GCInfo.livePointer by object
-** scanning code.
-*/
-#if !defined(XP_PC) || defined(_WIN32)
-#define GC_IN_HEAP(_info, _p) (((PRWord*)(_p) >= (_info)->lowSeg) && \
-                               ((PRWord*)(_p) <  (_info)->highSeg))
-#else
-/*
-** The simple bounds check, above, doesn't work in Win16, because we don't
-** maintain: lowSeg == MIN(all segments) and highSeg == MAX(all segments).
-** So we have to do a little better.
-*/
-#define GC_IN_HEAP(_info, _p) PR_GC_In_Heap(_p)
-#endif
-
-PR_EXTERN(PRWord) PR_GetObjectHeader(void *ptr);
-
-PR_EXTERN(PRWord) PR_SetObjectHeader(void *ptr, PRWord newUserBits);
-
-/************************************************************************/
-
-/* Trace flags (passed to PR_InitGC or in environment GCLOG) */
-#define GC_TRACE    0x0001
-#define GC_ROOTS    0x0002
-#define GC_LIVE     0x0004
-#define GC_ALLOC    0x0008
-#define GC_MARK     0x0010
-#define GC_SWEEP    0x0020
-#define GC_DEBUG    0x0040
-#define GC_FINAL    0x0080
-
-#if defined(DEBUG_kipp) || defined(DEBUG_warren)
-#define GC_CHECK    0x0100
-#endif
-
-#ifdef DEBUG
-#define GCTRACE(x, y) if (PR_GetGCInfo()->flags & x) GCTrace y
-PR_EXTERN(void) GCTrace(char *fmt, ...);
-#else
-#define GCTRACE(x, y)
-#endif
-
-PR_END_EXTERN_C
-
-#endif /* prgc_h___ */
diff --git a/nsprpub/lib/msgc/src/.cvsignore b/nsprpub/lib/msgc/src/.cvsignore
deleted file mode 100644
index f3c7a7c5da68..000000000000
--- a/nsprpub/lib/msgc/src/.cvsignore
+++ /dev/null
@@ -1 +0,0 @@
-Makefile
diff --git a/nsprpub/lib/msgc/src/Makefile.in b/nsprpub/lib/msgc/src/Makefile.in
deleted file mode 100644
index bcc586248d94..000000000000
--- a/nsprpub/lib/msgc/src/Makefile.in
+++ /dev/null
@@ -1,93 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape Portable Runtime (NSPR).
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1998-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#! gmake
-
-MOD_DEPTH	= ../../..
-topsrcdir	= @top_srcdir@
-srcdir		= @srcdir@
-VPATH		= @srcdir@
-
-include $(MOD_DEPTH)/config/autoconf.mk
-
-include $(topsrcdir)/config/config.mk
-
-INCLUDES = -I$(dist_includedir) -I../include
-
-CSRCS = prgcapi.c prmsgc.c
-
-ifeq ($(OS_ARCH),WINNT)
-CSRCS += win32gc.c
-else
-ifeq ($(OS_ARCH),OS2)
-CSRCS += os2gc.c
-else
-CSRCS += unixgc.c
-endif
-endif
-
-NSPR_VERSION = $(MOD_MAJOR_VERSION)
-
-EXTRA_LIBS = $(LIBNSPR)
-
-ifdef RESOLVE_LINK_SYMBOLS
-EXTRA_LIBS += $(OS_LIBS)
-endif
-
-ifeq ($(OS_ARCH), WINNT)
-#RES=$(OBJDIR)/ds.res
-#RESNAME=$(MOD_DEPTH)/pr/src/nspr.rc
-#OS_LIBS = user32.lib
-endif # WINNT
-
-LIBRARY_NAME = msgc
-LIBRARY_VERSION = $(MOD_MAJOR_VERSION)
-
-RELEASE_LIBS = $(TARGETS)
-
-include $(topsrcdir)/config/rules.mk
-
-#
-# The Client build wants the shared libraries in $(dist_bindir),
-# so we also install them there.
-#
-
-export:: $(TARGETS)
-	$(INSTALL) -m 444 $(TARGETS) $(dist_libdir)
-ifdef SHARED_LIBRARY
-	$(INSTALL) -m 444 $(SHARED_LIBRARY) $(dist_bindir)
-endif
diff --git a/nsprpub/lib/msgc/src/prgcapi.c b/nsprpub/lib/msgc/src/prgcapi.c
deleted file mode 100644
index 324ac7b9303c..000000000000
--- a/nsprpub/lib/msgc/src/prgcapi.c
+++ /dev/null
@@ -1,330 +0,0 @@
-/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape Portable Runtime (NSPR).
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1998-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include 
-#include 
-#include 
-#include "prenv.h"
-#include "prmem.h"
-#include "prmon.h"
-#include "prlog.h"
-#include "prthread.h"
-#include "private/pprthred.h"
-#include "gcint.h"
-
-/*
-** Generic GC implementation independent code for the NSPR GC
-*/
-
-RootFinder *_pr_rootFinders;
-
-CollectorType *_pr_collectorTypes;
-
-/* GC State information */
-GCInfo _pr_gcData;
-
-GCBeginGCHook *_pr_beginGCHook;
-void *_pr_beginGCHookArg;
-GCBeginGCHook *_pr_endGCHook;
-void *_pr_endGCHookArg;
-
-GCBeginFinalizeHook *_pr_beginFinalizeHook;
-void *_pr_beginFinalizeHookArg;
-GCBeginFinalizeHook *_pr_endFinalizeHook;
-void *_pr_endFinalizeHookArg;
-
-FILE *_pr_dump_file;
-int _pr_do_a_dump;
-GCLockHook *_pr_GCLockHook;
-
-extern PRLogModuleInfo *_pr_msgc_lm;
-
-/************************************************************************/
-
-static PRStatus PR_CALLBACK
-pr_ScanOneThread(PRThread* t, void** addr, PRUword count, void* closure)
-{
-    _pr_gcData.processRootBlock(addr, count);
-    return PR_SUCCESS;
-}
-
-/*
-** Scan all of the threads C stack's and registers, looking for "root"
-** pointers into the GC heap. These are the objects that the GC cannot
-** move and are considered "live" by the GC. Caller has stopped all of
-** the threads from running.
-*/
-static void PR_CALLBACK ScanThreads(void *arg)
-{
-    PR_ScanStackPointers(pr_ScanOneThread, arg);
-}
-
-/************************************************************************/
-
-PR_IMPLEMENT(GCInfo *) PR_GetGCInfo(void)
-{
-    return &_pr_gcData;
-}
-
-
-PR_IMPLEMENT(PRInt32) PR_RegisterType(GCType *t)
-{
-    CollectorType *ct, *ect;
-    int rv = -1;
-
-    LOCK_GC();
-    ct = &_pr_collectorTypes[0];
-    ect = &_pr_collectorTypes[FREE_MEMORY_TYPEIX];
-    for (; ct < ect; ct++) {
-	if (ct->flags == 0) {
-	    ct->gctype = *t;
-	    ct->flags = _GC_TYPE_BUSY;
-	    if (0 != ct->gctype.finalize) {
-		ct->flags |= _GC_TYPE_FINAL;
-	    }
-	    if (0 != ct->gctype.getWeakLinkOffset) {
-		ct->flags |= _GC_TYPE_WEAK;
-	    }
-	    rv = ct - &_pr_collectorTypes[0];
-	    break;
-	}
-    }
-    UNLOCK_GC();
-    return rv;
-}
-
-PR_IMPLEMENT(PRStatus) PR_RegisterRootFinder(
-    GCRootFinder f, char *name, void *arg)
-{
-    RootFinder *rf = PR_NEWZAP(RootFinder);
-    if (rf) {
-	    rf->func = f;
-	    rf->name = name;
-	    rf->arg = arg;
-
-	    LOCK_GC();
-	    rf->next = _pr_rootFinders;
-	    _pr_rootFinders = rf;
-	    UNLOCK_GC();
-	    return PR_SUCCESS;
-    }
-    return PR_FAILURE;
-}
-
-
-PR_IMPLEMENT(int) PR_RegisterGCLockHook(GCLockHookFunc* f, void *arg)
-{
-
-    GCLockHook *rf = 0;
-
-    rf = (GCLockHook*) calloc(1, sizeof(GCLockHook));
-    if (rf) {
-	rf->func = f;
-	rf->arg = arg;
-
-	LOCK_GC();
-        /* first dummy node */
-        if (! _pr_GCLockHook) {
-          _pr_GCLockHook = (GCLockHook*) calloc(1, sizeof(GCLockHook));
-          _pr_GCLockHook->next = _pr_GCLockHook;
-          _pr_GCLockHook->prev = _pr_GCLockHook;
-        }
-
-        rf->next = _pr_GCLockHook;
-        rf->prev = _pr_GCLockHook->prev;
-        _pr_GCLockHook->prev->next = rf;
-        _pr_GCLockHook->prev = rf;
-	UNLOCK_GC();
-	return 0;
-    }
-    return -1;
-}
-
-/*
-PR_IMPLEMENT(void) PR_SetGCLockHook(GCLockHook *hook, void *arg)
-{
-    LOCK_GC();
-    _pr_GCLockHook = hook;
-    _pr_GCLockHookArg2 = arg;
-    UNLOCK_GC();
-}
-
-PR_IMPLEMENT(void) PR_GetGCLockHook(GCLockHook **hook, void **arg)
-{
-    LOCK_GC();
-    *hook = _pr_GCLockHook;
-    *arg = _pr_GCLockHookArg2;
-    UNLOCK_GC();
-}
-*/
-
-  
-PR_IMPLEMENT(void) PR_SetBeginGCHook(GCBeginGCHook *hook, void *arg)
-{
-    LOCK_GC();
-    _pr_beginGCHook = hook;
-    _pr_beginGCHookArg = arg;
-    UNLOCK_GC();
-}
-
-PR_IMPLEMENT(void) PR_GetBeginGCHook(GCBeginGCHook **hook, void **arg)
-{
-    LOCK_GC();
-    *hook = _pr_beginGCHook;
-    *arg = _pr_beginGCHookArg;
-    UNLOCK_GC();
-}
-
-PR_IMPLEMENT(void) PR_SetEndGCHook(GCEndGCHook *hook, void *arg)
-{
-    LOCK_GC();
-    _pr_endGCHook = hook;
-    _pr_endGCHookArg = arg;
-    UNLOCK_GC();
-}
-
-PR_IMPLEMENT(void) PR_GetEndGCHook(GCEndGCHook **hook, void **arg)
-{
-    LOCK_GC();
-    *hook = _pr_endGCHook;
-    *arg = _pr_endGCHookArg;
-    UNLOCK_GC();
-}
-
-PR_IMPLEMENT(void) PR_SetBeginFinalizeHook(GCBeginFinalizeHook *hook, void *arg)
-{
-    LOCK_GC();
-    _pr_beginFinalizeHook = hook;
-    _pr_beginFinalizeHookArg = arg;
-    UNLOCK_GC();
-}
-
-PR_IMPLEMENT(void) PR_GetBeginFinalizeHook(GCBeginFinalizeHook **hook, 
-                                           void **arg)
-{
-    LOCK_GC();
-    *hook = _pr_beginFinalizeHook;
-    *arg = _pr_beginFinalizeHookArg;
-    UNLOCK_GC();
-}
-
-PR_IMPLEMENT(void) PR_SetEndFinalizeHook(GCEndFinalizeHook *hook, void *arg)
-{
-    LOCK_GC();
-    _pr_endFinalizeHook = hook;
-    _pr_endFinalizeHookArg = arg;
-    UNLOCK_GC();
-}
-
-PR_IMPLEMENT(void) PR_GetEndFinalizeHook(GCEndFinalizeHook **hook, void **arg)
-{
-    LOCK_GC();
-    *hook = _pr_endFinalizeHook;
-    *arg = _pr_endFinalizeHookArg;
-    UNLOCK_GC();
-}
-
-#ifdef DEBUG
-#include "prprf.h"
-
-PR_IMPLEMENT(void) GCTrace(char *fmt, ...)
-{	
-    va_list ap;
-    char buf[400];
-
-    va_start(ap, fmt);
-    PR_vsnprintf(buf, sizeof(buf), fmt, ap);
-    va_end(ap);
-    PR_LOG(_pr_msgc_lm, PR_LOG_ALWAYS, ("%s", buf));
-}
-#endif
-
-void _PR_InitGC(PRWord flags)
-{
-    static char firstTime = 1;
-
-    if (!firstTime) return;
-    firstTime = 0;
-
-    _MD_InitGC();
-
-    if (flags == 0) {
-	char *ev = PR_GetEnv("GCLOG");
-	if (ev && ev[0]) {
-	    flags = atoi(ev);
-	}
-    }
-    _pr_gcData.flags = flags;
-
-    _pr_gcData.lock = PR_NewMonitor();
-
-    _pr_collectorTypes = (CollectorType*) PR_CALLOC(256 * sizeof(CollectorType));
-
-    PR_RegisterRootFinder(ScanThreads, "scan threads", 0);
-    PR_RegisterRootFinder(_PR_ScanFinalQueue, "scan final queue", 0);
-}
-
-extern void pr_FinalizeOnExit(void);
-
-#ifdef DEBUG
-#ifdef GC_STATS
-PR_PUBLIC_API(void) PR_PrintGCAllocStats(void);
-#endif 
-#endif 
-  
-PR_IMPLEMENT(void) 
-PR_ShutdownGC(PRBool finalizeOnExit)
-{
-    /* first finalize all the objects in the heap */
-    if (finalizeOnExit) {
-        pr_FinalizeOnExit();
-    }
-
-#ifdef DEBUG
-#ifdef GC_STATS
-    PR_PrintGCAllocStats();
-#endif /* GC_STATS */
-#endif /* DEBUG */
-
-    /* then the chance for any future allocations */
-
-    /* finally delete the gc heap */
-
-    /* write me */
-}
-
-/******************************************************************************/
diff --git a/nsprpub/lib/msgc/src/prmsgc.c b/nsprpub/lib/msgc/src/prmsgc.c
deleted file mode 100644
index 2c1e85397591..000000000000
--- a/nsprpub/lib/msgc/src/prmsgc.c
+++ /dev/null
@@ -1,3320 +0,0 @@
-/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape Portable Runtime (NSPR).
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1998-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include 
-#include 
-#include 
-#include 
-
-#ifdef WIN32
-#include 
-#include 
-#endif
-
-#include "prclist.h"
-#include "prbit.h"
-
-#include "prtypes.h"
-#include "prenv.h"
-#include "prgc.h"
-#include "prthread.h"
-#include "prlog.h"
-#include "prlong.h"
-#include "prinrval.h"
-#include "prprf.h"
-#include "gcint.h"
-
-#include "private/pprthred.h"
-
-typedef void (*PRFileDumper)(FILE *out, PRBool detailed);
-
-PR_EXTERN(void)
-PR_DumpToFile(char* filename, char* msg, PRFileDumper dump, PRBool detailed);
-
-/*
-** Mark&sweep garbage collector. Supports objects that require
-** finalization, objects that can have a single weak link, and special
-** objects that require care during sweeping.
-*/
-
-PRLogModuleInfo *_pr_msgc_lm;
-PRLogModuleInfo* GC;
-
-static PRInt32 _pr_pageShift;
-static PRInt32 _pr_pageSize;
-
-#ifdef DEBUG
-#define GCMETER
-#endif
-#ifdef DEBUG_jwz
-# undef GCMETER
-#endif /* 1 */
-
-#ifdef GCMETER
-#define METER(x) x
-#else
-#define METER(x)
-#endif
-
-/*
-** Make this constant bigger to reduce the amount of recursion during
-** garbage collection.
-*/
-#define MAX_SCAN_Q    100L
-
-#if defined(XP_PC) && !defined(WIN32)
-#define MAX_SEGS            400L
-#define MAX_SEGMENT_SIZE    (65536L - 4096L)
-#define SEGMENT_SIZE        (65536L - 4096L)
-#define MAX_ALLOC_SIZE      (65536L - 4096L)
-#else
-#define MAX_SEGS                    400L
-#define MAX_SEGMENT_SIZE            (2L * 256L * 1024L)
-#define SEGMENT_SIZE                (1L * 256L * 1024L)
-#define MAX_ALLOC_SIZE              (4L * 1024L * 1024L)
-#endif  
-
-/* 
- * The highest value that can fit into a signed integer. This
- * is used to prevent overflow of allocation size in alloc routines.
- */
- 
-#define MAX_INT ((1UL << (PR_BITS_PER_INT - 1)) - 1)
-
-/* 
- * On 32-bit machines, only 22 bits are used in the cibx integer to
- * store size since 8 bits of the integer are used to store type, and
- * of the remainder, 2 are user defined. Max allocation size = 2^22 -1
- */
-
-#define MAX_ALLOC ( (1L << (PR_BYTES_PER_WORD_LOG2 + WORDS_BITS )) -1)
-
-/* The minimum percentage of free heap space after a collection. If
-   the amount of free space doesn't meet this criteria then we will
-   attempt to grow the heap */
-#define MIN_FREE_THRESHOLD_AFTER_GC 20L
-
-static PRInt32 segmentSize = SEGMENT_SIZE;
-
-static PRInt32 collectorCleanupNeeded;
-
-#ifdef GCMETER
-PRUint32 _pr_gcMeter;
-
-#define _GC_METER_STATS         0x01L
-#define _GC_METER_GROWTH        0x02L
-#define _GC_METER_FREE_LIST     0x04L
-#endif
-
-/************************************************************************/
-
-#define LINEAR_BIN_EXPONENT 5
-#define NUM_LINEAR_BINS ((PRUint32)1 << LINEAR_BIN_EXPONENT)
-#define FIRST_LOG_BIN (NUM_LINEAR_BINS - LINEAR_BIN_EXPONENT)
-
-/* Each free list bin holds a chunk of memory sized from
-   2^n to (2^(n+1))-1 inclusive. */
-#define NUM_BINS        (FIRST_LOG_BIN + 32)
-
-/*
- * Find the bin number for a given size (in bytes). This does not round up as
- * values from 2^n to (2^(n+1))-1 share the same bin.
- */
-#define InlineBinNumber(_bin,_bytes)  \
-{  \
-    PRUint32 _t, _n = (PRUint32) _bytes / 4;  \
-    if (_n < NUM_LINEAR_BINS) {  \
-        _bin = _n;  \
-    } else {  \
-        _bin = FIRST_LOG_BIN;  \
-        if ((_t = (_n >> 16)) != 0) { _bin += 16; _n = _t; }  \
-        if ((_t = (_n >> 8)) != 0)  { _bin += 8; _n = _t; }  \
-        if ((_t = (_n >> 4)) != 0)  { _bin += 4; _n = _t; }  \
-        if ((_t = (_n >> 2)) != 0) { _bin += 2; _n = _t; }  \
-        if ((_n >> 1) != 0) _bin++;  \
-    }  \
-}
-
-#define BIG_ALLOC       16384L
-
-#define MIN_FREE_CHUNK_BYTES    ((PRInt32)sizeof(GCFreeChunk))
-
-/* Note: fix code in PR_AllocMemory if you change the size of GCFreeChunk
-   so that it zeros the right number of words */
-typedef struct GCFreeChunk {
-    struct GCFreeChunk *next;
-    struct GCSeg *segment;
-    PRInt32 chunkSize;
-} GCFreeChunk;
-
-typedef struct GCSegInfo {
-    struct GCSegInfo *next;
-    char *base;
-    char *limit;
-    PRWord *hbits;
-    int fromMalloc;
-} GCSegInfo;
-    
-typedef struct GCSeg {
-    char *base;
-    char *limit;
-    PRWord *hbits;
-    GCSegInfo *info;
-} GCSeg;
-
-#ifdef GCMETER
-typedef struct GCMeter {
-    PRInt32 allocBytes;
-    PRInt32 wastedBytes;
-    PRInt32 numFreeChunks;
-    PRInt32 skippedFreeChunks;
-} GCMeter;
-static GCMeter meter;
-#endif
-
-/*
-** There is one of these for each segment of GC'able memory.
-*/
-static GCSeg segs[MAX_SEGS];
-static GCSegInfo *freeSegs;
-static GCSeg* lastInHeap;
-static int nsegs;
-
-static GCFreeChunk *bins[NUM_BINS];
-static PRInt32 minBin;
-static PRInt32 maxBin;
-
-/*
-** Scan Q used to avoid deep recursion when scanning live objects for
-** heap pointers
-*/
-typedef struct GCScanQStr {
-    PRWord *q[MAX_SCAN_Q];
-    int queued;
-} GCScanQ;
-
-static GCScanQ *pScanQ;
-
-#ifdef GCMETER
-PRInt32 _pr_maxScanDepth;
-PRInt32 _pr_scanDepth;
-#endif
-
-/*
-** Keeps track of the number of bytes allocated via the BigAlloc() 
-** allocator.  When the number of bytes allocated, exceeds the 
-** BIG_ALLOC_GC_SIZE, then a GC will occur before the next allocation
-** is done...
-*/
-#define BIG_ALLOC_GC_SIZE       (4*SEGMENT_SIZE)
-static PRWord bigAllocBytes = 0;
-
-/*
-** There is one GC header word in front of each GC allocated object.  We
-** use it to contain information about the object (what TYPEIX to use for
-** scanning it, how big it is, it's mark status, and if it's a root).
-*/
-#define TYPEIX_BITS    8L
-#define WORDS_BITS    20L
-#define MAX_CBS        (1L << GC_TYPEIX_BITS)
-#define MAX_WORDS    (1L << GC_WORDS_BITS)
-#define TYPEIX_SHIFT    24L
-#define MAX_TYPEIX    ((1L << TYPEIX_BITS) - 1L)
-#define TYPEIX_MASK    PR_BITMASK(TYPEIX_BITS)
-#define WORDS_SHIFT    2L
-#define WORDS_MASK    PR_BITMASK(WORDS_BITS)
-#define MARK_BIT    1L
-#define FINAL_BIT    2L
-
-/* Two bits per object header are reserved for the user of the memory
-   system to store information into. */
-#define GC_USER_BITS_SHIFT 22L
-#define GC_USER_BITS    0x00c00000L
-
-#define MAKE_HEADER(_cbix,_words)              \
-    ((PRWord) (((unsigned long)(_cbix) << TYPEIX_SHIFT) \
-         | ((unsigned long)(_words) << WORDS_SHIFT)))
-
-#define GET_TYPEIX(_h) \
-    (((PRUword)(_h) >> TYPEIX_SHIFT) & 0xff)
-
-#define MARK(_sp,_p) \
-    (((PRWord *)(_p))[0] |= MARK_BIT)
-#define IS_MARKED(_sp,_p) \
-    (((PRWord *)(_p))[0] & MARK_BIT)
-#define OBJ_BYTES(_h) \
-    (((PRInt32) (_h) & 0x003ffffcL) << (PR_BYTES_PER_WORD_LOG2-2L))
-
-#define GC_GET_USER_BITS(_h) (((_h) & GC_USER_BITS) >> GC_USER_BITS_SHIFT)
-
-/************************************************************************/
-
-/*
-** Mark the start of an object in a segment. Note that we mark the header
-** word (which we always have), not the data word (which we may not have
-** for empty objects).
-** XXX tune: put subtract of _sp->base into _sp->hbits pointer?
-*/
-#define SET_HBIT(_sp,_ph) \
-    SET_BIT((_sp)->hbits, (((PRWord*)(_ph)) - ((PRWord*) (_sp)->base)))
-
-#define CLEAR_HBIT(_sp,_ph) \
-    CLEAR_BIT((_sp)->hbits, (((PRWord*)(_ph)) - ((PRWord*) (_sp)->base)))
-
-#define IS_HBIT(_sp,_ph) \
-    TEST_BIT((_sp)->hbits, (((PRWord*)(_ph)) - ((PRWord*) (_sp)->base)))
-
-/*
-** Given a pointer into this segment, back it up until we are at the
-** start of the object the pointer points into. Each heap segment has a
-** bitmap that has one bit for each word of the objects it contains.  The
-** bit's are set for the firstword of an object, and clear for it's other
-** words.
-*/
-static PRWord *FindObject(GCSeg *sp, PRWord *p)
-{
-    PRWord *base;
-    
-    /* Align p to it's proper boundary before we start fiddling with it */
-    p = (PRWord*) ((PRWord)p & ~(PR_BYTES_PER_WORD-1L));
-
-    base = (PRWord *) sp->base;
-    do {
-    if (IS_HBIT(sp, p)) {
-        return (p);
-    }
-    p--;
-    } while ( p >= base );
-
-    /* Heap is corrupted! */
-    _GCTRACE(GC_TRACE, ("ERROR: The heap is corrupted!!! aborting now!"));
-    abort();
-    return NULL;
-}
-
-/************************************************************************/
-#if !defined(XP_PC) || defined(XP_OS2)
-#define OutputDebugString(msg)
-#endif 
-
-#define IN_SEGMENT(_sp, _p)             \
-    ((((char *)(_p)) >= (_sp)->base) &&    \
-     (((char *)(_p)) < (_sp)->limit))
-
-static GCSeg *InHeap(void *p)
-{
-    GCSeg *sp, *esp;
-
-    if (lastInHeap && IN_SEGMENT(lastInHeap, p)) {
-    return lastInHeap;
-    }
-
-    sp = segs;
-    esp = segs + nsegs;
-    for (; sp < esp; sp++) {
-    if (IN_SEGMENT(sp, p)) {
-        lastInHeap = sp;
-        return sp;
-    }
-    }
-    return 0;
-}
-
-/*
-** Grow the heap by allocating another segment. Fudge the requestedSize
-** value to try to pre-account for the HBITS.
-*/
-static GCSeg* DoGrowHeap(PRInt32 requestedSize, PRBool exactly)
-{
-    GCSeg *sp;
-    GCSegInfo *segInfo;
-    GCFreeChunk *cp;
-    char *base;
-    PRWord *hbits;
-    PRInt32 nhbytes, nhbits;
-    PRUint32 allocSize;
-
-    if (nsegs == MAX_SEGS) {
-    /* No room for more segments */
-    return 0;
-    }
-
-    segInfo = (GCSegInfo*) PR_MALLOC(sizeof(GCSegInfo));
-#ifdef DEBUG
-    {
-    char str[256];
-    sprintf(str, "[1] Allocated %ld bytes at %p\n",
-        (long) sizeof(GCSegInfo), segInfo);
-    OutputDebugString(str);
-    }
-#endif
-    if (!segInfo) {
-    return 0;
-    }
-
-    /* Get more memory from the OS */
-    if (exactly) {
-    allocSize = requestedSize;
-    base = (char *) PR_MALLOC(requestedSize);
-    } else {
-    allocSize = requestedSize;
-    allocSize = (allocSize + _pr_pageSize - 1L) >> _pr_pageShift;
-    allocSize <<= _pr_pageShift;
-    base = (char*)_MD_GrowGCHeap(&allocSize);
-    }
-    if (!base) {
-    PR_DELETE(segInfo);
-    return 0;
-    }
-
-    nhbits = (PRInt32)(
-        (allocSize + PR_BYTES_PER_WORD - 1L) >> PR_BYTES_PER_WORD_LOG2);
-    nhbytes = ((nhbits + PR_BITS_PER_WORD - 1L) >> PR_BITS_PER_WORD_LOG2)
-    * sizeof(PRWord);
-
-    /* Get bitmap memory from malloc heap */
-    hbits = (PRWord *) PR_CALLOC((PRUint32)nhbytes);
-    if (!hbits) {
-    /* Loser! */
-    PR_DELETE(segInfo);
-    if (exactly) {
-        PR_DELETE(base);
-    } else {
-      /* XXX do something about this */
-      /* _MD_FreeGCSegment(base, allocSize); */
-    }
-    return 0;
-    }
-
-    /*
-    ** Setup new segment.
-    */
-    sp = &segs[nsegs++];
-    segInfo->base = sp->base = base;
-    segInfo->limit = sp->limit = base + allocSize;
-    segInfo->hbits = sp->hbits = hbits;
-    sp->info = segInfo;
-    segInfo->fromMalloc = exactly;
-    memset(base, 0, allocSize);
-
-#ifdef GCMETER
-    if (_pr_gcMeter & _GC_METER_GROWTH) {
-        fprintf(stderr, "[GC: new segment base=%p size=%ld]\n",
-                sp->base, (long) allocSize);
-    }
-#endif    
-
-    _pr_gcData.allocMemory += allocSize;
-    _pr_gcData.freeMemory  += allocSize;
-
-    if (!exactly) {
-    PRInt32 bin;
-
-        /* Put free memory into a freelist bin */
-        cp = (GCFreeChunk *) base;
-        cp->segment = sp;
-        cp->chunkSize = allocSize;
-        InlineBinNumber(bin, allocSize)
-        cp->next = bins[bin];
-        bins[bin] = cp;
-    if (bin < minBin) minBin = bin;
-    if (bin > maxBin) maxBin = bin;
-    } else {
-        /*
-        ** When exactly allocating the entire segment is given over to a
-        ** single object to prevent fragmentation
-        */
-    }
-
-    if (!_pr_gcData.lowSeg) {
-    _pr_gcData.lowSeg  = (PRWord*) sp->base;
-    _pr_gcData.highSeg = (PRWord*) sp->limit;
-    } else {
-    if ((PRWord*)sp->base < _pr_gcData.lowSeg) {
-        _pr_gcData.lowSeg = (PRWord*) sp->base;
-    }
-    if ((PRWord*)sp->limit > _pr_gcData.highSeg) {
-        _pr_gcData.highSeg = (PRWord*) sp->limit;
-    }
-    }
-
-    /* 
-    ** Get rid of the GC pointer in case it shows up in some uninitialized
-    ** local stack variable later (while scanning the C stack looking for
-    ** roots).
-    */ 
-    memset(&base, 0, sizeof(base));  /* optimizers beware */
-
-    PR_LOG(_pr_msgc_lm, PR_LOG_WARNING, ("grow heap: total gc memory now %d",
-                      _pr_gcData.allocMemory));
-
-    return sp;
-}
-
-#ifdef USE_EXTEND_HEAP
-static PRBool ExtendHeap(PRInt32 requestedSize) {
-  GCSeg* sp;
-  PRUint32 allocSize;
-  PRInt32 oldSize, newSize;
-  PRInt32 newHBits, newHBytes;
-  PRInt32 oldHBits, oldHBytes;
-  PRWord* hbits;
-  GCFreeChunk* cp;
-  PRInt32 bin;
-
-  /* Can't extend nothing */
-  if (nsegs == 0) return PR_FALSE;
-
-  /* Round up requested size to the size of a page */
-  allocSize = (PRUint32) requestedSize;
-  allocSize = (allocSize + _pr_pageSize - 1L) >> _pr_pageShift;
-  allocSize <<= _pr_pageShift;
-
-  /* Malloc some memory for the new hbits array */
-  sp = segs;
-  oldSize = sp->limit - sp->base;
-  newSize = oldSize + allocSize;
-  newHBits = (newSize + PR_BYTES_PER_WORD - 1L) >> PR_BYTES_PER_WORD_LOG2;
-  newHBytes = ((newHBits + PR_BITS_PER_WORD - 1L) >> PR_BITS_PER_WORD_LOG2)
-    * sizeof(PRWord);
-  hbits = (PRWord*) PR_MALLOC(newHBytes);
-  if (0 == hbits) return PR_FALSE;
-
-  /* Attempt to extend the last segment by the desired amount */
-  if (_MD_ExtendGCHeap(sp->base, oldSize, newSize)) {
-    oldHBits = (oldSize + PR_BYTES_PER_WORD - 1L) >> PR_BYTES_PER_WORD_LOG2;
-    oldHBytes = ((oldHBits + PR_BITS_PER_WORD - 1L) >> PR_BITS_PER_WORD_LOG2)
-      * sizeof(PRWord);
-
-    /* Copy hbits from old memory into new memory */
-    memset(hbits, 0, newHBytes);
-    memcpy(hbits, sp->hbits, oldHBytes);
-    PR_DELETE(sp->hbits);
-    memset(sp->base + oldSize, 0, allocSize);
-
-    /* Adjust segment state */
-    sp->limit += allocSize;
-    sp->hbits = hbits;
-    sp->info->limit = sp->limit;
-    sp->info->hbits = hbits;
-
-    /* Put free memory into a freelist bin */
-    cp = (GCFreeChunk *) (sp->base + oldSize);
-    cp->segment = sp;
-    cp->chunkSize = allocSize;
-    InlineBinNumber(bin, allocSize)
-    cp->next = bins[bin];
-    bins[bin] = cp;
-    if (bin < minBin) minBin = bin;
-    if (bin > maxBin) maxBin = bin;
-
-    /* Prevent a pointer that points to the free memory from showing
-       up on the call stack later on */
-    memset(&cp, 0, sizeof(cp));
-
-    /* Update heap brackets and counters */
-    if ((PRWord*)sp->limit > _pr_gcData.highSeg) {
-      _pr_gcData.highSeg = (PRWord*) sp->limit;
-    }
-    _pr_gcData.allocMemory += allocSize;
-    _pr_gcData.freeMemory  += allocSize;
-
-    return PR_TRUE;
-  }
-  PR_DELETE(hbits);
-  return PR_FALSE;
-}
-#endif /* USE_EXTEND_HEAP */
-
-static GCSeg *GrowHeapExactly(PRInt32 requestedSize)
-{
-    GCSeg *sp = DoGrowHeap(requestedSize, PR_TRUE);
-    return sp;
-}
-
-static PRBool GrowHeap(PRInt32 requestedSize)
-{
-  void *p;
-#ifdef USE_EXTEND_HEAP
-  if (ExtendHeap(requestedSize)) {
-    return PR_TRUE;
-  }
-#endif
-  p = DoGrowHeap(requestedSize, PR_FALSE);
-  return (p != NULL ? PR_TRUE : PR_FALSE);
-}
-
-/*
-** Release a segment when it is entirely free.
-*/
-static void ShrinkGCHeap(GCSeg *sp)
-{
-#ifdef GCMETER
-    if (_pr_gcMeter & _GC_METER_GROWTH) {
-        fprintf(stderr, "[GC: free segment base=%p size=%ld]\n",
-                sp->base, (long) (sp->limit - sp->base));
-    }
-#endif    
-
-    /*
-     * Put segment onto free seginfo list (we can't call free right now
-     * because we have the GC lock and all of the other threads are
-     * suspended; if one of them has the malloc lock we would deadlock)
-     */
-    sp->info->next = freeSegs;
-    freeSegs = sp->info;
-    collectorCleanupNeeded = 1;
-    _pr_gcData.allocMemory -= sp->limit - sp->base;
-    if (sp == lastInHeap) lastInHeap = 0;
-
-    /* Squish out disappearing segment from segment table */
-    --nsegs;
-    if ((sp - segs) != nsegs) {
-        *sp = segs[nsegs];
-    } else {
-        sp->base = 0;
-        sp->limit = 0;
-        sp->hbits = 0;
-    sp->info = 0;
-    }
-
-    /* Recalculate the lowSeg and highSeg values */
-    _pr_gcData.lowSeg  = (PRWord*) segs[0].base;
-    _pr_gcData.highSeg = (PRWord*) segs[0].limit;
-    for (sp = segs; sp < &segs[nsegs]; sp++) {
-    if ((PRWord*)sp->base < _pr_gcData.lowSeg) {
-        _pr_gcData.lowSeg = (PRWord*) sp->base;
-    }
-    if ((PRWord*)sp->limit > _pr_gcData.highSeg) {
-        _pr_gcData.highSeg = (PRWord*) sp->limit;
-    }
-    }
-}
-
-static void FreeSegments(void)
-{
-    GCSegInfo *si;
-
-    while (0 != freeSegs) {
-    LOCK_GC();
-    si = freeSegs;
-    if (si) {
-        freeSegs = si->next;
-    }
-    UNLOCK_GC();
-
-    if (!si) {
-        break;
-    }
-    PR_DELETE(si->base);
-    PR_DELETE(si->hbits);
-    PR_DELETE(si);
-    }
-}
-
-/************************************************************************/
-
-void ScanScanQ(GCScanQ *iscan)
-{
-    PRWord *p;
-    PRWord **pp;
-    PRWord **epp;
-    GCScanQ nextQ, *scan, *next, *temp;
-    CollectorType *ct;
-
-    if (!iscan->queued) return;
-
-    _GCTRACE(GC_MARK, ("begin scanQ @ 0x%x (%d)", iscan, iscan->queued));
-    scan = iscan;
-    next = &nextQ;
-    while (scan->queued) {
-	_GCTRACE(GC_MARK, ("continue scanQ @ 0x%x (%d)", scan, scan->queued));
-    /*
-     * Set pointer to current scanQ so that _pr_gcData.livePointer
-     * can find it.
-     */
-    pScanQ = next;
-    next->queued = 0;
-
-    /* Now scan the scan Q */
-    pp = scan->q;
-    epp = &scan->q[scan->queued];
-    scan->queued = 0;
-    while (pp < epp) {
-        p = *pp++;
-        ct = &_pr_collectorTypes[GET_TYPEIX(p[0])];
-        PR_ASSERT(0 != ct->gctype.scan);
-        /* Scan object ... */
-        (*ct->gctype.scan)(p + 1);
-    }
-
-    /* Exchange pointers so that we scan next */
-    temp = scan;
-    scan = next;
-    next = temp;
-    }
-
-    pScanQ = iscan;
-    PR_ASSERT(nextQ.queued == 0);
-    PR_ASSERT(iscan->queued == 0);
-}
-
-/*
-** Called during root finding step to identify "root" pointers into the
-** GC heap. First validate if it is a real heap pointer and then mark the
-** object being pointed to and add it to the scan Q for eventual
-** scanning.
-*/
-static void PR_CALLBACK ProcessRootBlock(void **base, PRInt32 count)
-{
-    GCSeg *sp;
-    PRWord *p0, *p, h, tix, *low, *high, *segBase;
-    CollectorType *ct;
-#ifdef DEBUG
-    void **base0 = base;
-#endif
-
-    low = _pr_gcData.lowSeg;
-    high = _pr_gcData.highSeg;
-    while (--count >= 0) {
-        p0 = (PRWord*) *base++;
-        if (p0 < low) continue;                  /* below gc heap */
-        if (p0 >= high) continue;                /* above gc heap */
-        /* NOTE: inline expansion of InHeap */
-        /* Find segment */
-    sp = lastInHeap;
-        if (!sp || !IN_SEGMENT(sp,p0)) {
-            GCSeg *esp;
-            sp = segs;
-        esp = segs + nsegs;
-            for (; sp < esp; sp++) {
-                if (IN_SEGMENT(sp, p0)) {
-                    lastInHeap = sp;
-                    goto find_object;
-                }
-            }
-            continue;
-        }
-
-      find_object:
-        /* NOTE: Inline expansion of FindObject */
-        /* Align p to it's proper boundary before we start fiddling with it */
-        p = (PRWord*) ((PRWord)p0 & ~(PR_BYTES_PER_WORD-1L));
-        segBase = (PRWord *) sp->base;
-        do {
-            if (IS_HBIT(sp, p)) {
-                goto winner;
-            }
-            p--;
-        } while (p >= segBase);
-
-        /*
-        ** We have a pointer into the heap, but it has no header
-        ** bit. This means that somehow the very first object in the heap
-        ** doesn't have a header. This is impossible so when debugging
-        ** lets abort.
-        */
-#ifdef DEBUG
-        PR_Abort();
-#endif
-
-      winner:
-        h = p[0];
-        if ((h & MARK_BIT) == 0) {
-#ifdef DEBUG
-            _GCTRACE(GC_ROOTS,
-            ("root 0x%p (%d) base0=%p off=%d",
-             p, OBJ_BYTES(h), base0, (base-1) - base0));
-#endif
-
-            /* Mark the root we just found */
-            p[0] = h | MARK_BIT;
-
-            /*
-         * See if object we just found needs scanning. It must
-         * have a scan function to be placed on the scanQ.
-         */
-            tix = (PRWord)GET_TYPEIX(h);
-        ct = &_pr_collectorTypes[tix];
-        if (0 == ct->gctype.scan) {
-        continue;
-        }
-
-            /*
-            ** Put a pointer onto the scan Q. We use the scan Q to avoid
-            ** deep recursion on the C call stack. Objects are added to
-            ** the scan Q until the scan Q fills up. At that point we
-            ** make a call to ScanScanQ which proceeds to scan each of
-            ** the objects in the Q. This limits the recursion level by a
-            ** large amount though the stack frames get larger to hold
-            ** the GCScanQ's.
-            */
-            pScanQ->q[pScanQ->queued++] = p;
-            if (pScanQ->queued == MAX_SCAN_Q) {
-                METER(_pr_scanDepth++);
-                ScanScanQ(pScanQ);
-            }
-        }
-    }
-}
-
-static void PR_CALLBACK ProcessRootPointer(void *ptr)
-{
-  PRWord *p0, *p, h, tix, *segBase;
-  GCSeg* sp;
-  CollectorType *ct;
-
-  p0 = (PRWord*) ptr;
-
-  if (p0 < _pr_gcData.lowSeg) return;                  /* below gc heap */
-  if (p0 >= _pr_gcData.highSeg) return;                /* above gc heap */
-
-  /* NOTE: inline expansion of InHeap */
-  /* Find segment */
-  sp = lastInHeap;
-  if (!sp || !IN_SEGMENT(sp,p0)) {
-    GCSeg *esp;
-    sp = segs;
-    esp = segs + nsegs;
-    for (; sp < esp; sp++) {
-      if (IN_SEGMENT(sp, p0)) {
-    lastInHeap = sp;
-    goto find_object;
-      }
-    }
-    return;
-  }
-
- find_object:
-  /* NOTE: Inline expansion of FindObject */
-  /* Align p to it's proper boundary before we start fiddling with it */
-    p = (PRWord*) ((PRWord)p0 & ~(BYTES_PER_WORD-1L));
-    segBase = (PRWord *) sp->base;
-    do {
-      if (IS_HBIT(sp, p)) {
-    goto winner;
-      }
-      p--;
-    } while (p >= segBase);
-
-    /*
-    ** We have a pointer into the heap, but it has no header
-    ** bit. This means that somehow the very first object in the heap
-    ** doesn't have a header. This is impossible so when debugging
-    ** lets abort.
-    */
-#ifdef DEBUG
-    PR_Abort();
-#endif
-
- winner:
-  h = p[0];
-  if ((h & MARK_BIT) == 0) {
-#ifdef DEBUG
-    _GCTRACE(GC_ROOTS, ("root 0x%p (%d)", p, OBJ_BYTES(h)));
-#endif
-
-    /* Mark the root we just found */
-    p[0] = h | MARK_BIT;
-
-    /*
-     * See if object we just found needs scanning. It must
-     * have a scan function to be placed on the scanQ.
-     */
-    tix = (PRWord)GET_TYPEIX(h);
-    ct = &_pr_collectorTypes[tix];
-    if (0 == ct->gctype.scan) {
-      return;
-    }
-
-    /*
-    ** Put a pointer onto the scan Q. We use the scan Q to avoid
-    ** deep recursion on the C call stack. Objects are added to
-    ** the scan Q until the scan Q fills up. At that point we
-    ** make a call to ScanScanQ which proceeds to scan each of
-    ** the objects in the Q. This limits the recursion level by a
-    ** large amount though the stack frames get larger to hold
-    ** the GCScanQ's.
-    */
-    pScanQ->q[pScanQ->queued++] = p;
-    if (pScanQ->queued == MAX_SCAN_Q) {
-      METER(_pr_scanDepth++);
-      ScanScanQ(pScanQ);
-    }
-  }
-}
-
-/************************************************************************/
-
-/*
-** Empty the freelist for each segment. This is done to make sure that
-** the root finding step works properly (otherwise, if we had a pointer
-** into a free section, we might not find its header word and abort in
-** FindObject)
-*/
-static void EmptyFreelists(void)
-{
-    GCFreeChunk *cp;
-    GCFreeChunk *next;
-    GCSeg *sp;
-    PRWord *p;
-    PRInt32 chunkSize;
-    PRInt32 bin;
-
-    /*
-    ** Run over the freelist and make all of the free chunks look like
-    ** object debris.
-    */
-    for (bin = 0; bin <= NUM_BINS-1; bin++) {
-        cp = bins[bin];
-        while (cp) {
-            next = cp->next;
-            sp = cp->segment;
-            chunkSize = cp->chunkSize >> BYTES_PER_WORD_LOG2;
-            p = (PRWord*) cp;
-            PR_ASSERT(chunkSize != 0);
-            p[0] = MAKE_HEADER(FREE_MEMORY_TYPEIX, chunkSize);
-            SET_HBIT(sp, p);
-            cp = next;
-        }
-        bins[bin] = 0;
-    }
-    minBin = NUM_BINS - 1;
-    maxBin = 0;
-}
-
-typedef struct GCBlockEnd {
-    PRInt32	check;
-#ifdef GC_CHECK
-    PRInt32	requestedBytes;
-#endif
-#ifdef GC_STATS
-    PRInt32	bin;
-    PRInt64	allocTime; 
-#endif
-#ifdef GC_TRACEROOTS
-    PRInt32	traceGeneration;	
-#endif
-} GCBlockEnd;
-
-#define PR_BLOCK_END	0xDEADBEEF
-
-/************************************************************************/
-
-#ifdef GC_STATS
-
-typedef struct GCStat {
-    PRInt32	nallocs;
-    double	allocTime;
-    double	allocTimeVariance;
-    PRInt32	nfrees;
-    double	lifetime;
-    double	lifetimeVariance;
-} GCStat;
-
-#define GCSTAT_BINS	NUM_BINS
-
-GCStat gcstats[GCSTAT_BINS];
-
-#define GCLTFREQ_BINS	NUM_BINS
-
-PRInt32 gcltfreq[GCSTAT_BINS][GCLTFREQ_BINS];
-
-#include 
-
-static char* 
-pr_GetSizeString(PRUint32 size)
-{
-    char* sizeStr;
-    if (size < 1024)
-	sizeStr = PR_smprintf("<= %ld", size);
-    else if (size < 1024 * 1024)
-	sizeStr = PR_smprintf("<= %ldk", size / 1024);
-    else 
-	sizeStr = PR_smprintf("<= %ldM", size / (1024 * 1024));
-    return sizeStr;
-}
-
-static void
-pr_FreeSizeString(char *sizestr)
-{
-	PR_smprintf_free(sizestr);
-}
-
-
-static void
-pr_PrintGCAllocStats(FILE* out)
-{
-    PRInt32 i, j;
-    _PR_DebugPrint(out, "\n--Allocation-Stats-----------------------------------------------------------");
-    _PR_DebugPrint(out, "\n--Obj-Size----Count-----Avg-Alloc-Time-----------Avg-Lifetime---------%%Freed-\n");
-    for (i = 0; i < GCSTAT_BINS; i++) {
-	GCStat stat = gcstats[i];
-	double allocTimeMean = 0.0, allocTimeVariance = 0.0, lifetimeMean = 0.0, lifetimeVariance = 0.0;
-	PRUint32 maxSize = (1 << i);
-	char* sizeStr;
-	if (stat.nallocs != 0.0) {
-	    allocTimeMean = stat.allocTime / stat.nallocs;
-	    allocTimeVariance = fabs(stat.allocTimeVariance / stat.nallocs - allocTimeMean * allocTimeMean);
-	}
-	if (stat.nfrees != 0.0) {
-	    lifetimeMean = stat.lifetime / stat.nfrees;
-	    lifetimeVariance = fabs(stat.lifetimeVariance / stat.nfrees - lifetimeMean * lifetimeMean);
-	}
-	sizeStr = pr_GetSizeString(maxSize);
-	_PR_DebugPrint(out, "%10s %8lu %10.3f +- %10.3f %10.3f +- %10.3f (%2ld%%)\n",
-		       sizeStr, stat.nallocs,
-		       allocTimeMean, sqrt(allocTimeVariance),
-		       lifetimeMean, sqrt(lifetimeVariance),
-		       (stat.nallocs ? (stat.nfrees * 100 / stat.nallocs) : 0));
-	pr_FreeSizeString(sizeStr);
-    }
-    _PR_DebugPrint(out, "--Lifetime-Frequency-Counts----------------------------------------------------\n");
-    _PR_DebugPrint(out, "size\\cnt");
-    for (j = 0; j < GCLTFREQ_BINS; j++) {
-	_PR_DebugPrint(out, "\t%lu", j);
-    }
-    _PR_DebugPrint(out, "\n");
-    for (i = 0; i < GCSTAT_BINS; i++) {
-	PRInt32* freqs = gcltfreq[i];
-	_PR_DebugPrint(out, "%lu", (1 << i));
-	for (j = 0; j < GCLTFREQ_BINS; j++) {
-	    _PR_DebugPrint(out, "\t%lu", freqs[j]);
-	}
-	_PR_DebugPrint(out, "\n");
-    }
-    _PR_DebugPrint(out, "-------------------------------------------------------------------------------\n");
-}
-
-PR_PUBLIC_API(void)
-PR_PrintGCAllocStats(void)
-{
-    pr_PrintGCAllocStats(stderr);
-}
-
-#endif /* GC_STATS */
-
-/************************************************************************/
-
-/*
-** Sweep a segment, cleaning up all of the debris. Coallese the debris
-** into GCFreeChunk's which are added to the freelist bins.
-*/
-static PRBool SweepSegment(GCSeg *sp)
-{
-    PRWord h, tix;
-    PRWord *p;
-    PRWord *np;
-    PRWord *limit;
-    GCFreeChunk *cp;
-    PRInt32 bytes, chunkSize, segmentSize, totalFree;
-    CollectorType *ct;
-    PRInt32 bin;
-
-    /*
-    ** Now scan over the segment's memory in memory order, coallescing
-    ** all of the debris into a FreeChunk list.
-    */
-    totalFree = 0;
-    segmentSize = sp->limit - sp->base;
-    p = (PRWord *) sp->base;
-    limit = (PRWord *) sp->limit;
-    PR_ASSERT(segmentSize > 0);
-    while (p < limit) {
-    chunkSize = 0;
-    cp = (GCFreeChunk *) p;
-
-    /* Attempt to coallesce any neighboring free objects */
-    for (;;) {
-        PR_ASSERT(IS_HBIT(sp, p) != 0);
-        h = p[0];
-        bytes = OBJ_BYTES(h);
-        PR_ASSERT(bytes != 0);
-        np = (PRWord *) ((char *)p + bytes);
-        tix = (PRWord)GET_TYPEIX(h);
-        if ((h & MARK_BIT) && (tix != FREE_MEMORY_TYPEIX)) {
-#ifdef DEBUG
-        if (tix != FREE_MEMORY_TYPEIX) {
-            PR_ASSERT(_pr_collectorTypes[tix].flags != 0);
-        }
-#endif
-        p[0] = h & ~(MARK_BIT|FINAL_BIT);
-		_GCTRACE(GC_SWEEP, ("busy 0x%x (%d)", p, bytes));
-		break;
-	    }
-	    _GCTRACE(GC_SWEEP, ("free 0x%x (%d)", p, bytes));
-
-	    /* Found a free object */
-#ifdef GC_STATS
-	    {
-		PRInt32 userSize = bytes - sizeof(GCBlockEnd);
-		GCBlockEnd* end = (GCBlockEnd*)((char*)p + userSize);
-		if (userSize >= 0 && end->check == PR_BLOCK_END) {
-		    PRInt64 now = PR_Now();
-		    double nowd, delta;
-		    PRInt32 freq;
-		    LL_L2D(nowd, now);
-		    delta = nowd - end->allocTime;
-		    gcstats[end->bin].nfrees++;
-		    gcstats[end->bin].lifetime += delta;
-		    gcstats[end->bin].lifetimeVariance += delta * delta;
-
-		    InlineBinNumber(freq, delta);
-		    gcltfreq[end->bin][freq]++;
-
-		    end->check = 0;
-		}
-	    }
-#endif
-        CLEAR_HBIT(sp, p);
-        ct = &_pr_collectorTypes[tix];
-        if (0 != ct->gctype.free) {
-                (*ct->gctype.free)(p + 1);
-            }
-        chunkSize = chunkSize + bytes;
-        if (np == limit) {
-        /* Found the end of heap */
-        break;
-        }
-        PR_ASSERT(np < limit);
-        p = np;
-    }
-
-    if (chunkSize) {
-        _GCTRACE(GC_SWEEP, ("free chunk 0x%p to 0x%p (%d)",
-                   cp, (char*)cp + chunkSize - 1, chunkSize));
-        if (chunkSize < MIN_FREE_CHUNK_BYTES) {
-        /* Lost a tiny fragment until (maybe) next time */
-                METER(meter.wastedBytes += chunkSize);
-        p = (PRWord *) cp;
-        chunkSize >>= BYTES_PER_WORD_LOG2;
-        PR_ASSERT(chunkSize != 0);
-        p[0] = MAKE_HEADER(FREE_MEMORY_TYPEIX, chunkSize);
-        SET_HBIT(sp, p);
-        } else {
-                /* See if the chunk constitutes the entire segment */
-                if (chunkSize == segmentSize) {
-                    /* Free up the segment right now */
-            if (sp->info->fromMalloc) {
-                    ShrinkGCHeap(sp);
-                    return PR_TRUE;
-                }
-                }
-
-                /* Put free chunk into the appropriate bin */
-                cp->segment = sp;
-        cp->chunkSize = chunkSize;
-                InlineBinNumber(bin, chunkSize)
-                cp->next = bins[bin];
-                bins[bin] = cp;
-        if (bin < minBin) minBin = bin;
-        if (bin > maxBin) maxBin = bin;
-
-        /* Zero swept memory now */
-        memset(cp+1, 0, chunkSize - sizeof(*cp));
-                METER(meter.numFreeChunks++);
-        totalFree += chunkSize;
-        }
-    }
-
-    /* Advance to next object */
-    p = np;
-    }
-
-    PR_ASSERT(totalFree <= segmentSize);
-
-    _pr_gcData.freeMemory += totalFree;
-    _pr_gcData.busyMemory += (sp->limit - sp->base) - totalFree;
-    return PR_FALSE;
-}
-
-/************************************************************************/
-
-/* This is a list of all the objects that are finalizable. This is not
-   the list of objects that are awaiting finalization because they
-   have been collected. */
-PRCList _pr_finalizeableObjects;
-
-/* This is the list of objects that are awaiting finalization because
-   they have been collected. */
-PRCList _pr_finalQueue;
-
-/* Each object that requires finalization has one of these objects
-   allocated as well. The GCFinal objects are put on the
-   _pr_finalizeableObjects list until the object is collected at which
-   point the GCFinal object is moved to the _pr_finalQueue */
-typedef struct GCFinalStr {
-    PRCList links;
-    PRWord *object;
-} GCFinal;
-
-/* Find pointer to GCFinal struct from the list linkaged embedded in it */
-#define FinalPtr(_qp) \
-    ((GCFinal*) ((char*) (_qp) - offsetof(GCFinal,links)))
-
-static GCFinal *AllocFinalNode(void)
-{
-    return PR_NEWZAP(GCFinal);
-}
-
-static void FreeFinalNode(GCFinal *node)
-{
-    PR_DELETE(node);
-}
-
-/*
-** Prepare for finalization. At this point in the GC cycle we have
-** identified all of the live objects. For each object on the
-** _pr_finalizeableObjects list see if the object is alive or dead. If
-** it's dead, resurrect it and move it from the _pr_finalizeableObjects
-** list to the _pr_finalQueue (object's only get finalized once).
-**
-** Once _pr_finalizeableObjects has been processed we can finish the
-** GC and free up memory and release the threading lock. After that we
-** can invoke the finalization procs for each object that is on the
-** _pr_finalQueue.
-*/
-static void PrepareFinalize(void)
-{
-    PRCList *qp;
-    GCFinal *fp;
-    PRWord h;
-    PRWord *p;
-    void (PR_CALLBACK *livePointer)(void *ptr);
-#ifdef DEBUG
-    CollectorType *ct;
-#endif
-
-    /* This must be done under the same lock that the finalizer uses */
-    PR_ASSERT( GC_IS_LOCKED() );
-
-    /* cache this ptr */
-    livePointer = _pr_gcData.livePointer;
-
-    /*
-     * Pass #1: Identify objects that are to be finalized, set their
-     * FINAL_BIT.
-     */
-    qp = _pr_finalizeableObjects.next;
-    while (qp != &_pr_finalizeableObjects) {
-    fp = FinalPtr(qp);
-    qp = qp->next;
-    h = fp->object[0];        /* Grab header word */
-    if (h & MARK_BIT) {
-        /* Object is already alive */
-        continue;
-    }
-
-#ifdef DEBUG
-    ct = &_pr_collectorTypes[GET_TYPEIX(h)];
-    PR_ASSERT((0 != ct->flags) && (0 != ct->gctype.finalize));
-#endif
-    fp->object[0] |= FINAL_BIT;
-    _GCTRACE(GC_FINAL, ("moving %p (%d) to finalQueue",
-               fp->object, OBJ_BYTES(h)));
-    }
-
-    /*
-     * Pass #2: For each object that is going to be finalized, move it to
-     * the finalization queue and resurrect it
-     */
-    qp = _pr_finalizeableObjects.next;
-    while (qp != &_pr_finalizeableObjects) {
-    fp = FinalPtr(qp);
-    qp = qp->next;
-    h = fp->object[0];        /* Grab header word */
-    if ((h & FINAL_BIT) == 0) {
-        continue;
-    }
-
-    /* Resurrect the object and any objects it refers to */
-        p = &fp->object[1];
-    (*livePointer)(p);
-    PR_REMOVE_LINK(&fp->links);
-    PR_APPEND_LINK(&fp->links, &_pr_finalQueue);
-    }
-}
-
-/*
-** Scan the finalQ, marking each and every object on it live.  This is
-** necessary because we might do a GC before objects that are on the
-** final queue get finalized. Since there are no other references
-** (otherwise they would be on the final queue), we have to scan them.
-** This really only does work if we call the GC before the finalizer
-** has a chance to do its job.
-*/
-extern void PR_CALLBACK _PR_ScanFinalQueue(void *notused)
-{
-    PRCList *qp;
-    GCFinal *fp;
-    PRWord *p;
-    void ( PR_CALLBACK *livePointer)(void *ptr);
-
-    livePointer = _pr_gcData.livePointer;
-    qp = _pr_finalQueue.next;
-    while (qp != &_pr_finalQueue) {
-    fp = FinalPtr(qp);
-	_GCTRACE(GC_FINAL, ("marking 0x%x (on final queue)", fp->object));
-        p = &fp->object[1];
-    (*livePointer)(p);
-    qp = qp->next;
-    }
-}
-
-void PR_CALLBACK FinalizerLoop(void* unused)
-{
-    GCFinal *fp;
-    PRWord *p;
-    PRWord h, tix;
-    CollectorType *ct;
-
-    LOCK_GC();
-    for (;;) {
-	p = 0; h = 0;		/* don't let the gc find these pointers */
-    while (PR_CLIST_IS_EMPTY(&_pr_finalQueue))
-        PR_Wait(_pr_gcData.lock, PR_INTERVAL_NO_TIMEOUT);
-
-    _GCTRACE(GC_FINAL, ("begin finalization"));
-    while (_pr_finalQueue.next != &_pr_finalQueue) {
-        fp = FinalPtr(_pr_finalQueue.next);
-        PR_REMOVE_LINK(&fp->links);
-        p = fp->object;
-
-        h = p[0];        /* Grab header word */
-        tix = (PRWord)GET_TYPEIX(h);
-        ct = &_pr_collectorTypes[tix];
-	    _GCTRACE(GC_FINAL, ("finalize 0x%x (%d)", p, OBJ_BYTES(h)));
-
-        /*
-        ** Give up the GC lock so that other threads can allocate memory
-        ** while this finalization method is running. Get it back
-        ** afterwards so that the list remains thread safe.
-        */
-        UNLOCK_GC();
-        FreeFinalNode(fp);
-        PR_ASSERT(ct->gctype.finalize != 0);
-        (*ct->gctype.finalize)(p + 1);
-        LOCK_GC();
-    }
-    _GCTRACE(GC_FINAL, ("end finalization"));
-    PR_Notify(_pr_gcData.lock);
-    }
-}
-
-static void NotifyFinalizer(void)
-{
-    if (!PR_CLIST_IS_EMPTY(&_pr_finalQueue)) {
-    PR_ASSERT( GC_IS_LOCKED() );
-    PR_Notify(_pr_gcData.lock);
-    }
-}
-
-void _PR_CreateFinalizer(PRThreadScope scope)
-{
-    if (!_pr_gcData.finalizer) {
-    _pr_gcData.finalizer = PR_CreateThreadGCAble(PR_SYSTEM_THREAD,
-                                        FinalizerLoop, 0,
-                                        PR_PRIORITY_LOW, scope,
-                                        PR_UNJOINABLE_THREAD, 0);
-    
-    if (_pr_gcData.finalizer == NULL)
-        /* We are doomed if we can't start the finalizer */
-        PR_Abort();
-
-    }
-}
-
-void pr_FinalizeOnExit(void)
-{
-#ifdef DEBUG_warren
-    OutputDebugString("### Doing finalize-on-exit pass\n");
-#endif
-    PR_ForceFinalize();
-#ifdef DEBUG_warren
-    OutputDebugString("### Finalize-on-exit complete. Dumping object left to memory.out\n");
-    PR_DumpMemorySummary();
-    PR_DumpMemory(PR_TRUE);
-#endif
-}
-
-PR_IMPLEMENT(void) PR_ForceFinalize()
-{
-    LOCK_GC();
-    NotifyFinalizer();
-    while (!PR_CLIST_IS_EMPTY(&_pr_finalQueue)) {
-    PR_ASSERT( GC_IS_LOCKED() );
-    (void) PR_Wait(_pr_gcData.lock, PR_INTERVAL_NO_TIMEOUT);
-    }
-    UNLOCK_GC();
-
-    /* XXX I don't know how to make it wait (yet) */
-}
-
-/************************************************************************/
-
-typedef struct GCWeakStr {
-    PRCList links;
-    PRWord *object;
-} GCWeak;
-
-/*
-** Find pointer to GCWeak struct from the list linkaged embedded in it
-*/
-#define WeakPtr(_qp) \
-    ((GCWeak*) ((char*) (_qp) - offsetof(GCWeak,links)))
-
-PRCList _pr_weakLinks = PR_INIT_STATIC_CLIST(&_pr_weakLinks);
-PRCList _pr_freeWeakLinks = PR_INIT_STATIC_CLIST(&_pr_freeWeakLinks);
-
-#define WEAK_FREELIST_ISEMPTY() (_pr_freeWeakLinks.next == &_pr_freeWeakLinks)
-
-/*
- * Keep objects referred to by weak free list alive until they can be
- * freed
- */
-static void PR_CALLBACK ScanWeakFreeList(void *notused) {
-    PRCList *qp = _pr_freeWeakLinks.next;
-    while (qp != &_pr_freeWeakLinks) {
-    GCWeak *wp = WeakPtr(qp);
-    qp = qp->next;
-    ProcessRootPointer(wp->object);
-    }
-}
-
-/*
- * Empty the list of weak objects. Note that we can't call malloc/free
- * under the cover of the GC's lock (we might deadlock), so transfer the
- * list of free objects to a local list under the cover of the lock, then
- * release the lock and free up the memory.
- */
-static void EmptyWeakFreeList(void) {
-    if (!WEAK_FREELIST_ISEMPTY()) {
-    PRCList *qp, freeLinks;
-
-    PR_INIT_CLIST(&freeLinks);
-
-    /*
-     * Transfer list of free weak links from the global list to a
-     * local list.
-     */
-    LOCK_GC();
-    qp = _pr_freeWeakLinks.next;
-    while (qp != &_pr_freeWeakLinks) {
-        GCWeak *wp = WeakPtr(qp);
-        qp = qp->next;
-        PR_REMOVE_LINK(&wp->links);
-        PR_APPEND_LINK(&wp->links, &freeLinks);
-    }
-    UNLOCK_GC();
-
-    /* Free up storage now */
-    qp = freeLinks.next;
-    while (qp != &freeLinks) {
-        GCWeak *wp = WeakPtr(qp);
-        qp = qp->next;
-        PR_DELETE(wp);
-    }
-    }
-}
-
-/*
- * Allocate a new weak node in the weak objects list
- */
-static GCWeak *AllocWeakNode(void)
-{
-    EmptyWeakFreeList();
-    return PR_NEWZAP(GCWeak);
-}
-
-static void FreeWeakNode(GCWeak *node)
-{
-    PR_DELETE(node);
-}
-
-/*
- * Check the weak links for validity. Note that the list of weak links is
- * itself weak (otherwise we would keep the objects with weak links in
- * them alive forever). As we scan the list check the weak link object
- * itself and if it's not marked then remove it from the weak link list
- */
-static void CheckWeakLinks(void) {
-    PRCList *qp;
-    GCWeak *wp;
-    PRWord *p, h, tix, **weakPtrAddress;
-    CollectorType *ct;
-    PRUint32 offset;
-
-    qp = _pr_weakLinks.next;
-    while (qp != &_pr_weakLinks) {
-    wp = WeakPtr(qp);
-    qp = qp->next;
-    if ((p = wp->object) != 0) {
-        h = p[0];        /* Grab header word */
-        if ((h & MARK_BIT) == 0) {
-        /*
-         * The object that has a weak link is no longer being
-         * referenced; remove it from the chain and let it get
-         * swept away by the GC. Transfer it to the list of
-         * free weak links for later freeing.
-         */
-        PR_REMOVE_LINK(&wp->links);
-        PR_APPEND_LINK(&wp->links, &_pr_freeWeakLinks);
-        collectorCleanupNeeded = 1;
-        continue;
-        }
-        
-	    /* Examine a live object that contains weak links */
-        tix = GET_TYPEIX(h);
-        ct = &_pr_collectorTypes[tix];
-        PR_ASSERT((ct->flags != 0) && (ct->gctype.getWeakLinkOffset != 0));
-        if (0 == ct->gctype.getWeakLinkOffset) {
-        /* Heap is probably corrupted */
-        continue;
-        }
-
-        /* Get offset into the object of where the weak pointer is */
-        offset = (*ct->gctype.getWeakLinkOffset)(p + 1);
-
-        /* Check the weak pointer */
-        weakPtrAddress = (PRWord**)((char*)(p + 1) + offset);
-        p = *weakPtrAddress;
-        if (p != 0) {
-        h = p[-1];    /* Grab header word for pointed to object */
-        if (h & MARK_BIT) {
-            /* Object can't be dead */
-            continue;
-        }
-        /* Break weak link to an object that is about to be swept */
-        *weakPtrAddress = 0;
-        }
-    }
-    }
-}
-
-/************************************************************************/
-
-/*
-** Perform a complete garbage collection
-*/
-
-extern GCLockHook *_pr_GCLockHook;
-
-static void dogc(void)
-{
-    RootFinder *rf;
-    GCLockHook* lhook;
-
-    GCScanQ scanQ;
-    GCSeg *sp, *esp;
-    PRInt64 start, end, diff;
-
-#if defined(GCMETER) || defined(GCTIMINGHOOK)
-    start = PR_Now();
-#endif
-
-    /*
-    ** Stop all of the other threads. This also promises to capture the
-    ** register state of each and every thread
-    */
-
-    /* 
-    ** Get all the locks that will be need during GC after SuspendAll. We 
-    ** cannot make any locking/library calls after SuspendAll.
-    */
-    if (_pr_GCLockHook) {
-        for (lhook = _pr_GCLockHook->next; lhook != _pr_GCLockHook; 
-          lhook = lhook->next) {
-          (*lhook->func)(PR_GCBEGIN, lhook->arg);
-        }
-    }
-
-    PR_SuspendAll();
-
-#ifdef GCMETER
-    /* Reset meter info */
-    if (_pr_gcMeter & _GC_METER_STATS) {
-        fprintf(stderr,
-                "[GCSTATS: busy:%ld skipped:%ld, alloced:%ld+wasted:%ld+free:%ld = total:%ld]\n",
-                (long) _pr_gcData.busyMemory,
-                (long) meter.skippedFreeChunks,
-                (long) meter.allocBytes,
-                (long) meter.wastedBytes,
-                (long) _pr_gcData.freeMemory,
-                (long) _pr_gcData.allocMemory);
-    }        
-    memset(&meter, 0, sizeof(meter));
-#endif
-
-    PR_LOG(_pr_msgc_lm, PR_LOG_ALWAYS, ("begin mark phase; busy=%d free=%d total=%d",
-                     _pr_gcData.busyMemory, _pr_gcData.freeMemory,
-                     _pr_gcData.allocMemory));
-
-    if (_pr_beginGCHook) {
-    (*_pr_beginGCHook)(_pr_beginGCHookArg);
-    }
-
-    /*
-    ** Initialize scanQ to all zero's so that root finder doesn't walk
-    ** over it...
-    */
-    memset(&scanQ, 0, sizeof(scanQ));
-    pScanQ = &scanQ;
-
-    /******************************************/
-    /* MARK PHASE */
-
-    EmptyFreelists();
-
-    /* Find root's */
-    PR_LOG(_pr_msgc_lm, PR_LOG_WARNING,
-           ("begin mark phase; busy=%d free=%d total=%d",
-        _pr_gcData.busyMemory, _pr_gcData.freeMemory,
-            _pr_gcData.allocMemory));
-    METER(_pr_scanDepth = 0);
-    rf = _pr_rootFinders;
-    while (rf) {
-    _GCTRACE(GC_ROOTS, ("finding roots in %s", rf->name));
-    (*rf->func)(rf->arg);
-    rf = rf->next;
-    }
-    _GCTRACE(GC_ROOTS, ("done finding roots"));
-
-    /* Scan remaining object's that need scanning */
-    ScanScanQ(&scanQ);
-    PR_ASSERT(pScanQ == &scanQ);
-    PR_ASSERT(scanQ.queued == 0);
-    METER({
-    if (_pr_scanDepth > _pr_maxScanDepth) {
-        _pr_maxScanDepth = _pr_scanDepth;
-    }
-    });
-
-    /******************************************/
-    /* FINALIZATION PHASE */
-
-    METER(_pr_scanDepth = 0);
-    PrepareFinalize();
-
-    /* Scan any resurrected objects found during finalization */
-    ScanScanQ(&scanQ);
-    PR_ASSERT(pScanQ == &scanQ);
-    PR_ASSERT(scanQ.queued == 0);
-    METER({
-    if (_pr_scanDepth > _pr_maxScanDepth) {
-        _pr_maxScanDepth = _pr_scanDepth;
-    }
-    });
-    pScanQ = 0;
-
-    /******************************************/
-    /* SWEEP PHASE */
-
-    /*
-    ** Sweep each segment clean. While we are at it, figure out which
-    ** segment has the most free space and make that the current segment.
-    */
-    CheckWeakLinks();
-    _GCTRACE(GC_SWEEP, ("begin sweep phase"));
-    _pr_gcData.freeMemory = 0;
-    _pr_gcData.busyMemory = 0;
-    sp = segs;
-    esp = sp + nsegs;
-    while (sp < esp) {
-        if (SweepSegment(sp)) {
-            /*
-            ** Segment is now free and has been replaced with a different
-            ** segment object.
-            */
-            esp--;
-            continue;
-        }
-        sp++;
-    }
-
-#if defined(GCMETER) || defined(GCTIMINGHOOK)
-    end = PR_Now();
-#endif
-#ifdef GCMETER
-    LL_SUB(diff, end, start);
-    PR_LOG(GC, PR_LOG_ALWAYS,
-	   ("done; busy=%d free=%d chunks=%d total=%d time=%lldms",
-	    _pr_gcData.busyMemory, _pr_gcData.freeMemory,
-	    meter.numFreeChunks, _pr_gcData.allocMemory, diff));
-    if (_pr_gcMeter & _GC_METER_FREE_LIST) {
-        PRIntn bin;
-        fprintf(stderr, "Freelist bins:\n");
-        for (bin = 0; bin < NUM_BINS; bin++) {
-            GCFreeChunk *cp = bins[bin];
-            while (cp != NULL) {
-                fprintf(stderr, "%3d: %p %8ld\n",
-                        bin, cp, (long) cp->chunkSize);
-                cp = cp->next;
-            }
-        }
-    }
-#endif
-
-    if (_pr_endGCHook) {
-    (*_pr_endGCHook)(_pr_endGCHookArg);
-    }
-
-    /* clear the running total of the bytes allocated via BigAlloc() */
-    bigAllocBytes = 0;
-
-    /* And resume multi-threading */
-    PR_ResumeAll();
-
-    if (_pr_GCLockHook) {
-        for (lhook = _pr_GCLockHook->prev; lhook != _pr_GCLockHook; 
-          lhook = lhook->prev) {
-          (*lhook->func)(PR_GCEND, lhook->arg);
-        }
-    }
-
-    /* Kick finalizer */
-    NotifyFinalizer();
-#ifdef GCTIMINGHOOK
-    if (_pr_gcData.gcTimingHook) {
-	PRInt32 time;
-	LL_SUB(diff, end, start);
-	LL_L2I(time, diff);
-	_pr_gcData.gcTimingHook(time);
-    }
-#endif
-}
-
-PR_IMPLEMENT(void) PR_GC(void)
-{
-    LOCK_GC();
-    dogc();
-    UNLOCK_GC();
-
-    EmptyWeakFreeList();
-}
-
-/*******************************************************************************
- * Heap Walker
- ******************************************************************************/
-
-/*
-** This is yet another disgusting copy of the body of ProcessRootPointer
-** (the other being ProcessRootBlock), but we're not leveraging a single
-** function in their cases in interest of performance (avoiding the function
-** call).
-*/
-static PRInt32 PR_CALLBACK
-pr_ConservativeWalkPointer(void* ptr, PRWalkFun walkRootPointer, void* data)
-{
-  PRWord *p0, *p, *segBase;
-  GCSeg* sp;
-
-  p0 = (PRWord*) ptr;
-
-  if (p0 < _pr_gcData.lowSeg) return 0;                  /* below gc heap */
-  if (p0 >= _pr_gcData.highSeg) return 0;                /* above gc heap */
-
-  /* NOTE: inline expansion of InHeap */
-  /* Find segment */
-  sp = lastInHeap;
-  if (!sp || !IN_SEGMENT(sp,p0)) {
-    GCSeg *esp;
-    sp = segs;
-    esp = segs + nsegs;
-    for (; sp < esp; sp++) {
-      if (IN_SEGMENT(sp, p0)) {
-	lastInHeap = sp;
-	goto find_object;
-      }
-    }
-    return 0;
-  }
-
-  find_object:
-    /* NOTE: Inline expansion of FindObject */
-    /* Align p to it's proper boundary before we start fiddling with it */
-    p = (PRWord*) ((PRWord)p0 & ~(BYTES_PER_WORD-1L));
-    segBase = (PRWord *) sp->base;
-    do {
-        if (IS_HBIT(sp, p)) {
-            goto winner;
-        }
-        p--;
-    } while (p >= segBase);
-
-    /*
-    ** We have a pointer into the heap, but it has no header
-    ** bit. This means that somehow the very first object in the heap
-    ** doesn't have a header. This is impossible so when debugging
-    ** lets abort.
-    */
-#ifdef DEBUG
-    PR_Abort();
-#endif
-    return 0;
-
- winner:
-    return walkRootPointer(p, data);
-}
-
-static PRInt32 PR_CALLBACK
-pr_ConservativeWalkBlock(void **base, PRInt32 count,
-			 PRWalkFun walkRootPointer, void* data)
-{
-    PRWord *p0;
-    while (--count >= 0) {
-	PRInt32 status;
-        p0 = (PRWord*) *base++;
-	status = pr_ConservativeWalkPointer(p0, walkRootPointer, data);
-	if (status) return status;
-    }
-    return 0;
-}
-
-/******************************************************************************/
-
-typedef void (*WalkObject_t)(FILE *out, GCType* tp, PRWord *obj,
-			     size_t bytes, PRBool detailed);
-typedef void (*WalkUnknown_t)(FILE *out, GCType* tp, PRWord tix, PRWord *p,
-			      size_t bytes, PRBool detailed);
-typedef void (*WalkFree_t)(FILE *out, PRWord *p, size_t size, PRBool detailed);
-typedef void (*WalkSegment_t)(FILE *out, GCSeg* sp, PRBool detailed);
-
-static void
-pr_WalkSegment(FILE* out, GCSeg* sp, PRBool detailed,
-           char* enterMsg, char* exitMsg,
-           WalkObject_t walkObject, WalkUnknown_t walkUnknown, WalkFree_t walkFree)
-{
-    PRWord *p, *limit;
-
-    p = (PRWord *) sp->base;
-    limit = (PRWord *) sp->limit;
-    if (enterMsg)
-    fprintf(out, enterMsg, p);
-    while (p < limit)
-    {
-    if (IS_HBIT(sp, p)) /* Is this an object header? */
-    {
-        PRWord h = p[0];
-        PRWord tix = GET_TYPEIX(h);
-        size_t bytes = OBJ_BYTES(h);
-        PRWord* np = (PRWord*) ((char*)p + bytes);
-
-        GCType* tp = &_pr_collectorTypes[tix].gctype;
-        if ((0 != tp) && walkObject)
-        walkObject(out, tp, p, bytes, detailed);
-        else if (walkUnknown)
-        walkUnknown(out, tp, tix, p, bytes, detailed);
-        p = np;
-    }
-    else
-    {
-        /* Must be a freelist item */
-        size_t size = ((GCFreeChunk*)p)->chunkSize;
-        if (walkFree)
-        walkFree(out, p, size, detailed);
-        p = (PRWord*)((char*)p + size);
-    }
-    }
-    if (p != limit)
-    fprintf(out, "SEGMENT OVERRUN (end should be at 0x%p)\n", limit);
-    if (exitMsg)
-    fprintf(out, exitMsg, p);
-}
-
-static void
-pr_WalkSegments(FILE *out, WalkSegment_t walkSegment, PRBool detailed)
-{
-    GCSeg *sp = segs;
-    GCSeg *esp;
-
-    LOCK_GC();
-    esp = sp + nsegs;
-    while (sp < esp)
-    {
-    walkSegment(out, sp, detailed);
-    sp++;
-    }
-    fprintf(out, "End of heap\n");
-    UNLOCK_GC();
-}
-
-/*******************************************************************************
- * Heap Dumper
- ******************************************************************************/
-
-PR_IMPLEMENT(void)
-PR_DumpIndent(FILE *out, int indent)
-{
-    while (--indent >= 0)
-    fprintf(out, " ");
-}
-
-static void
-PR_DumpHexWords(FILE *out, PRWord *p, int nWords,
-        int indent, int nWordsPerLine)
-{
-    while (nWords > 0)
-    {
-    int i;
-
-    PR_DumpIndent(out, indent);
-    i = nWordsPerLine;
-    if (i > nWords)
-        i = nWords;
-    nWords -= i;
-    while (i--)
-    {
-        fprintf(out, "0x%.8lX", (long) *p++);
-        if (i)
-        fputc(' ', out);
-    }
-    fputc('\n', out);
-    }
-}
-
-static void PR_CALLBACK
-pr_DumpObject(FILE *out, GCType* tp, PRWord *p, 
-          size_t bytes, PRBool detailed)
-{
-    char kindChar = tp->kindChar;
-    fprintf(out, "0x%p: 0x%.6lX %c  ",
-            p, (long) bytes, kindChar ? kindChar : '?');
-    if (tp->dump)
-    (*tp->dump)(out, (void*) (p + 1), detailed, 0);
-    if (detailed)
-    PR_DumpHexWords(out, p, bytes>>2, 22, 4);
-}
-    
-static void PR_CALLBACK
-pr_DumpUnknown(FILE *out, GCType* tp, PRWord tix, PRWord *p, 
-           size_t bytes, PRBool detailed)
-{
-    char kindChar = tp->kindChar;
-    fprintf(out, "0x%p: 0x%.6lX %c  ",
-            p, (long) bytes, kindChar ? kindChar : '?');
-    fprintf(out, "UNKNOWN KIND %ld\n", (long) tix);
-    if (detailed)
-    PR_DumpHexWords(out, p, bytes>>2, 22, 4);
-}
-
-static void PR_CALLBACK
-pr_DumpFree(FILE *out, PRWord *p, size_t size, PRBool detailed)
-{
-    fprintf(out, "0x%p: 0x%.6lX -  FREE\n", p, (long) size);
-}
-
-static void PR_CALLBACK
-pr_DumpSegment(FILE* out, GCSeg* sp, PRBool detailed)
-{
-    pr_WalkSegment(out, sp, detailed,
-           "\n   Address: Length\n0x%p: Beginning of segment\n",
-           "0x%p: End of segment\n\n",
-           pr_DumpObject, pr_DumpUnknown, pr_DumpFree);
-}
-
-static void pr_DumpRoots(FILE *out);
-
-/*
-** Dump out the GC heap.
-*/
-PR_IMPLEMENT(void)
-PR_DumpGCHeap(FILE *out, PRBool detailed)
-{
-    fprintf(out, "\n"
-        "The kinds are:\n"
-        " U unscanned block\n"
-        " W weak link block\n"
-        " S scanned block\n"
-        " F scanned and final block\n"
-        " C class record\n"
-        " X context record\n"
-        " - free list item\n"
-        " ? other\n");
-    LOCK_GC();
-    pr_WalkSegments(out, pr_DumpSegment, detailed);
-    if (detailed)
-    pr_DumpRoots(out);
-    UNLOCK_GC();
-}
-
-PR_IMPLEMENT(void)
-PR_DumpMemory(PRBool detailed)
-{
-    PR_DumpToFile("memory.out", "Dumping memory", PR_DumpGCHeap, detailed);
-}
-
-/******************************************************************************/
-
-static PRInt32 PR_CALLBACK
-pr_DumpRootPointer(PRWord* p, void* data)
-{
-    PRWord h = p[0];
-    PRWord tix = GET_TYPEIX(h);
-      size_t bytes = OBJ_BYTES(h);
-      
-      GCType* tp = &_pr_collectorTypes[tix].gctype;
-      if (0 != tp)
-      pr_DumpObject(_pr_gcData.dumpOutput, tp, p, bytes, PR_FALSE);
-      else
-      pr_DumpUnknown(_pr_gcData.dumpOutput, tp, tix, p, bytes, PR_FALSE);
-    return 0;
-}
-
-static void PR_CALLBACK
-pr_ConservativeDumpRootPointer(void* ptr)
-{
-    (void)pr_ConservativeWalkPointer(ptr, (PRWalkFun) pr_DumpRootPointer, NULL);
-}
-
-static void PR_CALLBACK
-pr_ConservativeDumpRootBlock(void **base, PRInt32 count)
-{
-    (void)pr_ConservativeWalkBlock(base, count, (PRWalkFun) pr_DumpRootPointer, NULL);
-}
-
-extern int
-DumpThreadRoots(PRThread *t, int i, void *notused);
-
-static void
-pr_DumpRoots(FILE *out)
-{
-    RootFinder *rf;
-    void (*liveBlock)(void **base, PRInt32 count);
-    void (*livePointer)(void *ptr);
-    void (*processRootBlock)(void **base, PRInt32 count);
-    void (*processRootPointer)(void *ptr);
-
-    LOCK_GC();
-
-    liveBlock = _pr_gcData.liveBlock;
-    livePointer = _pr_gcData.livePointer;
-    processRootBlock = _pr_gcData.processRootBlock;
-    processRootPointer = _pr_gcData.processRootPointer;
-    
-    _pr_gcData.liveBlock = pr_ConservativeDumpRootBlock;
-    _pr_gcData.livePointer = pr_ConservativeDumpRootPointer;
-    _pr_gcData.processRootBlock = pr_ConservativeDumpRootBlock;
-    _pr_gcData.processRootPointer = pr_ConservativeDumpRootPointer;
-    _pr_gcData.dumpOutput = out;
-
-    rf = _pr_rootFinders;
-    while (rf) {
-    fprintf(out, "\n===== Roots for %s\n", rf->name);
-    (*rf->func)(rf->arg);
-    rf = rf->next;
-    }
-
-    _pr_gcData.liveBlock = liveBlock;
-    _pr_gcData.livePointer = livePointer;
-    _pr_gcData.processRootBlock = processRootBlock;
-    _pr_gcData.processRootPointer = processRootPointer;
-    _pr_gcData.dumpOutput = NULL;
-
-    UNLOCK_GC();
-}
-
-/*******************************************************************************
- * Heap Summary Dumper
- ******************************************************************************/
-
-PRSummaryPrinter summaryPrinter = NULL;
-void* summaryPrinterClosure = NULL;
-
-PR_IMPLEMENT(void) 
-PR_RegisterSummaryPrinter(PRSummaryPrinter fun, void* closure)
-{
-    summaryPrinter = fun;
-    summaryPrinterClosure = closure;
-}
-
-static void PR_CALLBACK
-pr_SummarizeObject(FILE *out, GCType* tp, PRWord *p,
-           size_t bytes, PRBool detailed)
-{
-    if (tp->summarize)
-    (*tp->summarize)((void GCPTR*)(p + 1), bytes);
-}
-
-static void PR_CALLBACK
-pr_DumpSummary(FILE* out, GCSeg* sp, PRBool detailed)
-{
-    pr_WalkSegment(out, sp, detailed, NULL, NULL,
-           pr_SummarizeObject, NULL, NULL);
-}
-
-PR_IMPLEMENT(void)
-PR_DumpGCSummary(FILE *out, PRBool detailed)
-{
-    if (summaryPrinter) {
-    pr_WalkSegments(out, pr_DumpSummary, detailed);
-    summaryPrinter(out, summaryPrinterClosure);
-    }
-#if 0
-    fprintf(out, "\nFinalizable objects:\n");
-    {
-    PRCList *qp;
-    qp = _pr_pendingFinalQueue.next;
-    while (qp != &_pr_pendingFinalQueue) {
-        GCFinal* fp = FinalPtr(qp);
-        PRWord h = fp->object[0];        /* Grab header word */
-        PRWord tix = GET_TYPEIX(h);
-        GCType* tp = _pr_gcTypes[tix];
-        size_t bytes = OBJ_BYTES(h);
-        pr_DumpObject(out, tp, fp->object, bytes, PR_FALSE);
-        qp = qp->next;
-    }
-    }
-#endif
-}
-
-PR_IMPLEMENT(void)
-PR_DumpMemorySummary(void)
-{
-    PR_DumpToFile("memory.out", "Memory Summary", PR_DumpGCSummary, PR_FALSE);
-}
-
-/*******************************************************************************
- * End Of Heap Walker 
- ******************************************************************************/
-
-#ifdef GC_TRACEROOTS
-
-PRInt32 pr_traceGen = 0;
-
-static PRBool
-pr_IsMarked(PRWord* p)
-{
-    GCBlockEnd* end = (GCBlockEnd*)((char*)p + OBJ_BYTES(p[0]) - sizeof(GCBlockEnd));
-    PR_ASSERT(end->check == PR_BLOCK_END);
-    return end->traceGeneration == pr_traceGen;
-}
-
-static void
-pr_Mark(PRWord* p)
-{
-    GCBlockEnd* end = (GCBlockEnd*)((char*)p + OBJ_BYTES(p[0]) - sizeof(GCBlockEnd));
-    PR_ASSERT(end->check == PR_BLOCK_END);
-    end->traceGeneration = pr_traceGen;
-}
-
-PRWord* pr_traceObj;	/* set this in the debugger, then execute PR_TraceRoot() */
-
-static PRInt32 PR_CALLBACK
-pr_TraceRootObject(void* obj, void* data);
-
-static PRInt32 PR_CALLBACK
-pr_TraceRootPointer(PRWord *p, void* data)
-{
-    PRInt32 printTrace = 0;
-    PRWord h = p[0];
-    PRWord tix = GET_TYPEIX(h);
-    GCType* tp = &_pr_collectorTypes[tix].gctype;
-    FILE* out = _pr_gcData.dumpOutput;
-
-    PR_ASSERT(tp);
-    if (pr_IsMarked(p))
-	return printTrace;
-
-    pr_Mark(p);
-    if (p == pr_traceObj) {
-	fprintf(out, "\n### Found path to:\n");
-	printTrace = 1;
-    }
-    else {
-	if (PR_StackSpaceLeft(PR_GetCurrentThread()) < 512) {
-	    fprintf(out, "\n### Path too deep (giving up):\n");
-	    printTrace = 1;
-	}
-	else if (tp->walk) {
-	    printTrace = tp->walk((void*)(p + 1), pr_TraceRootObject, data);
-	}
-	/* else there's no way to walk this object, so we
-	   haven't found what we're looking for */
-    }
-
-    if (printTrace == 1) {
-	PR_ASSERT(tp->dump);
-	fprintf(out, "0x%p: ", p);
-	tp->dump(out, (void*)(p + 1), PR_FALSE, 1);
-    }
-    return printTrace;
-}
-
-static PRInt32 PR_CALLBACK
-pr_TraceRootObject(void* obj, void* data)
-{
-    /* This version of pr_TraceRootPointer takes object
-       pointers, instead of gc header pointers. */
-    return pr_TraceRootPointer((PRWord*)obj - 1, data);
-}
-
-static void PR_CALLBACK
-pr_ConservativeTraceRootPointer(PRWord *p)
-{
-    PRInt32 status;
-    ++pr_traceGen;
-    status = pr_ConservativeWalkPointer(p, pr_TraceRootPointer, NULL);
-    if (status) {
-	FILE* out = _pr_gcData.dumpOutput;
-	fprintf(out, "### from root at 0x%p\n\n", p);
-    }
-}
-
-static void PR_CALLBACK
-pr_ConservativeTraceRootBlock(void **base, PRInt32 count)
-{
-    PRInt32 status;
-    ++pr_traceGen;
-    status = pr_ConservativeWalkBlock(base, count, pr_TraceRootPointer, NULL);
-    if (status) {
-	FILE* out = _pr_gcData.dumpOutput;
-	fprintf(out, "### from root in range 0x%p + 0x%lx\n\n",
-                base, (long) count);
-    }
-}
-
-static void
-PR_TraceRoot1(FILE* out, PRBool detailed)
-{
-    RootFinder *rf;
-    void (*liveBlock)(void **base, PRInt32 count);
-    void (*livePointer)(void *ptr);
-    void (*processRootBlock)(void **base, PRInt32 count);
-    void (*processRootPointer)(void *ptr);
-
-    LOCK_GC();
-
-    liveBlock = _pr_gcData.liveBlock;
-    livePointer = _pr_gcData.livePointer;
-    processRootBlock = _pr_gcData.processRootBlock;
-    processRootPointer = _pr_gcData.processRootPointer;
-    
-    _pr_gcData.liveBlock = pr_ConservativeTraceRootBlock;
-    _pr_gcData.livePointer = pr_ConservativeTraceRootPointer;
-    _pr_gcData.processRootBlock = pr_ConservativeTraceRootBlock;
-    _pr_gcData.processRootPointer = pr_ConservativeTraceRootPointer;
-    _pr_gcData.dumpOutput = out;
-
-    fprintf(out, "### Looking for paths to 0x%p\n\n", pr_traceObj);
-
-    rf = _pr_rootFinders;
-    while (rf) {
-	fprintf(out, "\n===== Roots for %s\n", rf->name);
-	(*rf->func)(rf->arg);
-	rf = rf->next;
-    }
-
-    _pr_gcData.liveBlock = liveBlock;
-    _pr_gcData.livePointer = livePointer;
-    _pr_gcData.processRootBlock = processRootBlock;
-    _pr_gcData.processRootPointer = processRootPointer;
-    _pr_gcData.dumpOutput = NULL;
-
-    UNLOCK_GC();
-}
-
-PR_PUBLIC_API(void)
-PR_TraceRoot()
-{
-    /*
-    ** How this works: 
-    ** Once you find the object you want to trace the roots of, set the
-    ** global variable pr_traceObj to point to it (the header, not the
-    ** java handle), and then call this routine (on Windows, you can set
-    ** a breakpoint at the end of a function that returns void (e.g. dogc)
-    ** and then do a "set next statement" to point to this routine and go.
-    ** This will dump a list of the paths from the roots to the object in
-    ** question to your memory.out file.
-    */
-    PR_DumpToFile("memory.out", "Tracing Roots", PR_TraceRoot1, PR_FALSE);
-}
-
-#endif /* GC_TRACEROOTS */
-
-/******************************************************************************/
-
-#if defined(DEBUG) && defined(WIN32)
-static void DumpApplicationHeap(FILE *out, HANDLE heap)
-{
-    PROCESS_HEAP_ENTRY entry;
-    DWORD err;
-
-    if (!HeapLock(heap))
-    OutputDebugString("Can't lock the heap.\n");
-    entry.lpData = 0;
-    fprintf(out, "   address:       size ovhd region\n");
-    while (HeapWalk(heap, &entry))
-    {
-    WORD flags = entry.wFlags;
-
-    fprintf(out, "0x%.8X: 0x%.8X 0x%.2X 0x%.2X  ", entry.lpData, entry.cbData,
-        entry.cbOverhead, entry.iRegionIndex);
-    if (flags & PROCESS_HEAP_REGION)
-        fprintf(out, "REGION  committedSize=0x%.8X uncommittedSize=0x%.8X firstBlock=0x%.8X lastBlock=0x%.8X",
-            entry.Region.dwCommittedSize, entry.Region.dwUnCommittedSize,
-            entry.Region.lpFirstBlock, entry.Region.lpLastBlock);
-    else if (flags & PROCESS_HEAP_UNCOMMITTED_RANGE)
-        fprintf(out, "UNCOMMITTED");
-    else if (flags & PROCESS_HEAP_ENTRY_BUSY)
-    {
-        if (flags & PROCESS_HEAP_ENTRY_DDESHARE)
-        fprintf(out, "DDEShare ");
-        if (flags & PROCESS_HEAP_ENTRY_MOVEABLE)
-        fprintf(out, "Moveable Block  handle=0x%.8X", entry.Block.hMem);
-        else
-        fprintf(out, "Block");
-    }
-    fprintf(out, "\n");
-    }
-    if ((err = GetLastError()) != ERROR_NO_MORE_ITEMS)
-    fprintf(out, "ERROR %d iterating through the heap\n", err);
-    if (!HeapUnlock(heap))
-    OutputDebugString("Can't unlock the heap.\n");
-}
-#endif
-
-#if defined(DEBUG) && defined(WIN32)
-static void DumpApplicationHeaps(FILE *out)
-{
-    HANDLE mainHeap;
-    HANDLE heaps[100];
-    DWORD nHeaps;
-    PRInt32 i;
-
-    mainHeap = GetProcessHeap();
-    nHeaps = GetProcessHeaps(100, heaps);
-    if (nHeaps > 100)
-    nHeaps = 0;
-    fprintf(out, "%ld heaps:\n", (long) nHeaps);
-    for (i = 0; ichunkSize;
-        if (chunkSize < bytes) {
-        /* Too small; skip it */
-            METER(meter.skippedFreeChunks++);
-        cpp = &cp->next;
-        continue;
-        }
-
-        /* We have found a hunk of memory large enough to use */
-        p = (PRWord*) cp;
-        sp = cp->segment;
-        cpNext = cp->next;
-#ifndef IS_64
-        if (dub && (((PRWord)p & (PR_BYTES_PER_DWORD-1)) == 0)) {
-        /*
-         * We are double aligning the memory and the current free
-         * chunk is aligned on an even boundary. Because header
-         * words are one word long we need to discard the first
-         * word of memory.
-         */
-        p[0] = MAKE_HEADER(FREE_MEMORY_TYPEIX, 1);
-        SET_HBIT(sp, p);
-        p++;
-        chunkSize -= PR_BYTES_PER_WORD;
-        bytes -= PR_BYTES_PER_WORD;
-        PR_ASSERT(((PRWord)p & (PR_BYTES_PER_DWORD-1)) != 0);
-        _pr_gcData.freeMemory -= PR_BYTES_PER_WORD;
-        _pr_gcData.busyMemory += PR_BYTES_PER_WORD;
-        }
-#endif
-        np = (PRWord*) ((char*) p + bytes);
-        remainder = chunkSize - bytes;
-        if (remainder >= MIN_FREE_CHUNK_BYTES) {
-        /* The left over memory is large enough to be freed. */
-        cp = (GCFreeChunk*) np;
-        cp->segment = sp;
-        cp->chunkSize = remainder;
-        InlineBinNumber(newbin, remainder)
-        if (newbin != bin) {
-            *cpp = (GCFreeChunk*) cpNext; /* remove */
-            cp->next = bins[newbin];      /* insert */
-            bins[newbin] = cp;
-            if (newbin < minBin) minBin = newbin;
-            if (newbin > maxBin) maxBin = newbin;
-        } else {
-            /* Leave it on the same list */
-            cp->next = cpNext;
-            *cpp = (GCFreeChunk*) np;
-        }
-        } else {
-        /*
-         * The left over memory is too small to be released. Just
-         * leave it attached to the chunk of memory being
-         * returned.
-         */
-        *cpp = cpNext;
-        bytes = chunkSize;
-        }
-        p[0] = MAKE_HEADER(cbix, (bytes >> PR_BYTES_PER_WORD_LOG2));
-        SET_HBIT(sp, p);
-        _pr_gcData.freeMemory -= bytes;
-        _pr_gcData.busyMemory += bytes;
-        return p;
-    }
-    }
-    return 0;
-}
-
-/*
-** Allocate a piece of memory that is "big" in it's own segment.  Make
-** the object consume the entire segment to avoid fragmentation.  When
-** the object is no longer referenced, the segment is freed.
-*/
-static PRWord *BigAlloc(int cbix, PRInt32 bytes, int dub)
-{
-    GCSeg *sp;
-    PRWord *p, h;
-    PRInt32 chunkSize;
-
-    /*
-    ** If the number of bytes allocated via BigAlloc() since the last GC
-    ** exceeds BIG_ALLOC_GC_SIZE then do a GC Now...
-    */
-    if (bigAllocBytes >= BIG_ALLOC_GC_SIZE) {
-        dogc();
-    }
-    bigAllocBytes += bytes;
-
-    /* Get a segment to hold this allocation */
-    sp = GrowHeapExactly(bytes);
-
-    if (sp) {
-        p = (PRWord*) sp->base;
-        chunkSize = sp->limit - sp->base;
-
-        /* All memory is double aligned on 64 bit machines... */
-#ifndef IS_64
-        if (dub && (((PRWord)p & (PR_BYTES_PER_DWORD-1)) == 0)) {
-            /*
-            ** Consume the first word of the chunk with a dummy
-            ** unreferenced object.
-            */
-            p[0] = MAKE_HEADER(FREE_MEMORY_TYPEIX, 1);
-            SET_HBIT(sp, p);
-            p++;
-            chunkSize -= PR_BYTES_PER_WORD;
-            _pr_gcData.freeMemory -= PR_BYTES_PER_WORD;
-            _pr_gcData.busyMemory += PR_BYTES_PER_WORD;
-            PR_ASSERT(((PRWord)p & (PR_BYTES_PER_DWORD-1)) != 0);
-        }
-#endif
-
-        /* Consume the *entire* segment with a single allocation */
-        h = MAKE_HEADER(cbix, (chunkSize >> PR_BYTES_PER_WORD_LOG2));
-        p[0] = h;
-        SET_HBIT(sp, p);
-        _pr_gcData.freeMemory -= chunkSize;
-        _pr_gcData.busyMemory += chunkSize;
-    return p;
-    }
-    return 0;
-}
-
-/* we disable gc allocation during low memory conditions */
-static PRBool allocationEnabled = PR_TRUE;
-
-PR_IMPLEMENT(void) PR_EnableAllocation(PRBool yesOrNo)
-{
-    allocationEnabled = yesOrNo;
-}
-
-static void CollectorCleanup(void) {
-    while (collectorCleanupNeeded) {
-    LOCK_GC();
-    collectorCleanupNeeded = 0;
-    UNLOCK_GC();
-    if (freeSegs) {
-        FreeSegments();
-    }
-    if (!WEAK_FREELIST_ISEMPTY()) {
-        EmptyWeakFreeList();
-    }
-    }
-}
-
-/******************************************************************************/
-
-#ifdef GC_CHECK
-static PRInt32 allocationCount;
-
-static void EarthShatteringKaBoom(PRInt32 whichOne) {
-    long* p = 0;
-    *p = 0;
-}
-
-/* Check a segment of heap memory. Verify that the object memory
-   hasn't been overwritten (past the end at least) */
-static void CheckSegment(GCSeg* sp) {
-    PRWord h, tix;
-    PRWord *p, *lastp, *np, *limit;
-
-    lastp = p = (PRWord *) sp->base;
-    limit = (PRWord *) sp->limit;
-    while (p < limit) {
-    if (IS_HBIT(sp, p)) {
-	    char *cp, i;
-	    GCBlockEnd* end;
-	    PRWord bytes, requestedBytes;
-
-	    h = p[0];
-	    tix = GET_TYPEIX(h);
-	    bytes = OBJ_BYTES(h);
-	    np = (PRWord *) ((char *)p + bytes);
-	    if (tix != FREE_MEMORY_TYPEIX) {
-                PRInt32 test;	/* msdev get's fooled without this local */
-		/* A live object is here. The last word in the object will
-		   contain the objects requestedSize */
-		end = (GCBlockEnd*)((char*)(p) + bytes - sizeof(GCBlockEnd));
-		test = end->check;
-		if (test != PR_BLOCK_END) {
-		    PR_ASSERT(test == PR_BLOCK_END);
-		}
-		requestedBytes = end->requestedBytes;
-		if (requestedBytes >= bytes) EarthShatteringKaBoom(0);
-		cp = (char*)(p + 1) + requestedBytes;
-		i = (char) 0xff;
-		while (cp < (char*)end) {
-            if (*cp != i) EarthShatteringKaBoom(1);
-            cp++;
-            i--;
-        }
-        }
-        lastp = p;
-        p = np;
-    } else {
-        /* Must be a freelist item */
-        GCFreeChunk *cp = (GCFreeChunk*) p;
-        if ((PRInt32)cp->chunkSize < (PRInt32)sizeof(GCFreeChunk)) {
-            EarthShatteringKaBoom(3);
-        }
-        lastp = p;
-        p = (PRWord*) ((char*)p + cp->chunkSize);
-    }
-    }
-}
-
-static void CheckHeap(void) {
-    GCSeg *sp = segs;
-    GCSeg *esp = sp + nsegs;
-    while (sp < esp) {
-    CheckSegment(sp);
-    sp++;
-    }
-}
-
-#endif /* GC_CHECK */
-
-/******************************************************************************/
-
-#ifdef DEBUG
-long gc_thrash = -1L;
-#endif
-
-/*
-** Allocate memory from the GC Heap. Performs garbage collections if
-** memory gets tight and grows the heap as needed. May return NULL if
-** memory cannot be found.
-*/
-PR_IMPLEMENT(PRWord GCPTR *)PR_AllocMemory(
-    PRWord requestedBytes, PRInt32 tix, PRWord flags)
-{
-    PRWord *p;
-    CollectorType *ct;
-    PRInt32 bytes;
-    GCFinal *final = 0;
-    GCWeak *weak = 0;
-    int dub = flags & PR_ALLOC_DOUBLE;
-    PRInt32 objBytes;
-#ifdef GC_STATS
-    PRInt64 allocTime, ldelta;
-#endif
-
-    if (!allocationEnabled) return NULL;
-
-    PR_ASSERT(requestedBytes >= 0);
-    PR_ASSERT(_pr_collectorTypes[tix].flags != 0);
-
-#ifdef DEBUG
-    if (_pr_do_a_dump) {
-    /*
-    ** Collect, pause for a second (lets finalizer run), and then GC
-    ** again.
-    */
-    PR_GC();
-    PR_Sleep(PR_MicrosecondsToInterval(1000000L));
-    PR_GC();
-    PR_DumpGCHeap(_pr_dump_file, PR_TRUE);
-    _pr_do_a_dump = 0;
-    }
-#endif
-
-#ifdef GC_STATS
-    allocTime = PR_Now();
-#endif
-    bytes = (PRInt32) requestedBytes;
-
-    /*
-    ** Align bytes to a multiple of a PRWord, then add in enough space
-    ** to hold the header word.
-    **
-    ** MSVC 1.52 crashed on the ff. code because of the "complex" shifting :-(
-    */
-    /* Check for possible overflow of bytes before performing add */
-    if ((MAX_INT - PR_BYTES_PER_WORD) < bytes ) return NULL;
-    bytes = (bytes + PR_BYTES_PER_WORD - 1) >> PR_BYTES_PER_WORD_LOG2;
-    bytes <<= PR_BYTES_PER_WORD_LOG2;
-    /* Check for possible overflow of bytes before performing add */
-    if ((MAX_INT - sizeof(PRWord)) < bytes ) return NULL;
-    bytes += sizeof(PRWord);
-    /*
-     * Add in an extra word of memory for double-aligned memory. Some
-     * percentage of the time this will waste a word of memory (too
-     * bad). Howver, it makes the allocation logic much simpler and
-     * faster.
-     */
-#ifndef IS_64
-    if (dub) {
-        /* Check for possible overflow of bytes before performing add */
-        if ((MAX_INT - PR_BYTES_PER_WORD) < bytes ) return NULL;
-        bytes += PR_BYTES_PER_WORD;
-    }
-#endif
-
-#ifdef GC_CHECK
-    if (_pr_gcData.flags & GC_CHECK) {
-        /* Bloat the allocation a bit so that we can lay down
-           a check pattern that we will validate */
-        /* Check for possible overflow of bytes before performing add */
-        if ((MAX_INT - PR_BYTES_PER_WORD * 3) < bytes ) return NULL;
-        bytes += PR_BYTES_PER_WORD * 3;
-    }
-#endif
-
-#if defined(GC_CHECK) || defined(GC_STATS) || defined(GC_TRACEROOTS)
-    if ((MAX_INT - sizeof(GCBlockEnd)) < bytes ) return NULL;
-    bytes += sizeof(GCBlockEnd);
-#endif
-
-    PR_ASSERT( bytes < MAX_ALLOC_SIZE );
-    /*
-    ** Java can ask for objects bigger than MAX_ALLOC_SIZE,
-    ** but it won't get them.
-    */
-    if (bytes >= MAX_ALLOC_SIZE) return NULL;
-
-#ifdef DEBUG
-    if (gc_thrash == -1L ? (gc_thrash = (long)PR_GetEnv("GC_THRASH")):gc_thrash) PR_GC();
-#endif
-
-    ct = &_pr_collectorTypes[tix];
-    if (ct->flags & (_GC_TYPE_FINAL|_GC_TYPE_WEAK)) {
-    if (0 != ct->gctype.finalize) {
-        /*
-        ** Allocate a GCFinal struct for this object in advance. Don't put
-        ** it on the pending list until we have allocated the object
-        */
-        final = AllocFinalNode();
-        if (!final) {
-        /* XXX THIS IS NOT ACCEPTABLE*/
-		PR_ASSERT(0);
-        return 0;
-        }
-    }
-    if (0 != ct->gctype.getWeakLinkOffset) {
-        /*
-        ** Allocate a GCWeak struct for this object in advance. Don't put
-        ** it on the weak links list until we have allocated the object
-        */
-        weak = AllocWeakNode();
-        if (!weak) {
-        /* XXX THIS IS NOT ACCEPTABLE*/
-        if (0 != final) {
-            FreeFinalNode(final);
-        }
-		PR_ASSERT(0);
-        return 0;
-        }
-    }
-    }
-
-    LOCK_GC();
-#ifdef GC_CHECK
-    if (_pr_gcData.flags & GC_CHECK) CheckHeap();
-    allocationCount++;
-#endif
-
-    /* Check for overflow of maximum size we can handle */
-    if (bytes > MAX_ALLOC) goto lost;
-
-    /* Try default allocation */
-    p = ((bytes >= BIG_ALLOC) && (nsegs < MAX_SEGS)) ?
-        BigAlloc(tix, bytes, dub) : BinAlloc(tix, bytes, dub);
-    if (0 == p) {
-#ifdef GC_STATS
-        LL_SUB(ldelta, PR_Now(), allocTime);
-#endif
-        /* Collect some memory */
-        _GCTRACE(GC_ALLOC, ("force GC: want %d", bytes));
-        dogc();
-        PR_ASSERT( GC_IS_LOCKED() );
-
-        /* After a collection we check and see if we should grow the
-        ** heap. We grow the heap when the amount of memory free is less
-        ** than a certain percentage of the heap size. We don't check to
-        ** see if the grow succeeded because our fallback strategy in
-        ** either case is to try one more time to allocate. */
-        if ((_pr_gcData.allocMemory < _pr_gcData.maxMemory)
-        && ((_pr_gcData.freeMemory <
-            ((_pr_gcData.allocMemory * MIN_FREE_THRESHOLD_AFTER_GC) / 100L))
-        || (_pr_gcData.freeMemory < bytes))) {
-            GrowHeap(PR_MAX(bytes, segmentSize));
-        }
-#ifdef GC_STATS
-        LL_ADD(allocTime, PR_Now(), ldelta);
-#endif
-
-        /* Try again */
-        p = ((bytes >= BIG_ALLOC) && (nsegs < MAX_SEGS)) ?
-            BigAlloc(tix, bytes, dub) : BinAlloc(tix, bytes, dub);
-        if (0 == p) {
-            /* Well that lost big time. Memory must be pretty well fragmented */
-            if (!GrowHeap(PR_MAX(bytes, segmentSize))) goto lost;
-            p = BinAlloc(tix, bytes, dub);
-            if (0 == p) goto lost;
-        }
-    }
-
-    /* Zero out the portion of the object memory that was used by
-       the GCFreeChunk structure (skip the first word because it
-       was already overwritten by the gc header word) */
-    objBytes = OBJ_BYTES(p[0]);
-    if (objBytes > sizeof(PRWord)) p[1] = 0;
-    if (objBytes > sizeof(PRWord)*2) p[2] = 0;
-
-    if (final) {
-	_GCTRACE(GC_ALLOC, ("alloc 0x%x (%d) final=0x%x",
-                p, bytes, final));
-    final->object = p;
-    PR_APPEND_LINK(&final->links, &_pr_finalizeableObjects);
-    } else {
-	_GCTRACE(GC_ALLOC, ("alloc 0x%x (%d)", p, bytes));
-    }
-    if (weak) {
-    weak->object = p;
-    PR_APPEND_LINK(&weak->links, &_pr_weakLinks);
-    }
-    METER(meter.allocBytes += bytes);
-    METER(meter.wastedBytes += (bytes - requestedBytes));
-    UNLOCK_GC();
-
-    if (collectorCleanupNeeded) {
-	CollectorCleanup();
-    }
-
-#if defined(GC_CHECK) || defined(GC_STATS) || defined(GC_TRACEROOTS)
-    {
-	GCBlockEnd* end = (GCBlockEnd*)((char*)p + OBJ_BYTES(p[0]) - sizeof(GCBlockEnd));
-	end->check = PR_BLOCK_END;
-    }
-#endif
-#ifdef GC_STATS
-    {
-	PRInt64 now = PR_Now();
-	double delta;
-	PRInt32 bin;
-	GCBlockEnd* end = (GCBlockEnd*)((char*)p + OBJ_BYTES(p[0]) - sizeof(GCBlockEnd));
-
-	end->allocTime = allocTime;
-	LL_SUB(ldelta, now, allocTime);
-	LL_L2D(delta, ldelta);
-	InlineBinNumber(bin, requestedBytes);
-	end->bin = bin;
-	gcstats[bin].nallocs++;
-	gcstats[bin].allocTime += delta;
-	gcstats[bin].allocTimeVariance += delta * delta;
-    }
-#endif
-#ifdef GC_CHECK
-    if (_pr_gcData.flags & GC_CHECK) {
-    /* Place a pattern in the memory that was allocated that was not
-       requested. We will check the pattern later. */
-    char* cp = (char*)(p + 1) + requestedBytes;
-	GCBlockEnd* end = (GCBlockEnd*)((char*)p + OBJ_BYTES(p[0]) - sizeof(GCBlockEnd));
-	char i = (char) 0xff;
-	while (cp < (char*)end) {
-	    *cp++ = i--;
-	}
-	end->requestedBytes = requestedBytes;
-	CheckHeap();
-    }
-#endif
-    return p + 1;
-
-  lost:
-    /* Out of memory */
-    UNLOCK_GC();
-    if (final) {
-    FreeFinalNode(final);
-    }
-    if (weak) {
-    FreeWeakNode(weak);
-    }
-    if (collectorCleanupNeeded) {
-    CollectorCleanup();
-    }
-    return 0;
-}
-
-/* Shortcut allocator for objects that do not require finalization or
-   are weak objects */
-PR_IMPLEMENT(PRWord GCPTR *)
-PR_AllocSimpleMemory(PRWord requestedBytes, PRInt32 tix)
-{
-    PRWord *p;
-    PRInt32 bytes;
-    PRInt32 objBytes;
-#ifdef GC_STATS
-    PRInt64 allocTime, ldelta;
-#endif
-
-    if (!allocationEnabled) return NULL;
-
-    PR_ASSERT(requestedBytes >= 0);
-    PR_ASSERT(_pr_collectorTypes[tix].flags != 0);
-
-#ifdef DEBUG
-    if (_pr_do_a_dump) {
-	/*
-	** Collect, pause for a second (lets finalizer run), and then GC
-	** again.
-	*/
-	PR_GC();
-	PR_Sleep(PR_MicrosecondsToInterval(1000000L));
-	PR_GC();
-	PR_DumpGCHeap(_pr_dump_file, PR_TRUE);
-	_pr_do_a_dump = 0;
-    }
-#endif
-
-#ifdef GC_STATS
-    allocTime = PR_NowMS();
-#endif
-    bytes = (PRInt32) requestedBytes;
-
-    /*
-    ** Align bytes to a multiple of a PRWord, then add in enough space
-    ** to hold the header word.
-    **
-    ** MSVC 1.52 crashed on the ff. code because of the "complex" shifting :-(
-    */
-    bytes = (bytes + PR_BYTES_PER_WORD - 1) >> PR_BYTES_PER_WORD_LOG2;
-    bytes <<= PR_BYTES_PER_WORD_LOG2;
-    bytes += sizeof(PRWord);
-    
-    /*
-     * Add in an extra word of memory for double-aligned memory. Some
-     * percentage of the time this will waste a word of memory (too
-     * bad). Howver, it makes the allocation logic much simpler and
-     * faster.
-     */
-#ifndef IS_64
-    bytes += PR_BYTES_PER_WORD;
-#endif
-
-#ifdef GC_CHECK
-    if (_pr_gcData.flags & GC_CHECK) {
-    /* Bloat the allocation a bit so that we can lay down
-       a check pattern that we will validate */
-    bytes += PR_BYTES_PER_WORD * 2;
-    }
-#endif
-
-#if defined(GC_CHECK) || defined(GC_STATS) || defined(GC_TRACEROOTS)
-    bytes += sizeof(GCBlockEnd);
-#endif
-
-    /* Java can ask for objects bigger than 4M, but it won't get them */
-    /*
-     * This check was added because there is a fundamental limit of
-     * the size field maintained by the gc code.  Going over the 4M
-     * limit caused some bits to roll over into another bit field,
-     * violating the max segment size and causing a bug.
-     */
-    if (bytes >= MAX_ALLOC_SIZE) {
-        return NULL;
-    }
-#ifdef DEBUG
-    if (gc_thrash == -1L
-	? (gc_thrash = (long)PR_GetEnv("GC_THRASH"))
-	: gc_thrash) {
-	PR_GC();
-    }
-#endif
-
-    LOCK_GC();
-#ifdef GC_CHECK
-    if (_pr_gcData.flags & GC_CHECK) {
-    CheckHeap();
-    }
-    allocationCount++;
-#endif
-
-    /* Try default allocation */
-    if ((bytes >= BIG_ALLOC) && (nsegs < MAX_SEGS)) {
-    p = BigAlloc(tix, bytes, 1);
-    } else {
-    p = BinAlloc(tix, bytes, 1);
-    }
-    if (0 == p) {
-#ifdef GC_STATS
-      LL_SUB(ldelta, PR_Now(), allocTime);
-#endif
-      /* Collect some memory */
-      _GCTRACE(GC_ALLOC, ("force GC: want %d", bytes));
-      dogc();
-      PR_ASSERT( GC_IS_LOCKED() );
-
-      /* After a collection we check and see if we should grow the
-     heap. We grow the heap when the amount of memory free is less
-     than a certain percentage of the heap size. We don't check to
-     see if the grow succeeded because our fallback strategy in
-     either case is to try one more time to allocate. */
-      if ((_pr_gcData.allocMemory < _pr_gcData.maxMemory) &&
-      (_pr_gcData.freeMemory <
-       ((_pr_gcData.allocMemory * MIN_FREE_THRESHOLD_AFTER_GC) / 100L))) {
-    GrowHeap(PR_MAX(bytes, segmentSize));
-      }
-#ifdef GC_STATS
-      LL_ADD(allocTime, PR_Now(), ldelta);
-#endif
-
-      /* Try one last time */
-      if ((bytes >= BIG_ALLOC) && (nsegs < MAX_SEGS)) {
-    p = BigAlloc(tix, bytes, 1);
-      } else {
-    p = BinAlloc(tix, bytes, 1);
-      }
-      if (0 == p) {
-    /* Well that lost big time. Memory must be pretty well fragmented */
-    if (!GrowHeap(PR_MAX(bytes, segmentSize))) {
-      goto lost;
-    }
-    p = BinAlloc(tix, bytes, 1);
-    if (0 == p) goto lost;
-      }
-    }
-
-    /* Zero out the portion of the object memory that was used by
-       the GCFreeChunk structure (skip the first word because it
-       was already overwritten by the gc header word) */
-    objBytes = OBJ_BYTES(p[0]);
-    if (objBytes > sizeof(PRWord)) p[1] = 0;
-    if (objBytes > sizeof(PRWord)*2) p[2] = 0;
-
-    METER(meter.allocBytes += bytes);
-    METER(meter.wastedBytes += (bytes - requestedBytes));
-    UNLOCK_GC();
-
-    if (collectorCleanupNeeded) {
-	CollectorCleanup();
-    }
-
-#if defined(GC_CHECK) || defined(GC_STATS) || defined(GC_TRACEROOTS)
-    {
-	GCBlockEnd* end = (GCBlockEnd*)((char*)p + OBJ_BYTES(p[0]) - sizeof(GCBlockEnd));
-	end->check = PR_BLOCK_END;
-    }
-#endif
-#ifdef GC_STATS
-    {
-	PRInt64 now = PR_Now();
-	double delta;
-	PRInt32 bin;
-	GCBlockEnd* end = (GCBlockEnd*)((char*)p + OBJ_BYTES(p[0]) - sizeof(GCBlockEnd));
-
-	end->allocTime = allocTime;
-	LL_SUB(ldelta, now, allocTime);
-	LL_L2D(delta, ldelta);
-	InlineBinNumber(bin, requestedBytes);
-	end->bin = bin;
-	gcstats[bin].nallocs++;
-	gcstats[bin].allocTime += delta;
-	gcstats[bin].allocTimeVariance += delta * delta;
-    }
-#endif
-#ifdef GC_CHECK
-    if (_pr_gcData.flags & GC_CHECK) {
-    /* Place a pattern in the memory that was allocated that was not
-       requested. We will check the pattern later. */
-    char* cp = (char*)(p + 1) + requestedBytes;
-	GCBlockEnd* end = (GCBlockEnd*)((char*)p + OBJ_BYTES(p[0]) - sizeof(GCBlockEnd));
-	char i = (char) 0xff;
-	while (cp < (char*)end) {
-	    *cp++ = i--;
-	}
-	end->requestedBytes = requestedBytes;
-	CheckHeap();
-    }
-#endif
-    return p + 1;
-
-  lost:
-    /* Out of memory */
-    UNLOCK_GC();
-    if (collectorCleanupNeeded) {
-    CollectorCleanup();
-    }
-    return 0;
-}
-
-/************************************************************************/
-
-PR_IMPLEMENT(PRWord) PR_GetObjectHeader(void *ptr) {
-    GCSeg *sp;
-    PRWord *h;
-
-    if (ptr == 0) return 0;
-    sp = InHeap(ptr);
-    if (sp == 0) return 0;
-    h = (PRWord*)FindObject(sp, (PRWord*)ptr);
-    return GC_GET_USER_BITS(h[0]);
-}
-
-PR_IMPLEMENT(PRWord) PR_SetObjectHeader(void *ptr, PRWord newUserBits) {
-    GCSeg *sp;
-    PRWord *h, rv;
-
-    if (ptr == 0) return 0;
-    sp = InHeap(ptr);
-    if (sp == 0) return 0;
-    h = (PRWord*)FindObject(sp, (PRWord*)ptr);
-    rv = GC_GET_USER_BITS(h[0]);
-    h[0] = (h[0] & ~GC_USER_BITS) |
-    ((newUserBits << GC_USER_BITS_SHIFT) & GC_USER_BITS);
-    return rv;
-}
-
-PR_IMPLEMENT(void) PR_InitGC(
-    PRWord flags, PRInt32 initialHeapSize, PRInt32 segSize, PRThreadScope scope)
-{
-    static char firstTime = 1;
-
-    if (!firstTime) return;
-    firstTime = 0;
-
-    _pr_msgc_lm = PR_NewLogModule("msgc");
-    _pr_pageShift = PR_GetPageShift();
-    _pr_pageSize = PR_GetPageSize();
-
-  /* Setup initial heap size and initial segment size */
-  if (0 != segSize) segmentSize = segSize;
-#ifdef DEBUG
-    GC = PR_NewLogModule("GC");
-    {
-    char *ev = PR_GetEnv("GC_SEGMENT_SIZE");
-    if (ev && ev[0]) {
-      PRInt32 newSegmentSize = atoi(ev);
-      if (0 != newSegmentSize) segmentSize = newSegmentSize;
-    }
-    ev = PR_GetEnv("GC_INITIAL_HEAP_SIZE");
-    if (ev && ev[0]) {
-      PRInt32 newInitialHeapSize = atoi(ev);
-      if (0 != newInitialHeapSize) initialHeapSize = newInitialHeapSize;
-    }
-    ev = PR_GetEnv("GC_FLAGS");
-    if (ev && ev[0]) {
-        flags |= atoi(ev);
-    }
-#ifdef GCMETER
-        ev = PR_GetEnv("GC_METER");
-        if (ev && ev[0]) {
-            _pr_gcMeter = atoi(ev);
-        }
-#endif
-    }
-#endif
-  if (0 == initialHeapSize) initialHeapSize = segmentSize;
-  if (initialHeapSize < segmentSize) initialHeapSize = segmentSize;
-
-  _pr_gcData.maxMemory   = MAX_SEGS * segmentSize;
-  _pr_gcData.liveBlock  = ProcessRootBlock;
-  _pr_gcData.livePointer = ProcessRootPointer;
-  _pr_gcData.processRootBlock  = ProcessRootBlock;
-  _pr_gcData.processRootPointer = ProcessRootPointer;
-  _pr_gcData.dumpOutput = NULL;
-
-  PR_INIT_CLIST(&_pr_finalizeableObjects);
-    PR_INIT_CLIST(&_pr_finalQueue);
-    _PR_InitGC(flags);
-
-    /* Create finalizer thread */
-    _PR_CreateFinalizer(scope);
-
-  /* Allocate the initial segment for the heap */
-  minBin = 31;
-  maxBin = 0;
-  GrowHeap(initialHeapSize);
-    PR_RegisterRootFinder(ScanWeakFreeList, "scan weak free list", 0);
-}
-
-/** Added by Vishy for sanity checking a few GC structures **/
-/** Can use SanityCheckGC to debug corrupted GC Heap situations **/
-
-#ifdef DEBUG
-
-static int SegmentOverlaps(int i, int j)
-{
-  return
-    (((segs[i].limit > segs[j].base) && (segs[i].base < segs[j].base)) ||
-     ((segs[j].limit > segs[i].base) && (segs[j].base < segs[i].base)));
-}
-
-static void NoSegmentOverlaps(void)
-{
-  int i,j;
-
-  for (i = 0; i < nsegs; i++)
-    for (j = i+1 ; j < nsegs ; j++)
-      PR_ASSERT(!SegmentOverlaps(i,j));
-}
-
-static void SegInfoCheck(void)
-{
-  int i;
-  for (i = 0 ; i < nsegs ; i++)
-    PR_ASSERT((segs[i].info->hbits) &&
-	      (segs[i].info->hbits == segs[i].hbits) &&
-	      (segs[i].info->base == segs[i].base) &&
-	      (segs[i].info->limit == segs[i].limit));
-}
-
-static void SanityCheckGC()
-{
-  NoSegmentOverlaps();
-  SegInfoCheck();
-}
-
-#endif
-
-#if defined(DEBUG) && defined(WIN32)
-
-extern void *baseaddr;
-extern void *lastaddr;
-
-PR_IMPLEMENT(void)
-PR_PrintGCStats(void)
-{
-    long reportedSegSpace = _pr_gcData.busyMemory + _pr_gcData.freeMemory;
-    char* msg;
-    long largeCount = 0, largeSize = 0;
-    long segCount = 0, segSize = 0;
-    long freeCount = 0, freeSize = 0;
-    GCSeg *sp, *esp;
-    GCSegInfo* si;
-
-    LOCK_GC();
-
-    sp = segs;
-    esp = sp + nsegs;
-    while (sp < esp) {
-    long size = sp->info->limit - sp->info->base;
-    segCount++;
-    segSize += size;
-        if (sp->info->fromMalloc) {
-        largeCount++;
-        largeSize += size;
-    }
-        sp++;
-    }
-
-    si = freeSegs;
-    while (si != NULL) {
-    long size = si->limit - si->base;
-    freeCount++;
-    freeSize += size;
-    si = si->next;
-    }
-    
-    msg = PR_smprintf("\
-# GC Stats:\n\
-#   vm space:\n\
-#     range:      %ld - %ld\n\
-#     size:       %ld\n\
-#   segments:\n\
-#     range:      %ld - %ld\n\
-#     count:      %ld (reported: %ld)\n\
-#     size:       %ld (reported: %ld)\n\
-#     free count: %ld\n\
-#     free size:  %ld\n\
-#     busy objs:  %ld (%ld%%)\n\
-#     free objs:  %ld (%ld%%)\n\
-#   large blocks:\n\
-#     count:      %ld\n\
-#     total size: %ld (%ld%%)\n\
-#     avg size:   %ld\n\
-",
-              /* vm space */
-              (long)baseaddr, (long)lastaddr,
-              (long)lastaddr - (long)baseaddr,
-              /* segments */
-              _pr_gcData.lowSeg, _pr_gcData.highSeg,
-              segCount, nsegs,
-              segSize, reportedSegSpace,
-              freeCount,
-              freeSize,
-              _pr_gcData.busyMemory,
-              (_pr_gcData.busyMemory * 100 / reportedSegSpace),
-              _pr_gcData.freeMemory,
-              (_pr_gcData.freeMemory * 100 / reportedSegSpace),
-              /* large blocks */
-              largeCount,
-              largeSize, (largeSize * 100 / reportedSegSpace),
-              (largeCount ? largeSize / largeCount : 0)
-              );
-    UNLOCK_GC();
-    fprintf(stderr, msg);
-    OutputDebugString(msg);
-    PR_smprintf_free(msg);
-#ifdef GC_STATS
-    PR_PrintGCAllocStats();
-#endif
-}
-#endif
-
-PR_IMPLEMENT(void)
-PR_DumpToFile(char* filename, char* msg, PRFileDumper dump, PRBool detailed)
-{
-    FILE *out;
-    OutputDebugString(msg);
-    out = fopen(filename, "a");
-    if (!out) {
-	char buf[64];
-	PR_ASSERT(strlen(filename) < sizeof(buf) - 16);
-	PR_snprintf(buf, sizeof(buf), "Can't open \"%s\"\n",
-		    filename);
-	OutputDebugString(buf);
-    }
-    else
-    {
-	struct tm *newtime;
-	time_t aclock;
-	int i;
-
-	time(&aclock);
-	newtime = localtime(&aclock);
-	fprintf(out, "%s on %s\n", msg, asctime(newtime));  /* Print current time */
-	dump(out, detailed);
-	fprintf(out, "\n\n");
-	for (i = 0; i < 80; i++)
-	    fprintf(out, "=");
-	fprintf(out, "\n\n");
-	fclose(out);
-    }
-    OutputDebugString(" done\n");
-}
-
diff --git a/nsprpub/lib/msgc/src/unixgc.c b/nsprpub/lib/msgc/src/unixgc.c
deleted file mode 100644
index cea4225ebee6..000000000000
--- a/nsprpub/lib/msgc/src/unixgc.c
+++ /dev/null
@@ -1,155 +0,0 @@
-/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape Portable Runtime (NSPR).
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1998-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "prlock.h"
-#include "prlog.h"
-#include "prmem.h"
-#include "gcint.h"
-
-#include 
-#include 
-#include 
-#include 
-#include 
-
-#define _PR_GC_VMBASE 0x40000000
-
-#if defined(SOLARIS)
-#define _MD_MMAP_FLAGS MAP_SHARED
-#elif defined(RELIANTUNIX)
-#define _MD_MMAP_FLAGS MAP_PRIVATE|MAP_FIXED
-#else
-#define _MD_MMAP_FLAGS MAP_PRIVATE
-#endif
-
-static PRInt32 zero_fd = -1;
-static PRLock *zero_fd_lock = NULL;
-
-void _MD_InitGC(void)
-{
-#ifdef DEBUG
-    /*
-     * Disable using mmap(2) if NSPR_NO_MMAP is set
-     */
-    if (getenv("NSPR_NO_MMAP")) {
-        zero_fd = -2;
-        return;
-    }
-#endif
-    zero_fd = open("/dev/zero",O_RDWR , 0);
-    zero_fd_lock = PR_NewLock();
-}
-
-/* This static variable is used by _MD_GrowGCHeap and _MD_ExtendGCHeap */
-static void *lastaddr = (void*) _PR_GC_VMBASE;
-
-void *_MD_GrowGCHeap(PRUint32 *sizep)
-{
-	void *addr;
-	PRUint32 size;
-
-	size = *sizep;
-
-	PR_Lock(zero_fd_lock);
-	if (zero_fd < 0) {
-		goto mmap_loses;
-	}
-
-	/* Extend the mapping */
-	addr = mmap(lastaddr, size, PROT_READ|PROT_WRITE|PROT_EXEC,
-	    _MD_MMAP_FLAGS,
-	    zero_fd, 0);
-	if (addr == (void*)-1) {
-		zero_fd = -1;
-		goto mmap_loses;
-	}
-	lastaddr = ((char*)addr + size);
-#ifdef DEBUG
-	PR_LOG(_pr_msgc_lm, PR_LOG_WARNING,
-	    ("GC: heap extends from %08x to %08x\n",
-	    _PR_GC_VMBASE,
-	    _PR_GC_VMBASE + (char*)lastaddr - (char*)_PR_GC_VMBASE));
-#endif
-	PR_Unlock(zero_fd_lock);
-	return addr;
-
-mmap_loses:
-	PR_Unlock(zero_fd_lock);
-	return PR_MALLOC(size);
-}
-
-/* XXX - This is disabled.  MAP_FIXED just does not work. */
-#if 0
-PRBool _MD_ExtendGCHeap(char *base, PRInt32 oldSize, PRInt32 newSize) {
-	PRBool rv = PR_FALSE;
-	void* addr;
-	PRInt32 allocSize = newSize - oldSize;
-
-	PR_Lock(zero_fd_lock);
-	addr = mmap(base + oldSize, allocSize, PROT_READ|PROT_WRITE|PROT_EXEC,
-	    _MD_MMAP_FLAGS | MAP_FIXED, zero_fd, 0);
-	if (addr == (void*)-1) {
-		goto loser;
-	}
-	if (addr != (void*) (base + oldSize)) {
-		munmap(base + oldSize, allocSize);
-		goto loser;
-	}
-	lastaddr = ((char*)base + newSize);
-	PR_LOG(_pr_msgc_lm, PR_LOG_ALWAYS,
-	    ("GC: heap now extends from %p to %p",
-	    base, base + newSize));
-	rv = PR_TRUE;
-
-loser:
-	PR_Unlock(zero_fd_lock);
-	return rv;
-}
-#else
-PRBool _MD_ExtendGCHeap(char *base, PRInt32 oldSize, PRInt32 newSize) {
-	return PR_FALSE;
-}
-#endif
-
-void _MD_FreeGCSegment(void *base, PRInt32 len)
-{
-	if (zero_fd < 0) {
-		PR_DELETE(base);
-	} else {
-		(void) munmap(base, len);
-	}
-}
diff --git a/nsprpub/lib/msgc/src/win32gc.c b/nsprpub/lib/msgc/src/win32gc.c
deleted file mode 100644
index eec83774eb19..000000000000
--- a/nsprpub/lib/msgc/src/win32gc.c
+++ /dev/null
@@ -1,129 +0,0 @@
-/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape Portable Runtime (NSPR).
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1998-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/*
- * GC related routines
- *
- */
-#include 
-#include "prlog.h"
-
-extern PRLogModuleInfo* _pr_msgc_lm;
-
-#define GC_VMBASE               0x40000000
-#define GC_VMLIMIT              0x00FFFFFF
-
-/************************************************************************/
-/*
-** Machine dependent GC Heap management routines:
-**    _MD_GrowGCHeap
-*/
-/************************************************************************/
-
-void *baseaddr = (void*) GC_VMBASE;
-void *lastaddr = (void*) GC_VMBASE;
-
-void _MD_InitGC() {}
-
-void *_MD_GrowGCHeap(PRUint32 *sizep)
-{
-    void *addr;
-    size_t size;
-
-    /* Reserve a block of memory for the GC */
-    if( lastaddr == baseaddr ) {
-        addr = VirtualAlloc( (void *)GC_VMBASE, GC_VMLIMIT, MEM_RESERVE, PAGE_READWRITE );
-
-        /* 
-        ** If the GC_VMBASE address is already mapped, then let the OS choose a 
-        ** base address that is available...
-        */
-        if (addr == NULL) {
-            addr = VirtualAlloc( NULL, GC_VMLIMIT, MEM_RESERVE, PAGE_READWRITE );
-
-            baseaddr = lastaddr = addr;
-            if (addr == NULL) {
-                PR_LOG(_pr_msgc_lm, PR_LOG_ALWAYS, ("GC: unable to allocate heap: LastError=%ld",
-                       GetLastError()));
-                return 0;
-            }
-        }
-    }
-    size = *sizep;
-
-    /* Extend the mapping */
-    addr = VirtualAlloc( lastaddr, size, MEM_COMMIT, PAGE_READWRITE );
-    if (addr == NULL) {
-        return 0;
-    }
-
-    lastaddr = ((char*)addr + size);
-    PR_LOG(_pr_msgc_lm, PR_LOG_ALWAYS,
-	   ("GC: heap extends from %08x to %08x",
-	    baseaddr, (long)baseaddr + (char*)lastaddr - (char*)baseaddr));
-
-    return addr;
-}
-
-PRBool _MD_ExtendGCHeap(char *base, PRInt32 oldSize, PRInt32 newSize) {
-  void* addr;
-
-  addr = VirtualAlloc( base + oldSize, newSize - oldSize,
-		       MEM_COMMIT, PAGE_READWRITE );
-  if (NULL == addr) {
-    PR_LOG(_pr_msgc_lm, PR_LOG_ALWAYS, ("GC: unable to extend heap: LastError=%ld",
-		     GetLastError()));
-    return PR_FALSE;
-  }
-  if (base + oldSize != (char*)addr) {
-    PR_LOG(_pr_msgc_lm, PR_LOG_ALWAYS, ("GC: segment extension returned %x instead of %x",
-		     addr, base + oldSize));
-    VirtualFree(addr, newSize - oldSize, MEM_DECOMMIT);
-    return PR_FALSE;
-  }
-  lastaddr = base + newSize;
-  PR_LOG(_pr_msgc_lm, PR_LOG_ALWAYS,
-	 ("GC: heap now extends from %p to %p",
-	  base, base + newSize));
-  return PR_TRUE;
-}
-
-
-void _MD_FreeGCSegment(void *base, PRInt32 len)
-{
-     (void)VirtualFree(base, 0, MEM_RELEASE);
-}
diff --git a/nsprpub/lib/msgc/tests/.cvsignore b/nsprpub/lib/msgc/tests/.cvsignore
deleted file mode 100644
index f3c7a7c5da68..000000000000
--- a/nsprpub/lib/msgc/tests/.cvsignore
+++ /dev/null
@@ -1 +0,0 @@
-Makefile
diff --git a/nsprpub/lib/msgc/tests/Makefile.in b/nsprpub/lib/msgc/tests/Makefile.in
deleted file mode 100644
index 51031ed39bbf..000000000000
--- a/nsprpub/lib/msgc/tests/Makefile.in
+++ /dev/null
@@ -1,270 +0,0 @@
-# 
-# ***** BEGIN LICENSE BLOCK *****
-# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-#
-# The contents of this file are subject to the Mozilla Public License Version
-# 1.1 (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-# http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS IS" basis,
-# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-# for the specific language governing rights and limitations under the
-# License.
-#
-# The Original Code is the Netscape Portable Runtime (NSPR).
-#
-# The Initial Developer of the Original Code is
-# Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1998-2000
-# the Initial Developer. All Rights Reserved.
-#
-# Contributor(s):
-#
-# Alternatively, the contents of this file may be used under the terms of
-# either the GNU General Public License Version 2 or later (the "GPL"), or
-# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-# in which case the provisions of the GPL or the LGPL are applicable instead
-# of those above. If you wish to allow use of your version of this file only
-# under the terms of either the GPL or the LGPL, and not to allow others to
-# use your version of this file under the terms of the MPL, indicate your
-# decision by deleting the provisions above and replace them with the notice
-# and other provisions required by the GPL or the LGPL. If you do not delete
-# the provisions above, a recipient may use your version of this file under
-# the terms of any one of the MPL, the GPL or the LGPL.
-#
-# ***** END LICENSE BLOCK *****
-
-#! gmake
-
-MOD_DEPTH	= ../../..
-topsrcdir	= @top_srcdir@
-srcdir		= @srcdir@
-VPATH		= @srcdir@
-
-include $(MOD_DEPTH)/config/autoconf.mk
-
-include $(topsrcdir)/config/config.mk
-
-ifeq ($(OS_TARGET), OS2)
-OS_CFLAGS = $(OS_EXE_CFLAGS)
-endif
-
-CSRCS = gc1.c thrashgc.c
-
-ifeq (,$(filter-out WINNT OS2,$(OS_ARCH)))
-PROG_SUFFIX = .exe
-else
-PROG_SUFFIX =
-endif
-
-PROGS = $(addprefix $(OBJDIR)/, $(CSRCS:.c=$(PROG_SUFFIX)))
-
-TARGETS = $(PROGS) $(OBJS)
-
-INCLUDES = -I$(dist_includedir)
-
-# Setting the variables LDOPTS and LIBPR.  We first initialize
-# them to the default values, then adjust them for some platforms.
-LDOPTS = -L$(dist_libdir)
-NSPR_VERSION = $(MOD_MAJOR_VERSION)
-GC_VERSION = $(MOD_MAJOR_VERSION)
-LIBPR = -lnspr$(NSPR_VERSION)
-LIBPLC = -lplc$(NSPR_VERSION)
-LIBGC = -lmsgc$(GC_VERSION)
-
-ifeq ($(OS_ARCH), WINNT)
-  LDOPTS = -NOLOGO -DEBUG -INCREMENTAL:NO
-  LIBPR = $(dist_libdir)/libnspr$(NSPR_VERSION).$(LIB_SUFFIX)
-  LIBPLC = $(dist_libdir)/libplc$(NSPR_VERSION).$(LIB_SUFFIX)
-  LIBGC= $(dist_libdir)/libmsgc$(GC_VERSION).$(LIB_SUFFIX)
-endif
-
-ifeq ($(OS_ARCH),OS2)
-  LDOPTS += -Zomf -Zlinker /PM:VIO
-endif
-
-ifneq ($(OS_ARCH), WINNT)
-PWD = $(shell pwd)
-endif
-
-ifeq ($(OS_ARCH), IRIX)
-LDOPTS += -rpath $(PWD)/$(dist_libdir) -rdata_shared
-
-# For 6.x machines, include this flag
-ifeq ($(basename $(OS_RELEASE)),6)
-ifeq ($(USE_N32),1)
-LDOPTS += -n32
-else
-LDOPTS += -32
-endif
-endif
-
-endif
-
-ifeq ($(OS_ARCH), OSF1)
-# I haven't figured out how to pass -rpath to cc on OSF1 V3.2, so
-# we do static linking.
-ifeq ($(OS_RELEASE), V3.2)
-  LIBPR = $(dist_libdir)/libnspr$(NSPR_VERSION).a
-  LIBPLC = $(dist_libdir)/libplc$(NSPR_VERSION).a
-  LIBGC = $(dist_libdir)/libmsgc$(GC_VERSION).a
-  EXTRA_LIBS = -lc_r
-else
-  LDOPTS += -rpath $(PWD)/$(dist_libdir)
-endif
-endif
-
-ifeq ($(OS_ARCH), HP-UX)
-LDOPTS += -z -Wl,+s,+b,$(PWD)/$(dist_libdir)
-endif
-
-# AIX
-ifeq ($(OS_ARCH),AIX)
-LDOPTS += -blibpath:$(PWD)/$(dist_libdir):/usr/lib:/lib
-ifeq ($(OS_ARCH)$(OS_RELEASE),AIX4.1)
-LIBPR = -lnspr$(NSPR_VERSION)_shr
-LIBPLC = -lplc$(NSPR_VERSION)_shr
-LIBGC = -lmsgc$(GC_VERSION)_shr
-else
-LDOPTS += -brtl
-EXTRA_LIBS = -ldl
-endif
-endif
-
-# Solaris
-ifeq ($(OS_ARCH), SunOS)
-ifneq ($(OS_RELEASE), 4.1.3_U1)
-ifdef NS_USE_GCC
-LDOPTS += -Xlinker -R -Xlinker $(PWD)/$(dist_libdir)
-else
-LDOPTS += -R $(PWD)/$(dist_libdir)
-endif
-endif
-
-# SunOS 5.5 needs to link with -lpthread, even though we already
-# linked with this system library when we built libnspr.so.
-ifeq ($(OS_RELEASE), 5.5)
-ifdef USE_PTHREADS
-EXTRA_LIBS = -lpthread
-endif
-endif
-endif # SunOS
-
-ifeq ($(OS_ARCH),NEC)
-EXTRA_LIBS = $(OS_LIBS)
-# This hardcodes in the executable programs the directory to find
-# libnspr.so etc. at program startup.  Equivalent to the -R or -rpath
-# option for ld on other platforms.
-export LD_RUN_PATH = $(PWD)/$(dist_libdir)
-endif
-
-ifeq ($(OS_ARCH), NCR)
-# XXX: We see some strange problems when we link with libnspr.so.
-# So for now we use static libraries on NCR.  The shared library
-# stuff below is commented out.
-LIBPR = $(dist_libdir)/libnspr$(NSPR_VERSION).a
-LIBPLC = $(dist_libdir)/libplc$(NSPR_VERSION).a
-LIBGC = $(dist_libdir)/libmsgc$(GC_VERSION).a
-EXTRA_LIBS = -lsocket -lnsl -ldl
-
-# NCR needs to link against -lsocket -lnsl (and -lc, which is linked
-# implicitly by $(CC)) again even though we already linked with these
-# system libraries when we built libnspr.so.
-#EXTRA_LIBS = -lsocket -lnsl
-# This hardcodes in the executable programs the directory to find
-# libnspr.so etc. at program startup.  Equivalent to the -R or -rpath 
-# option for ld on other platforms.
-#export LD_RUN_PATH = $(PWD)/$(dist_libdir)
-endif
-
-ifeq ($(OS_ARCH), Linux)
-ifeq ($(OS_RELEASE), 1.2)
-EXTRA_LIBS = -ldl
-endif
-endif
-
-ifeq ($(OS_ARCH), SCOOS)
-# SCO Unix needs to link against -lsocket again even though we
-# already linked with these system libraries when we built libnspr.so.
-EXTRA_LIBS = -lsocket
-# This hardcodes in the executable programs the directory to find
-# libnspr.so etc. at program startup.  Equivalent to the -R or -rpath 
-# option for ld on other platforms.
-export LD_RUN_PATH = $(PWD)/$(dist_libdir)
-endif
-
-ifeq ($(OS_ARCH),SINIX)
-EXTRA_LIBS = -lsocket -lnsl -lresolv -ldl
-# This hardcodes in the executable programs the directory to find
-# libnspr.so etc. at program startup.  Equivalent to the -R or -rpath
-# option for ld on other platforms.
-export LD_RUN_PATH = $(PWD)/$(dist_libdir)
-endif
-
-ifeq ($(OS_ARCH), UNIXWARE)
-export LD_RUN_PATH = $(PWD)/$(dist_libdir)
-endif
-
-ifeq ($(OS_ARCH),BSD_OS)
-EXTRA_LIBS = -ldl
-endif
-
-ifeq ($(OS_ARCH),DGUX)
-EXTRA_LIBS = -lsocket -lnsl -ldl
-endif
-
-#####################################################
-#
-# The rules
-#
-#####################################################
-
-include $(topsrcdir)/config/rules.mk
-
-AIX_PRE_4_2 = 0
-ifeq ($(OS_ARCH),AIX)
-ifneq ($(OS_RELEASE),4.2)
-ifneq ($(USE_PTHREADS), 1)
-#AIX_PRE_4_2 = 1
-endif
-endif
-endif
-
-ifeq ($(AIX_PRE_4_2),1)
-
-# AIX releases prior to 4.2 need a special two-step linking hack
-# in order to both override the system select() and be able to 
-# get at the original system select().
-#
-# We use a pattern rule in ns/nspr20/config/rules.mk to generate
-# the .$(OBJ_SUFFIX) file from the .c source file, then do the
-# two-step linking hack below.
-
-$(OBJDIR)/%: $(OBJDIR)/%.$(OBJ_SUFFIX)
-	@$(MAKE_OBJDIR)
-	rm -f $@ $(AIX_TMP)
-	$(CC) $(AIX_LINK_OPTS) -o $(AIX_TMP) $< $(dist_libdir)/libnspr$(NSPR_VERSION).a
-	$(CC) -o $@ $(AIX_TMP) $(AIX_WRAP)
-	rm -f $(AIX_TMP)
-
-else
-
-# All platforms that are not AIX pre-4.2.
-
-$(OBJDIR)/%$(PROG_SUFFIX): $(OBJDIR)/%.$(OBJ_SUFFIX)
-	@$(MAKE_OBJDIR)
-ifeq ($(OS_ARCH), WINNT)
-	link $(LDOPTS) $< $(LIBGC) $(LIBPLC) $(LIBPR) wsock32.lib -out:$@
-else
-ifeq ($(OS_ARCH),OS2)
-	$(LINK) $(LDOPTS) $< $(LIBGC) $(LIBPLC) $(LIBPR) $(OS_LIBS) $(EXTRA_LIBS) -o $@
-else
-	$(CC) $(XCFLAGS) $< $(LDOPTS) $(LIBGC) $(LIBPLC) $(LIBPR) $(EXTRA_LIBS) -o $@
-endif
-endif
-endif
-
-export:: $(TARGETS)
-clean::
-	rm -f $(TARGETS)
diff --git a/nsprpub/lib/msgc/tests/gc1.c b/nsprpub/lib/msgc/tests/gc1.c
deleted file mode 100644
index 9bd485e92489..000000000000
--- a/nsprpub/lib/msgc/tests/gc1.c
+++ /dev/null
@@ -1,242 +0,0 @@
-/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape Portable Runtime (NSPR).
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1998-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/***********************************************************************
-** Includes
-***********************************************************************/
-/* Used to get the command line option */
-#include "plgetopt.h"
-
-#include "prgc.h"
-#include "prinit.h"
-#include "prmon.h"
-#include "prinrval.h"
-#include "private/pprthred.h"
-
-#include 
-#include 
-
-static PRMonitor *mon;
-static PRInt32 threads, waiting, iterations;
-static PRInt32 scanCount, finalizeCount, freeCount;
-
-PRIntn failed_already=0;
-PRIntn debug_mode;
-
-
-typedef struct Array {
-    PRUintn size;
-    void *body[1];
-} Array;
-
-int arrayTypeIndex;
-
-static void PR_CALLBACK ScanArray(void *a)
-{
-/*	printf ("In ScanArray a = %X size = %d \n", a, a->size); */
-	scanCount++;
-}
-
-static void PR_CALLBACK FinalizeArray(void *a)
-{
-/*	printf ("In FinalizeArray a = %X size = %d \n", a, a->size); */	
-	finalizeCount++;
-}
-
-static void PR_CALLBACK FreeArray(void *a)
-{
-/*	printf ("In FreeArray\n");	*/
-	freeCount++;
-}
-
-static Array *NewArray(PRUintn size)
-{
-    Array *a;
-
-    a = (Array *)PR_AllocMemory(sizeof(Array) + size*sizeof(void*) - 1*sizeof(void*),
-                       arrayTypeIndex, PR_ALLOC_CLEAN);
-
-/*	printf ("In NewArray a = %X \n", a); */	
-
-    if (a)
-        a->size = size;
-    return a;
-}
-
-GCType arrayType = {
-    ScanArray,
-    FinalizeArray,
-    0,
-    0,
-    FreeArray,
-    0
-};
-
-static void Initialize(void)
-{
-    PR_InitGC(0, 0, 0, PR_GLOBAL_THREAD);
-    arrayTypeIndex = PR_RegisterType(&arrayType);
-}
-
-static void PR_CALLBACK AllocateLikeMad(void *arg)
-{
-    Array *prev;
-    PRInt32 i;
-	PRInt32 count;
-
-	count = (PRInt32)arg;
-    prev = 0;
-    for (i = 0; i < count; i++) {
-        Array *leak = NewArray(i & 511);
-        if ((i & 1023) == 0) {
-            prev = 0;                   /* forget */
-        } else {
-            if (i & 1) {
-                prev = leak;            /* remember */
-            }
-        }
-    }
-    PR_EnterMonitor(mon);
-    waiting++;
-    PR_Notify(mon);
-    PR_ExitMonitor(mon);
-}
-
-int main(int argc, char **argv)
-{
-    PRIntervalTime start, stop, usec;
-    double d;
-    PRIntn i, totalIterations;
-	/* The command line argument: -d is used to determine if the test is being run
-	in debug mode. The regress tool requires only one line output:PASS or FAIL.
-	All of the printfs associated with this test has been handled with a if (debug_mode)
-	test.
-	Usage: test_name -d
-	*/
-	PLOptStatus os;
-	PLOptState *opt = PL_CreateOptState(argc, argv, "dt:c:");
-
-	threads = 10;
-	iterations = 100;
-
-	while (PL_OPT_EOL != (os = PL_GetNextOpt(opt)))
-    {
-        if (PL_OPT_BAD == os) {
-            fprintf(stderr, "Invalid command-line option\n");
-            exit(1);
-        }
-        switch (opt->option)
-        {
-        case 'd':  /* debug mode */
-			debug_mode = 1;
-            break;
-        case 't':  /* number of threads */
-            threads = atoi(opt->value);
-            break;
-        case 'c':  /* iteration count */
-            iterations = atoi(opt->value);
-            break;
-        default:
-            break;
-        }
-    }
-	PL_DestroyOptState(opt);
-
-    fprintf(stderr, "t is %ld, i is %ld\n", (long) threads, (long) iterations);
-	/* main test */
-
-    PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 5);
-    PR_STDIO_INIT();
-    Initialize();
-
-    /* Spin all of the allocator threads and then wait for them to exit */
-    start = PR_IntervalNow();
-    mon = PR_NewMonitor();
-    PR_EnterMonitor(mon);
-    waiting = 0;
-    for (i = 0; i < threads; i++) {
-        (void) PR_CreateThreadGCAble(PR_USER_THREAD,
-                               AllocateLikeMad, (void*)iterations,
-						      PR_PRIORITY_NORMAL,
-						      PR_LOCAL_THREAD,
-		    				  PR_UNJOINABLE_THREAD,
-						      0);
-    }
-    while (waiting != threads) {
-        PR_Wait(mon, PR_INTERVAL_NO_TIMEOUT);
-    }
-    PR_ExitMonitor(mon);
-
-	PR_GC();
-	PR_ForceFinalize();	
-
-	totalIterations = iterations * threads;
-/*
-	if (scanCount != totalIterations)
-		printf ("scanCount discrepancy scanCount = %d totalIterations = %d \n", 
-			scanCount, totalIterations);
-	if (freeCount != totalIterations)
-		printf ("freeCount discrepancy freeCount = %d totalIterations = %d \n", 
-			freeCount, totalIterations);
-	if ((finalizeCount != totalIterations) && (finalizeCount != (totalIterations-1)))
-		printf ("finalizeCount discrepancy finalizeCount = %d totalIterations = %d \n", 
-			finalizeCount,totalIterations);
-*/
-
-    stop = PR_IntervalNow();
-    
-    usec = stop = stop - start;
-    d = (double)usec;
-
-    if (debug_mode) printf("%40s: %6.2f usec\n", "GC allocation", d / (iterations * threads));
-	else {
-		if (d == 0.0) failed_already = PR_TRUE;
-
-	}
-
-    PR_Cleanup();
-	if(failed_already)	
-	{
-	    printf("FAIL\n");
-		return 1;
-	}
-	else
-	{
-	    printf("PASS\n");
-		return 0;
-	}
-}
diff --git a/nsprpub/lib/msgc/tests/thrashgc.c b/nsprpub/lib/msgc/tests/thrashgc.c
deleted file mode 100644
index a440d4949b17..000000000000
--- a/nsprpub/lib/msgc/tests/thrashgc.c
+++ /dev/null
@@ -1,242 +0,0 @@
-/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape Portable Runtime (NSPR).
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1998-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-/***********************************************************************
-** Name: thrashgc
-**
-** Description: test garbace collection functions.
-**
-** Modification History:
-** 19-May-97 AGarcia- Converted the test to accomodate the debug_mode flag.
-**	         The debug mode will print all of the printfs associated with this test.
-**			 The regress mode will be the default mode. Since the regress tool limits
-**           the output to a one line status:PASS or FAIL,all of the printf statements
-**			 have been handled with an if (debug_mode) statement.
-** 04-June-97 AGarcia removed the Test_Result function. Regress tool has been updated to
-**			recognize the return code from tha main program.
-***********************************************************************/
-/***********************************************************************
-** Includes
-***********************************************************************/
-#include "prthread.h"
-#include "prgc.h"
-#include "prprf.h"
-#include "prinrval.h"
-#include "prlock.h"
-#include "prinit.h"
-#include "prcvar.h"
-
-#include "private/pprthred.h"
-
-#include 
-#include 
-#include 
-
-
-PRIntn failed_already=0;
-PRIntn debug_mode;
-
-static char* progname;
-static PRInt32 loops = 1000;
-static int tix1, tix2, tix3;
-static GCInfo* gcInfo;
-static PRLock* stderrLock;
-
-typedef struct Type1 Type1;
-typedef struct Type2 Type2;
-
-struct Type1 {
-  Type2* atwo;
-  Type1* next;
-};
-
-struct Type2 {
-  void* buf;
-};
-
-static void PR_CALLBACK ScanType1(void *obj) {
-  gcInfo->livePointer(((Type1 *)obj)->atwo);
-  gcInfo->livePointer(((Type1 *)obj)->next);
-}
-
-static void PR_CALLBACK ScanType2(void *obj) {
-  gcInfo->livePointer(((Type2 *)obj)->buf);
-}
-
-static GCType type1 = {
-    ScanType1
-};
-
-static GCType type2 = {
-    ScanType2
-/*  (void (*)(void*)) ScanType2 */
-};
-
-static GCType type3 = {
-  0
-};
-
-Type1* NewType1(void) {
-    Type1* p = (Type1*) PR_AllocMemory(sizeof(Type1), tix1, PR_ALLOC_DOUBLE);
-    PR_ASSERT(p != NULL);
-    return p;
-}
-
-Type2* NewType2(void) {
-    Type2* p = (Type2*) PR_AllocMemory(sizeof(Type2), tix2, PR_ALLOC_DOUBLE);
-    PR_ASSERT(p != NULL);
-    return p;
-}
-
-void* NewBuffer(PRInt32 size) {
-    void* p = PR_AllocMemory(size, tix3, PR_ALLOC_DOUBLE);
-    PR_ASSERT(p != NULL);
-    return p;
-}
-
-/* Allocate alot of garbage */
-static void PR_CALLBACK AllocStuff(void *unused) {
-  PRInt32 i;
-  void* danglingRefs[50];
-  PRIntervalTime start, end;
-  char msg[100];
-
-  start = PR_IntervalNow();
-  for (i = 0; i < loops; i++) {
-    void* p;
-    if (i & 1) {
-      Type1* t1 = NewType1();
-      t1->atwo = NewType2();
-      t1->next = NewType1();
-      t1->atwo->buf = NewBuffer(100);
-      p = t1;
-    } else {
-      Type2* t2 = NewType2();
-      t2->buf = NewBuffer(i & 16383);
-      p = t2;
-    }
-    if ((i % 10) == 0) {
-      memmove(&danglingRefs[0], &danglingRefs[1], 49*sizeof(void*));
-      danglingRefs[49] = p;
-    }
-  }
-  end = PR_IntervalNow();
-  if (debug_mode) PR_snprintf(msg, sizeof(msg), "Thread %p: %ld allocations took %ld ms",
-	      PR_GetCurrentThread(), loops,
-	      PR_IntervalToMilliseconds((PRIntervalTime) (end - start)));
-  PR_Lock(stderrLock);
-  fprintf(stderr, "%s\n", msg);
-  PR_Unlock(stderrLock);
-  }
-
-static void usage(char *progname) {
-  fprintf(stderr, "Usage: %s [-t threads] [-l loops]\n", progname);
-  exit(-1);
-}
-
-static int realMain(int argc, char **argv, char *notused) {
-  int i;
-  int threads = 0;
-
-  progname = strrchr(argv[0], '/');
-  if (progname == 0) progname = argv[0];
-  for (i = 1; i < argc; i++) {
-    if (strcmp(argv[i], "-t") == 0) {
-      if (i == argc - 1) {
-	usage(progname);
-      }
-      threads = atoi(argv[++i]);
-      if (threads < 0) threads = 0;
-      if (threads > 10000) threads = 10000;
-      continue;
-    }
-    if (strcmp(argv[i], "-l") == 0) {
-      if (i == argc - 1) {
-	usage(progname);
-      }
-      loops = atoi(argv[++i]);
-      continue;
-    }
-    usage(progname);
-  }
-
-  for (i = 0; i < threads; i++) {
-    PRThread* thread;
-
-    /* XXXXX */
-    thread = PR_CreateThreadGCAble(PR_USER_THREAD,  /* thread type */
-			     AllocStuff,  /* start function */
-			     NULL,  /* arg */
-			     PR_PRIORITY_NORMAL,  /* priority */
-			     PR_LOCAL_THREAD,  /* thread scope */
-			     PR_UNJOINABLE_THREAD,  /* thread state */
-			     0);   /* stack size */
-    if (thread == 0) {
-      fprintf(stderr, "%s: no more threads (only %d were created)\n",
-	      progname, i);
-      break;
-    }
-  }
-  AllocStuff(NULL);
-  return 0;
-}
-
-static int padMain(int argc, char **argv) {
-  char pad[512];
-  return realMain(argc, argv, pad);
-}
-
-int main(int argc, char **argv) {
-  int rv;
-
-  debug_mode = 1;
-  
-  PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);
-  PR_SetThreadGCAble();
-
-  PR_InitGC(0, 0, 0, PR_GLOBAL_THREAD);
-  PR_STDIO_INIT();
-  stderrLock = PR_NewLock();
-  tix1 = PR_RegisterType(&type1);
-  tix2 = PR_RegisterType(&type2);
-  tix3 = PR_RegisterType(&type3);
-  gcInfo = PR_GetGCInfo();
-  rv = padMain(argc, argv);
-  printf("PASS\n");
-  PR_Cleanup();
-  return rv;
-}
diff --git a/nsprpub/pr/include/md/_darwin.h b/nsprpub/pr/include/md/_darwin.h
index fc377984a3ba..619b43ae4c7e 100644
--- a/nsprpub/pr/include/md/_darwin.h
+++ b/nsprpub/pr/include/md/_darwin.h
@@ -42,8 +42,9 @@
 
 #include 
 
-#ifdef XP_MACOSX
+#ifdef __APPLE__
 #include 
+#include 
 #endif
 
 #define PR_LINKER_ARCH	"darwin"
@@ -54,6 +55,8 @@
 #define _PR_SI_ARCHITECTURE "x86-64"
 #elif defined(__ppc__)
 #define _PR_SI_ARCHITECTURE "ppc"
+#elif defined(__arm__)
+#define _PR_SI_ARCHITECTURE "arm"
 #endif
 #define PR_DLL_SUFFIX		".dylib"
 
@@ -64,7 +67,7 @@
 
 #undef  HAVE_STACK_GROWING_UP
 #define HAVE_DLL
-#ifdef __x86_64__
+#if defined(__x86_64__) || TARGET_OS_IPHONE
 #define USE_DLFCN
 #else
 #define USE_MACH_DYLD
diff --git a/nsprpub/pr/include/prinit.h b/nsprpub/pr/include/prinit.h
index 64abb344d406..e53b82143e1a 100644
--- a/nsprpub/pr/include/prinit.h
+++ b/nsprpub/pr/include/prinit.h
@@ -63,11 +63,11 @@ PR_BEGIN_EXTERN_C
 ** The format of the version string is
 **     ".[.] []"
 */
-#define PR_VERSION  "4.8.9"
+#define PR_VERSION  "4.9 Beta"
 #define PR_VMAJOR   4
-#define PR_VMINOR   8
-#define PR_VPATCH   9
-#define PR_BETA     PR_FALSE
+#define PR_VMINOR   9
+#define PR_VPATCH   0
+#define PR_BETA     PR_TRUE
 
 /*
 ** PRVersionCheck
diff --git a/nsprpub/pr/include/prtypes.h b/nsprpub/pr/include/prtypes.h
index be9f79d1da67..9cd5e257af67 100644
--- a/nsprpub/pr/include/prtypes.h
+++ b/nsprpub/pr/include/prtypes.h
@@ -343,6 +343,17 @@ typedef long PRInt32;
 **      architectures and even different compilers have varying support for
 **      64 bit values. The only guaranteed portability requires the use of
 **      the LL_ macros (see prlong.h).
+**
+** MACROS:      PR_INT64
+**              PR_UINT64
+** DESCRIPTION:
+**  The PR_INT64 and PR_UINT64 macros provide a portable way for
+**      specifying 64-bit integer constants. They can only be used if
+**      PRInt64 and PRUint64 are defined as compiler-supported 64-bit
+**      integer types (i.e., if HAVE_LONG_LONG is defined, which is true
+**      for all the supported compilers topday). If PRInt64 and PRUint64
+**      are defined as structs, the LL_INIT macro defined in prlong.h has
+**      to be used.
 ************************************************************************/
 #ifdef HAVE_LONG_LONG
 /* Keep this in sync with prlong.h. */
@@ -354,12 +365,18 @@ typedef long PRInt32;
 #if PR_BYTES_PER_LONG == 8 && !defined(__APPLE__)
 typedef long PRInt64;
 typedef unsigned long PRUint64;
+#define PR_INT64(x)  x ## L
+#define PR_UINT64(x) x ## UL
 #elif defined(WIN32) && !defined(__GNUC__)
 typedef __int64  PRInt64;
 typedef unsigned __int64 PRUint64;
+#define PR_INT64(x)  x ## i64
+#define PR_UINT64(x) x ## ui64
 #else
 typedef long long PRInt64;
 typedef unsigned long long PRUint64;
+#define PR_INT64(x)  x ## LL
+#define PR_UINT64(x) x ## ULL
 #endif /* PR_BYTES_PER_LONG == 8 */
 #else  /* !HAVE_LONG_LONG */
 typedef struct {
diff --git a/nsprpub/pr/src/md/unix/uxproces.c b/nsprpub/pr/src/md/unix/uxproces.c
index 364301c8d53b..afb96b0fdb5f 100644
--- a/nsprpub/pr/src/md/unix/uxproces.c
+++ b/nsprpub/pr/src/md/unix/uxproces.c
@@ -48,7 +48,9 @@
 #endif
 
 #if defined(DARWIN)
+#if defined(HAVE_CRT_EXTERNS_H)
 #include 
+#endif
 #else
 PR_IMPORT_DATA(char **) environ;
 #endif
@@ -185,11 +187,18 @@ ForkAndExec(
 
         if (NULL == childEnvp) {
 #ifdef DARWIN
+#ifdef HAVE_CRT_EXTERNS_H
             childEnvp = *(_NSGetEnviron());
+#else
+            PR_DELETE(process);
+            PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
+            return NULL;
+#endif
 #else
             childEnvp = environ;
 #endif
         }
+
         for (nEnv = 0; childEnvp[nEnv]; nEnv++) {
         }
         newEnvp = (char **) PR_MALLOC((nEnv + 2) * sizeof(char *));
diff --git a/nsprpub/pr/tests/vercheck.c b/nsprpub/pr/tests/vercheck.c
index 70791e08a374..c3ac66d161ad 100644
--- a/nsprpub/pr/tests/vercheck.c
+++ b/nsprpub/pr/tests/vercheck.c
@@ -52,10 +52,9 @@
 #include 
 
 /*
- * This release (4.8.9) is backward compatible with the
+ * This release (4.9) is backward compatible with the
  * 4.0.x, 4.1.x, 4.2.x, 4.3.x, 4.4.x, 4.5.x, 4.6.x, 4.7.x,
- * 4.8, 4.8.1, 4.8.2, 4.8.3, 4.8.4, 4.8.5, 4.8.6, 4.8.7, and
- * 4.8.8 releases.  It, of course, is compatible with itself.
+ * and 4.8.x releases.  It, of course, is compatible with itself.
  */
 static char *compatible_version[] = {
     "4.0", "4.0.1", "4.1", "4.1.1", "4.1.2", "4.1.3",
@@ -66,7 +65,8 @@ static char *compatible_version[] = {
     "4.7", "4.7.1", "4.7.2", "4.7.3", "4.7.4", "4.7.5",
     "4.7.6",
     "4.8", "4.8.1", "4.8.2", "4.8.3", "4.8.4", "4.8.5",
-    "4.8.6", "4.8.7", "4.8.8", PR_VERSION
+    "4.8.6", "4.8.7", "4.8.8", "4.8.9",
+    PR_VERSION
 };
 
 /*
@@ -81,8 +81,8 @@ static char *incompatible_version[] = {
     "3.0", "3.0.1",
     "3.1", "3.1.1", "3.1.2", "3.1.3",
     "3.5", "3.5.1",
-    "4.8.10",
-    "4.9", "4.9.1",
+    "4.9.1",
+    "4.10", "4.10.1",
     "10.0", "11.1", "12.14.20"
 };
 
diff --git a/other-licenses/android/APKOpen.cpp b/other-licenses/android/APKOpen.cpp
index 14de579f4f38..a13c7049fbdd 100644
--- a/other-licenses/android/APKOpen.cpp
+++ b/other-licenses/android/APKOpen.cpp
@@ -233,6 +233,7 @@ Java_org_mozilla_gecko_GeckoAppShell_ ## name(JNIEnv *jenv, jclass jc, type1 one
 SHELL_WRAPPER0(nativeInit)
 SHELL_WRAPPER1(nativeRun, jstring)
 SHELL_WRAPPER1(notifyGeckoOfEvent, jobject)
+SHELL_WRAPPER0(processNextNativeEvent)
 SHELL_WRAPPER1(setSurfaceView, jobject)
 SHELL_WRAPPER0(onResume)
 SHELL_WRAPPER0(onLowMemory)
@@ -676,6 +677,7 @@ loadLibs(const char *apkName)
   GETFUNC(nativeInit);
   GETFUNC(nativeRun);
   GETFUNC(notifyGeckoOfEvent);
+  GETFUNC(processNextNativeEvent);
   GETFUNC(setSurfaceView);
   GETFUNC(onResume);
   GETFUNC(onLowMemory);
diff --git a/security/coreconf/Darwin.mk b/security/coreconf/Darwin.mk
index 110d89f2ae13..5524100f916d 100644
--- a/security/coreconf/Darwin.mk
+++ b/security/coreconf/Darwin.mk
@@ -37,10 +37,10 @@
 
 include $(CORE_DEPTH)/coreconf/UNIX.mk
 
-DEFAULT_COMPILER = cc
+DEFAULT_COMPILER = gcc
 
-CC		= cc
-CCC		= c++
+CC		= gcc
+CCC		= g++
 RANLIB		= ranlib
 
 ifndef CPU_ARCH
@@ -52,9 +52,11 @@ endif
 ifeq (,$(filter-out i%86,$(CPU_ARCH)))
 ifdef USE_64
 CC              += -arch x86_64
+override CPU_ARCH	= x86_64
 else
 OS_REL_CFLAGS	= -Di386
 CC              += -arch i386
+override CPU_ARCH	= x86
 endif
 else
 OS_REL_CFLAGS	= -Dppc
@@ -107,7 +109,7 @@ endif
 # definitions so that the linker can catch multiply-defined symbols.
 # Also, common symbols are not allowed with Darwin dynamic libraries.
 
-OS_CFLAGS	= $(DSO_CFLAGS) $(OS_REL_CFLAGS) -Wmost -fpascal-strings -fno-common -pipe -DDARWIN -DHAVE_STRERROR -DHAVE_BSD_FLOCK $(DARWIN_SDK_CFLAGS)
+OS_CFLAGS	= $(DSO_CFLAGS) $(OS_REL_CFLAGS) -Wall -fno-common -pipe -DDARWIN -DHAVE_STRERROR -DHAVE_BSD_FLOCK $(DARWIN_SDK_CFLAGS)
 
 ifdef BUILD_OPT
 ifeq (11,$(ALLOW_OPT_CODE_SIZE)$(OPT_CODE_SIZE))
diff --git a/security/coreconf/Linux.mk b/security/coreconf/Linux.mk
index 3d48f998716b..edea4d835312 100644
--- a/security/coreconf/Linux.mk
+++ b/security/coreconf/Linux.mk
@@ -202,8 +202,5 @@ PROCESS_MAP_FILE = grep -v ';-' $< | \
         sed -e 's,;+,,' -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,;,' > $@
 
 ifeq ($(OS_RELEASE),2.4)
-# Softoken 3.13 uses NO_FORK_CHECK only.
-# Softoken 3.12 uses NO_FORK_CHECK and NO_CHECK_FORK.
-# Don't use NO_CHECK_FORK in new code.
-DEFINES += -DNO_FORK_CHECK -DNO_CHECK_FORK
+DEFINES += -DNO_FORK_CHECK
 endif
diff --git a/security/coreconf/WIN32.mk b/security/coreconf/WIN32.mk
index 6f880169840a..da9689ea83e4 100644
--- a/security/coreconf/WIN32.mk
+++ b/security/coreconf/WIN32.mk
@@ -143,7 +143,8 @@ ifdef NS_USE_GCC
 	DEFINES    += -DDEBUG -D_DEBUG -UNDEBUG -DDEBUG_$(USERNAME)
     endif
 else # !NS_USE_GCC
-    OS_CFLAGS += -W3 -nologo -D_CRT_SECURE_NO_WARNINGS
+    OS_CFLAGS += -W3 -nologo -D_CRT_SECURE_NO_WARNINGS \
+		 -D_CRT_NONSTDC_NO_WARNINGS
     OS_DLLFLAGS += -nologo -DLL -SUBSYSTEM:WINDOWS
     ifeq ($(_MSC_VER),$(_MSC_VER_6))
     ifndef MOZ_DEBUG_SYMBOLS
diff --git a/security/coreconf/coreconf.dep b/security/coreconf/coreconf.dep
index b536cfc01b91..4c796e94d275 100644
--- a/security/coreconf/coreconf.dep
+++ b/security/coreconf/coreconf.dep
@@ -43,3 +43,4 @@
 
 #error "Do not include this header file."
 
+
diff --git a/security/manager/pki/resources/content/viewCertDetails.js b/security/manager/pki/resources/content/viewCertDetails.js
index 99d61bf2c374..1740befb5660 100644
--- a/security/manager/pki/resources/content/viewCertDetails.js
+++ b/security/manager/pki/resources/content/viewCertDetails.js
@@ -259,7 +259,7 @@ function DisplayVerificationData(cert, result)
     verifystr = bundle.GetStringFromName('certNotVerified_Unknown');
   }
   var verified=document.getElementById('verified');
-  verified.setAttribute("value", verifystr);
+  verified.textContent = verifystr;
   if (count > 0) {
     var verifyInfoBox = document.getElementById('verify_info_box');
     for (var i=0; idata, sdder->len);
     PK11_HashBuf(SEC_OID_MD5, md5_hash, sdder->data, sdder->len);
     printf("\n# Trust for Certificate \"%s\"\n",nickname);
-    printf("CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST\n");
+    printf("CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST\n");
     printf("CKA_TOKEN CK_BBOOL CK_TRUE\n");
     printf("CKA_PRIVATE CK_BBOOL CK_FALSE\n");
     printf("CKA_MODIFIABLE CK_BBOOL CK_FALSE\n");
@@ -159,13 +159,13 @@ ConvertCertificate(SECItem *sdder, char *nickname, CERTCertTrust *trust)
     printf("CKA_TRUST_CODE_SIGNING CK_TRUST %s\n",
 				 getTrustString(trust->objectSigningFlags));
 #ifdef notdef
-    printf("CKA_TRUST_CLIENT_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED\n");*/
-    printf("CKA_TRUST_DIGITAL_SIGNATURE CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR\n");
-    printf("CKA_TRUST_NON_REPUDIATION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR\n");
-    printf("CKA_TRUST_KEY_ENCIPHERMENT CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR\n");
-    printf("CKA_TRUST_DATA_ENCIPHERMENT CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR\n");
-    printf("CKA_TRUST_KEY_AGREEMENT CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR\n");
-    printf("CKA_TRUST_KEY_CERT_SIGN CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR\n");
+    printf("CKA_TRUST_CLIENT_AUTH CK_TRUST CKT_NSS_TRUSTED\n");
+    printf("CKA_TRUST_DIGITAL_SIGNATURE CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n");
+    printf("CKA_TRUST_NON_REPUDIATION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n");
+    printf("CKA_TRUST_KEY_ENCIPHERMENT CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n");
+    printf("CKA_TRUST_DATA_ENCIPHERMENT CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n");
+    printf("CKA_TRUST_KEY_AGREEMENT CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n");
+    printf("CKA_TRUST_KEY_CERT_SIGN CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n");
 #endif
     printf("CKA_TRUST_STEP_UP_APPROVED CK_BBOOL %s\n",
                 trust->sslFlags & CERTDB_GOVT_APPROVED_CA ? 
@@ -215,7 +215,7 @@ void printheader() {
 "#\n"
 "# ***** END LICENSE BLOCK *****\n"
      "#\n"
-     "CVS_ID \"@(#) $RCSfile: addbuiltin.c,v $ $Revision: 1.14.68.1 $ $Date: 2011/03/23 20:07:57 $\"\n"
+     "CVS_ID \"@(#) $RCSfile: addbuiltin.c,v $ $Revision: 1.16 $ $Date: 2011/04/13 00:10:21 $\"\n"
      "\n"
      "#\n"
      "# certdata.txt\n"
@@ -239,7 +239,7 @@ void printheader() {
      "#  CKA_ISSUER               DER+base64              (varies)\n"
      "#  CKA_SERIAL_NUMBER        DER+base64              (varies)\n"
      "#  CKA_VALUE                DER+base64              (varies)\n"
-     "#  CKA_NETSCAPE_EMAIL       ASCII7                  (unused here)\n"
+     "#  CKA_NSS_EMAIL            ASCII7                  (unused here)\n"
      "#\n"
      "#    Trust\n"
      "#\n"
@@ -276,7 +276,7 @@ void printheader() {
      "# have to go looking for others.\n"
      "#\n"
      "BEGINDATA\n"
-     "CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_BUILTIN_ROOT_LIST\n"
+     "CKA_CLASS CK_OBJECT_CLASS CKO_NSS_BUILTIN_ROOT_LIST\n"
      "CKA_TOKEN CK_BBOOL CK_TRUE\n"
      "CKA_PRIVATE CK_BBOOL CK_FALSE\n"
      "CKA_MODIFIABLE CK_BBOOL CK_FALSE\n"
diff --git a/security/nss/cmd/bltest/blapitest.c b/security/nss/cmd/bltest/blapitest.c
index a7a48867c249..6bcfef05bbac 100644
--- a/security/nss/cmd/bltest/blapitest.c
+++ b/security/nss/cmd/bltest/blapitest.c
@@ -50,7 +50,7 @@
 #include "plgetopt.h"
 #include "softoken.h"
 #include "nspr.h"
-#include "nss.h"
+#include "nssutil.h"
 #include "secoid.h"
 
 #ifdef NSS_ENABLE_ECC
@@ -78,7 +78,7 @@ char *testdir = NULL;
     if (rv) { \
 	PRErrorCode prerror = PR_GetError(); \
 	PR_fprintf(PR_STDERR, "%s: ERR %d (%s) at line %d.\n", progName, \
-                   prerror, SECU_Strerror(prerror), ln); \
+	prerror, NSS_Strerror(prerror,formatSimple), ln); \
 	exit(-1); \
     }
 
@@ -692,6 +692,7 @@ typedef enum {
     bltestMD2,		  /* Hash algorithms	   */
     bltestMD5,		  /* .			   */
     bltestSHA1,           /* .			   */
+    bltestSHA224,         /* .			   */
     bltestSHA256,         /* .			   */
     bltestSHA384,         /* .			   */
     bltestSHA512,         /* .			   */
@@ -726,6 +727,7 @@ static char *mode_strings[] =
     "md2",
     "md5",
     "sha1",
+    "sha224",
     "sha256",
     "sha384",
     "sha512",
@@ -1765,6 +1767,46 @@ finish:
     return rv;
 }
 
+SECStatus
+SHA224_restart(unsigned char *dest, const unsigned char *src, uint32 src_length)
+{
+    SECStatus rv = SECSuccess;
+    SHA224Context *cx, *cx_cpy;
+    unsigned char *cxbytes;
+    unsigned int len;
+    unsigned int i, quarter;
+    cx = SHA224_NewContext();
+    SHA224_Begin(cx);
+    /* divide message by 4, restarting 3 times */
+    quarter = (src_length + 3) / 4;
+    for (i=0; i < 4 && src_length > 0; i++) {
+	SHA224_Update(cx, src + i*quarter, PR_MIN(quarter, src_length));
+	len = SHA224_FlattenSize(cx);
+	cxbytes = PORT_Alloc(len);
+	SHA224_Flatten(cx, cxbytes);
+	cx_cpy = SHA224_Resurrect(cxbytes, NULL);
+	if (!cx_cpy) {
+	    PR_fprintf(PR_STDERR, "%s: SHA224_Resurrect failed!\n", progName);
+	    rv = SECFailure;
+	    goto finish;
+	}
+	rv = PORT_Memcmp(cx, cx_cpy, len);
+	if (rv) {
+	    SHA224_DestroyContext(cx_cpy, PR_TRUE);
+	    PR_fprintf(PR_STDERR, "%s: SHA224_restart failed!\n", progName);
+	    goto finish;
+	}
+	
+	SHA224_DestroyContext(cx_cpy, PR_TRUE);
+	PORT_Free(cxbytes);
+	src_length -= quarter;
+    }
+    SHA224_End(cx, dest, &len, MD5_LENGTH);
+finish:
+    SHA224_DestroyContext(cx, PR_TRUE);
+    return rv;
+}
+
 SECStatus
 SHA256_restart(unsigned char *dest, const unsigned char *src, uint32 src_length)
 {
@@ -2057,6 +2099,14 @@ cipherInit(bltestCipherInfo *cipherInfo, PRBool encrypt)
 	cipherInfo->cipher.hashCipher = (restart) ? sha1_restart : SHA1_HashBuf;
 	return SECSuccess;
 	break;
+    case bltestSHA224:
+	restart = cipherInfo->params.hash.restart;
+	SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
+			  SHA224_LENGTH);
+	cipherInfo->cipher.hashCipher = (restart) ? SHA224_restart 
+	                                          : SHA224_HashBuf;
+	return SECSuccess;
+	break;
     case bltestSHA256:
 	restart = cipherInfo->params.hash.restart;
 	SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
@@ -2498,6 +2548,7 @@ cipherFinish(bltestCipherInfo *cipherInfo)
     case bltestMD2: /* hash contexts are ephemeral */
     case bltestMD5:
     case bltestSHA1:
+    case bltestSHA224:
     case bltestSHA256:
     case bltestSHA384:
     case bltestSHA512:
@@ -2851,6 +2902,7 @@ get_params(PRArenaPool *arena, bltestParams *params,
     case bltestMD2:
     case bltestMD5:
     case bltestSHA1:
+    case bltestSHA224:
     case bltestSHA256:
     case bltestSHA384:
     case bltestSHA512:
diff --git a/security/nss/cmd/bltest/tests/sha224/ciphertext0 b/security/nss/cmd/bltest/tests/sha224/ciphertext0
new file mode 100644
index 000000000000..dfc3d279c57b
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/sha224/ciphertext0
@@ -0,0 +1,2 @@
+Iwl9IjQF2CKGQqR3vaJVsyqtvOS9oLP342ydpw==
+
diff --git a/security/nss/cmd/bltest/tests/sha224/ciphertext1 b/security/nss/cmd/bltest/tests/sha224/ciphertext1
new file mode 100644
index 000000000000..bef4714bbea3
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/sha224/ciphertext1
@@ -0,0 +1,2 @@
+dTiLFlEndsxdul2h/YkBULDGRVy09YsZUlIlJQ==
+
diff --git a/security/nss/cmd/bltest/tests/sha224/numtests b/security/nss/cmd/bltest/tests/sha224/numtests
new file mode 100644
index 000000000000..0cfbf08886fc
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/sha224/numtests
@@ -0,0 +1 @@
+2
diff --git a/security/nss/cmd/bltest/tests/sha224/plaintext0 b/security/nss/cmd/bltest/tests/sha224/plaintext0
new file mode 100644
index 000000000000..8baef1b4abc4
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/sha224/plaintext0
@@ -0,0 +1 @@
+abc
diff --git a/security/nss/cmd/bltest/tests/sha224/plaintext1 b/security/nss/cmd/bltest/tests/sha224/plaintext1
new file mode 100644
index 000000000000..afb5dce5d461
--- /dev/null
+++ b/security/nss/cmd/bltest/tests/sha224/plaintext1
@@ -0,0 +1 @@
+abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq
diff --git a/security/nss/cmd/certutil/certutil.c b/security/nss/cmd/certutil/certutil.c
index 4b890446fde4..4a3e9063ec3e 100644
--- a/security/nss/cmd/certutil/certutil.c
+++ b/security/nss/cmd/certutil/certutil.c
@@ -1106,8 +1106,8 @@ static void luCommonDetailsAE()
         "   -t trustargs");
     FPS "%-25s trustargs is of the form x,y,z where x is for SSL, y is for S/MIME,\n", "");
     FPS "%-25s and z is for code signing. Use ,, for no explicit trust.\n", "");
-    FPS "%-25s p \t valid peer\n", "");
-    FPS "%-25s P \t trusted peer (implies p)\n", "");
+    FPS "%-25s p \t prohibited\n", "");
+    FPS "%-25s P \t trusted peer\n", "");
     FPS "%-25s c \t valid CA\n", "");
     FPS "%-25s T \t trusted CA to issue client certs (implies c)\n", "");
     FPS "%-25s C \t trusted CA to issue server certs (implies c)\n", "");
diff --git a/security/nss/cmd/chktest/Makefile b/security/nss/cmd/chktest/Makefile
new file mode 100644
index 000000000000..3e49e05b65a1
--- /dev/null
+++ b/security/nss/cmd/chktest/Makefile
@@ -0,0 +1,79 @@
+#! gmake
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+include ../platrules.mk
diff --git a/nsprpub/lib/msgc/src/os2gc.c b/security/nss/cmd/chktest/chktest.c
similarity index 63%
rename from nsprpub/lib/msgc/src/os2gc.c
rename to security/nss/cmd/chktest/chktest.c
index f99bb678661d..6fbc3d9f9410 100644
--- a/nsprpub/lib/msgc/src/os2gc.c
+++ b/security/nss/cmd/chktest/chktest.c
@@ -1,4 +1,3 @@
-/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
 /* ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
  *
@@ -12,14 +11,15 @@
  * for the specific language governing rights and limitations under the
  * License.
  *
- * The Original Code is the Netscape Portable Runtime (NSPR).
+ * The Original Code is the Netscape security libraries.
  *
  * The Initial Developer of the Original Code is
  * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1998-2000
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
  * the Initial Developer. All Rights Reserved.
  *
  * Contributor(s):
+ *   Kai Engert 
  *
  * Alternatively, the contents of this file may be used under the terms of
  * either the GNU General Public License Version 2 or later (the "GPL"), or
@@ -35,49 +35,42 @@
  *
  * ***** END LICENSE BLOCK ***** */
 
-/*
- * GC related routines
- *
- */
-#include "prlog.h"
-
+#include 
 #include 
 
-/* Leave a bit of room for any malloc header bytes... */
-#define MAX_SEGMENT_SIZE    (65536L - 4096L)
+#include "blapi.h"
+#include "secutil.h"
 
-/************************************************************************/
-/*
-** Machine dependent GC Heap management routines:
-**    _MD_GrowGCHeap
-*/
-/************************************************************************/
-void _MD_InitGC() {}
-
-void *_MD_GrowGCHeap(PRUint32 *sizep)
+static int Usage()
 {
-    void *addr;
+    fprintf(stderr, "Usage:  chktest \n");
+    fprintf(stderr, "        Will test for valid chk file.\n");
+    fprintf(stderr, "        Will print SUCCESS or FAILURE.\n");
+    exit(1);
+}
 
-    if ( *sizep > MAX_SEGMENT_SIZE )
-    {
-        *sizep = MAX_SEGMENT_SIZE;
+int main(int argc, char **argv)
+{
+    SECStatus rv = SECFailure;
+    PRBool good_result = PR_FALSE;
+
+    if (argc != 2)
+      return Usage();
+    
+    rv = RNG_RNGInit();
+    if (rv != SECSuccess) {
+        SECU_PrintPRandOSError("");
+        return -1;
     }
+    rv = BL_Init();
+    if (rv != SECSuccess) {
+        SECU_PrintPRandOSError("");
+        return -1;
+    }
+    RNG_SystemInfoForRNG();
 
-    addr = malloc((size_t)*sizep);
-    return addr;
-}
-
-
-PRBool _MD_ExtendGCHeap(char *base, PRInt32 oldSize, PRInt32 newSize) {
-  /* Not sure about this.  Todd?  */
-  return PR_FALSE;
-}
-
-
-void _MD_FreeGCSegment(void *base, PRInt32 len)
-{
-   if (base)
-   {
-       free(base);
-   }
+    good_result = BLAPI_SHVerifyFile(argv[1]);
+    printf("%s\n", 
+      (good_result ? "SUCCESS" : "FAILURE"));
+    return (good_result) ? SECSuccess : SECFailure;
 }
diff --git a/nsprpub/lib/msgc/Makefile.in b/security/nss/cmd/chktest/manifest.mn
similarity index 83%
rename from nsprpub/lib/msgc/Makefile.in
rename to security/nss/cmd/chktest/manifest.mn
index d7299b2bb56e..6a0fe45f44a6 100644
--- a/nsprpub/lib/msgc/Makefile.in
+++ b/security/nss/cmd/chktest/manifest.mn
@@ -12,11 +12,11 @@
 # for the specific language governing rights and limitations under the
 # License.
 #
-# The Original Code is the Netscape Portable Runtime (NSPR).
+# The Original Code is the Netscape security libraries.
 #
 # The Initial Developer of the Original Code is
 # Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1998-2000
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
 # the Initial Developer. All Rights Reserved.
 #
 # Contributor(s):
@@ -34,19 +34,26 @@
 # the terms of any one of the MPL, the GPL or the LGPL.
 #
 # ***** END LICENSE BLOCK *****
+CORE_DEPTH = ../../..
 
-MOD_DEPTH	= ../..
-topsrcdir	= @top_srcdir@
-srcdir		= @srcdir@
-VPATH		= @srcdir@
+MODULE = nss
 
-include $(MOD_DEPTH)/config/autoconf.mk
+#REQUIRES = seccmd dbm softoken
+REQUIRES = seccmd dbm
 
-include $(topsrcdir)/config/config.mk
+#INCLUDES += -I$(CORE_DEPTH)/nss/lib/softoken
 
-DIRS = include src tests
+PROGRAM = chktest
 
-include $(topsrcdir)/config/rules.mk
+ USE_STATIC_LIBS = 1
 
-export:: $(TARGETS)
+EXPORTS = \
+	$(NULL)
+
+PRIVATE_EXPORTS = \
+	$(NULL)
+
+CSRCS = \
+	chktest.c \
+	$(NULL)
 
diff --git a/security/nss/cmd/lib/Makefile b/security/nss/cmd/lib/Makefile
index 54ef29fdf751..5786fbcf05e0 100644
--- a/security/nss/cmd/lib/Makefile
+++ b/security/nss/cmd/lib/Makefile
@@ -78,5 +78,4 @@ include $(CORE_DEPTH)/coreconf/rules.mk
 
 export:: private_export
 
-$(OBJDIR)/secerror$(OBJ_SUFFIX): NSPRerrs.h SECerrs.h SSLerrs.h 
 
diff --git a/security/nss/cmd/lib/NSPRerrs.h b/security/nss/cmd/lib/NSPRerrs.h
deleted file mode 100644
index b11169847c1c..000000000000
--- a/security/nss/cmd/lib/NSPRerrs.h
+++ /dev/null
@@ -1,153 +0,0 @@
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* General NSPR 2.0 errors */
-/* Caller must #include "prerror.h" */
-
-ER2( PR_OUT_OF_MEMORY_ERROR, 	"Memory allocation attempt failed." )
-ER2( PR_BAD_DESCRIPTOR_ERROR, 	"Invalid file descriptor." )
-ER2( PR_WOULD_BLOCK_ERROR, 	"The operation would have blocked." )
-ER2( PR_ACCESS_FAULT_ERROR, 	"Invalid memory address argument." )
-ER2( PR_INVALID_METHOD_ERROR, 	"Invalid function for file type." )
-ER2( PR_ILLEGAL_ACCESS_ERROR, 	"Invalid memory address argument." )
-ER2( PR_UNKNOWN_ERROR, 		"Some unknown error has occurred." )
-ER2( PR_PENDING_INTERRUPT_ERROR,"Operation interrupted by another thread." )
-ER2( PR_NOT_IMPLEMENTED_ERROR, 	"function not implemented." )
-ER2( PR_IO_ERROR, 		"I/O function error." )
-ER2( PR_IO_TIMEOUT_ERROR, 	"I/O operation timed out." )
-ER2( PR_IO_PENDING_ERROR, 	"I/O operation on busy file descriptor." )
-ER2( PR_DIRECTORY_OPEN_ERROR, 	"The directory could not be opened." )
-ER2( PR_INVALID_ARGUMENT_ERROR, "Invalid function argument." )
-ER2( PR_ADDRESS_NOT_AVAILABLE_ERROR, "Network address not available (in use?)." )
-ER2( PR_ADDRESS_NOT_SUPPORTED_ERROR, "Network address type not supported." )
-ER2( PR_IS_CONNECTED_ERROR, 	"Already connected." )
-ER2( PR_BAD_ADDRESS_ERROR, 	"Network address is invalid." )
-ER2( PR_ADDRESS_IN_USE_ERROR, 	"Local Network address is in use." )
-ER2( PR_CONNECT_REFUSED_ERROR, 	"Connection refused by peer." )
-ER2( PR_NETWORK_UNREACHABLE_ERROR, "Network address is presently unreachable." )
-ER2( PR_CONNECT_TIMEOUT_ERROR, 	"Connection attempt timed out." )
-ER2( PR_NOT_CONNECTED_ERROR, 	"Network file descriptor is not connected." )
-ER2( PR_LOAD_LIBRARY_ERROR, 	"Failure to load dynamic library." )
-ER2( PR_UNLOAD_LIBRARY_ERROR, 	"Failure to unload dynamic library." )
-ER2( PR_FIND_SYMBOL_ERROR, 	
-"Symbol not found in any of the loaded dynamic libraries." )
-ER2( PR_INSUFFICIENT_RESOURCES_ERROR, "Insufficient system resources." )
-ER2( PR_DIRECTORY_LOOKUP_ERROR, 	
-"A directory lookup on a network address has failed." )
-ER2( PR_TPD_RANGE_ERROR, 		
-"Attempt to access a TPD key that is out of range." )
-ER2( PR_PROC_DESC_TABLE_FULL_ERROR, "Process open FD table is full." )
-ER2( PR_SYS_DESC_TABLE_FULL_ERROR, "System open FD table is full." )
-ER2( PR_NOT_SOCKET_ERROR, 	
-"Network operation attempted on non-network file descriptor." )
-ER2( PR_NOT_TCP_SOCKET_ERROR, 	
-"TCP-specific function attempted on a non-TCP file descriptor." )
-ER2( PR_SOCKET_ADDRESS_IS_BOUND_ERROR, "TCP file descriptor is already bound." )
-ER2( PR_NO_ACCESS_RIGHTS_ERROR, "Access Denied." )
-ER2( PR_OPERATION_NOT_SUPPORTED_ERROR, 
-"The requested operation is not supported by the platform." )
-ER2( PR_PROTOCOL_NOT_SUPPORTED_ERROR, 
-"The host operating system does not support the protocol requested." )
-ER2( PR_REMOTE_FILE_ERROR, 	"Access to the remote file has been severed." )
-ER2( PR_BUFFER_OVERFLOW_ERROR, 	
-"The value requested is too large to be stored in the data buffer provided." )
-ER2( PR_CONNECT_RESET_ERROR, 	"TCP connection reset by peer." )
-ER2( PR_RANGE_ERROR, 		"Unused." )
-ER2( PR_DEADLOCK_ERROR, 	"The operation would have deadlocked." )
-ER2( PR_FILE_IS_LOCKED_ERROR, 	"The file is already locked." )
-ER2( PR_FILE_TOO_BIG_ERROR, 	
-"Write would result in file larger than the system allows." )
-ER2( PR_NO_DEVICE_SPACE_ERROR, 	"The device for storing the file is full." )
-ER2( PR_PIPE_ERROR, 		"Unused." )
-ER2( PR_NO_SEEK_DEVICE_ERROR, 	"Unused." )
-ER2( PR_IS_DIRECTORY_ERROR, 	
-"Cannot perform a normal file operation on a directory." )
-ER2( PR_LOOP_ERROR, 		"Symbolic link loop." )
-ER2( PR_NAME_TOO_LONG_ERROR, 	"File name is too long." )
-ER2( PR_FILE_NOT_FOUND_ERROR, 	"File not found." )
-ER2( PR_NOT_DIRECTORY_ERROR, 	
-"Cannot perform directory operation on a normal file." )
-ER2( PR_READ_ONLY_FILESYSTEM_ERROR, 
-"Cannot write to a read-only file system." )
-ER2( PR_DIRECTORY_NOT_EMPTY_ERROR, 
-"Cannot delete a directory that is not empty." )
-ER2( PR_FILESYSTEM_MOUNTED_ERROR, 
-"Cannot delete or rename a file object while the file system is busy." )
-ER2( PR_NOT_SAME_DEVICE_ERROR, 	
-"Cannot rename a file to a file system on another device." )
-ER2( PR_DIRECTORY_CORRUPTED_ERROR, 
-"The directory object in the file system is corrupted." )
-ER2( PR_FILE_EXISTS_ERROR, 	
-"Cannot create or rename a filename that already exists." )
-ER2( PR_MAX_DIRECTORY_ENTRIES_ERROR, 
-"Directory is full.  No additional filenames may be added." )
-ER2( PR_INVALID_DEVICE_STATE_ERROR, 
-"The required device was in an invalid state." )
-ER2( PR_DEVICE_IS_LOCKED_ERROR, "The device is locked." )
-ER2( PR_NO_MORE_FILES_ERROR, 	"No more entries in the directory." )
-ER2( PR_END_OF_FILE_ERROR, 	"Encountered end of file." )
-ER2( PR_FILE_SEEK_ERROR, 	"Seek error." )
-ER2( PR_FILE_IS_BUSY_ERROR, 	"The file is busy." )
-ER2( PR_IN_PROGRESS_ERROR,
-"Operation is still in progress (probably a non-blocking connect)." )
-ER2( PR_ALREADY_INITIATED_ERROR,
-"Operation has already been initiated (probably a non-blocking connect)." )
-
-#ifdef PR_GROUP_EMPTY_ERROR
-ER2( PR_GROUP_EMPTY_ERROR, 	"The wait group is empty." )
-#endif
-
-#ifdef PR_INVALID_STATE_ERROR
-ER2( PR_INVALID_STATE_ERROR, 	"Object state improper for request." )
-#endif
-
-#ifdef PR_NETWORK_DOWN_ERROR
-ER2( PR_NETWORK_DOWN_ERROR,	"Network is down." )
-#endif
-
-#ifdef PR_SOCKET_SHUTDOWN_ERROR
-ER2( PR_SOCKET_SHUTDOWN_ERROR,	"The socket was previously shut down." )
-#endif
-
-#ifdef PR_CONNECT_ABORTED_ERROR
-ER2( PR_CONNECT_ABORTED_ERROR,	"TCP Connection aborted." )
-#endif
-
-#ifdef PR_HOST_UNREACHABLE_ERROR
-ER2( PR_HOST_UNREACHABLE_ERROR,	"Host is unreachable." )
-#endif
-
-/* always last */
-ER2( PR_MAX_ERROR, 		"Placeholder for the end of the list" )
diff --git a/security/nss/cmd/lib/manifest.mn b/security/nss/cmd/lib/manifest.mn
index 767b58a10332..8ea950495de2 100644
--- a/security/nss/cmd/lib/manifest.mn
+++ b/security/nss/cmd/lib/manifest.mn
@@ -44,9 +44,6 @@ MODULE		= nss
 DEFINES		= -DNSPR20
 
 PRIVATE_EXPORTS	= secutil.h \
-		  NSPRerrs.h \
-		  SECerrs.h \
-		  SSLerrs.h \
 		  pk11table.h \
 		  $(NULL)
 
@@ -60,6 +57,4 @@ CSRCS		= secutil.c \
 		pk11table.c \
 		$(NULL)
 
-REQUIRES	= dbm
-
 NO_MD_RELEASE	= 1
diff --git a/security/nss/cmd/lib/pk11table.c b/security/nss/cmd/lib/pk11table.c
index 5ec551fb2b93..1016fe593a87 100644
--- a/security/nss/cmd/lib/pk11table.c
+++ b/security/nss/cmd/lib/pk11table.c
@@ -155,10 +155,10 @@ const Constant _consts[] = {
 	mkEntry(CKO_HW_FEATURE, Object),
 	mkEntry(CKO_DOMAIN_PARAMETERS, Object),
 	mkEntry(CKO_KG_PARAMETERS, Object),
-	mkEntry(CKO_NETSCAPE_CRL, Object),
-	mkEntry(CKO_NETSCAPE_SMIME, Object),
-	mkEntry(CKO_NETSCAPE_TRUST, Object),
-	mkEntry(CKO_NETSCAPE_BUILTIN_ROOT_LIST, Object),
+	mkEntry(CKO_NSS_CRL, Object),
+	mkEntry(CKO_NSS_SMIME, Object),
+	mkEntry(CKO_NSS_TRUST, Object),
+	mkEntry(CKO_NSS_BUILTIN_ROOT_LIST, Object),
 
 	mkEntry(CKH_MONOTONIC_COUNTER, Hardware),
 	mkEntry(CKH_CLOCK, Hardware),
@@ -188,7 +188,7 @@ const Constant _consts[] = {
 	mkEntry(CKK_CDMF, KeyType),
 	mkEntry(CKK_AES, KeyType),
 	mkEntry(CKK_CAMELLIA, KeyType),
-	mkEntry(CKK_NETSCAPE_PKCS8, KeyType),
+	mkEntry(CKK_NSS_PKCS8, KeyType),
 
 	mkEntry(CKC_X_509, CertType),
 	mkEntry(CKC_X_509_ATTR_CERT, CertType),
@@ -252,18 +252,18 @@ const Constant _consts[] = {
 	mkEntry2(CKA_HW_FEATURE_TYPE, Attribute, Hardware),
 	mkEntry2(CKA_RESET_ON_INIT, Attribute, Bool),
 	mkEntry2(CKA_HAS_RESET, Attribute, Bool),
-	mkEntry2(CKA_NETSCAPE_URL, Attribute, None),
-	mkEntry2(CKA_NETSCAPE_EMAIL, Attribute, None),
-	mkEntry2(CKA_NETSCAPE_SMIME_INFO, Attribute, None),
-	mkEntry2(CKA_NETSCAPE_SMIME_TIMESTAMP, Attribute, None),
-	mkEntry2(CKA_NETSCAPE_PKCS8_SALT, Attribute, None),
-	mkEntry2(CKA_NETSCAPE_PASSWORD_CHECK, Attribute, None),
-	mkEntry2(CKA_NETSCAPE_EXPIRES, Attribute, None),
-	mkEntry2(CKA_NETSCAPE_KRL, Attribute, None),
-	mkEntry2(CKA_NETSCAPE_PQG_COUNTER, Attribute, None),
-	mkEntry2(CKA_NETSCAPE_PQG_SEED, Attribute, None),
-	mkEntry2(CKA_NETSCAPE_PQG_H, Attribute, None),
-	mkEntry2(CKA_NETSCAPE_PQG_SEED_BITS, Attribute, None),
+	mkEntry2(CKA_NSS_URL, Attribute, None),
+	mkEntry2(CKA_NSS_EMAIL, Attribute, None),
+	mkEntry2(CKA_NSS_SMIME_INFO, Attribute, None),
+	mkEntry2(CKA_NSS_SMIME_TIMESTAMP, Attribute, None),
+	mkEntry2(CKA_NSS_PKCS8_SALT, Attribute, None),
+	mkEntry2(CKA_NSS_PASSWORD_CHECK, Attribute, None),
+	mkEntry2(CKA_NSS_EXPIRES, Attribute, None),
+	mkEntry2(CKA_NSS_KRL, Attribute, None),
+	mkEntry2(CKA_NSS_PQG_COUNTER, Attribute, None),
+	mkEntry2(CKA_NSS_PQG_SEED, Attribute, None),
+	mkEntry2(CKA_NSS_PQG_H, Attribute, None),
+	mkEntry2(CKA_NSS_PQG_SEED_BITS, Attribute, None),
 	mkEntry2(CKA_TRUST_DIGITAL_SIGNATURE, Attribute, Trust),
 	mkEntry2(CKA_TRUST_NON_REPUDIATION, Attribute, Trust),
 	mkEntry2(CKA_TRUST_KEY_ENCIPHERMENT, Attribute, Trust),
@@ -492,8 +492,8 @@ const Constant _consts[] = {
 	mkEntry(CKM_SEED_CBC_ENCRYPT_DATA, Mechanism),
 	mkEntry(CKM_DSA_PARAMETER_GEN, Mechanism),
 	mkEntry(CKM_DH_PKCS_PARAMETER_GEN, Mechanism),
-	mkEntry(CKM_NETSCAPE_AES_KEY_WRAP, Mechanism),
-	mkEntry(CKM_NETSCAPE_AES_KEY_WRAP_PAD, Mechanism),
+	mkEntry(CKM_NSS_AES_KEY_WRAP, Mechanism),
+	mkEntry(CKM_NSS_AES_KEY_WRAP_PAD, Mechanism),
 	mkEntry(CKM_NETSCAPE_PBE_SHA1_DES_CBC, Mechanism),
 	mkEntry(CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC, Mechanism),
 	mkEntry(CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC, Mechanism),
@@ -593,13 +593,12 @@ const Constant _consts[] = {
 	mkEntry(CKR_MUTEX_NOT_LOCKED, Result),
 	mkEntry(CKR_VENDOR_DEFINED, Result),
 
-	mkEntry(CKT_NETSCAPE_TRUSTED, Trust),
-	mkEntry(CKT_NETSCAPE_TRUSTED_DELEGATOR, Trust),
-	mkEntry(CKT_NETSCAPE_UNTRUSTED, Trust),
-	mkEntry(CKT_NETSCAPE_MUST_VERIFY, Trust),
-	mkEntry(CKT_NETSCAPE_TRUST_UNKNOWN, Trust),
-	mkEntry(CKT_NETSCAPE_VALID, Trust),
-	mkEntry(CKT_NETSCAPE_VALID_DELEGATOR, Trust),
+	mkEntry(CKT_NSS_TRUSTED, Trust),
+	mkEntry(CKT_NSS_TRUSTED_DELEGATOR, Trust),
+	mkEntry(CKT_NSS_NOT_TRUSTED, Trust),
+	mkEntry(CKT_NSS_MUST_VERIFY_TRUST, Trust),
+	mkEntry(CKT_NSS_TRUST_UNKNOWN, Trust),
+	mkEntry(CKT_NSS_VALID_DELEGATOR, Trust),
 
 	mkEntry(CK_EFFECTIVELY_INFINITE, AvailableSizes),
 	mkEntry(CK_UNAVAILABLE_INFORMATION, CurrentSize),
@@ -1252,7 +1251,7 @@ const Commands _commands[] = {
 	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
     {"NewMechanism", F_NewMechanism,
 "NewMechanism varName mechanismType\n\n"
-"Create a new CK_MECHANISM object with type NULL paramters and specified type\n"
+"Create a new CK_MECHANISM object with type NULL parameters and specified type\n"
 " varName        variable name of the new mechansim\n"
 " mechanismType  CKM_ mechanism type value to set int the type field\n",
 	{ArgVar|ArgNew, ArgULong, ArgNone, ArgNone, ArgNone, 
diff --git a/security/nss/cmd/lib/secerror.c b/security/nss/cmd/lib/secerror.c
index 651cf5520194..f1182961d374 100644
--- a/security/nss/cmd/lib/secerror.c
+++ b/security/nss/cmd/lib/secerror.c
@@ -33,78 +33,13 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-#include "nspr.h"
-
-struct tuple_str {
-    PRErrorCode	 errNum;
-    const char * errString;
-};
-
-typedef struct tuple_str tuple_str;
-
-#define ER2(a,b)   {a, b},
-#define ER3(a,b,c) {a, c},
-
-#include "secerr.h"
-#include "sslerr.h"
-
-const tuple_str errStrings[] = {
-
-/* keep this list in asceding order of error numbers */
-#include "SSLerrs.h"
-#include "SECerrs.h"
-#include "NSPRerrs.h"
-
-};
-
-const PRInt32 numStrings = sizeof(errStrings) / sizeof(tuple_str);
+#include "prtypes.h"
+#include "nssutil.h"
 
 /* Returns a UTF-8 encoded constant error string for "errNum".
- * Returns NULL of errNum is unknown.
+ * Returns NULL if errNum is unknown.
  */
 const char *
 SECU_Strerror(PRErrorCode errNum) {
-    PRInt32 low  = 0;
-    PRInt32 high = numStrings - 1;
-    PRInt32 i;
-    PRErrorCode num;
-    static int initDone;
-
-    /* make sure table is in ascending order.
-     * binary search depends on it.
-     */
-    if (!initDone) {
-	PRErrorCode lastNum = ((PRInt32)0x80000000);
-    	for (i = low; i <= high; ++i) {
-	    num = errStrings[i].errNum;
-	    if (num <= lastNum) {
-	    	fprintf(stderr, 
-"sequence error in error strings at item %d\n"
-"error %d (%s)\n"
-"should come after \n"
-"error %d (%s)\n",
-		        i, lastNum, errStrings[i-1].errString, 
-			num, errStrings[i].errString);
-	    }
-	    lastNum = num;
-	}
-	initDone = 1;
-    }
-
-    /* Do binary search of table. */
-    while (low + 1 < high) {
-    	i = (low + high) / 2;
-	num = errStrings[i].errNum;
-	if (errNum == num) 
-	    return errStrings[i].errString;
-        if (errNum < num)
-	    high = i;
-	else 
-	    low = i;
-    }
-    if (errNum == errStrings[low].errNum)
-    	return errStrings[low].errString;
-    if (errNum == errStrings[high].errNum)
-    	return errStrings[high].errString;
-    return NULL;
+    return NSS_Strerror(errNum, formatSimple);
 }
diff --git a/security/nss/cmd/lib/secutil.c b/security/nss/cmd/lib/secutil.c
index 2a7d1052af4a..6a0c533dcde8 100644
--- a/security/nss/cmd/lib/secutil.c
+++ b/security/nss/cmd/lib/secutil.c
@@ -83,15 +83,9 @@ static char consoleName[] =  {
 #endif
 };
 
+#include "nssutil.h"
+#include "ssl.h"
 
-char *
-SECU_GetString(int16 error_number)
-{
-
-    static char errString[80];
-    sprintf(errString, "Unknown error string (%d)", error_number);
-    return errString;
-}
 
 void 
 SECU_PrintErrMsg(FILE *out, int level, char *progName, char *msg, ...)
@@ -1515,6 +1509,70 @@ const SEC_ASN1Template secuPBEV2Params[] =
     { 0 }
 };
 
+void
+secu_PrintRSAPSSParams(FILE *out, SECItem *value, char *m, int level)
+{
+    PRArenaPool *pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    SECStatus rv;
+    SECKEYRSAPSSParams param;
+    SECAlgorithmID maskHashAlg;
+
+    if (m) {
+	SECU_Indent(out, level);
+	fprintf (out, "%s:\n", m);
+    }
+
+    if (!pool) {
+	SECU_Indent(out, level);
+	fprintf(out, "Out of memory\n");
+	return;
+    }
+
+    PORT_Memset(¶m, 0, sizeof param);
+
+    rv = SEC_QuickDERDecodeItem(pool, ¶m,
+				SEC_ASN1_GET(SECKEY_RSAPSSParamsTemplate),
+				value);
+    if (rv == SECSuccess) {
+	if (!param.hashAlg) {
+	    SECU_Indent(out, level+1);
+	    fprintf(out, "Hash algorithm: default, SHA-1\n");
+	} else {
+	    SECU_PrintObjectID(out, ¶m.hashAlg->algorithm,
+			       "Hash algorithm", level+1);
+	}
+	if (!param.maskAlg) {
+	    SECU_Indent(out, level+1);
+	    fprintf(out, "Mask algorithm: default, MGF1\n");
+	    SECU_Indent(out, level+1);
+	    fprintf(out, "Mask hash algorithm: default, SHA-1\n");
+	} else {
+	    SECU_PrintObjectID(out, ¶m.maskAlg->algorithm,
+			       "Mask algorithm", level+1);
+	    rv = SEC_QuickDERDecodeItem(pool, &maskHashAlg,
+		     SEC_ASN1_GET(SECOID_AlgorithmIDTemplate),
+		     ¶m.maskAlg->parameters);
+	    if (rv == SECSuccess) {
+		SECU_PrintObjectID(out, &maskHashAlg.algorithm,
+				   "Mask hash algorithm", level+1);
+	    } else {
+		SECU_Indent(out, level+1);
+		fprintf(out, "Invalid mask generation algorithm parameters\n");
+	    }
+	}
+	if (!param.saltLength.data) {
+	    SECU_Indent(out, level+1);
+	    fprintf(out, "Salt length: default, %i (0x%2X)\n", 20, 20);
+	} else {
+	    SECU_PrintInteger(out, ¶m.saltLength, "Salt Length", level+1);
+	}
+    } else {
+	SECU_Indent(out, level+1);
+	fprintf(out, "Invalid RSA-PSS parameters\n");
+    }
+    PORT_FreeArena(pool, PR_FALSE);
+}
+
 void
 secu_PrintKDF2Params(FILE *out, SECItem *value, char *m, int level)
 {
@@ -1625,7 +1683,11 @@ SECU_PrintAlgorithmID(FILE *out, SECAlgorithmID *a, char *m, int level)
 	}
 	return;
     }
-	
+
+    if (algtag == SEC_OID_PKCS1_RSA_PSS_SIGNATURE) {
+	secu_PrintRSAPSSParams(out, &a->parameters, "Parameters", level+1);
+	return;
+    }
 
     if (a->parameters.len == 0
 	|| (a->parameters.len == 2
@@ -2384,7 +2446,7 @@ printflags(char *trusts, unsigned int flags)
 	if (!(flags & CERTDB_TRUSTED_CA) &&
 	    !(flags & CERTDB_TRUSTED_CLIENT_CA))
 	    PORT_Strcat(trusts, "c");
-    if (flags & CERTDB_VALID_PEER)
+    if (flags & CERTDB_TERMINAL_RECORD)
 	if (!(flags & CERTDB_TRUSTED))
 	    PORT_Strcat(trusts, "p");
     if (flags & CERTDB_TRUSTED_CA)
@@ -3209,8 +3271,8 @@ SECU_PrintPKCS7ContentInfo(FILE *out, SECItem *der, char *m, int level)
 void
 printFlags(FILE *out, unsigned int flags, int level)
 {
-    if ( flags & CERTDB_VALID_PEER ) {
-	SECU_Indent(out, level); fprintf(out, "Valid Peer\n");
+    if ( flags & CERTDB_TERMINAL_RECORD ) {
+	SECU_Indent(out, level); fprintf(out, "Terminal Record\n");
     }
     if ( flags & CERTDB_TRUSTED ) {
 	SECU_Indent(out, level); fprintf(out, "Trusted\n");
@@ -3250,6 +3312,29 @@ SECU_PrintTrustFlags(FILE *out, CERTCertTrust *trust, char *m, int level)
     printFlags(out, trust->objectSigningFlags, level+2);
 }
 
+int SECU_PrintDERName(FILE *out, SECItem *der, const char *m, int level)
+{
+    PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    CERTName *name;
+    int rv = SEC_ERROR_NO_MEMORY;
+
+    if (!arena)
+	return rv;
+
+    name = PORT_ArenaZNew(arena, CERTName);
+    if (!name)
+	goto loser;
+
+    rv = SEC_ASN1DecodeItem(arena, name, SEC_ASN1_GET(CERT_NameTemplate), der);
+    if (rv)
+	goto loser;
+
+    SECU_PrintName(out, name, m, level);
+loser:
+    PORT_FreeArena(arena, PR_FALSE);
+    return rv;
+}
+
 int SECU_PrintSignedData(FILE *out, SECItem *der, const char *m,
 			   int level, SECU_PPFunc inner)
 {
@@ -3281,7 +3366,6 @@ int SECU_PrintSignedData(FILE *out, SECItem *der, const char *m,
 loser:
     PORT_FreeArena(arena, PR_FALSE);
     return rv;
-
 }
 
 SECStatus
@@ -3511,123 +3595,6 @@ SECU_GetOptionArg(const secuCommand *cmd, int optionNum)
 		return NULL;
 }
 
-static char SECUErrorBuf[64];
-
-char *
-SECU_ErrorStringRaw(int16 err)
-{
-    if (err == 0)
-	SECUErrorBuf[0] = '\0';
-    else if (err == SEC_ERROR_BAD_DATA)
-	sprintf(SECUErrorBuf, "Bad data");
-    else if (err == SEC_ERROR_BAD_DATABASE)
-	sprintf(SECUErrorBuf, "Problem with database");
-    else if (err == SEC_ERROR_BAD_DER)
-	sprintf(SECUErrorBuf, "Problem with DER");
-    else if (err == SEC_ERROR_BAD_KEY)
-	sprintf(SECUErrorBuf, "Problem with key");
-    else if (err == SEC_ERROR_BAD_PASSWORD)
-	sprintf(SECUErrorBuf, "Incorrect password");
-    else if (err == SEC_ERROR_BAD_SIGNATURE)
-	sprintf(SECUErrorBuf, "Bad signature");
-    else if (err == SEC_ERROR_EXPIRED_CERTIFICATE)
-	sprintf(SECUErrorBuf, "Expired certificate");
-    else if (err == SEC_ERROR_EXTENSION_VALUE_INVALID)
-	sprintf(SECUErrorBuf, "Invalid extension value");
-    else if (err == SEC_ERROR_INPUT_LEN)
-	sprintf(SECUErrorBuf, "Problem with input length");
-    else if (err == SEC_ERROR_INVALID_ALGORITHM)
-	sprintf(SECUErrorBuf, "Invalid algorithm");
-    else if (err == SEC_ERROR_INVALID_ARGS)
-	sprintf(SECUErrorBuf, "Invalid arguments");
-    else if (err == SEC_ERROR_INVALID_AVA)
-	sprintf(SECUErrorBuf, "Invalid AVA");
-    else if (err == SEC_ERROR_INVALID_TIME)
-	sprintf(SECUErrorBuf, "Invalid time");
-    else if (err == SEC_ERROR_IO)
-	sprintf(SECUErrorBuf, "Security I/O error");
-    else if (err == SEC_ERROR_LIBRARY_FAILURE)
-	sprintf(SECUErrorBuf, "Library failure");
-    else if (err == SEC_ERROR_NO_MEMORY)
-	sprintf(SECUErrorBuf, "Out of memory");
-    else if (err == SEC_ERROR_OLD_CRL)
-	sprintf(SECUErrorBuf, "CRL is older than the current one");
-    else if (err == SEC_ERROR_OUTPUT_LEN)
-	sprintf(SECUErrorBuf, "Problem with output length");
-    else if (err == SEC_ERROR_UNKNOWN_ISSUER)
-	sprintf(SECUErrorBuf, "Unknown issuer");
-    else if (err == SEC_ERROR_UNTRUSTED_CERT)
-	sprintf(SECUErrorBuf, "Untrusted certificate");
-    else if (err == SEC_ERROR_UNTRUSTED_ISSUER)
-	sprintf(SECUErrorBuf, "Untrusted issuer");
-    else if (err == SSL_ERROR_BAD_CERTIFICATE)
-	sprintf(SECUErrorBuf, "Bad certificate");
-    else if (err == SSL_ERROR_BAD_CLIENT)
-	sprintf(SECUErrorBuf, "Bad client");
-    else if (err == SSL_ERROR_BAD_SERVER)
-	sprintf(SECUErrorBuf, "Bad server");
-    else if (err == SSL_ERROR_EXPORT_ONLY_SERVER)
-	sprintf(SECUErrorBuf, "Export only server");
-    else if (err == SSL_ERROR_NO_CERTIFICATE)
-	sprintf(SECUErrorBuf, "No certificate");
-    else if (err == SSL_ERROR_NO_CYPHER_OVERLAP)
-	sprintf(SECUErrorBuf, "No cypher overlap");
-    else if (err == SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE)
-	sprintf(SECUErrorBuf, "Unsupported certificate type");
-    else if (err == SSL_ERROR_UNSUPPORTED_VERSION)
-	sprintf(SECUErrorBuf, "Unsupported version");
-    else if (err == SSL_ERROR_US_ONLY_SERVER)
-	sprintf(SECUErrorBuf, "U.S. only server");
-    else if (err == PR_IO_ERROR)
-	sprintf(SECUErrorBuf, "I/O error");
-
-    else if (err == SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE)
-        sprintf (SECUErrorBuf, "Expired Issuer Certificate");
-    else if (err == SEC_ERROR_REVOKED_CERTIFICATE)
-        sprintf (SECUErrorBuf, "Revoked certificate");
-    else if (err == SEC_ERROR_NO_KEY)
-        sprintf (SECUErrorBuf, "No private key in database for this cert");
-    else if (err == SEC_ERROR_CERT_NOT_VALID)
-        sprintf (SECUErrorBuf, "Certificate is not valid");
-    else if (err == SEC_ERROR_EXTENSION_NOT_FOUND)
-        sprintf (SECUErrorBuf, "Certificate extension was not found");
-    else if (err == SEC_ERROR_EXTENSION_VALUE_INVALID)
-        sprintf (SECUErrorBuf, "Certificate extension value invalid");
-    else if (err == SEC_ERROR_CA_CERT_INVALID)
-        sprintf (SECUErrorBuf, "Issuer certificate is invalid");
-    else if (err == SEC_ERROR_CERT_USAGES_INVALID)
-        sprintf (SECUErrorBuf, "Certificate usages is invalid");
-    else if (err == SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION)
-        sprintf (SECUErrorBuf, "Certificate has unknown critical extension");
-    else if (err == SEC_ERROR_PKCS7_BAD_SIGNATURE)
-        sprintf (SECUErrorBuf, "Bad PKCS7 signature");
-    else if (err == SEC_ERROR_INADEQUATE_KEY_USAGE)
-        sprintf (SECUErrorBuf, "Certificate not approved for this operation");
-    else if (err == SEC_ERROR_INADEQUATE_CERT_TYPE)
-        sprintf (SECUErrorBuf, "Certificate not approved for this operation");
-
-    return SECUErrorBuf;
-}
-
-char *
-SECU_ErrorString(int16 err)
-{
-    char *error_string;
-
-    *SECUErrorBuf = 0;
-    SECU_ErrorStringRaw (err);
-
-    if (*SECUErrorBuf == 0) { 
-	error_string = SECU_GetString(err);
-	if (error_string == NULL || *error_string == '\0') 
-	    sprintf(SECUErrorBuf, "No error string found for %d.",  err);
-	else
-	    return error_string;
-    }
-
-    return SECUErrorBuf;
-}
-
 
 void 
 SECU_PrintPRandOSError(char *progName) 
diff --git a/security/nss/cmd/lib/secutil.h b/security/nss/cmd/lib/secutil.h
index 8a6ab3cd6ba6..c482431b7054 100644
--- a/security/nss/cmd/lib/secutil.h
+++ b/security/nss/cmd/lib/secutil.h
@@ -52,6 +52,7 @@
 #define SEC_CT_CERTIFICATE_REQUEST	"certificate-request"
 #define SEC_CT_PKCS7			"pkcs7"
 #define SEC_CT_CRL			"crl"
+#define SEC_CT_NAME			"name"
 
 #define NS_CERTREQ_HEADER "-----BEGIN NEW CERTIFICATE REQUEST-----"
 #define NS_CERTREQ_TRAILER "-----END NEW CERTIFICATE REQUEST-----"
@@ -259,6 +260,9 @@ extern int SECU_PrintCertificateRequest(FILE *out, SECItem *der, char *m,
 /* Dump contents of certificate */
 extern int SECU_PrintCertificate(FILE *out, SECItem *der, char *m, int level);
 
+/* Dump contents of a DER certificate name (issuer or subject) */
+extern int SECU_PrintDERName(FILE *out, SECItem *der, const char *m, int level);
+
 /* print trust flags on a cert */
 extern void SECU_PrintTrustFlags(FILE *out, CERTCertTrust *trust, char *m, 
                                  int level);
@@ -442,12 +446,6 @@ SECU_GetOptionArg(const secuCommand *cmd, int optionNum);
  *
  */
 
-/* Return informative error string */
-char *SECU_ErrorString(int16 err);
-
-/* Return informative error string. Does not call XP_GetString */
-char *SECU_ErrorStringRaw(int16 err);
-
 void printflags(char *trusts, unsigned int flags);
 
 #if !defined(XP_UNIX) && !defined(XP_OS2)
diff --git a/security/nss/cmd/manifest.mn b/security/nss/cmd/manifest.mn
index 4032e8131501..f71680fe9ebb 100644
--- a/security/nss/cmd/manifest.mn
+++ b/security/nss/cmd/manifest.mn
@@ -48,6 +48,7 @@ DIRS = lib  \
  certcgi \
  certutil  \
  checkcert  \
+ chktest  \
  crlutil  \
  crmftest \
  dbtest \
diff --git a/security/nss/cmd/modutil/install.c b/security/nss/cmd/modutil/install.c
index 10819190c4d7..9f170e2b3bcb 100644
--- a/security/nss/cmd/modutil/install.c
+++ b/security/nss/cmd/modutil/install.c
@@ -36,6 +36,7 @@
 
 #include "install.h"
 #include "install-ds.h"
+#include 
 #include 
 #include 
 #include 
@@ -61,7 +62,7 @@ extern /*"C"*/
 short Pk11Install_UserVerifyJar(JAR *jar, PRFileDesc *out,
 	PRBool query);
 extern /*"C"*/
-const char* mySECU_ErrorString(int16);
+const char* mySECU_ErrorString(PRErrorCode errnum);
 extern 
 int Pk11Install_yyparse();
 
@@ -418,7 +419,7 @@ Pk11Install_DoInstall(char *jarFile, const char *installDir,
 			error(PK11_INSTALL_JAR_ERROR, jarFile, JAR_get_error(status));
 		} else {
 			error(PK11_INSTALL_JAR_ERROR, jarFile,
-			  mySECU_ErrorString((int16) PORT_GetError()) );
+			  mySECU_ErrorString(PORT_GetError()));
 		}
 		ret=PK11_INSTALL_JAR_ERROR;
 		goto loser;
@@ -470,7 +471,7 @@ Pk11Install_DoInstall(char *jarFile, const char *installDir,
 			error(PK11_INSTALL_JAR_EXTRACT, installer, JAR_get_error(status));
 		} else {
 			error(PK11_INSTALL_JAR_EXTRACT, installer,
-			  mySECU_ErrorString((int16) PORT_GetError()) );
+			  mySECU_ErrorString(PORT_GetError()));
 		}
 		ret = PK11_INSTALL_JAR_EXTRACT;
 		goto loser;
@@ -692,7 +693,7 @@ DoInstall(JAR *jar, const char *installDir, const char *tempDir,
                   JAR_get_error(status));
 			} else {
 				error(PK11_INSTALL_JAR_EXTRACT, file->jarPath,
-				  mySECU_ErrorString((int16) PORT_GetError()) );
+				  mySECU_ErrorString(PORT_GetError()));
 			}
 			ret=PK11_INSTALL_JAR_EXTRACT;
 			goto loser;
diff --git a/security/nss/cmd/modutil/instsec.c b/security/nss/cmd/modutil/instsec.c
index cfc0082342d4..9914b2f323e0 100644
--- a/security/nss/cmd/modutil/instsec.c
+++ b/security/nss/cmd/modutil/instsec.c
@@ -35,6 +35,7 @@
  * ***** END LICENSE BLOCK ***** */
 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -175,7 +176,7 @@ PR_fgets(char *buf, int size, PRFileDesc *file)
  * m y S E C U _ E r r o r S t r i n g
  *
  */
-const char* mySECU_ErrorString(int16 errnum)
+const char* mySECU_ErrorString(PRErrorCode errnum)
 {
 	return SECU_Strerror(errnum);
 }
diff --git a/security/nss/cmd/pk11mode/pk11mode.c b/security/nss/cmd/pk11mode/pk11mode.c
index 279809f6ceed..761eb5402256 100644
--- a/security/nss/cmd/pk11mode/pk11mode.c
+++ b/security/nss/cmd/pk11mode/pk11mode.c
@@ -883,18 +883,21 @@ CK_RV PKM_KeyTests(CK_FUNCTION_LIST_PTR pFunctionList,
 
     mech_str digestMechs[] = {
         {CKM_SHA_1, "CKM_SHA_1 "},
+        {CKM_SHA224, "CKM_SHA224"},
         {CKM_SHA256, "CKM_SHA256"},
         {CKM_SHA384, "CKM_SHA384"},
         {CKM_SHA512, "CKM_SHA512"}
     };
     mech_str hmacMechs[] = {
         {CKM_SHA_1_HMAC, "CKM_SHA_1_HMAC"}, 
+        {CKM_SHA224_HMAC, "CKM_SHA224_HMAC"},
         {CKM_SHA256_HMAC, "CKM_SHA256_HMAC"},
         {CKM_SHA384_HMAC, "CKM_SHA384_HMAC"},
         {CKM_SHA512_HMAC, "CKM_SHA512_HMAC"}
     };
     mech_str sigRSAMechs[] = {
         {CKM_SHA1_RSA_PKCS, "CKM_SHA1_RSA_PKCS"}, 
+        {CKM_SHA224_RSA_PKCS, "CKM_SHA224_RSA_PKCS"},
         {CKM_SHA256_RSA_PKCS, "CKM_SHA256_RSA_PKCS"},
         {CKM_SHA384_RSA_PKCS, "CKM_SHA384_RSA_PKCS"},
         {CKM_SHA512_RSA_PKCS, "CKM_SHA512_RSA_PKCS"}
@@ -5123,7 +5126,7 @@ CK_RV PKM_Digest(CK_FUNCTION_LIST_PTR pFunctionList,
     CK_BYTE digest2[MAX_DIGEST_SZ];
     CK_ULONG digest2Len = 0;
 
-    /* Tested with CKM_SHA_1, CKM_SHA256, CKM_SHA384, CKM_SHA512 */
+    /* Tested with CKM_SHA_1, CKM_SHA224, CKM_SHA256, CKM_SHA384, CKM_SHA512 */
 
     memset(digest1, 0, sizeof(digest1));
     memset(digest2, 0, sizeof(digest2));
diff --git a/security/nss/cmd/pk12util/pk12util.c b/security/nss/cmd/pk12util/pk12util.c
index 686d9036c465..bdca3c8f490a 100644
--- a/security/nss/cmd/pk12util/pk12util.c
+++ b/security/nss/cmd/pk12util/pk12util.c
@@ -560,17 +560,17 @@ loser:
 static void
 p12u_DoPKCS12ExportErrors()
 {
-    int error_value;
+    PRErrorCode error_value;
 
     error_value = PORT_GetError();
     if ((error_value == SEC_ERROR_PKCS12_UNABLE_TO_EXPORT_KEY) ||
 	(error_value == SEC_ERROR_PKCS12_UNABLE_TO_LOCATE_OBJECT_BY_NAME) ||
 	(error_value == SEC_ERROR_PKCS12_UNABLE_TO_WRITE)) {
-	fputs(SECU_ErrorStringRaw((int16)error_value), stderr);
+	fputs(SECU_Strerror(error_value), stderr);
     } else if(error_value == SEC_ERROR_USER_CANCELLED) {
 	;
     } else {
-	fputs(SECU_ErrorStringRaw(SEC_ERROR_EXPORTING_CERTIFICATES), stderr);
+	fputs(SECU_Strerror(SEC_ERROR_EXPORTING_CERTIFICATES), stderr);
     }
 }
 
diff --git a/security/nss/cmd/pp/pp.c b/security/nss/cmd/pp/pp.c
index 1d3b2c0819cf..dc777b207e35 100644
--- a/security/nss/cmd/pp/pp.c
+++ b/security/nss/cmd/pp/pp.c
@@ -38,7 +38,7 @@
  * Pretty-print some well-known BER or DER encoded data (e.g. certificates,
  * keys, pkcs7)
  *
- * $Id: pp.c,v 1.9 2007/09/25 03:46:23 nelson%bolyard.com Exp $
+ * $Id: pp.c,v 1.10 2010/09/03 19:25:02 nelson%bolyard.com Exp $
  */
 
 #include "secutil.h"
@@ -62,7 +62,8 @@ static void Usage(char *progName)
 	    "-t type", SEC_CT_PRIVATE_KEY);
     fprintf(stderr, "%-20s %s, %s, %s,\n", "", SEC_CT_PUBLIC_KEY,
 	    SEC_CT_CERTIFICATE, SEC_CT_CERTIFICATE_REQUEST);
-    fprintf(stderr, "%-20s %s or %s)\n", "", SEC_CT_PKCS7, SEC_CT_CRL);    
+    fprintf(stderr, "%-20s %s, %s or %s)\n", "", SEC_CT_PKCS7, SEC_CT_CRL,
+            SEC_CT_NAME);    
     fprintf(stderr, "%-20s Input is in ascii encoded form (RFC1113)\n",
 	    "-a");
     fprintf(stderr, "%-20s Define an input file to use (default is stdin)\n",
@@ -166,6 +167,8 @@ int main(int argc, char **argv)
     } else if (PORT_Strcmp(typeTag, SEC_CT_PKCS7) == 0) {
 	rv = SECU_PrintPKCS7ContentInfo(outFile, &data,
 					"PKCS #7 Content Info", 0);
+    } else if (PORT_Strcmp(typeTag, SEC_CT_NAME) == 0) {
+	rv = SECU_PrintDERName(outFile, &data, "Name", 0);
     } else {
 	fprintf(stderr, "%s: don't know how to print out '%s' files\n",
 		progName, typeTag);
diff --git a/security/nss/cmd/ppcertdata/Makefile b/security/nss/cmd/ppcertdata/Makefile
new file mode 100644
index 000000000000..8abac8cdbc5d
--- /dev/null
+++ b/security/nss/cmd/ppcertdata/Makefile
@@ -0,0 +1,80 @@
+#! gmake
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2010
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../platlibs.mk
+
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+include ../platrules.mk
+
diff --git a/nsprpub/lib/msgc/include/Makefile.in b/security/nss/cmd/ppcertdata/manifest.mn
similarity index 76%
rename from nsprpub/lib/msgc/include/Makefile.in
rename to security/nss/cmd/ppcertdata/manifest.mn
index 86e152a590b7..1912208bb2a8 100644
--- a/nsprpub/lib/msgc/include/Makefile.in
+++ b/security/nss/cmd/ppcertdata/manifest.mn
@@ -12,14 +12,15 @@
 # for the specific language governing rights and limitations under the
 # License.
 #
-# The Original Code is the Netscape Portable Runtime (NSPR).
+# The Original Code is the Netscape security libraries.
 #
 # The Initial Developer of the Original Code is
 # Netscape Communications Corporation.
-# Portions created by the Initial Developer are Copyright (C) 1998-2000
+# Portions created by the Initial Developer are Copyright (C) 1994-2010
 # the Initial Developer. All Rights Reserved.
 #
 # Contributor(s):
+#	Nelson Bolyard 
 #
 # Alternatively, the contents of this file may be used under the terms of
 # either the GNU General Public License Version 2 or later (the "GPL"), or
@@ -35,23 +36,20 @@
 #
 # ***** END LICENSE BLOCK *****
 
-#! gmake
+CORE_DEPTH	= ../../..
 
-MOD_DEPTH	= ../../..
-topsrcdir	= @top_srcdir@
-srcdir		= @srcdir@
-VPATH		= @srcdir@
+# MODULE public and private header  directories are implicitly REQUIRED.
+MODULE = nss 
 
-include $(MOD_DEPTH)/config/autoconf.mk
-include $(topsrcdir)/config/config.mk
+# This next line is used by .mk files
+# and gets translated into $LINCS in manifest.mnw
+# The MODULE is always implicitly required.
+# Listing it here in REQUIRES makes it appear twice in the cc command line.
+REQUIRES = seccmd 
 
-EXPORT_HEADERS = prgc.h
-HEADERS = $(EXPORT_HEADERS) gcint.h
+#DEFINES = -DNSPR20
 
-RELEASE_HEADERS = $(EXPORT_HEADERS)
-RELEASE_HEADERS_DEST = $(RELEASE_INCLUDE_DIR)
+CSRCS = ppcertdata.c
 
-include $(topsrcdir)/config/rules.mk
+PROGRAM	= ppcertdata
 
-export:: $(EXPORT_HEADERS)
-	$(INSTALL) -m 444 $(EXPORT_HEADERS) $(dist_includedir)
diff --git a/security/nss/cmd/ppcertdata/ppcertdata.c b/security/nss/cmd/ppcertdata/ppcertdata.c
new file mode 100644
index 000000000000..0e74c046aa87
--- /dev/null
+++ b/security/nss/cmd/ppcertdata/ppcertdata.c
@@ -0,0 +1,132 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the CertData.txt review helper program.
+ *
+ * The Initial Developer of the Original Code is
+ * Nelson Bolyard
+ * Portions created by the Initial Developer are Copyright (C) 2009-2010
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include 
+#include 
+#include 
+#include 
+#include "secutil.h"
+#include "nss.h"
+
+unsigned char  binary_line[64 * 1024];
+
+int
+main(int argc, const char ** argv)
+{
+    int            skip_count = 0;
+    int            bytes_read;
+    char           line[133];
+
+    if (argc > 1) {
+    	skip_count = atoi(argv[1]);
+    }
+    if (argc > 2 || skip_count < 0) {
+        printf("Usage: %s [ skip_columns ] \n", argv[0]);
+	return 1;
+    }
+
+    NSS_NoDB_Init(NULL);
+
+    while (fgets(line, 132, stdin) && (bytes_read = strlen(line)) > 0 ) {
+	int    bytes_written;
+	char * found;
+	char * in          = line       + skip_count; 
+	int    left        = bytes_read - skip_count;
+	int    is_cert;
+	int    is_serial;
+	int    is_name;
+	int    is_hash;
+	int    use_pp      = 0;
+	int    out = 0;
+	SECItem der = {siBuffer, NULL, 0 };
+
+	line[bytes_read] = 0;
+	if (bytes_read <= skip_count) 
+	    continue;
+	fwrite(in, 1, left, stdout);
+	found = strstr(in, "MULTILINE_OCTAL");
+	if (!found) 
+	    continue;
+	fflush(stdout);
+
+	is_cert   = (NULL != strstr(in, "CKA_VALUE"));
+	is_serial = (NULL != strstr(in, "CKA_SERIAL_NUMBER"));
+	is_name   = (NULL != strstr(in, "CKA_ISSUER")) ||
+		    (NULL != strstr(in, "CKA_SUBJECT"));
+	is_hash   = (NULL != strstr(in, "_HASH"));
+	while (fgets(line, 132, stdin) && 
+	       (bytes_read = strlen(line)) > 0 ) {
+	    in   = line       + skip_count; 
+	    left = bytes_read - skip_count;
+
+	    if ((left >= 3) && !strncmp(in, "END", 3))
+		break;
+	    while (left >= 4) {
+		if (in[0] == '\\'  && isdigit(in[1]) && 
+		    isdigit(in[2]) && isdigit(in[3])) {
+		    left -= 4;
+		    binary_line[out++] = ((in[1] - '0') << 6) |
+					 ((in[2] - '0') << 3) | 
+					  (in[3] - '0');
+		    in += 4;
+		} else 
+		    break;
+	    }
+	}
+	der.data = binary_line;
+	der.len  = out;
+	if (is_cert)
+	    SECU_PrintSignedData(stdout, &der, "Certificate", 0,
+				 SECU_PrintCertificate);
+	else if (is_name)
+	    SECU_PrintDERName(stdout, &der, "Name", 0);
+	else if (is_serial) {
+	    if (out > 2 && binary_line[0] == 2 &&
+	        out == 2 + binary_line[1]) {
+		der.data += 2;
+		der.len  -= 2;
+		SECU_PrintInteger(stdout, &der, "DER Serial Number", 0);
+	    } else
+		SECU_PrintInteger(stdout, &der, "Raw Serial Number", 0);
+	} else if (is_hash) 
+	    SECU_PrintAsHex(stdout, &der, "Hash", 0);
+	else 
+	    SECU_PrintBuf(stdout, "Other", binary_line, out);
+    }
+    NSS_Shutdown();
+    return 0;
+}
+
diff --git a/security/nss/cmd/selfserv/selfserv.c b/security/nss/cmd/selfserv/selfserv.c
index bd1d47b4cedc..d78881de2548 100644
--- a/security/nss/cmd/selfserv/selfserv.c
+++ b/security/nss/cmd/selfserv/selfserv.c
@@ -1491,18 +1491,14 @@ getBoundListenSocket(unsigned short port)
     PRStatus	       prStatus;
     PRNetAddr          addr;
     PRSocketOptionData opt;
-    PRUint16           socketDomain = PR_AF_INET;
 
     addr.inet.family = PR_AF_INET;
     addr.inet.ip     = PR_INADDR_ANY;
     addr.inet.port   = PR_htons(port);
 
-    if (PR_GetEnv("NSS_USE_SDP")) {
-        socketDomain = PR_AF_INET_SDP;
-    }
-    listen_sock = PR_OpenTCPSocket(socketDomain);
+    listen_sock = PR_NewTCPSocket();
     if (listen_sock == NULL) {
-        errExit("PR_OpenTCPSocket error");
+	errExit("PR_NewTCPSocket");
     }
 
     opt.option = PR_SockOpt_Nonblocking;
diff --git a/security/nss/cmd/shlibsign/manifest.mn b/security/nss/cmd/shlibsign/manifest.mn
index ca460771fd65..27c88e65e297 100644
--- a/security/nss/cmd/shlibsign/manifest.mn
+++ b/security/nss/cmd/shlibsign/manifest.mn
@@ -46,9 +46,6 @@ CSRCS = \
 	shlibsign.c \
 	$(NULL)
 
-# headers for the MODULE (defined above) are implicitly required.
-REQUIRES = dbm seccmd
-
 # WINNT uses EXTRA_LIBS as the list of libs to link in.
 # Unix uses     OS_LIBS for that purpose.
 # We can solve this via conditional makefile code, but 
diff --git a/security/nss/cmd/shlibsign/shlibsign.c b/security/nss/cmd/shlibsign/shlibsign.c
index 722cb15a5b35..e4bf4c79bf82 100644
--- a/security/nss/cmd/shlibsign/shlibsign.c
+++ b/security/nss/cmd/shlibsign/shlibsign.c
@@ -46,7 +46,7 @@
  * compute the checksum for the NSS cryptographic boundary libraries
  * and compare the checksum with the value in .chk file.
  *
- * $Id: shlibsign.c,v 1.18.20.1 2011/04/08 04:04:27 wtc%google.com Exp $
+ * $Id: shlibsign.c,v 1.19 2011/04/08 04:02:53 wtc%google.com Exp $
  */
 
 #ifdef XP_UNIX
diff --git a/security/nss/cmd/signtool/sign.c b/security/nss/cmd/signtool/sign.c
index 93b2d552ac27..a987846d8d48 100644
--- a/security/nss/cmd/signtool/sign.c
+++ b/security/nss/cmd/signtool/sign.c
@@ -306,7 +306,7 @@ create_pk7 (char *dir, char *keyName, int *keyType)
 
     if (status) {
 	PR_fprintf(errorFD, "%s: PROBLEM signing data (%s)\n",
-	    PROGRAM_NAME, SECU_ErrorString ((int16) PORT_GetError()));
+	    PROGRAM_NAME, SECU_Strerror(PORT_GetError()));
 	errorCount++;
 	return - 1;
     }
diff --git a/security/nss/cmd/signtool/util.c b/security/nss/cmd/signtool/util.c
index be780d29b293..395ce29e0861 100644
--- a/security/nss/cmd/signtool/util.c
+++ b/security/nss/cmd/signtool/util.c
@@ -50,7 +50,7 @@ long	*mozilla_event_queue = 0;
 #ifndef XP_WIN
 char	*XP_GetString (int i)
 {
-    return SECU_ErrorStringRaw ((int16) i);
+    return SECU_Strerror (i);
 }
 #endif
 
diff --git a/security/nss/cmd/signtool/verify.c b/security/nss/cmd/signtool/verify.c
index 302e9d4971af..a3f698bb6c07 100644
--- a/security/nss/cmd/signtool/verify.c
+++ b/security/nss/cmd/signtool/verify.c
@@ -84,7 +84,7 @@ VerifyJar(char *filename)
 	    if (status >= JAR_BASE && status <= JAR_BASE_END) {
 		errtext = JAR_get_error (status);
 	    } else {
-		errtext = SECU_ErrorString ((int16) PORT_GetError());
+		errtext = SECU_Strerror(PORT_GetError());
 	    }
 
 	    PR_fprintf(outputFD, "  (reported reason: %s)\n\n",
@@ -315,7 +315,7 @@ JarWho(char *filename)
 	    if (status >= JAR_BASE && status <= JAR_BASE_END) {
 		errtext = JAR_get_error (status);
 	    } else {
-		errtext = SECU_ErrorString ((int16) PORT_GetError());
+		errtext = SECU_Strerror(PORT_GetError());
 	    }
 
 	    PR_fprintf(outputFD, "  (reported reason: %s)\n\n", errtext);
diff --git a/security/nss/cmd/signver/signver.c b/security/nss/cmd/signver/signver.c
index cff5272f0dc5..cf1fc485d57c 100644
--- a/security/nss/cmd/signver/signver.c
+++ b/security/nss/cmd/signver/signver.c
@@ -320,7 +320,7 @@ int main(int argc, char **argv)
 		fprintf(outFile, "no");
 		if (verbose) {
 		    fprintf(outFile, ":%s",
-			    SECU_ErrorString((int16)PORT_GetError()));
+			    SECU_Strerror(PORT_GetError()));
 		}
 	    }
 	    fprintf(outFile, "\n");
diff --git a/security/nss/cmd/strsclnt/strsclnt.c b/security/nss/cmd/strsclnt/strsclnt.c
index 2e768ec4b775..b54d2e25547d 100644
--- a/security/nss/cmd/strsclnt/strsclnt.c
+++ b/security/nss/cmd/strsclnt/strsclnt.c
@@ -280,7 +280,7 @@ mySSLAuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig,
 static SECStatus
 myBadCertHandler( void *arg, PRFileDesc *fd)
 {
-    int err = PR_GetError();
+    PRErrorCode err = PR_GetError();
     if (!MakeCertOK)
 	fprintf(stderr, 
 	    "strsclnt: -- SSL: Server Certificate Invalid, err %d.\n%s\n", 
@@ -360,7 +360,7 @@ printSecurityInfo(PRFileDesc *fd)
 
 #define MAX_THREADS 128
 
-typedef int startFn(void *a, void *b, int c, int d);
+typedef int startFn(void *a, void *b, int c);
 
 
 static PRInt32     numConnected;
@@ -374,7 +374,6 @@ typedef struct perThreadStr {
     startFn  *  startFunc;
     PRThread *  prThread;
     PRBool	inUse;
-    PRInt32     socketDomain;
 } perThread;
 
 perThread threads[MAX_THREADS];
@@ -430,8 +429,7 @@ thread_wrapper(void * arg)
         }
         PR_Unlock(threadLock);
         if (doop) {
-            slot->rv = (* slot->startFunc)(slot->a, slot->b, slot->tid,
-                                           slot->socketDomain);
+            slot->rv = (* slot->startFunc)(slot->a, slot->b, slot->tid);
             PRINTF("strsclnt: Thread in slot %d returned %d\n", 
                    slot->tid, slot->rv);
         }
@@ -446,8 +444,7 @@ launch_thread(
     startFn *	startFunc,
     void *	a,
     void *	b,
-    int         tid,
-    int         sockDom)
+    int         tid)
 {
     PRUint32 i;
     perThread * slot;
@@ -465,8 +462,7 @@ launch_thread(
     slot->a = a;
     slot->b = b;
     slot->tid = tid;
-    slot->socketDomain = sockDom;
-    
+
     slot->startFunc = startFunc;
 
     slot->prThread      = PR_CreateThread(PR_USER_THREAD,
@@ -589,8 +585,7 @@ int
 do_writes(
     void *       a,
     void *       b,
-    int          c,
-    int          d)
+    int          c)
 {
     PRFileDesc *	ssl_sock	= (PRFileDesc *)a;
     lockedVars *	lv 		= (lockedVars *)b;
@@ -632,7 +627,7 @@ handle_fdx_connection( PRFileDesc * ssl_sock, int connection)
     lockedVars_AddToCount(&lv, 1);
 
     /* Attempt to launch the writer thread. */
-    result = launch_thread(do_writes, ssl_sock, &lv, connection, -1 /*not used*/);
+    result = launch_thread(do_writes, ssl_sock, &lv, connection);
 
     if (result != SECSuccess) 
     	goto cleanup;
@@ -751,8 +746,7 @@ int
 do_connects(
     void *	a,
     void *	b,
-    int         tid,
-    PRInt32     socketDomain)
+    int         tid)
 {
     PRNetAddr  *        addr		= (PRNetAddr *)  a;
     PRFileDesc *        model_sock	= (PRFileDesc *) b;
@@ -766,7 +760,7 @@ do_connects(
 
 retry:
 
-    tcp_sock = PR_OpenTCPSocket(socketDomain);
+    tcp_sock = PR_OpenTCPSocket(addr->raw.family);
     if (tcp_sock == NULL) {
 	errExit("PR_OpenTCPSocket");
     }
@@ -1094,7 +1088,6 @@ client_main(
     int         rv;
     PRStatus    status;
     PRNetAddr   addr;
-    PRInt32    socketDomain;
 
     status = PR_StringToNetAddr(hostName, &addr);
     if (status == PR_SUCCESS) {
@@ -1122,13 +1115,6 @@ client_main(
 	}
     }
 
-    /* check if SDP is going to be used */
-    if (!PR_GetEnv("NSS_USE_SDP")) {
-        socketDomain = addr.raw.family;
-    } else {
-        socketDomain = PR_AF_INET_SDP;
-    }
-
     /* all suites except RSA_NULL_MD5 are enabled by Domestic Policy */
     NSS_SetDomesticPolicy();
 
@@ -1185,8 +1171,8 @@ client_main(
     }
 
     /* configure model SSL socket. */
-    
-    model_sock = PR_OpenTCPSocket(socketDomain);
+
+    model_sock = PR_OpenTCPSocket(addr.raw.family);
     if (model_sock == NULL) {
 	errExit("PR_OpenTCPSocket for model socket");
     }
@@ -1290,7 +1276,7 @@ client_main(
 
     if (!NoReuse) {
         remaining_connections = 1;
-	rv = launch_thread(do_connects, &addr, model_sock, 0, socketDomain);
+	rv = launch_thread(do_connects, &addr, model_sock, 0);
 	/* wait for the first connection to terminate, then launch the rest. */
 	reap_threads();
         remaining_connections = total_connections - 1 ;
@@ -1299,7 +1285,7 @@ client_main(
         active_threads  = PR_MIN(active_threads, remaining_connections);
 	/* Start up the threads */
 	for (i=0;i
+
+#include "secasn1.h"
+
+struct TestCase {
+    long value;
+    unsigned char data[5];
+    unsigned int len;
+};
+
+static struct TestCase testCase[] = {
+    /* XXX NSS doesn't generate the shortest encoding for negative values. */
+#if 0
+    { -128, { 0x80 }, 1 },
+    { -129, { 0xFF, 0x7F }, 2 },
+#endif
+
+    { 0, { 0x00 }, 1 },
+    { 127, { 0x7F }, 1 },
+    { 128, { 0x00, 0x80 }, 2 },
+    { 256, { 0x01, 0x00 }, 2 },
+    { 32768, { 0x00, 0x80, 0x00 }, 3 }
+};
+
+int main()
+{
+    PRBool failed = PR_FALSE;
+    unsigned int i;
+    unsigned int j;
+
+    for (i = 0; i < sizeof(testCase)/sizeof(testCase[0]); i++) {
+        SECItem encoded;
+        if (SEC_ASN1EncodeInteger(NULL, &encoded, testCase[i].value) == NULL) {
+            fprintf(stderr, "SEC_ASN1EncodeInteger failed\n");
+            failed = PR_TRUE;
+            continue;
+        }
+        if (encoded.len != testCase[i].len ||
+            memcmp(encoded.data, testCase[i].data, encoded.len) != 0) {
+            fprintf(stderr, "Encoding of %ld is incorrect:",
+                    testCase[i].value);
+            for (j = 0; j < encoded.len; j++) {
+                fprintf(stderr, " 0x%02X", (unsigned int)encoded.data[j]);
+            } 
+            fputs("\n", stderr);
+            failed = PR_TRUE;
+        }
+        PORT_Free(encoded.data);
+    }
+
+    if (failed) {
+        fprintf(stderr, "FAIL\n");
+        return 1;
+    }
+    printf("PASS\n");
+    return 0;
+}
diff --git a/security/nss/cmd/tests/manifest.mn b/security/nss/cmd/tests/manifest.mn
index efe5bf21fbe9..cce740b8ecd4 100644
--- a/security/nss/cmd/tests/manifest.mn
+++ b/security/nss/cmd/tests/manifest.mn
@@ -44,6 +44,7 @@ CSRCS = \
 	baddbdir.c \
 	conflict.c \
 	dertimetest.c \
+	encodeinttest.c \
 	nonspr10.c \
 	remtest.c \
 	$(NULL)
diff --git a/security/nss/cmd/tstclnt/tstclnt.c b/security/nss/cmd/tstclnt/tstclnt.c
index 1e0453145f24..55684e685fa4 100644
--- a/security/nss/cmd/tstclnt/tstclnt.c
+++ b/security/nss/cmd/tstclnt/tstclnt.c
@@ -538,7 +538,6 @@ int main(int argc, char **argv)
     PLOptState *optstate;
     PLOptStatus optstatus;
     PRStatus prStatus;
-    PRUint16           socketDomain;
 
     progName = strrchr(argv[0], '/');
     if (!progName)
@@ -700,17 +699,11 @@ int main(int argc, char **argv)
 
     printHostNameAndAddr(host, &addr);
 
-    /* check if SDP is going to be used */
-    if (!PR_GetEnv("NSS_USE_SDP")) {
-        socketDomain = addr.raw.family;
-    } else {
-        socketDomain = PR_AF_INET_SDP;
-    }
     if (pingServerFirst) {
 	int iter = 0;
 	PRErrorCode err;
 	do {
-	    s = PR_OpenTCPSocket(socketDomain);
+	    s = PR_OpenTCPSocket(addr.raw.family);
 	    if (s == NULL) {
 		SECU_PrintError(progName, "Failed to create a TCP socket");
 	    }
@@ -748,7 +741,7 @@ int main(int argc, char **argv)
     }
 
     /* Create socket */
-    s = PR_OpenTCPSocket(socketDomain);
+    s = PR_OpenTCPSocket(addr.raw.family);
     if (s == NULL) {
 	SECU_PrintError(progName, "error creating socket");
 	return 1;
diff --git a/security/nss/cmd/vfychain/vfychain.c b/security/nss/cmd/vfychain/vfychain.c
index 32612e3efe43..9bf6ca643222 100644
--- a/security/nss/cmd/vfychain/vfychain.c
+++ b/security/nss/cmd/vfychain/vfychain.c
@@ -129,11 +129,8 @@ Usage(const char *progName)
 void
 errWarn(char *function)
 {
-    PRErrorCode  errorNumber = PR_GetError();
-    const char * errorString = SECU_Strerror(errorNumber);
-
-    fprintf(stderr, "Error in function %s: %d\n - %s\n",
-		    function, errorNumber, errorString);
+    fprintf(stderr, "Error in function %s: %s\n",
+		    function, SECU_Strerror(PR_GetError()));
 }
 
 void
@@ -210,7 +207,7 @@ getCert(const char *name, PRBool isAscii, const char * progName)
      * open a file with such name and get the cert from there.*/
     fd = PR_Open(name, PR_RDONLY, 0777); 
     if (!fd) {
-	PRIntn err = PR_GetError();
+	PRErrorCode err = PR_GetError();
     	fprintf(stderr, "open of %s failed, %d = %s\n", 
 	        name, err, SECU_Strerror(err));
 	return cert;
@@ -233,7 +230,7 @@ getCert(const char *name, PRBool isAscii, const char * progName)
                                    PR_FALSE /* isPerm */, 
 				   PR_TRUE  /* copyDER */);
     if (!cert) {
-	PRIntn err = PR_GetError();
+	PRErrorCode err = PR_GetError();
 	fprintf(stderr, "couldn't import %s, %d = %s\n",
 	        name, err, SECU_Strerror(err));
     }
@@ -538,12 +535,12 @@ breakout:
     if (usePkix < 2) {
         if (oidStr) {
             fprintf(stderr, "Policy oid(-o) can be used only with"
-                    " CERT_PKIXVerifyChain(-pp) function.\n");
+                    " CERT_PKIXVerifyCert(-pp) function.\n");
             Usage(progName);
         }
         if (trusted) {
             fprintf(stderr, "Cert trust flag can be used only with"
-                    " CERT_PKIXVerifyChain(-pp) function.\n");
+                    " CERT_PKIXVerifyCert(-pp) function.\n");
             Usage(progName);
         }
     }
@@ -586,7 +583,7 @@ breakout:
 	case  0  : /* positional parameter */
             if (usePkix < 2 && trusted) {
                 fprintf(stderr, "Cert trust flag can be used only with"
-                        " CERT_PKIXVerifyChain(-pp) function.\n");
+                        " CERT_PKIXVerifyCert(-pp) function.\n");
                 Usage(progName);
             }
 	    cert = getCert(optstate->value, isAscii, progName);
@@ -788,6 +785,7 @@ punt:
     if (pwdata.data) {
         PORT_Free(pwdata.data);
     }
+    PL_ArenaFinish();
     PR_Cleanup();
     return rv;
 }
diff --git a/security/nss/lib/certdb/alg1485.c b/security/nss/lib/certdb/alg1485.c
index 74f6868d8f74..80f343273a81 100644
--- a/security/nss/lib/certdb/alg1485.c
+++ b/security/nss/lib/certdb/alg1485.c
@@ -103,12 +103,19 @@ static const NameToKind name2kinds[] = {
 
 /* legacy keywords */
     { "E",             128, SEC_OID_PKCS9_EMAIL_ADDRESS,SEC_ASN1_IA5_STRING},
-
-#if 0 /* removed.  Not yet in any IETF draft or RFC. */
+    { "STREET",        128, SEC_OID_AVA_STREET_ADDRESS, SEC_ASN1_DS},
     { "pseudonym",      64, SEC_OID_AVA_PSEUDONYM,      SEC_ASN1_DS},
-#endif
 
-    { 0,           256, SEC_OID_UNKNOWN                      , 0},
+/* values defined by the CAB Forum for EV */
+    { "incorporationLocality", 128, SEC_OID_EV_INCORPORATION_LOCALITY,
+                                                        SEC_ASN1_DS},
+    { "incorporationState",    128, SEC_OID_EV_INCORPORATION_STATE,
+                                                        SEC_ASN1_DS},
+    { "incorporationCountry",    2, SEC_OID_EV_INCORPORATION_COUNTRY,
+                                                    SEC_ASN1_PRINTABLE_STRING},
+    { "businessCategory",       64, SEC_OID_BUSINESS_CATEGORY, SEC_ASN1_DS},
+
+    { 0,               256, SEC_OID_UNKNOWN,            0},
 };
 
 /* Table facilitates conversion of ASCII hex to binary. */
diff --git a/security/nss/lib/certdb/cert.h b/security/nss/lib/certdb/cert.h
index 790abfb0213f..4b02f08ea82f 100644
--- a/security/nss/lib/certdb/cert.h
+++ b/security/nss/lib/certdb/cert.h
@@ -37,7 +37,7 @@
 /*
  * cert.h - public data structures and prototypes for the certificate library
  *
- * $Id: cert.h,v 1.80.2.3 2011/04/08 22:54:34 kaie%kuix.de Exp $
+ * $Id: cert.h,v 1.86 2011/07/24 13:48:09 wtc%google.com Exp $
  */
 
 #ifndef _CERT_H_
@@ -297,13 +297,6 @@ CERT_GetCertificateRequestExtensions(CERTCertificateRequest *req,
 */
 extern SECKEYPublicKey *CERT_ExtractPublicKey(CERTCertificate *cert);
 
-/*
- * used to get a public key with Key Material ID. Only used for fortezza V1
- * certificates.
- */
-extern SECKEYPublicKey *CERT_KMIDPublicKey(CERTCertificate *cert);
-
-
 /*
 ** Retrieve the Key Type associated with the cert we're dealing with
 */
@@ -450,12 +443,12 @@ extern SECStatus CERT_AddOKDomainName(CERTCertificate *cert, const char *hostnam
 extern CERTCertificate *
 CERT_DecodeDERCertificate (SECItem *derSignedCert, PRBool copyDER, char *nickname);
 /*
-** Decode a DER encoded CRL/KRL into an CERTSignedCrl structure
-**	"derSignedCrl" is the DER encoded signed crl/krl.
-**	"type" is this a CRL or KRL.
+** Decode a DER encoded CRL into a CERTSignedCrl structure
+**	"derSignedCrl" is the DER encoded signed CRL.
+**	"type" must be SEC_CRL_TYPE.
 */
 #define SEC_CRL_TYPE	1
-#define SEC_KRL_TYPE	0
+#define SEC_KRL_TYPE	0 /* deprecated */
 
 extern CERTSignedCrl *
 CERT_DecodeDERCrl (PLArenaPool *arena, SECItem *derSignedCrl,int type);
@@ -521,12 +514,6 @@ SECStatus CERT_CacheCRL(CERTCertDBHandle* dbhandle, SECItem* newcrl);
 */
 SECStatus CERT_UncacheCRL(CERTCertDBHandle* dbhandle, SECItem* oldcrl);
 
-/*
-** Decode a certificate and put it into the temporary certificate database
-*/
-extern CERTCertificate *
-CERT_DecodeCertificate (SECItem *derCert, char *nickname,PRBool copyDER);
-
 /*
 ** Find a certificate in the database
 **	"key" is the database key to look for
@@ -1306,9 +1293,6 @@ CERTGeneralName *
 CERT_GetConstrainedCertificateNames(CERTCertificate *cert, PLArenaPool *arena,
                                     PRBool includeSubjectCommonName);
 
-char *
-CERT_GetNickName(CERTCertificate   *cert, CERTCertDBHandle *handle, PLArenaPool *nicknameArena);
-
 /*
  * Creates or adds to a list of all certs with a give subject name, sorted by
  * validity time, newest first.  Invalid certs are considered older than
diff --git a/security/nss/lib/certdb/certdb.c b/security/nss/lib/certdb/certdb.c
index a4b6dd64cb1e..ad821150e218 100644
--- a/security/nss/lib/certdb/certdb.c
+++ b/security/nss/lib/certdb/certdb.c
@@ -39,7 +39,7 @@
 /*
  * Certificate handling code
  *
- * $Id: certdb.c,v 1.104.2.5 2011/08/05 01:16:27 wtc%google.com Exp $
+ * $Id: certdb.c,v 1.116 2011/08/05 01:13:14 wtc%google.com Exp $
  */
 
 #include "nssilock.h"
@@ -481,57 +481,6 @@ GetKeyUsage(CERTCertificate *cert)
 }
 
 
-/*
- * determine if a fortezza V1 Cert is a CA or not.
- */
-static PRBool
-fortezzaIsCA( CERTCertificate *cert) {
-    PRBool isCA = PR_FALSE;
-    CERTSubjectPublicKeyInfo *spki = &cert->subjectPublicKeyInfo;
-    int tag;
-
-    tag = SECOID_GetAlgorithmTag(&spki->algorithm);
-    if ((tag == SEC_OID_MISSI_KEA_DSS_OLD) ||
-       (tag == SEC_OID_MISSI_KEA_DSS) ||
-       (tag == SEC_OID_MISSI_DSS_OLD) ||
-       (tag == SEC_OID_MISSI_DSS) ) {
-	SECItem rawkey;
-	unsigned char *rawptr;
-	unsigned char *end;
-	int len;
-
-	rawkey = spki->subjectPublicKey;
-	DER_ConvertBitString(&rawkey);
-	rawptr = rawkey.data;
-	end = rawkey.data + rawkey.len;
-
-	/* version */	
-	rawptr += sizeof(((SECKEYPublicKey*)0)->u.fortezza.KMID)+2;
-
-	/* clearance (the string up to the first byte with the hi-bit on */
-	while ((rawptr < end) && (*rawptr++ & 0x80));
-	if (rawptr >= end) { return PR_FALSE; }
-
-	/* KEAPrivilege (the string up to the first byte with the hi-bit on */
-	while ((rawptr < end) && (*rawptr++ & 0x80));
-	if (rawptr >= end) { return PR_FALSE; }
-
-	/* skip the key */
-	len = (*rawptr << 8) | rawptr[1];
-	rawptr += 2 + len;
-
-	/* shared key */
-	if (rawptr >= end) { return PR_FALSE; }
-	/* DSS Version is next */
-	rawptr += 2;
-
-	/* DSSPrivilege (the string up to the first byte with the hi-bit on */
-	if (*rawptr & 0x30) isCA = PR_TRUE;
-	
-   }
-   return isCA;
-}
-
 static SECStatus
 findOIDinOIDSeqByTagNum(CERTOidSequence *seq, SECOidTag tagnum)
 {
@@ -703,12 +652,6 @@ cert_ComputeCertType(CERTCertificate *cert)
 	/* allow any ssl or email (no ca or object signing. */
 	nsCertType |= NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER |
 	              NS_CERT_TYPE_EMAIL;
-
-	/* if the cert is a fortezza CA cert, then allow SSL CA and EMAIL CA */
-	if (fortezzaIsCA(cert)) {
-		nsCertType |= NS_CERT_TYPE_SSL_CA;
-		nsCertType |= NS_CERT_TYPE_EMAIL_CA;
-	}
     }
 
     if (encodedExtKeyUsage.data != NULL) {
@@ -728,7 +671,6 @@ cert_GetKeyID(CERTCertificate *cert)
 {
     SECItem tmpitem;
     SECStatus rv;
-    SECKEYPublicKey *key;
     
     cert->subjectKeyID.len = 0;
 
@@ -745,26 +687,6 @@ cert_GetKeyID(CERTCertificate *cert)
 	PORT_Free(tmpitem.data);
     }
     
-    /* if the cert doesn't have a key identifier extension and the cert is
-     * a V1 fortezza certificate, use the cert's 8 byte KMID as the
-     * key identifier.  */
-    key = CERT_KMIDPublicKey(cert);
-
-    if (key != NULL) {
-	
-	if (key->keyType == fortezzaKey) {
-
-	    cert->subjectKeyID.data = (unsigned char *)PORT_ArenaAlloc(cert->arena, 8);
-	    if ( cert->subjectKeyID.data != NULL ) {
-		PORT_Memcpy(cert->subjectKeyID.data, key->u.fortezza.KMID, 8);
-		cert->subjectKeyID.len = 8;
-		cert->keyIDGenerated = PR_FALSE;
-	    }
-	}
-		
-	SECKEY_DestroyPublicKey(key);
-    }
-
     /* if the cert doesn't have a key identifier extension, then generate one*/
     if ( cert->subjectKeyID.len == 0 ) {
 	/*
@@ -1346,8 +1268,6 @@ CERT_CheckKeyUsage(CERTCertificate *cert, unsigned int requiredUsage)
 	case dsaKey:
 	    requiredUsage |= KU_DIGITAL_SIGNATURE;
 	    break;
-	case fortezzaKey:
-	case keaKey:
 	case dhKey:
 	    requiredUsage |= KU_KEY_AGREEMENT;
 	    break;
@@ -1664,8 +1584,7 @@ finish:
  *   - return value is NULL
  */
 CERTGeneralName *
-cert_GetSubjectAltNameList(CERTCertificate *cert,
-                           PRArenaPool *arena)
+cert_GetSubjectAltNameList(CERTCertificate *cert, PRArenaPool *arena)
 {
     CERTGeneralName * nameList       = NULL;
     SECStatus         rv             = SECFailure;
@@ -2067,80 +1986,68 @@ CERT_MakeCANickname(CERTCertificate *cert)
     char *nickname = NULL;
     int count;
     CERTCertificate *dummycert;
-    CERTCertDBHandle *handle;
     
-    handle = cert->dbhandle;
-    
-    nickname = CERT_GetNickName(cert, handle, cert->arena);
-    if (nickname == NULL) {
-	firstname = CERT_GetCommonName(&cert->subject);
-	if ( firstname == NULL ) {
-	    firstname = CERT_GetOrgUnitName(&cert->subject);
-	}
+    firstname = CERT_GetCommonName(&cert->subject);
+    if ( firstname == NULL ) {
+	firstname = CERT_GetOrgUnitName(&cert->subject);
+    }
 
-	org = CERT_GetOrgName(&cert->issuer);
+    org = CERT_GetOrgName(&cert->issuer);
+    if (org == NULL) {
+	org = CERT_GetDomainComponentName(&cert->issuer);
 	if (org == NULL) {
-	    org = CERT_GetDomainComponentName(&cert->issuer);
-	    if (org == NULL) {
-		if (firstname) {
-		    org = firstname;
-		    firstname = NULL;
-		} else {
-		    org = PORT_Strdup("Unknown CA");
-		}
-	    }
-	}
-
-	/* can only fail if PORT_Strdup fails, in which case
-	 * we're having memory problems. */
-	if (org == NULL) {
-	    goto loser;
-	}
-
-    
-	count = 1;
-	while ( 1 ) {
-
-	    if ( firstname ) {
-		if ( count == 1 ) {
-		    nickname = PR_smprintf("%s - %s", firstname, org);
-		} else {
-		    nickname = PR_smprintf("%s - %s #%d", firstname, org, count);
-		}
+	    if (firstname) {
+		org = firstname;
+		firstname = NULL;
 	    } else {
-		if ( count == 1 ) {
-		    nickname = PR_smprintf("%s", org);
-		} else {
-		    nickname = PR_smprintf("%s #%d", org, count);
-		}
+		org = PORT_Strdup("Unknown CA");
 	    }
-	    if ( nickname == NULL ) {
-		goto loser;
-	    }
-
-	    /* look up the nickname to make sure it isn't in use already */
-	    dummycert = CERT_FindCertByNickname(handle, nickname);
-
-	    if ( dummycert == NULL ) {
-		goto done;
-	    }
-	
-	    /* found a cert, destroy it and loop */
-	    CERT_DestroyCertificate(dummycert);
-
-	    /* free the nickname */
-	    PORT_Free(nickname);
-
-	    count++;
 	}
     }
-loser:
-    if ( nickname ) {
-	PORT_Free(nickname);
+
+    /* can only fail if PORT_Strdup fails, in which case
+     * we're having memory problems. */
+    if (org == NULL) {
+	goto done;
     }
 
-    nickname = NULL;
     
+    count = 1;
+    while ( 1 ) {
+
+	if ( firstname ) {
+	    if ( count == 1 ) {
+		nickname = PR_smprintf("%s - %s", firstname, org);
+	    } else {
+		nickname = PR_smprintf("%s - %s #%d", firstname, org, count);
+	    }
+	} else {
+	    if ( count == 1 ) {
+		nickname = PR_smprintf("%s", org);
+	    } else {
+		nickname = PR_smprintf("%s #%d", org, count);
+	    }
+	}
+	if ( nickname == NULL ) {
+	    goto done;
+	}
+
+	/* look up the nickname to make sure it isn't in use already */
+	dummycert = CERT_FindCertByNickname(cert->dbhandle, nickname);
+
+	if ( dummycert == NULL ) {
+	    goto done;
+	}
+	
+	/* found a cert, destroy it and loop */
+	CERT_DestroyCertificate(dummycert);
+
+	/* free the nickname */
+	PORT_Free(nickname);
+
+	count++;
+    }
+
 done:
     if ( firstname ) {
 	PORT_Free(firstname);
@@ -2181,7 +2088,7 @@ cert_ComputeTrustOverrides(CERTCertificate *cert, unsigned int cType)
 		  trust->emailFlags |
 		  trust->objectSigningFlags)) {
 
-	if (trust->sslFlags & (CERTDB_VALID_PEER|CERTDB_TRUSTED)) 
+	if (trust->sslFlags & (CERTDB_TERMINAL_RECORD|CERTDB_TRUSTED)) 
 	    cType |= NS_CERT_TYPE_SSL_SERVER|NS_CERT_TYPE_SSL_CLIENT;
 	if (trust->sslFlags & (CERTDB_VALID_CA|CERTDB_TRUSTED_CA)) 
 	    cType |= NS_CERT_TYPE_SSL_CA;
@@ -2190,7 +2097,7 @@ cert_ComputeTrustOverrides(CERTCertificate *cert, unsigned int cType)
 	    cType &= ~(NS_CERT_TYPE_SSL_SERVER|NS_CERT_TYPE_SSL_CLIENT|
 	               NS_CERT_TYPE_SSL_CA);
 #endif
-	if (trust->emailFlags & (CERTDB_VALID_PEER|CERTDB_TRUSTED)) 
+	if (trust->emailFlags & (CERTDB_TERMINAL_RECORD|CERTDB_TRUSTED)) 
 	    cType |= NS_CERT_TYPE_EMAIL;
 	if (trust->emailFlags & (CERTDB_VALID_CA|CERTDB_TRUSTED_CA)) 
 	    cType |= NS_CERT_TYPE_EMAIL_CA;
@@ -2198,7 +2105,7 @@ cert_ComputeTrustOverrides(CERTCertificate *cert, unsigned int cType)
 	if (trust->emailFlags & CERTDB_NOT_TRUSTED) 
 	    cType &= ~(NS_CERT_TYPE_EMAIL|NS_CERT_TYPE_EMAIL_CA);
 #endif
-	if (trust->objectSigningFlags & (CERTDB_VALID_PEER|CERTDB_TRUSTED)) 
+	if (trust->objectSigningFlags & (CERTDB_TERMINAL_RECORD|CERTDB_TRUSTED)) 
 	    cType |= NS_CERT_TYPE_OBJECT_SIGNING;
 	if (trust->objectSigningFlags & (CERTDB_VALID_CA|CERTDB_TRUSTED_CA)) 
 	    cType |= NS_CERT_TYPE_OBJECT_SIGNING_CA;
@@ -2235,10 +2142,9 @@ CERT_IsCACert(CERTCertificate *cert, unsigned int *rettype)
 	} 
     }
 
-    /* finally check if it's an X.509 v1 root or FORTEZZA V1 CA */
+    /* finally check if it's an X.509 v1 root CA */
     if (!ret && 
-        ((cert->isRoot && cert_Version(cert) < SEC_CERTIFICATE_VERSION_3) ||
-    	 fortezzaIsCA(cert) )) {
+        (cert->isRoot && cert_Version(cert) < SEC_CERTIFICATE_VERSION_3)) {
 	ret = PR_TRUE;
 	cType |= (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA);
     }
@@ -2449,11 +2355,11 @@ CERT_DecodeTrustString(CERTCertTrust *trust, const char *trusts)
     for (i=0; i < PORT_Strlen(trusts); i++) {
 	switch (trusts[i]) {
 	  case 'p':
-	      *pflags = *pflags | CERTDB_VALID_PEER;
+	      *pflags = *pflags | CERTDB_TERMINAL_RECORD;
 	      break;
 
 	  case 'P':
-	      *pflags = *pflags | CERTDB_TRUSTED | CERTDB_VALID_PEER;
+	      *pflags = *pflags | CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD;
 	      break;
 
 	  case 'w':
@@ -2505,7 +2411,7 @@ EncodeFlags(char *trusts, unsigned int flags)
 	if (!(flags & CERTDB_TRUSTED_CA) &&
 	    !(flags & CERTDB_TRUSTED_CLIENT_CA))
 	    PORT_Strcat(trusts, "c");
-    if (flags & CERTDB_VALID_PEER)
+    if (flags & CERTDB_TERMINAL_RECORD)
 	if (!(flags & CERTDB_TRUSTED))
 	    PORT_Strcat(trusts, "p");
     if (flags & CERTDB_TRUSTED_CA)
@@ -2589,18 +2495,16 @@ CERT_ImportCerts(CERTCertDBHandle *certdb, SECCertUsage usage,
 	if ( keepCerts ) {
 	    for ( i = 0; i < fcerts; i++ ) {
                 char* canickname = NULL;
-                PRBool freeNickname = PR_FALSE;
+                PRBool isCA;
 
 		SECKEY_UpdateCertPQG(certs[i]);
                 
-                if ( CERT_IsCACert(certs[i], NULL) ) {
+                isCA = CERT_IsCACert(certs[i], NULL);
+                if ( isCA ) {
                     canickname = CERT_MakeCANickname(certs[i]);
-                    if ( canickname != NULL ) {
-                        freeNickname = PR_TRUE;
-                    }
                 }
 
-		if(CERT_IsCACert(certs[i], NULL) && (fcerts > 1)) {
+		if(isCA && (fcerts > 1)) {
 		    /* if we are importing only a single cert and specifying
 		     * a nickname, we want to use that nickname if it a CA,
 		     * otherwise if there are more than one cert, we don't
@@ -2613,9 +2517,7 @@ CERT_ImportCerts(CERTCertDBHandle *certdb, SECCertUsage usage,
                                                 nickname?nickname:canickname, NULL);
 		}
 
-                if (PR_TRUE == freeNickname) {
-                    PORT_Free(canickname);
-                }
+                PORT_Free(canickname);
 		/* don't care if it fails - keep going */
 	    }
 	}
@@ -3124,6 +3026,8 @@ CERT_SetStatusConfig(CERTCertDBHandle *handle, CERTStatusConfig *statusConfig)
 
 static PLHashTable *gSubjKeyIDHash = NULL;
 static PRLock      *gSubjKeyIDLock = NULL;
+static PLHashTable *gSubjKeyIDSlotCheckHash = NULL;
+static PRLock      *gSubjKeyIDSlotCheckLock = NULL;
 
 static void *cert_AllocTable(void *pool, PRSize size)
 {
@@ -3153,6 +3057,31 @@ static PLHashAllocOps cert_AllocOps = {
     cert_AllocTable, cert_FreeTable, cert_AllocEntry, cert_FreeEntry
 };
 
+SECStatus
+cert_CreateSubjectKeyIDSlotCheckHash(void)
+{
+    /*
+     * This hash is used to remember the series of a slot
+     * when we last checked for user certs
+     */
+    gSubjKeyIDSlotCheckHash = PL_NewHashTable(0, SECITEM_Hash,
+                                             SECITEM_HashCompare,
+                                             SECITEM_HashCompare,
+                                             &cert_AllocOps, NULL);
+    if (!gSubjKeyIDSlotCheckHash) {
+        PORT_SetError(SEC_ERROR_NO_MEMORY);
+        return SECFailure;
+    }
+    gSubjKeyIDSlotCheckLock = PR_NewLock();
+    if (!gSubjKeyIDSlotCheckLock) {
+        PL_HashTableDestroy(gSubjKeyIDSlotCheckHash);
+        gSubjKeyIDSlotCheckHash = NULL;
+        PORT_SetError(SEC_ERROR_NO_MEMORY);
+        return SECFailure;
+    }
+    return SECSuccess;
+}
+
 SECStatus
 cert_CreateSubjectKeyIDHashTable(void)
 {
@@ -3170,8 +3099,12 @@ cert_CreateSubjectKeyIDHashTable(void)
         PORT_SetError(SEC_ERROR_NO_MEMORY);
         return SECFailure;
     }
+    /* initialize the companion hash (for remembering slot series) */
+    if (cert_CreateSubjectKeyIDSlotCheckHash() != SECSuccess) {
+	cert_DestroySubjectKeyIDHashTable();
+	return SECFailure;
+    }
     return SECSuccess;
-
 }
 
 SECStatus
@@ -3229,6 +3162,93 @@ cert_RemoveSubjectKeyIDMapping(SECItem *subjKeyID)
     return rv;
 }
 
+SECStatus
+cert_UpdateSubjectKeyIDSlotCheck(SECItem *slotid, int series)
+{
+    SECItem *oldSeries, *newSlotid, *newSeries;
+    SECStatus rv = SECFailure;
+
+    if (!gSubjKeyIDSlotCheckLock) {
+	return rv;
+    }
+
+    newSlotid = SECITEM_DupItem(slotid);
+    newSeries = SECITEM_AllocItem(NULL, NULL, sizeof(int));
+    if (!newSlotid || !newSeries ) {
+        PORT_SetError(SEC_ERROR_NO_MEMORY);
+        goto loser;
+    }
+    PORT_Memcpy(newSeries->data, &series, sizeof(int));
+
+    PR_Lock(gSubjKeyIDSlotCheckLock);
+    oldSeries = (SECItem *)PL_HashTableLookup(gSubjKeyIDSlotCheckHash, slotid);
+    if (oldSeries) {
+	/* 
+	 * make sure we don't leak the key of an existing entry
+	 * (similar to cert_AddSubjectKeyIDMapping, see comment there)
+	 */
+        PL_HashTableRemove(gSubjKeyIDSlotCheckHash, slotid);
+    }
+    rv = (PL_HashTableAdd(gSubjKeyIDSlotCheckHash, newSlotid, newSeries)) ?
+         SECSuccess : SECFailure;
+    PR_Unlock(gSubjKeyIDSlotCheckLock);
+    if (rv == SECSuccess) {
+	return rv;
+    }
+
+loser:
+    if (newSlotid) {
+        SECITEM_FreeItem(newSlotid, PR_TRUE);
+    }
+    if (newSeries) {
+        SECITEM_FreeItem(newSeries, PR_TRUE);
+    }
+    return rv;
+}
+
+int
+cert_SubjectKeyIDSlotCheckSeries(SECItem *slotid)
+{
+    SECItem *seriesItem = NULL;
+    int series;
+
+    if (!gSubjKeyIDSlotCheckLock) {
+	PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
+	return -1;
+    }
+
+    PR_Lock(gSubjKeyIDSlotCheckLock);
+    seriesItem = (SECItem *)PL_HashTableLookup(gSubjKeyIDSlotCheckHash, slotid);
+    PR_Unlock(gSubjKeyIDSlotCheckLock);
+     /* getting a null series just means we haven't registered one yet, 
+      * just return 0 */
+    if (seriesItem == NULL) {
+	return 0;
+    }
+    /* if we got a series back, assert if it's not the proper length. */
+    PORT_Assert(seriesItem->len == sizeof(int));
+    if (seriesItem->len != sizeof(int)) {
+	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	return -1;
+    }
+    PORT_Memcpy(&series, seriesItem->data, sizeof(int));
+    return series;
+}
+
+SECStatus
+cert_DestroySubjectKeyIDSlotCheckHash(void)
+{
+    if (gSubjKeyIDSlotCheckHash) {
+        PR_Lock(gSubjKeyIDSlotCheckLock);
+        PL_HashTableDestroy(gSubjKeyIDSlotCheckHash);
+        gSubjKeyIDSlotCheckHash = NULL;
+        PR_Unlock(gSubjKeyIDSlotCheckLock);
+        PR_DestroyLock(gSubjKeyIDSlotCheckLock);
+        gSubjKeyIDSlotCheckLock = NULL;
+    }
+    return SECSuccess;
+}
+
 SECStatus
 cert_DestroySubjectKeyIDHashTable(void)
 {
@@ -3240,6 +3260,7 @@ cert_DestroySubjectKeyIDHashTable(void)
         PR_DestroyLock(gSubjKeyIDLock);
         gSubjKeyIDLock = NULL;
     }
+    cert_DestroySubjectKeyIDSlotCheckHash();
     return SECSuccess;
 }
 
diff --git a/security/nss/lib/certdb/certdb.h b/security/nss/lib/certdb/certdb.h
index c489b0f89ee1..be00bb2d271f 100644
--- a/security/nss/lib/certdb/certdb.h
+++ b/security/nss/lib/certdb/certdb.h
@@ -39,7 +39,7 @@
 
 
 /* common flags for all types of certificates */
-#define CERTDB_VALID_PEER	(1<<0)
+#define CERTDB_TERMINAL_RECORD	(1<<0)
 #define CERTDB_TRUSTED		(1<<1)
 #define CERTDB_SEND_WARN	(1<<2)
 #define CERTDB_VALID_CA		(1<<3)
@@ -50,6 +50,24 @@
 #define CERTDB_INVISIBLE_CA	(1<<8) /* don't show in UI */
 #define CERTDB_GOVT_APPROVED_CA	(1<<9) /* can do strong crypto in export ver */
 
+/* old usage, to keep old programs compiling */
+/* On Windows, Mac, and Linux (and other gcc platforms), we can give compile
+ * time deprecation warnings when applications use the old CERTDB_VALID_PEER
+ * define */
+#if __GNUC__ > 3
+#if (__GNUC__ == 4) && (__GNUC_MINOR__ < 5)
+typedef unsigned int __CERTDB_VALID_PEER __attribute__((deprecated));
+#else
+typedef unsigned int __CERTDB_VALID_PEER __attribute__((deprecated
+    ("CERTDB_VALID_PEER is now CERTDB_TERMINAL_RECORD")));
+#endif
+#define CERTDB_VALID_PEER  ((__CERTDB_VALID_PEER) CERTDB_TERMINAL_RECORD)
+#else
+#ifdef _WIN32
+#pragma deprecated(CERTDB_VALID_PEER)
+#endif
+#define CERTDB_VALID_PEER  CERTDB_TERMINAL_RECORD 
+#endif
 
 SEC_BEGIN_PROTOS
 
diff --git a/security/nss/lib/certdb/certi.h b/security/nss/lib/certdb/certi.h
index 2b8e5585735d..08229ec03651 100644
--- a/security/nss/lib/certdb/certi.h
+++ b/security/nss/lib/certdb/certi.h
@@ -36,7 +36,7 @@
 /*
  * certi.h - private data structures for the certificate library
  *
- * $Id: certi.h,v 1.34 2010/05/21 00:43:51 wtc%google.com Exp $
+ * $Id: certi.h,v 1.35 2011/01/29 22:17:20 nelson%bolyard.com Exp $
  */
 #ifndef _CERTI_H_
 #define _CERTI_H_
@@ -235,7 +235,8 @@ SECStatus ShutdownCRLCache(void);
 extern char * cert_GetCertificateEmailAddresses(CERTCertificate *cert);
 
 /*
- * These functions are used to map subjectKeyID extension values to certs.
+ * These functions are used to map subjectKeyID extension values to certs
+ * and to keep track of the checks for user certificates in each slot
  */
 SECStatus
 cert_CreateSubjectKeyIDHashTable(void);
@@ -243,6 +244,12 @@ cert_CreateSubjectKeyIDHashTable(void);
 SECStatus
 cert_AddSubjectKeyIDMapping(SECItem *subjKeyID, CERTCertificate *cert);
 
+SECStatus
+cert_UpdateSubjectKeyIDSlotCheck(SECItem *slotid, int series);
+
+int
+cert_SubjectKeyIDSlotCheckSeries(SECItem *slotid);
+
 /*
  * Call this function to remove an entry from the mapping table.
  */
diff --git a/security/nss/lib/certdb/certt.h b/security/nss/lib/certdb/certt.h
index ecf3d629fdc8..f510e5ebcdfe 100644
--- a/security/nss/lib/certdb/certt.h
+++ b/security/nss/lib/certdb/certt.h
@@ -36,7 +36,7 @@
 /*
  * certt.h - public data structures for the certificate library
  *
- * $Id: certt.h,v 1.54.2.1 2011/07/28 22:19:57 wtc%google.com Exp $
+ * $Id: certt.h,v 1.55 2011/07/28 21:38:14 wtc%google.com Exp $
  */
 #ifndef _CERTT_H_
 #define _CERTT_H_
diff --git a/security/nss/lib/certdb/crl.c b/security/nss/lib/certdb/crl.c
index 313ac189137a..38075465a66b 100644
--- a/security/nss/lib/certdb/crl.c
+++ b/security/nss/lib/certdb/crl.c
@@ -37,7 +37,7 @@
 /*
  * Moved from secpkcs7.c
  *
- * $Id: crl.c,v 1.71 2010/05/21 00:43:51 wtc%google.com Exp $
+ * $Id: crl.c,v 1.72 2011/07/24 13:48:10 wtc%google.com Exp $
  */
  
 #include "cert.h"
@@ -75,9 +75,8 @@ static const SEC_ASN1Template SEC_CERTExtensionsTemplate[] = {
 };
 
 /*
- * XXX Also, these templates, especially the Krl/FORTEZZA ones, need to
- * be tested; Lisa did the obvious translation but they still should be
- * verified.
+ * XXX Also, these templates need to be tested; Lisa did the obvious
+ * translation but they still should be verified.
  */
 
 const SEC_ASN1Template CERT_IssuerAndSNTemplate[] = {
@@ -93,56 +92,9 @@ const SEC_ASN1Template CERT_IssuerAndSNTemplate[] = {
     { 0 }
 };
 
-static const SEC_ASN1Template cert_KrlEntryTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(CERTCrlEntry) },
-    { SEC_ASN1_OCTET_STRING,
-	  offsetof(CERTCrlEntry,serialNumber) },
-    { SEC_ASN1_UTC_TIME,
-	  offsetof(CERTCrlEntry,revocationDate) },
-    { 0 }
-};
-
 SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
 SEC_ASN1_MKSUB(CERT_TimeChoiceTemplate)
 
-static const SEC_ASN1Template cert_KrlTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(CERTCrl) },
-    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
-	  offsetof(CERTCrl,signatureAlg),
-	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
-    { SEC_ASN1_SAVE,
-	  offsetof(CERTCrl,derName) },
-    { SEC_ASN1_INLINE,
-	  offsetof(CERTCrl,name),
-	  CERT_NameTemplate },
-    { SEC_ASN1_UTC_TIME,
-	  offsetof(CERTCrl,lastUpdate) },
-    { SEC_ASN1_UTC_TIME,
-	  offsetof(CERTCrl,nextUpdate) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_SEQUENCE_OF,
-	  offsetof(CERTCrl,entries),
-	  cert_KrlEntryTemplate },
-    { 0 }
-};
-
-static const SEC_ASN1Template cert_SignedKrlTemplate[] = {
-    { SEC_ASN1_SEQUENCE,
-	  0, NULL, sizeof(CERTSignedCrl) },
-    { SEC_ASN1_SAVE,
-	  offsetof(CERTSignedCrl,signatureWrap.data) },
-    { SEC_ASN1_INLINE,
-	  offsetof(CERTSignedCrl,crl),
-	  cert_KrlTemplate },
-    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
-	  offsetof(CERTSignedCrl,signatureWrap.signatureAlgorithm),
-	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
-    { SEC_ASN1_BIT_STRING,
-	  offsetof(CERTSignedCrl,signatureWrap.signature) },
-    { 0 }
-};
-
 static const SEC_ASN1Template cert_CrlKeyTemplate[] = {
     { SEC_ASN1_SEQUENCE,
 	  0, NULL, sizeof(CERTCrlKey) },
@@ -470,7 +422,7 @@ SECStatus CERT_CompleteCRLDecodeEntries(CERTSignedCrl* crl)
 }
 
 /*
- * take a DER CRL or KRL  and decode it into a CRL structure
+ * take a DER CRL and decode it into a CRL structure
  * allow reusing the input DER without making a copy
  */
 CERTSignedCrl *
@@ -578,11 +530,8 @@ CERT_DecodeDERCrlWithFlags(PRArenaPool *narena, SECItem *derSignedCrl,
 
         break;
 
-    case SEC_KRL_TYPE:
-	rv = SEC_QuickDERDecodeItem
-	     (arena, crl, cert_SignedKrlTemplate, derSignedCrl);
-	break;
     default:
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	rv = SECFailure;
 	break;
     }
@@ -614,7 +563,7 @@ loser:
 }
 
 /*
- * take a DER CRL or KRL  and decode it into a CRL structure
+ * take a DER CRL and decode it into a CRL structure
  */
 CERTSignedCrl *
 CERT_DecodeDERCrl(PRArenaPool *narena, SECItem *derSignedCrl, int type)
@@ -716,6 +665,12 @@ crl_storeCRL (PK11SlotInfo *slot,char *url,
 
     PORT_Assert(newCrl);
     PORT_Assert(derCrl);
+    PORT_Assert(type == SEC_CRL_TYPE);
+
+    if (type != SEC_CRL_TYPE) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return NULL;
+    }
 
     /* we can't use the cache here because we must look in the same
        token */
@@ -739,21 +694,7 @@ crl_storeCRL (PK11SlotInfo *slot,char *url,
 	    goto done;
 	}
         if (!SEC_CrlIsNewer(&newCrl->crl,&oldCrl->crl)) {
-
-            if (type == SEC_CRL_TYPE) {
-                PORT_SetError(SEC_ERROR_OLD_CRL);
-            } else {
-                PORT_SetError(SEC_ERROR_OLD_KRL);
-            }
-
-            goto done;
-        }
-
-        if ((SECITEM_CompareItem(&newCrl->crl.derName,
-                &oldCrl->crl.derName) != SECEqual) &&
-            (type == SEC_KRL_TYPE) ) {
-
-            PORT_SetError(SEC_ERROR_CKL_CONFLICT);
+            PORT_SetError(SEC_ERROR_OLD_CRL);
             goto done;
         }
 
diff --git a/security/nss/lib/certdb/genname.c b/security/nss/lib/certdb/genname.c
index a7cebd125eb8..0c2e1c6da39f 100644
--- a/security/nss/lib/certdb/genname.c
+++ b/security/nss/lib/certdb/genname.c
@@ -1685,111 +1685,6 @@ done:
     return rv;
 }
 
-/* Search the cert for an X509_SUBJECT_ALT_NAME extension.
-** ASN1 Decode it into a list of alternate names.
-** Search the list of alternate names for one with the NETSCAPE_NICKNAME OID.
-** ASN1 Decode that name.  Turn the result into a zString.  
-** Look for duplicate nickname already in the certdb. 
-** If one is found, create a nickname string that is not a duplicate.
-*/
-char *
-CERT_GetNickName(CERTCertificate   *cert,
- 		 CERTCertDBHandle  *handle,
-		 PRArenaPool      *nicknameArena)
-{ 
-    CERTGeneralName  *current;
-    CERTGeneralName  *names;
-    char             *nickname   = NULL;
-    char             *returnName = NULL;
-    char             *basename   = NULL;
-    PRArenaPool      *arena      = NULL;
-    CERTCertificate  *tmpcert;
-    SECStatus        rv;
-    int              count;
-    int              found = 0;
-    SECItem          altNameExtension;
-    SECItem          nick;
-
-    if (handle == NULL) {
-	handle = CERT_GetDefaultCertDB();
-    }
-    altNameExtension.data = NULL;
-    rv = CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME, 
-				&altNameExtension);
-    if (rv != SECSuccess) { 
-	goto loser; 
-    }
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if (arena == NULL) {
-	goto loser;
-    }
-    names = CERT_DecodeAltNameExtension(arena, &altNameExtension);
-    if (names == NULL) {
-	goto loser;
-    } 
-    current = names;
-    do {
-	if (current->type == certOtherName && 
-	    SECOID_FindOIDTag(¤t->name.OthName.oid) == 
-	      SEC_OID_NETSCAPE_NICKNAME) {
-	    found = 1;
-	    break;
-	}
-	current = CERT_GetNextGeneralName(current);
-    } while (current != names);
-    if (!found)
-    	goto loser;
-
-    rv = SEC_QuickDERDecodeItem(arena, &nick,
-                            SEC_ASN1_GET(SEC_IA5StringTemplate),
-			    ¤t->name.OthName.name);
-    if (rv != SECSuccess) {
-	goto loser;
-    }
-
-    /* make a null terminated string out of nick, with room enough at
-    ** the end to add on a number of up to 21 digits in length, (a signed
-    ** 64-bit number in decimal) plus a space and a "#". 
-    */
-    nickname = (char*)PORT_ZAlloc(nick.len + 24);
-    if (!nickname) 
-	goto loser;
-    PORT_Strncpy(nickname, (char *)nick.data, nick.len);
-
-    /* Don't let this cert's nickname duplicate one already in the DB.
-    ** If it does, create a variant of the nickname that doesn't.
-    */
-    count = 0;
-    while ((tmpcert = CERT_FindCertByNickname(handle, nickname)) != NULL) {
-	CERT_DestroyCertificate(tmpcert);
-	if (!basename) {
-	    basename = PORT_Strdup(nickname);
-	    if (!basename)
-		goto loser;
-	}
-	count++;
-	sprintf(nickname, "%s #%d", basename, count);
-    }
-
-    /* success */
-    if (nicknameArena) {
-	returnName =  PORT_ArenaStrdup(nicknameArena, nickname);
-    } else {
-	returnName = nickname;
-	nickname = NULL;
-    }
-loser:
-    if (arena != NULL) 
-	PORT_FreeArena(arena, PR_FALSE);
-    if (nickname)
-	PORT_Free(nickname);
-    if (basename)
-	PORT_Free(basename);
-    if (altNameExtension.data)
-    	PORT_Free(altNameExtension.data);
-    return returnName;
-}
-
 #if 0
 /* not exported from shared libs, not used.  Turn on if we ever need it. */
 SECStatus
diff --git a/security/nss/lib/certdb/manifest.mn b/security/nss/lib/certdb/manifest.mn
index 258af04b6f80..a2b92eb73752 100644
--- a/security/nss/lib/certdb/manifest.mn
+++ b/security/nss/lib/certdb/manifest.mn
@@ -66,8 +66,6 @@ CSRCS = \
 	xconst.c \
 	$(NULL)
 
-REQUIRES = dbm
-
 LIBRARY_NAME = certdb
 
 # This part of the code, including all sub-dirs, can be optimized for size
diff --git a/security/nss/lib/certhigh/certhtml.c b/security/nss/lib/certhigh/certhtml.c
index 50ced4f65e32..13a4177f81a4 100644
--- a/security/nss/lib/certhigh/certhtml.c
+++ b/security/nss/lib/certhigh/certhtml.c
@@ -37,7 +37,7 @@
 /*
  * certhtml.c --- convert a cert to html
  *
- * $Id: certhtml.c,v 1.8.66.1 2010/08/28 19:49:28 nelson%bolyard.com Exp $
+ * $Id: certhtml.c,v 1.10 2010/08/28 18:00:28 nelson%bolyard.com Exp $
  */
 
 #include "seccomon.h"
diff --git a/security/nss/lib/certhigh/certvfy.c b/security/nss/lib/certhigh/certvfy.c
index da83899cde77..02d0a38f145d 100644
--- a/security/nss/lib/certhigh/certvfy.c
+++ b/security/nss/lib/certhigh/certvfy.c
@@ -579,6 +579,14 @@ cert_VerifyCertChainOld(CERTCertDBHandle *handle, CERTCertificate *cert,
 	        if (flags & CERTDB_VALID_CA) {
 	            validCAOverride = PR_TRUE;
 	        }
+		/* is it explicitly distrusted? */
+		if ((flags & CERTDB_TERMINAL_RECORD) && 
+			((flags & (CERTDB_VALID_CA|CERTDB_TRUSTED)) == 0)) {
+		    /* untrusted -- the cert is explicitly untrusted, not
+		     * just that it doesn't chain to a trusted cert */
+		    PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
+		    LOG_ERROR_OR_EXIT(log,issuerCert,count+1,flags);
+		}
 	    } else {
                 /* Check if we have any valid trust when cheching for
                  * certUsageAnyCA or certUsageStatusResponder. */
@@ -592,6 +600,22 @@ cert_VerifyCertChainOld(CERTCertDBHandle *handle, CERTCertificate *cert,
                     if (flags & CERTDB_VALID_CA)
                         validCAOverride = PR_TRUE;
                 }
+		/* We have 2 separate loops because we want any single trust
+		 * bit to allow this usage to return trusted. Only if none of
+		 * the trust bits are on do we check to see if the cert is 
+		 * untrusted */
+                for (trustType = trustSSL; trustType < trustTypeNone;
+                     trustType++) {
+                    flags = SEC_GET_TRUST_FLAGS(issuerCert->trust, trustType);
+		    /* is it explicitly distrusted? */
+		    if ((flags & CERTDB_TERMINAL_RECORD) && 
+			((flags & (CERTDB_VALID_CA|CERTDB_TRUSTED)) == 0)) {
+			/* untrusted -- the cert is explicitly untrusted, not
+			 * just that it doesn't chain to a trusted cert */
+			PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
+			LOG_ERROR_OR_EXIT(log,issuerCert,count+1,flags);
+		    }
+                }
             }
         }
 
@@ -826,6 +850,14 @@ CERT_VerifyCACertForUsage(CERTCertDBHandle *handle, CERTCertificate *cert,
 	if (flags & CERTDB_VALID_CA) {
 	    validCAOverride = PR_TRUE;
 	}
+	/* is it explicitly distrusted? */
+	if ((flags & CERTDB_TERMINAL_RECORD) && 
+		((flags & (CERTDB_VALID_CA|CERTDB_TRUSTED)) == 0)) {
+	    /* untrusted -- the cert is explicitly untrusted, not
+	     * just that it doesn't chain to a trusted cert */
+	    PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
+	    LOG_ERROR_OR_EXIT(log,cert,0,flags);
+	}
     }
     if (!validCAOverride) {
 	/*
@@ -889,6 +921,154 @@ done:
     NEXT_USAGE(); \
 }
 
+/*
+ * check the leaf cert against trust and usage. 
+ *   returns success if the cert is not distrusted. If the cert is
+ *       trusted, then the trusted bool will be true.
+ *   returns failure if the cert is distrusted. If failure, flags
+ *       will return the flag bits that indicated distrust.
+ */
+SECStatus
+cert_CheckLeafTrust(CERTCertificate *cert, SECCertUsage certUsage,
+	            unsigned int *failedFlags, PRBool *trusted)
+{
+    unsigned int flags;
+
+    *failedFlags = 0;
+    *trusted = PR_FALSE;
+			
+    /* check trust flags to see if this cert is directly trusted */
+    if ( cert->trust ) { 
+	switch ( certUsage ) {
+	  case certUsageSSLClient:
+	  case certUsageSSLServer:
+	    flags = cert->trust->sslFlags;
+	    
+	    /* is the cert directly trusted or not trusted ? */
+	    if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is 
+						    * authoritative */
+		if ( flags & CERTDB_TRUSTED ) {	/* trust this cert */
+		    *trusted = PR_TRUE;
+		    return SECSuccess;
+		} else { /* don't trust this cert */
+		    *failedFlags = flags;
+		    return SECFailure;
+		}
+	    }
+	    break;
+	  case certUsageSSLServerWithStepUp:
+	    /* XXX - step up certs can't be directly trusted, only distrust */
+	    flags = cert->trust->sslFlags;
+	    if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is 
+						    * authoritative */
+		if (( flags & CERTDB_TRUSTED ) == 0) {	
+		    /* don't trust this cert */
+		    *failedFlags = flags;
+		    return SECFailure;
+		}
+	    }
+	    break;
+	  case certUsageSSLCA:
+	    flags = cert->trust->sslFlags;
+	    /* we probably should also not explicitly fail the cert 
+	     * if only the trusted DELEGATOR flag is set */
+	    if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is 
+						    * authoritative */
+		if (( flags & CERTDB_TRUSTED_CA ) == 0) {	
+		    /* don't trust this cert */
+		    *failedFlags = flags;
+		    return SECFailure;
+		}
+	    }
+	    break;
+	  case certUsageEmailSigner:
+	  case certUsageEmailRecipient:
+	    flags = cert->trust->emailFlags;
+	    if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is 
+						    * authoritative */
+		if ( flags & CERTDB_TRUSTED ) {	/* trust this cert */
+		    *trusted = PR_TRUE;
+		    return SECSuccess;
+		} 
+		else { /* don't trust this cert */
+		    *failedFlags = flags;
+		    return SECFailure;
+		}
+	    }
+	    
+	    break;
+	  case certUsageObjectSigner:
+	    flags = cert->trust->objectSigningFlags;
+
+	    if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is 
+						    * authoritative */
+		if ( flags & CERTDB_TRUSTED ) {	/* trust this cert */
+		    *trusted = PR_TRUE;
+		    return SECSuccess;
+		} else { /* don't trust this cert */
+		    *failedFlags = flags;
+		    return SECFailure;
+		}
+	    }
+	    break;
+	  case certUsageVerifyCA:
+	  case certUsageStatusResponder:
+	    flags = cert->trust->sslFlags;
+	    /* is the cert directly trusted or not trusted ? */
+	    if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
+		( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
+		*trusted = PR_TRUE;
+		return SECSuccess;
+	    }
+	    flags = cert->trust->emailFlags;
+	    /* is the cert directly trusted or not trusted ? */
+	    if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
+		( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
+		*trusted = PR_TRUE;
+		return SECSuccess;
+	    }
+	    flags = cert->trust->objectSigningFlags;
+	    /* is the cert directly trusted or not trusted ? */
+	    if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
+		( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
+		*trusted = PR_TRUE;
+		return SECSuccess;
+	    }
+	    /* fall through to test distrust */
+	  case certUsageAnyCA:
+	  case certUsageUserCertImport:
+	    /* do we distrust these certs explicitly */
+	    flags = cert->trust->sslFlags;
+	    if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is 
+						    * authoritative */
+		if ((flags & CERTDB_TRUSTED_CA) == 0) {
+		    *failedFlags = flags;
+		    return SECFailure;
+		}
+	    }
+	    flags = cert->trust->emailFlags;
+	    if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is 
+						    * authoritative */
+		if ((flags & CERTDB_TRUSTED_CA) == 0) {
+		    *failedFlags = flags;
+		    return SECFailure;
+		}
+	    }
+	  case certUsageProtectedObjectSigner:
+	    flags = cert->trust->objectSigningFlags;
+	    if ( flags & CERTDB_TERMINAL_RECORD) { /* the trust record is 
+						    * authoritative */
+		if ((flags & CERTDB_TRUSTED_CA) == 0) {
+		    *failedFlags = flags;
+		    return SECFailure;
+		}
+	    }
+	    break;
+	}
+    }
+    return SECSuccess;
+}
+
 /*
  * verify a certificate by checking if it's valid and that we
  * trust the issuer.
@@ -921,6 +1101,7 @@ CERT_VerifyCertificate(CERTCertDBHandle *handle, CERTCertificate *cert,
     PRBool checkAllUsages = PR_FALSE;
     PRBool revoked = PR_FALSE;
     PRBool sigerror = PR_FALSE;
+    PRBool trusted = PR_FALSE;
 
     if (!requiredUsages) {
         /* there are no required usages, so the user probably wants to
@@ -1008,91 +1189,21 @@ CERT_VerifyCertificate(CERTCertDBHandle *handle, CERTCertificate *cert,
             INVALID_USAGE();
         }
 
-        /* check trust flags to see if this cert is directly trusted */
-        if ( cert->trust ) { /* the cert is in the DB */
-            switch ( certUsage ) {
-              case certUsageSSLClient:
-              case certUsageSSLServer:
-                flags = cert->trust->sslFlags;
+	rv = cert_CheckLeafTrust(cert, certUsage, &flags, &trusted);
+	if (rv == SECFailure) {
+	    if (PR_TRUE == requiredUsage) {
+		PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
+	    }
+	    LOG_ERROR(log, cert, 0, flags);
+	    INVALID_USAGE();
+	}
+	if (trusted) {
+	    VALID_USAGE();
+	}
 
-                /* is the cert directly trusted or not trusted ? */
-                if ( flags & CERTDB_VALID_PEER ) {/*the trust record is valid*/
-                    if ( flags & CERTDB_TRUSTED ) {	/* trust this cert */
-                        VALID_USAGE();
-                    } else { /* don't trust this cert */
-                        if (PR_TRUE == requiredUsage) {
-                            PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
-                        }
-                        LOG_ERROR(log,cert,0,flags);
-                        INVALID_USAGE();
-                    }
-                }
-                break;
-              case certUsageSSLServerWithStepUp:
-                /* XXX - step up certs can't be directly trusted */
-                break;
-              case certUsageSSLCA:
-                break;
-              case certUsageEmailSigner:
-              case certUsageEmailRecipient:
-                flags = cert->trust->emailFlags;
-
-                /* is the cert directly trusted or not trusted ? */
-                if ( ( flags & ( CERTDB_VALID_PEER | CERTDB_TRUSTED ) ) ==
-                    ( CERTDB_VALID_PEER | CERTDB_TRUSTED ) ) {
-                    VALID_USAGE();
-                }
-                break;
-              case certUsageObjectSigner:
-                flags = cert->trust->objectSigningFlags;
-
-                /* is the cert directly trusted or not trusted ? */
-                if ( flags & CERTDB_VALID_PEER ) {/*the trust record is valid*/
-                    if ( flags & CERTDB_TRUSTED ) {	/* trust this cert */
-                        VALID_USAGE();
-                    } else { /* don't trust this cert */
-                        if (PR_TRUE == requiredUsage) {
-                            PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
-                        }
-                        LOG_ERROR(log,cert,0,flags);
-                        INVALID_USAGE();
-                    }
-                }
-                break;
-              case certUsageVerifyCA:
-              case certUsageStatusResponder:
-                flags = cert->trust->sslFlags;
-                /* is the cert directly trusted or not trusted ? */
-                if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
-                    ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
-                    VALID_USAGE();
-                }
-                flags = cert->trust->emailFlags;
-                /* is the cert directly trusted or not trusted ? */
-                if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
-                    ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
-                    VALID_USAGE();
-                }
-                flags = cert->trust->objectSigningFlags;
-                /* is the cert directly trusted or not trusted ? */
-                if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
-                    ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
-                    VALID_USAGE();
-                }
-                break;
-              case certUsageAnyCA:
-              case certUsageProtectedObjectSigner:
-              case certUsageUserCertImport:
-                /* XXX to make the compiler happy.  Should these be
-                 * explicitly handled?
-                 */
-                break;
-            }
-        }
-
-        if (PR_TRUE == revoked || PR_TRUE == sigerror) {
-            INVALID_USAGE();
-        }
+	if (PR_TRUE == revoked || PR_TRUE == sigerror) {
+	    INVALID_USAGE();
+	}
 
         rv = cert_VerifyCertChain(handle, cert,
             checkSig, &sigerror,
@@ -1146,6 +1257,7 @@ CERT_VerifyCert(CERTCertDBHandle *handle, CERTCertificate *cert,
     unsigned int requiredCertType;
     unsigned int flags;
     unsigned int certType;
+    PRBool       trusted;
     PRBool       allowOverride;
     SECCertTimeValidity validity;
     CERTStatusConfig *statusConfig;
@@ -1212,81 +1324,15 @@ CERT_VerifyCert(CERTCertDBHandle *handle, CERTCertificate *cert,
 	LOG_ERROR_OR_EXIT(log,cert,0,requiredCertType);
     }
 
-    /* check trust flags to see if this cert is directly trusted */
-    if ( cert->trust ) { /* the cert is in the DB */
-	switch ( certUsage ) {
-	  case certUsageSSLClient:
-	  case certUsageSSLServer:
-	    flags = cert->trust->sslFlags;
-	    
-	    /* is the cert directly trusted or not trusted ? */
-	    if ( flags & CERTDB_VALID_PEER ) {/*the trust record is valid*/
-		if ( flags & CERTDB_TRUSTED ) {	/* trust this cert */
-		    goto winner;
-		} else { /* don't trust this cert */
-		    PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
-		    LOG_ERROR_OR_EXIT(log,cert,0,flags);
-		}
-	    }
-	    break;
-	  case certUsageSSLServerWithStepUp:
-	    /* XXX - step up certs can't be directly trusted */
-	    break;
-	  case certUsageSSLCA:
-	    break;
-	  case certUsageEmailSigner:
-	  case certUsageEmailRecipient:
-	    flags = cert->trust->emailFlags;
-	    
-	    /* is the cert directly trusted or not trusted ? */
-	    if ( ( flags & ( CERTDB_VALID_PEER | CERTDB_TRUSTED ) ) ==
-		( CERTDB_VALID_PEER | CERTDB_TRUSTED ) ) {
-		goto winner;
-	    }
-	    break;
-	  case certUsageObjectSigner:
-	    flags = cert->trust->objectSigningFlags;
-
-	    /* is the cert directly trusted or not trusted ? */
-	    if ( flags & CERTDB_VALID_PEER ) {/*the trust record is valid*/
-		if ( flags & CERTDB_TRUSTED ) {	/* trust this cert */
-		    goto winner;
-		} else { /* don't trust this cert */
-		    PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
-		    LOG_ERROR_OR_EXIT(log,cert,0,flags);
-		}
-	    }
-	    break;
-	  case certUsageVerifyCA:
-	  case certUsageStatusResponder:
-	    flags = cert->trust->sslFlags;
-	    /* is the cert directly trusted or not trusted ? */
-	    if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
-		( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
-		goto winner;
-	    }
-	    flags = cert->trust->emailFlags;
-	    /* is the cert directly trusted or not trusted ? */
-	    if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
-		( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
-		goto winner;
-	    }
-	    flags = cert->trust->objectSigningFlags;
-	    /* is the cert directly trusted or not trusted ? */
-	    if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
-		( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
-		goto winner;
-	    }
-	    break;
-	  case certUsageAnyCA:
-	  case certUsageProtectedObjectSigner:
-	  case certUsageUserCertImport:
-	    /* XXX to make the compiler happy.  Should these be
-	     * explicitly handled?
-	     */
-	    break;
-	}
+    rv = cert_CheckLeafTrust(cert,certUsage, &flags, &trusted);
+    if (rv  == SECFailure) {
+	PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
+	LOG_ERROR_OR_EXIT(log,cert,0,flags);
     }
+    if (trusted) {
+	goto winner;
+    }
+
 
     rv = CERT_VerifyCertChain(handle, cert, checkSig, certUsage,
 			      t, wincx, log);
diff --git a/security/nss/lib/certhigh/manifest.mn b/security/nss/lib/certhigh/manifest.mn
index 9c4b42679b4e..ed88a8875886 100644
--- a/security/nss/lib/certhigh/manifest.mn
+++ b/security/nss/lib/certhigh/manifest.mn
@@ -60,8 +60,6 @@ CSRCS = \
  	xcrldist.c \
 	$(NULL)
 
-REQUIRES = dbm
-
 LIBRARY_NAME = certhi
 
 # This part of the code, including all sub-dirs, can be optimized for size
diff --git a/security/nss/lib/certhigh/ocsp.c b/security/nss/lib/certhigh/ocsp.c
index e0b352ff54cd..eec9748f7070 100644
--- a/security/nss/lib/certhigh/ocsp.c
+++ b/security/nss/lib/certhigh/ocsp.c
@@ -39,7 +39,7 @@
  * Implementation of OCSP services, for both client and server.
  * (XXX, really, mostly just for client right now, but intended to do both.)
  *
- * $Id: ocsp.c,v 1.65.2.1 2011/07/13 11:13:55 kaie%kuix.de Exp $
+ * $Id: ocsp.c,v 1.67 2011/08/10 12:31:52 kaie%kuix.de Exp $
  */
 
 #include "prerror.h"
@@ -2950,6 +2950,7 @@ ocsp_SendEncodedRequest(char *location, SECItem *encodedRequest)
     PRFileDesc *sock = NULL;
     PRFileDesc *returnSock = NULL;
     char *header = NULL;
+    char portstr[16];
 
     /*
      * Take apart the location, getting the hostname, port, and path.
@@ -2965,11 +2966,16 @@ ocsp_SendEncodedRequest(char *location, SECItem *encodedRequest)
     if (sock == NULL)
 	goto loser;
 
+    portstr[0] = '\0';
+    if (port != 80) {
+        PR_snprintf(portstr, sizeof(portstr), ":%d", port);
+    }
+
     header = PR_smprintf("POST %s HTTP/1.0\r\n"
-			 "Host: %s:%d\r\n"
+			 "Host: %s%s\r\n"
 			 "Content-Type: application/ocsp-request\r\n"
 			 "Content-Length: %u\r\n\r\n",
-			 path, hostname, port, encodedRequest->len);
+			 path, hostname, portstr, encodedRequest->len);
     if (header == NULL)
 	goto loser;
 
diff --git a/security/nss/lib/certhigh/ocsp.h b/security/nss/lib/certhigh/ocsp.h
index b47243fad2ef..a442ab3e95e0 100644
--- a/security/nss/lib/certhigh/ocsp.h
+++ b/security/nss/lib/certhigh/ocsp.h
@@ -37,7 +37,7 @@
 /*
  * Interface to the OCSP implementation.
  *
- * $Id: ocsp.h,v 1.17.2.1 2010/09/27 21:22:20 wtc%google.com Exp $
+ * $Id: ocsp.h,v 1.19 2011/01/15 19:47:11 nelson%bolyard.com Exp $
  */
 
 #ifndef _OCSP_H_
@@ -588,7 +588,7 @@ CERT_CacheOCSPResponseFromSideChannel(CERTCertDBHandle *handle,
 
 /*
  * FUNCTION: CERT_GetOCSPStatusForCertID
- *  Returns the OCSP status contained in the passed in paramter response
+ *  Returns the OCSP status contained in the passed in parameter response
  *  that corresponds to the certID passed in.
  * INPUTS:
  *  CERTCertDBHandle *handle
diff --git a/security/nss/lib/ckfw/builtins/certdata.c b/security/nss/lib/ckfw/builtins/certdata.c
index 563012188981..5603a2d50f52 100644
--- a/security/nss/lib/ckfw/builtins/certdata.c
+++ b/security/nss/lib/ckfw/builtins/certdata.c
@@ -35,7 +35,7 @@
  *
  * ***** END LICENSE BLOCK ***** */
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: certdata.c,v $ $Revision: 1.67.2.10 $ $Date: 2011/08/01 06:40:03 $""; @(#) $RCSfile: certdata.c,v $ $Revision: 1.67.2.10 $ $Date: 2011/08/01 06:40:03 $";
+static const char CVS_ID[] = "@(#) $RCSfile: certdata.c,v $ $Revision: 1.78 $ $Date: 2011/08/01 06:33:46 $""; @(#) $RCSfile: certdata.c,v $ $Revision: 1.78 $ $Date: 2011/08/01 06:33:46 $";
 #endif /* DEBUG */
 
 #ifndef BUILTINS_H
@@ -47,12 +47,12 @@ static const CK_BBOOL ck_true = CK_TRUE;
 static const CK_CERTIFICATE_TYPE ckc_x_509 = CKC_X_509;
 static const CK_OBJECT_CLASS cko_certificate = CKO_CERTIFICATE;
 static const CK_OBJECT_CLASS cko_data = CKO_DATA;
-static const CK_OBJECT_CLASS cko_netscape_builtin_root_list = CKO_NETSCAPE_BUILTIN_ROOT_LIST;
-static const CK_OBJECT_CLASS cko_netscape_trust = CKO_NETSCAPE_TRUST;
-static const CK_TRUST ckt_netscape_trust_unknown = CKT_NETSCAPE_TRUST_UNKNOWN;
-static const CK_TRUST ckt_netscape_trusted_delegator = CKT_NETSCAPE_TRUSTED_DELEGATOR;
-static const CK_TRUST ckt_netscape_untrusted = CKT_NETSCAPE_UNTRUSTED;
-static const CK_TRUST ckt_netscape_valid = CKT_NETSCAPE_VALID;
+static const CK_OBJECT_CLASS cko_nss_builtin_root_list = CKO_NSS_BUILTIN_ROOT_LIST;
+static const CK_OBJECT_CLASS cko_nss_trust = CKO_NSS_TRUST;
+static const CK_TRUST ckt_nss_must_verify_trust = CKT_NSS_MUST_VERIFY_TRUST;
+static const CK_TRUST ckt_nss_not_trusted = CKT_NSS_NOT_TRUSTED;
+static const CK_TRUST ckt_nss_trust_unknown = CKT_NSS_TRUST_UNKNOWN;
+static const CK_TRUST ckt_nss_trusted_delegator = CKT_NSS_TRUSTED_DELEGATOR;
 #ifdef DEBUG
 static const CK_ATTRIBUTE_TYPE nss_builtins_types_0 [] = {
  CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_APPLICATION,  CKA_VALUE
@@ -1053,11 +1053,11 @@ static const NSSItem nss_builtins_items_0 [] = {
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)"CVS ID", (PRUint32)7 },
   { (void *)"NSS", (PRUint32)4 },
-  { (void *)"@(#) $RCSfile: certdata.c,v $ $Revision: 1.67.2.10 $ $Date: 2011/08/01 06:40:03 $""; @(#) $RCSfile: certdata.c,v $ $Revision: 1.67.2.10 $ $Date: 2011/08/01 06:40:03 $", (PRUint32)164 }
+  { (void *)"@(#) $RCSfile: certdata.c,v $ $Revision: 1.78 $ $Date: 2011/08/01 06:33:46 $""; @(#) $RCSfile: certdata.c,v $ $Revision: 1.78 $ $Date: 2011/08/01 06:33:46 $", (PRUint32)160 }
 };
 #endif /* DEBUG */
 static const NSSItem nss_builtins_items_1 [] = {
-  { (void *)&cko_netscape_builtin_root_list, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_builtin_root_list, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -1132,7 +1132,7 @@ static const NSSItem nss_builtins_items_2 [] = {
 , (PRUint32)606 }
 };
 static const NSSItem nss_builtins_items_3 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -1153,9 +1153,9 @@ static const NSSItem nss_builtins_items_3 [] = {
 , (PRUint32)119 },
   { (void *)"\002\002\001\245"
 , (PRUint32)4 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_4 [] = {
@@ -1249,7 +1249,7 @@ static const NSSItem nss_builtins_items_4 [] = {
 , (PRUint32)791 }
 };
 static const NSSItem nss_builtins_items_5 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -1275,9 +1275,9 @@ static const NSSItem nss_builtins_items_5 [] = {
 , (PRUint32)199 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_6 [] = {
@@ -1374,7 +1374,7 @@ static const NSSItem nss_builtins_items_6 [] = {
 , (PRUint32)811 }
 };
 static const NSSItem nss_builtins_items_7 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -1401,9 +1401,9 @@ static const NSSItem nss_builtins_items_7 [] = {
 , (PRUint32)209 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_8 [] = {
@@ -1482,7 +1482,7 @@ static const NSSItem nss_builtins_items_8 [] = {
 , (PRUint32)804 }
 };
 static const NSSItem nss_builtins_items_9 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -1500,9 +1500,9 @@ static const NSSItem nss_builtins_items_9 [] = {
 , (PRUint32)80 },
   { (void *)"\002\004\065\336\364\317"
 , (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_10 [] = {
@@ -1581,7 +1581,7 @@ static const NSSItem nss_builtins_items_10 [] = {
 , (PRUint32)813 }
 };
 static const NSSItem nss_builtins_items_11 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -1599,9 +1599,9 @@ static const NSSItem nss_builtins_items_11 [] = {
 , (PRUint32)72 },
   { (void *)"\002\004\066\160\025\226"
 , (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_12 [] = {
@@ -1680,7 +1680,7 @@ static const NSSItem nss_builtins_items_12 [] = {
 , (PRUint32)813 }
 };
 static const NSSItem nss_builtins_items_13 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -1698,9 +1698,9 @@ static const NSSItem nss_builtins_items_13 [] = {
 , (PRUint32)72 },
   { (void *)"\002\004\066\156\323\316"
 , (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_14 [] = {
@@ -1770,7 +1770,7 @@ static const NSSItem nss_builtins_items_14 [] = {
 , (PRUint32)577 }
 };
 static const NSSItem nss_builtins_items_15 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -1791,9 +1791,9 @@ static const NSSItem nss_builtins_items_15 [] = {
   { (void *)"\002\021\000\315\272\177\126\360\337\344\274\124\376\042\254\263"
 "\162\252\125"
 , (PRUint32)19 },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_16 [] = {
@@ -1862,7 +1862,7 @@ static const NSSItem nss_builtins_items_16 [] = {
 , (PRUint32)576 }
 };
 static const NSSItem nss_builtins_items_17 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -1883,9 +1883,9 @@ static const NSSItem nss_builtins_items_17 [] = {
   { (void *)"\002\020\055\033\374\112\027\215\243\221\353\347\377\365\213\105"
 "\276\013"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_18 [] = {
@@ -1954,7 +1954,7 @@ static const NSSItem nss_builtins_items_18 [] = {
 , (PRUint32)576 }
 };
 static const NSSItem nss_builtins_items_19 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -1975,9 +1975,9 @@ static const NSSItem nss_builtins_items_19 [] = {
   { (void *)"\002\020\160\272\344\035\020\331\051\064\266\070\312\173\003\314"
 "\272\277"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_20 [] = {
@@ -2071,7 +2071,7 @@ static const NSSItem nss_builtins_items_20 [] = {
 , (PRUint32)774 }
 };
 static const NSSItem nss_builtins_items_21 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -2098,9 +2098,9 @@ static const NSSItem nss_builtins_items_21 [] = {
   { (void *)"\002\020\114\307\352\252\230\076\161\323\223\020\370\075\072\211"
 "\221\222"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_22 [] = {
@@ -2194,7 +2194,7 @@ static const NSSItem nss_builtins_items_22 [] = {
 , (PRUint32)775 }
 };
 static const NSSItem nss_builtins_items_23 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -2221,9 +2221,9 @@ static const NSSItem nss_builtins_items_23 [] = {
   { (void *)"\002\021\000\271\057\140\314\210\237\241\172\106\011\270\133\160"
 "\154\212\257"
 , (PRUint32)19 },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_24 [] = {
@@ -2317,7 +2317,7 @@ static const NSSItem nss_builtins_items_24 [] = {
 , (PRUint32)774 }
 };
 static const NSSItem nss_builtins_items_25 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -2344,9 +2344,9 @@ static const NSSItem nss_builtins_items_25 [] = {
   { (void *)"\002\020\175\331\376\007\317\250\036\267\020\171\147\373\247\211"
 "\064\306"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_26 [] = {
@@ -2440,7 +2440,7 @@ static const NSSItem nss_builtins_items_26 [] = {
 , (PRUint32)774 }
 };
 static const NSSItem nss_builtins_items_27 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -2467,9 +2467,9 @@ static const NSSItem nss_builtins_items_27 [] = {
   { (void *)"\002\020\062\210\216\232\322\365\353\023\107\370\177\304\040\067"
 "\045\370"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_28 [] = {
@@ -2555,7 +2555,7 @@ static const NSSItem nss_builtins_items_28 [] = {
 , (PRUint32)889 }
 };
 static const NSSItem nss_builtins_items_29 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -2574,9 +2574,9 @@ static const NSSItem nss_builtins_items_29 [] = {
 , (PRUint32)89 },
   { (void *)"\002\013\004\000\000\000\000\001\025\113\132\303\224"
 , (PRUint32)13 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_30 [] = {
@@ -2664,7 +2664,7 @@ static const NSSItem nss_builtins_items_30 [] = {
 , (PRUint32)958 }
 };
 static const NSSItem nss_builtins_items_31 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -2682,9 +2682,9 @@ static const NSSItem nss_builtins_items_31 [] = {
 , (PRUint32)78 },
   { (void *)"\002\013\004\000\000\000\000\001\017\206\046\346\015"
 , (PRUint32)13 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_32 [] = {
@@ -2773,7 +2773,7 @@ static const NSSItem nss_builtins_items_32 [] = {
 , (PRUint32)747 }
 };
 static const NSSItem nss_builtins_items_33 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -2798,9 +2798,9 @@ static const NSSItem nss_builtins_items_33 [] = {
 , (PRUint32)190 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_34 [] = {
@@ -2889,7 +2889,7 @@ static const NSSItem nss_builtins_items_34 [] = {
 , (PRUint32)747 }
 };
 static const NSSItem nss_builtins_items_35 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -2914,9 +2914,9 @@ static const NSSItem nss_builtins_items_35 [] = {
 , (PRUint32)190 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_36 [] = {
@@ -3005,7 +3005,7 @@ static const NSSItem nss_builtins_items_36 [] = {
 , (PRUint32)747 }
 };
 static const NSSItem nss_builtins_items_37 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -3030,9 +3030,9 @@ static const NSSItem nss_builtins_items_37 [] = {
 , (PRUint32)190 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_38 [] = {
@@ -3143,7 +3143,7 @@ static const NSSItem nss_builtins_items_38 [] = {
 , (PRUint32)1054 }
 };
 static const NSSItem nss_builtins_items_39 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -3170,9 +3170,9 @@ static const NSSItem nss_builtins_items_39 [] = {
   { (void *)"\002\021\000\213\133\165\126\204\124\205\013\000\317\257\070\110"
 "\316\261\244"
 , (PRUint32)19 },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_40 [] = {
@@ -3283,7 +3283,7 @@ static const NSSItem nss_builtins_items_40 [] = {
 , (PRUint32)1053 }
 };
 static const NSSItem nss_builtins_items_41 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -3310,9 +3310,9 @@ static const NSSItem nss_builtins_items_41 [] = {
   { (void *)"\002\020\141\160\313\111\214\137\230\105\051\347\260\246\331\120"
 "\133\172"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_42 [] = {
@@ -3423,7 +3423,7 @@ static const NSSItem nss_builtins_items_42 [] = {
 , (PRUint32)1054 }
 };
 static const NSSItem nss_builtins_items_43 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -3450,9 +3450,9 @@ static const NSSItem nss_builtins_items_43 [] = {
   { (void *)"\002\021\000\233\176\006\111\243\076\142\271\325\356\220\110\161"
 "\051\357\127"
 , (PRUint32)19 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_44 [] = {
@@ -3563,7 +3563,7 @@ static const NSSItem nss_builtins_items_44 [] = {
 , (PRUint32)1054 }
 };
 static const NSSItem nss_builtins_items_45 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -3590,9 +3590,9 @@ static const NSSItem nss_builtins_items_45 [] = {
   { (void *)"\002\021\000\354\240\247\213\156\165\152\001\317\304\174\314\057"
 "\224\136\327"
 , (PRUint32)19 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_46 [] = {
@@ -3714,7 +3714,7 @@ static const NSSItem nss_builtins_items_46 [] = {
 , (PRUint32)1244 }
 };
 static const NSSItem nss_builtins_items_47 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -3740,9 +3740,9 @@ static const NSSItem nss_builtins_items_47 [] = {
 , (PRUint32)198 },
   { (void *)"\002\004\067\112\322\103"
 , (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_48 [] = {
@@ -3854,7 +3854,7 @@ static const NSSItem nss_builtins_items_48 [] = {
 , (PRUint32)1120 }
 };
 static const NSSItem nss_builtins_items_49 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -3879,9 +3879,9 @@ static const NSSItem nss_builtins_items_49 [] = {
 , (PRUint32)183 },
   { (void *)"\002\004\070\143\271\146"
 , (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_50 [] = {
@@ -3967,7 +3967,7 @@ static const NSSItem nss_builtins_items_50 [] = {
 , (PRUint32)891 }
 };
 static const NSSItem nss_builtins_items_51 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -3986,9 +3986,9 @@ static const NSSItem nss_builtins_items_51 [] = {
 , (PRUint32)92 },
   { (void *)"\002\004\002\000\000\271"
 , (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_52 [] = {
@@ -4060,7 +4060,7 @@ static const NSSItem nss_builtins_items_52 [] = {
 , (PRUint32)660 }
 };
 static const NSSItem nss_builtins_items_53 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -4079,9 +4079,9 @@ static const NSSItem nss_builtins_items_53 [] = {
 , (PRUint32)92 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_54 [] = {
@@ -4152,7 +4152,7 @@ static const NSSItem nss_builtins_items_54 [] = {
 , (PRUint32)646 }
 };
 static const NSSItem nss_builtins_items_55 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -4171,9 +4171,9 @@ static const NSSItem nss_builtins_items_55 [] = {
 , (PRUint32)85 },
   { (void *)"\002\001\004"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_56 [] = {
@@ -4252,7 +4252,7 @@ static const NSSItem nss_builtins_items_56 [] = {
 , (PRUint32)804 }
 };
 static const NSSItem nss_builtins_items_57 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -4270,9 +4270,9 @@ static const NSSItem nss_builtins_items_57 [] = {
 , (PRUint32)80 },
   { (void *)"\002\004\067\160\317\265"
 , (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_58 [] = {
@@ -4370,7 +4370,7 @@ static const NSSItem nss_builtins_items_58 [] = {
 , (PRUint32)1052 }
 };
 static const NSSItem nss_builtins_items_59 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -4390,9 +4390,9 @@ static const NSSItem nss_builtins_items_59 [] = {
 , (PRUint32)103 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_60 [] = {
@@ -4494,7 +4494,7 @@ static const NSSItem nss_builtins_items_60 [] = {
 , (PRUint32)1082 }
 };
 static const NSSItem nss_builtins_items_61 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -4515,9 +4515,9 @@ static const NSSItem nss_builtins_items_61 [] = {
 , (PRUint32)113 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_62 [] = {
@@ -4615,7 +4615,7 @@ static const NSSItem nss_builtins_items_62 [] = {
 , (PRUint32)1049 }
 };
 static const NSSItem nss_builtins_items_63 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -4635,9 +4635,9 @@ static const NSSItem nss_builtins_items_63 [] = {
 , (PRUint32)102 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_64 [] = {
@@ -4736,7 +4736,7 @@ static const NSSItem nss_builtins_items_64 [] = {
 , (PRUint32)1058 }
 };
 static const NSSItem nss_builtins_items_65 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -4756,9 +4756,9 @@ static const NSSItem nss_builtins_items_65 [] = {
 , (PRUint32)105 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_66 [] = {
@@ -4874,7 +4874,7 @@ static const NSSItem nss_builtins_items_66 [] = {
 , (PRUint32)1173 }
 };
 static const NSSItem nss_builtins_items_67 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -4899,9 +4899,9 @@ static const NSSItem nss_builtins_items_67 [] = {
 , (PRUint32)179 },
   { (void *)"\002\004\105\153\120\124"
 , (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_68 [] = {
@@ -4983,7 +4983,7 @@ static const NSSItem nss_builtins_items_68 [] = {
 , (PRUint32)869 }
 };
 static const NSSItem nss_builtins_items_69 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -5001,9 +5001,9 @@ static const NSSItem nss_builtins_items_69 [] = {
   { (void *)"\002\020\012\001\001\001\000\000\002\174\000\000\000\012\000\000"
 "\000\002"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_70 [] = {
@@ -5085,7 +5085,7 @@ static const NSSItem nss_builtins_items_70 [] = {
 , (PRUint32)856 }
 };
 static const NSSItem nss_builtins_items_71 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -5103,9 +5103,9 @@ static const NSSItem nss_builtins_items_71 [] = {
 , (PRUint32)68 },
   { (void *)"\002\003\002\064\126"
 , (PRUint32)5 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_72 [] = {
@@ -5188,7 +5188,7 @@ static const NSSItem nss_builtins_items_72 [] = {
 , (PRUint32)874 }
 };
 static const NSSItem nss_builtins_items_73 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -5206,9 +5206,9 @@ static const NSSItem nss_builtins_items_73 [] = {
 , (PRUint32)70 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_74 [] = {
@@ -5323,7 +5323,7 @@ static const NSSItem nss_builtins_items_74 [] = {
 , (PRUint32)1388 }
 };
 static const NSSItem nss_builtins_items_75 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -5341,9 +5341,9 @@ static const NSSItem nss_builtins_items_75 [] = {
 , (PRUint32)71 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_76 [] = {
@@ -5458,7 +5458,7 @@ static const NSSItem nss_builtins_items_76 [] = {
 , (PRUint32)1392 }
 };
 static const NSSItem nss_builtins_items_77 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -5476,9 +5476,9 @@ static const NSSItem nss_builtins_items_77 [] = {
 , (PRUint32)73 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_78 [] = {
@@ -5590,7 +5590,7 @@ static const NSSItem nss_builtins_items_78 [] = {
 , (PRUint32)1128 }
 };
 static const NSSItem nss_builtins_items_79 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -5615,9 +5615,9 @@ static const NSSItem nss_builtins_items_79 [] = {
   { (void *)"\002\020\104\276\014\213\120\000\044\264\021\323\066\060\113\300"
 "\063\167"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_80 [] = {
@@ -5708,7 +5708,7 @@ static const NSSItem nss_builtins_items_80 [] = {
 , (PRUint32)936 }
 };
 static const NSSItem nss_builtins_items_81 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -5728,9 +5728,9 @@ static const NSSItem nss_builtins_items_81 [] = {
 , (PRUint32)101 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_82 [] = {
@@ -5853,7 +5853,7 @@ static const NSSItem nss_builtins_items_82 [] = {
 , (PRUint32)1448 }
 };
 static const NSSItem nss_builtins_items_83 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -5873,9 +5873,9 @@ static const NSSItem nss_builtins_items_83 [] = {
 , (PRUint32)101 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_84 [] = {
@@ -5967,7 +5967,7 @@ static const NSSItem nss_builtins_items_84 [] = {
 , (PRUint32)934 }
 };
 static const NSSItem nss_builtins_items_85 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -5988,9 +5988,9 @@ static const NSSItem nss_builtins_items_85 [] = {
   { (void *)"\002\020\023\206\065\115\035\077\006\362\301\371\145\005\325\220"
 "\034\142"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_86 [] = {
@@ -6086,7 +6086,7 @@ static const NSSItem nss_builtins_items_86 [] = {
 , (PRUint32)864 }
 };
 static const NSSItem nss_builtins_items_87 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -6111,9 +6111,9 @@ static const NSSItem nss_builtins_items_87 [] = {
 , (PRUint32)191 },
   { (void *)"\002\002\003\352"
 , (PRUint32)4 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_88 [] = {
@@ -6209,7 +6209,7 @@ static const NSSItem nss_builtins_items_88 [] = {
 , (PRUint32)864 }
 };
 static const NSSItem nss_builtins_items_89 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -6234,9 +6234,9 @@ static const NSSItem nss_builtins_items_89 [] = {
 , (PRUint32)191 },
   { (void *)"\002\002\003\353"
 , (PRUint32)4 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_90 [] = {
@@ -6311,7 +6311,7 @@ static const NSSItem nss_builtins_items_90 [] = {
 , (PRUint32)784 }
 };
 static const NSSItem nss_builtins_items_91 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -6328,9 +6328,9 @@ static const NSSItem nss_builtins_items_91 [] = {
 , (PRUint32)64 },
   { (void *)"\002\003\001\000\040"
 , (PRUint32)5 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_92 [] = {
@@ -6432,7 +6432,7 @@ static const NSSItem nss_builtins_items_92 [] = {
 , (PRUint32)1078 }
 };
 static const NSSItem nss_builtins_items_93 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -6453,9 +6453,9 @@ static const NSSItem nss_builtins_items_93 [] = {
 , (PRUint32)125 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_94 [] = {
@@ -6558,7 +6558,7 @@ static const NSSItem nss_builtins_items_94 [] = {
 , (PRUint32)1091 }
 };
 static const NSSItem nss_builtins_items_95 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -6579,9 +6579,9 @@ static const NSSItem nss_builtins_items_95 [] = {
 , (PRUint32)128 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_96 [] = {
@@ -6686,7 +6686,7 @@ static const NSSItem nss_builtins_items_96 [] = {
 , (PRUint32)1095 }
 };
 static const NSSItem nss_builtins_items_97 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -6708,9 +6708,9 @@ static const NSSItem nss_builtins_items_97 [] = {
 , (PRUint32)129 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_98 [] = {
@@ -6840,7 +6840,7 @@ static const NSSItem nss_builtins_items_98 [] = {
 , (PRUint32)1492 }
 };
 static const NSSItem nss_builtins_items_99 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -6862,9 +6862,9 @@ static const NSSItem nss_builtins_items_99 [] = {
 , (PRUint32)129 },
   { (void *)"\002\004\072\266\120\213"
 , (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_100 [] = {
@@ -6984,7 +6984,7 @@ static const NSSItem nss_builtins_items_100 [] = {
 , (PRUint32)1467 }
 };
 static const NSSItem nss_builtins_items_101 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -7002,9 +7002,9 @@ static const NSSItem nss_builtins_items_101 [] = {
 , (PRUint32)71 },
   { (void *)"\002\002\005\011"
 , (PRUint32)4 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_102 [] = {
@@ -7139,7 +7139,7 @@ static const NSSItem nss_builtins_items_102 [] = {
 , (PRUint32)1697 }
 };
 static const NSSItem nss_builtins_items_103 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -7157,9 +7157,9 @@ static const NSSItem nss_builtins_items_103 [] = {
 , (PRUint32)71 },
   { (void *)"\002\002\005\306"
 , (PRUint32)4 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_104 [] = {
@@ -7243,7 +7243,7 @@ static const NSSItem nss_builtins_items_104 [] = {
 , (PRUint32)862 }
 };
 static const NSSItem nss_builtins_items_105 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -7262,9 +7262,9 @@ static const NSSItem nss_builtins_items_105 [] = {
 , (PRUint32)82 },
   { (void *)"\002\001\000"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_106 [] = {
@@ -7341,7 +7341,7 @@ static const NSSItem nss_builtins_items_106 [] = {
 , (PRUint32)804 }
 };
 static const NSSItem nss_builtins_items_107 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -7358,9 +7358,9 @@ static const NSSItem nss_builtins_items_107 [] = {
 , (PRUint32)59 },
   { (void *)"\002\001\044"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_108 [] = {
@@ -7437,7 +7437,7 @@ static const NSSItem nss_builtins_items_108 [] = {
 , (PRUint32)804 }
 };
 static const NSSItem nss_builtins_items_109 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -7454,9 +7454,9 @@ static const NSSItem nss_builtins_items_109 [] = {
 , (PRUint32)59 },
   { (void *)"\002\001\035"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_110 [] = {
@@ -7546,7 +7546,7 @@ static const NSSItem nss_builtins_items_110 [] = {
 , (PRUint32)958 }
 };
 static const NSSItem nss_builtins_items_111 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -7565,9 +7565,9 @@ static const NSSItem nss_builtins_items_111 [] = {
 , (PRUint32)87 },
   { (void *)"\002\004\000\230\226\212"
 , (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_112 [] = {
@@ -7662,7 +7662,7 @@ static const NSSItem nss_builtins_items_112 [] = {
 , (PRUint32)1071 }
 };
 static const NSSItem nss_builtins_items_113 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -7680,9 +7680,9 @@ static const NSSItem nss_builtins_items_113 [] = {
 , (PRUint32)69 },
   { (void *)"\002\004\072\314\245\114"
 , (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_114 [] = {
@@ -7790,7 +7790,7 @@ static const NSSItem nss_builtins_items_114 [] = {
 , (PRUint32)1309 }
 };
 static const NSSItem nss_builtins_items_115 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -7807,9 +7807,9 @@ static const NSSItem nss_builtins_items_115 [] = {
 , (PRUint32)51 },
   { (void *)"\002\004\076\110\275\304"
 , (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_116 [] = {
@@ -7919,7 +7919,7 @@ static const NSSItem nss_builtins_items_116 [] = {
 , (PRUint32)1122 }
 };
 static const NSSItem nss_builtins_items_117 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -7943,9 +7943,9 @@ static const NSSItem nss_builtins_items_117 [] = {
   { (void *)"\002\020\104\276\014\213\120\000\041\264\021\323\052\150\006\251"
 "\255\151"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_118 [] = {
@@ -8063,7 +8063,7 @@ static const NSSItem nss_builtins_items_118 [] = {
 , (PRUint32)1190 }
 };
 static const NSSItem nss_builtins_items_119 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -8089,9 +8089,9 @@ static const NSSItem nss_builtins_items_119 [] = {
   { (void *)"\002\020\104\276\014\213\120\000\044\264\021\323\066\045\045\147"
 "\311\211"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_120 [] = {
@@ -8202,7 +8202,7 @@ static const NSSItem nss_builtins_items_120 [] = {
 , (PRUint32)1144 }
 };
 static const NSSItem nss_builtins_items_121 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -8226,9 +8226,9 @@ static const NSSItem nss_builtins_items_121 [] = {
   { (void *)"\002\020\104\276\014\213\120\000\044\264\021\323\066\052\376\145"
 "\012\375"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_122 [] = {
@@ -8338,7 +8338,7 @@ static const NSSItem nss_builtins_items_122 [] = {
 , (PRUint32)1130 }
 };
 static const NSSItem nss_builtins_items_123 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -8362,9 +8362,9 @@ static const NSSItem nss_builtins_items_123 [] = {
   { (void *)"\002\020\104\276\014\213\120\000\044\264\021\323\066\055\340\263"
 "\137\033"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_124 [] = {
@@ -8477,7 +8477,7 @@ static const NSSItem nss_builtins_items_124 [] = {
 , (PRUint32)1217 }
 };
 static const NSSItem nss_builtins_items_125 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -8499,9 +8499,9 @@ static const NSSItem nss_builtins_items_125 [] = {
 , (PRUint32)129 },
   { (void *)"\002\001\000"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_126 [] = {
@@ -8612,7 +8612,7 @@ static const NSSItem nss_builtins_items_126 [] = {
 , (PRUint32)1225 }
 };
 static const NSSItem nss_builtins_items_127 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -8633,9 +8633,9 @@ static const NSSItem nss_builtins_items_127 [] = {
 , (PRUint32)127 },
   { (void *)"\002\001\000"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_128 [] = {
@@ -8789,7 +8789,7 @@ static const NSSItem nss_builtins_items_128 [] = {
 , (PRUint32)1749 }
 };
 static const NSSItem nss_builtins_items_129 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -8815,9 +8815,9 @@ static const NSSItem nss_builtins_items_129 [] = {
 , (PRUint32)204 },
   { (void *)"\002\001\173"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_130 [] = {
@@ -8964,7 +8964,7 @@ static const NSSItem nss_builtins_items_130 [] = {
 , (PRUint32)1665 }
 };
 static const NSSItem nss_builtins_items_131 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -8989,9 +8989,9 @@ static const NSSItem nss_builtins_items_131 [] = {
 , (PRUint32)178 },
   { (void *)"\002\002\001\003"
 , (PRUint32)4 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_132 [] = {
@@ -9114,7 +9114,7 @@ static const NSSItem nss_builtins_items_132 [] = {
 , (PRUint32)1359 }
 };
 static const NSSItem nss_builtins_items_133 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -9137,9 +9137,9 @@ static const NSSItem nss_builtins_items_133 [] = {
 , (PRUint32)156 },
   { (void *)"\002\001\151"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_134 [] = {
@@ -9263,7 +9263,7 @@ static const NSSItem nss_builtins_items_134 [] = {
 , (PRUint32)1363 }
 };
 static const NSSItem nss_builtins_items_135 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -9286,9 +9286,9 @@ static const NSSItem nss_builtins_items_135 [] = {
 , (PRUint32)158 },
   { (void *)"\002\001\150"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_136 [] = {
@@ -9393,7 +9393,7 @@ static const NSSItem nss_builtins_items_136 [] = {
 , (PRUint32)1076 }
 };
 static const NSSItem nss_builtins_items_137 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -9416,9 +9416,9 @@ static const NSSItem nss_builtins_items_137 [] = {
   { (void *)"\002\020\120\224\154\354\030\352\325\234\115\325\227\357\165\217"
 "\240\255"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_138 [] = {
@@ -9515,7 +9515,7 @@ static const NSSItem nss_builtins_items_138 [] = {
 , (PRUint32)1028 }
 };
 static const NSSItem nss_builtins_items_139 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -9535,9 +9535,9 @@ static const NSSItem nss_builtins_items_139 [] = {
 , (PRUint32)101 },
   { (void *)"\002\001\000"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_140 [] = {
@@ -9635,7 +9635,7 @@ static const NSSItem nss_builtins_items_140 [] = {
 , (PRUint32)1043 }
 };
 static const NSSItem nss_builtins_items_141 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -9655,9 +9655,9 @@ static const NSSItem nss_builtins_items_141 [] = {
 , (PRUint32)106 },
   { (void *)"\002\001\000"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_142 [] = {
@@ -9816,7 +9816,7 @@ static const NSSItem nss_builtins_items_142 [] = {
 , (PRUint32)1997 }
 };
 static const NSSItem nss_builtins_items_143 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -9837,9 +9837,9 @@ static const NSSItem nss_builtins_items_143 [] = {
 , (PRUint32)127 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_144 [] = {
@@ -9956,7 +9956,7 @@ static const NSSItem nss_builtins_items_144 [] = {
 , (PRUint32)1398 }
 };
 static const NSSItem nss_builtins_items_145 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -9975,9 +9975,9 @@ static const NSSItem nss_builtins_items_145 [] = {
   { (void *)"\002\020\037\235\131\132\327\057\302\006\104\245\200\010\151\343"
 "\136\366"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_146 [] = {
@@ -10085,7 +10085,7 @@ static const NSSItem nss_builtins_items_146 [] = {
 , (PRUint32)1115 }
 };
 static const NSSItem nss_builtins_items_147 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -10108,9 +10108,9 @@ static const NSSItem nss_builtins_items_147 [] = {
 , (PRUint32)160 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_148 [] = {
@@ -10209,7 +10209,7 @@ static const NSSItem nss_builtins_items_148 [] = {
 , (PRUint32)1001 }
 };
 static const NSSItem nss_builtins_items_149 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -10231,9 +10231,9 @@ static const NSSItem nss_builtins_items_149 [] = {
 , (PRUint32)133 },
   { (void *)"\002\004\071\344\227\236"
 , (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_150 [] = {
@@ -10360,7 +10360,7 @@ static const NSSItem nss_builtins_items_150 [] = {
 , (PRUint32)1501 }
 };
 static const NSSItem nss_builtins_items_151 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -10381,9 +10381,9 @@ static const NSSItem nss_builtins_items_151 [] = {
   { (void *)"\002\020\134\013\205\134\013\347\131\101\337\127\314\077\177\235"
 "\250\066"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_152 [] = {
@@ -10476,7 +10476,7 @@ static const NSSItem nss_builtins_items_152 [] = {
 , (PRUint32)955 }
 };
 static const NSSItem nss_builtins_items_153 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -10497,9 +10497,9 @@ static const NSSItem nss_builtins_items_153 [] = {
   { (void *)"\002\020\014\347\340\345\027\330\106\376\217\345\140\374\033\360"
 "\060\071"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_154 [] = {
@@ -10592,7 +10592,7 @@ static const NSSItem nss_builtins_items_154 [] = {
 , (PRUint32)947 }
 };
 static const NSSItem nss_builtins_items_155 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -10613,9 +10613,9 @@ static const NSSItem nss_builtins_items_155 [] = {
   { (void *)"\002\020\010\073\340\126\220\102\106\261\241\165\152\311\131\221"
 "\307\112"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_156 [] = {
@@ -10709,7 +10709,7 @@ static const NSSItem nss_builtins_items_156 [] = {
 , (PRUint32)969 }
 };
 static const NSSItem nss_builtins_items_157 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -10730,9 +10730,9 @@ static const NSSItem nss_builtins_items_157 [] = {
   { (void *)"\002\020\002\254\134\046\152\013\100\233\217\013\171\362\256\106"
 "\045\167"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_158 [] = {
@@ -10817,7 +10817,7 @@ static const NSSItem nss_builtins_items_158 [] = {
 , (PRUint32)918 }
 };
 static const NSSItem nss_builtins_items_159 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -10835,9 +10835,9 @@ static const NSSItem nss_builtins_items_159 [] = {
   { (void *)"\002\021\000\205\275\113\363\330\332\343\151\366\224\327\137\303"
 "\245\104\043"
 , (PRUint32)19 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_160 [] = {
@@ -10919,7 +10919,7 @@ static const NSSItem nss_builtins_items_160 [] = {
 , (PRUint32)846 }
 };
 static const NSSItem nss_builtins_items_161 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -10938,9 +10938,9 @@ static const NSSItem nss_builtins_items_161 [] = {
   { (void *)"\002\020\104\257\260\200\326\243\047\272\211\060\071\206\056\370"
 "\100\153"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_162 [] = {
@@ -11036,7 +11036,7 @@ static const NSSItem nss_builtins_items_162 [] = {
 , (PRUint32)1037 }
 };
 static const NSSItem nss_builtins_items_163 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -11056,9 +11056,9 @@ static const NSSItem nss_builtins_items_163 [] = {
   { (void *)"\002\020\015\136\231\012\326\235\267\170\354\330\007\126\073\206"
 "\025\331"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_164 [] = {
@@ -11164,7 +11164,7 @@ static const NSSItem nss_builtins_items_164 [] = {
 , (PRUint32)1023 }
 };
 static const NSSItem nss_builtins_items_165 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -11189,9 +11189,9 @@ static const NSSItem nss_builtins_items_165 [] = {
 , (PRUint32)186 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_166 [] = {
@@ -11303,7 +11303,7 @@ static const NSSItem nss_builtins_items_166 [] = {
 , (PRUint32)1088 }
 };
 static const NSSItem nss_builtins_items_167 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -11329,9 +11329,9 @@ static const NSSItem nss_builtins_items_167 [] = {
 , (PRUint32)193 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_168 [] = {
@@ -11452,7 +11452,7 @@ static const NSSItem nss_builtins_items_168 [] = {
 , (PRUint32)1477 }
 };
 static const NSSItem nss_builtins_items_169 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -11470,9 +11470,9 @@ static const NSSItem nss_builtins_items_169 [] = {
 , (PRUint32)75 },
   { (void *)"\002\010\116\262\000\147\014\003\135\117"
 , (PRUint32)10 },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_170 [] = {
@@ -11592,7 +11592,7 @@ static const NSSItem nss_builtins_items_170 [] = {
 , (PRUint32)1470 }
 };
 static const NSSItem nss_builtins_items_171 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -11610,9 +11610,9 @@ static const NSSItem nss_builtins_items_171 [] = {
 , (PRUint32)71 },
   { (void *)"\002\011\000\273\100\034\103\365\136\117\260"
 , (PRUint32)11 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_172 [] = {
@@ -11733,7 +11733,7 @@ static const NSSItem nss_builtins_items_172 [] = {
 , (PRUint32)1473 }
 };
 static const NSSItem nss_builtins_items_173 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -11751,9 +11751,9 @@ static const NSSItem nss_builtins_items_173 [] = {
 , (PRUint32)73 },
   { (void *)"\002\010\117\033\324\057\124\273\057\113"
 , (PRUint32)10 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_174 [] = {
@@ -11840,7 +11840,7 @@ static const NSSItem nss_builtins_items_174 [] = {
 , (PRUint32)896 }
 };
 static const NSSItem nss_builtins_items_175 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -11860,9 +11860,9 @@ static const NSSItem nss_builtins_items_175 [] = {
   { (void *)"\002\020\030\254\265\152\375\151\266\025\072\143\154\257\332\372"
 "\304\241"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_176 [] = {
@@ -11970,7 +11970,7 @@ static const NSSItem nss_builtins_items_176 [] = {
 , (PRUint32)1060 }
 };
 static const NSSItem nss_builtins_items_177 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -11995,9 +11995,9 @@ static const NSSItem nss_builtins_items_177 [] = {
   { (void *)"\002\020\064\116\325\127\040\325\355\354\111\364\057\316\067\333"
 "\053\155"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_178 [] = {
@@ -12120,7 +12120,7 @@ static const NSSItem nss_builtins_items_178 [] = {
 , (PRUint32)1239 }
 };
 static const NSSItem nss_builtins_items_179 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -12147,9 +12147,9 @@ static const NSSItem nss_builtins_items_179 [] = {
   { (void *)"\002\020\030\332\321\236\046\175\350\273\112\041\130\315\314\153"
 "\073\112"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_180 [] = {
@@ -12238,7 +12238,7 @@ static const NSSItem nss_builtins_items_180 [] = {
 , (PRUint32)956 }
 };
 static const NSSItem nss_builtins_items_181 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -12257,9 +12257,9 @@ static const NSSItem nss_builtins_items_181 [] = {
   { (void *)"\002\020\014\360\216\134\010\026\245\255\102\177\360\353\047\030"
 "\131\320"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_182 [] = {
@@ -12348,7 +12348,7 @@ static const NSSItem nss_builtins_items_182 [] = {
 , (PRUint32)960 }
 };
 static const NSSItem nss_builtins_items_183 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -12367,9 +12367,9 @@ static const NSSItem nss_builtins_items_183 [] = {
   { (void *)"\002\020\007\126\042\244\350\324\212\211\115\364\023\310\360\370"
 "\352\245"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_184 [] = {
@@ -12473,7 +12473,7 @@ static const NSSItem nss_builtins_items_184 [] = {
 , (PRUint32)1057 }
 };
 static const NSSItem nss_builtins_items_185 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -12496,9 +12496,9 @@ static const NSSItem nss_builtins_items_185 [] = {
   { (void *)"\002\020\116\201\055\212\202\145\340\013\002\356\076\065\002\106"
 "\345\075"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_186 [] = {
@@ -12620,7 +12620,7 @@ static const NSSItem nss_builtins_items_186 [] = {
 , (PRUint32)1422 }
 };
 static const NSSItem nss_builtins_items_187 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -12641,9 +12641,9 @@ static const NSSItem nss_builtins_items_187 [] = {
   { (void *)"\002\020\014\166\332\234\221\014\116\054\236\376\025\320\130\223"
 "\074\114"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_188 [] = {
@@ -12739,7 +12739,7 @@ static const NSSItem nss_builtins_items_188 [] = {
 , (PRUint32)1002 }
 };
 static const NSSItem nss_builtins_items_189 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -12760,9 +12760,9 @@ static const NSSItem nss_builtins_items_189 [] = {
   { (void *)"\002\020\127\313\063\157\302\134\026\346\107\026\027\343\220\061"
 "\150\340"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_190 [] = {
@@ -12875,7 +12875,7 @@ static const NSSItem nss_builtins_items_190 [] = {
 , (PRUint32)1217 }
 };
 static const NSSItem nss_builtins_items_191 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -12897,9 +12897,9 @@ static const NSSItem nss_builtins_items_191 [] = {
 , (PRUint32)136 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_192 [] = {
@@ -12977,7 +12977,7 @@ static const NSSItem nss_builtins_items_192 [] = {
 , (PRUint32)653 }
 };
 static const NSSItem nss_builtins_items_193 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -13000,9 +13000,9 @@ static const NSSItem nss_builtins_items_193 [] = {
   { (void *)"\002\020\037\107\257\252\142\000\160\120\124\114\001\236\233\143"
 "\231\052"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_194 [] = {
@@ -13098,7 +13098,7 @@ static const NSSItem nss_builtins_items_194 [] = {
 , (PRUint32)1078 }
 };
 static const NSSItem nss_builtins_items_195 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -13117,9 +13117,9 @@ static const NSSItem nss_builtins_items_195 [] = {
 , (PRUint32)92 },
   { (void *)"\002\001\102"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_untrusted, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_untrusted, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_untrusted, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_196 [] = {
@@ -13220,7 +13220,7 @@ static const NSSItem nss_builtins_items_196 [] = {
 , (PRUint32)1030 }
 };
 static const NSSItem nss_builtins_items_197 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -13242,9 +13242,9 @@ static const NSSItem nss_builtins_items_197 [] = {
 , (PRUint32)136 },
   { (void *)"\002\005\071\021\105\020\224"
 , (PRUint32)7 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_198 [] = {
@@ -13333,7 +13333,7 @@ static const NSSItem nss_builtins_items_198 [] = {
 , (PRUint32)897 }
 };
 static const NSSItem nss_builtins_items_199 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -13353,9 +13353,9 @@ static const NSSItem nss_builtins_items_199 [] = {
 , (PRUint32)98 },
   { (void *)"\002\001\000"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_200 [] = {
@@ -13456,7 +13456,7 @@ static const NSSItem nss_builtins_items_200 [] = {
 , (PRUint32)1013 }
 };
 static const NSSItem nss_builtins_items_201 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -13479,9 +13479,9 @@ static const NSSItem nss_builtins_items_201 [] = {
   { (void *)"\002\020\101\075\162\307\364\153\037\201\103\175\361\322\050\124"
 "\337\232"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_202 [] = {
@@ -13596,7 +13596,7 @@ static const NSSItem nss_builtins_items_202 [] = {
 , (PRUint32)1151 }
 };
 static const NSSItem nss_builtins_items_203 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -13622,9 +13622,9 @@ static const NSSItem nss_builtins_items_203 [] = {
   { (void *)"\002\020\067\031\030\346\123\124\174\032\265\270\313\131\132\333"
 "\065\267"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_204 [] = {
@@ -13782,7 +13782,7 @@ static const NSSItem nss_builtins_items_204 [] = {
 , (PRUint32)1964 }
 };
 static const NSSItem nss_builtins_items_205 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -13804,9 +13804,9 @@ static const NSSItem nss_builtins_items_205 [] = {
   { (void *)"\002\021\000\314\270\347\277\116\051\032\375\242\334\146\245\034"
 "\054\017\021"
 , (PRUint32)19 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_206 [] = {
@@ -13891,7 +13891,7 @@ static const NSSItem nss_builtins_items_206 [] = {
 , (PRUint32)940 }
 };
 static const NSSItem nss_builtins_items_207 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -13908,9 +13908,9 @@ static const NSSItem nss_builtins_items_207 [] = {
 , (PRUint32)54 },
   { (void *)"\002\011\000\376\334\343\001\017\311\110\377"
 , (PRUint32)11 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_208 [] = {
@@ -14048,7 +14048,7 @@ static const NSSItem nss_builtins_items_208 [] = {
 , (PRUint32)1642 }
 };
 static const NSSItem nss_builtins_items_209 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -14070,9 +14070,9 @@ static const NSSItem nss_builtins_items_209 [] = {
   { (void *)"\002\017\007\176\122\223\173\340\025\343\127\360\151\214\313\354"
 "\014"
 , (PRUint32)17 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_210 [] = {
@@ -14181,7 +14181,7 @@ static const NSSItem nss_builtins_items_210 [] = {
 , (PRUint32)1198 }
 };
 static const NSSItem nss_builtins_items_211 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -14202,9 +14202,9 @@ static const NSSItem nss_builtins_items_211 [] = {
 , (PRUint32)120 },
   { (void *)"\002\016\056\152\000\001\000\002\037\327\122\041\054\021\134\073"
 , (PRUint32)16 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_212 [] = {
@@ -14313,7 +14313,7 @@ static const NSSItem nss_builtins_items_212 [] = {
 , (PRUint32)1198 }
 };
 static const NSSItem nss_builtins_items_213 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -14334,9 +14334,9 @@ static const NSSItem nss_builtins_items_213 [] = {
 , (PRUint32)120 },
   { (void *)"\002\016\112\107\000\001\000\002\345\240\135\326\077\000\121\277"
 , (PRUint32)16 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_214 [] = {
@@ -14433,7 +14433,7 @@ static const NSSItem nss_builtins_items_214 [] = {
 , (PRUint32)993 }
 };
 static const NSSItem nss_builtins_items_215 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -14454,9 +14454,9 @@ static const NSSItem nss_builtins_items_215 [] = {
 , (PRUint32)123 },
   { (void *)"\002\016\035\242\000\001\000\002\354\267\140\200\170\215\266\006"
 , (PRUint32)16 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_216 [] = {
@@ -14549,7 +14549,7 @@ static const NSSItem nss_builtins_items_216 [] = {
 , (PRUint32)931 }
 };
 static const NSSItem nss_builtins_items_217 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -14570,9 +14570,9 @@ static const NSSItem nss_builtins_items_217 [] = {
 , (PRUint32)115 },
   { (void *)"\002\001\046"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_218 [] = {
@@ -14657,7 +14657,7 @@ static const NSSItem nss_builtins_items_218 [] = {
 , (PRUint32)919 }
 };
 static const NSSItem nss_builtins_items_219 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -14675,9 +14675,9 @@ static const NSSItem nss_builtins_items_219 [] = {
   { (void *)"\002\020\024\023\226\203\024\125\214\352\173\143\345\374\064\207"
 "\167\104"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_220 [] = {
@@ -14763,7 +14763,7 @@ static const NSSItem nss_builtins_items_220 [] = {
 , (PRUint32)943 }
 };
 static const NSSItem nss_builtins_items_221 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -14781,9 +14781,9 @@ static const NSSItem nss_builtins_items_221 [] = {
   { (void *)"\002\021\000\307\050\107\011\263\270\154\105\214\035\372\044\365"
 "\066\116\351"
 , (PRUint32)19 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_222 [] = {
@@ -14868,7 +14868,7 @@ static const NSSItem nss_builtins_items_222 [] = {
 , (PRUint32)933 }
 };
 static const NSSItem nss_builtins_items_223 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -14885,9 +14885,9 @@ static const NSSItem nss_builtins_items_223 [] = {
 , (PRUint32)61 },
   { (void *)"\002\013\004\000\000\000\000\001\017\205\252\055\110"
 , (PRUint32)13 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_224 [] = {
@@ -15010,7 +15010,7 @@ static const NSSItem nss_builtins_items_224 [] = {
 , (PRUint32)1460 }
 };
 static const NSSItem nss_builtins_items_225 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -15030,9 +15030,9 @@ static const NSSItem nss_builtins_items_225 [] = {
   { (void *)"\002\020\025\310\275\145\107\134\257\270\227\000\136\344\006\322"
 "\274\235"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_226 [] = {
@@ -15170,7 +15170,7 @@ static const NSSItem nss_builtins_items_226 [] = {
 , (PRUint32)1307 }
 };
 static const NSSItem nss_builtins_items_227 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -15202,9 +15202,9 @@ static const NSSItem nss_builtins_items_227 [] = {
 , (PRUint32)303 },
   { (void *)"\002\001\021"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_228 [] = {
@@ -15286,7 +15286,7 @@ static const NSSItem nss_builtins_items_228 [] = {
 , (PRUint32)855 }
 };
 static const NSSItem nss_builtins_items_229 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -15304,9 +15304,9 @@ static const NSSItem nss_builtins_items_229 [] = {
 , (PRUint32)77 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_230 [] = {
@@ -15388,7 +15388,7 @@ static const NSSItem nss_builtins_items_230 [] = {
 , (PRUint32)855 }
 };
 static const NSSItem nss_builtins_items_231 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -15406,9 +15406,9 @@ static const NSSItem nss_builtins_items_231 [] = {
 , (PRUint32)77 },
   { (void *)"\002\001\002"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_232 [] = {
@@ -15539,7 +15539,7 @@ static const NSSItem nss_builtins_items_232 [] = {
 , (PRUint32)1515 }
 };
 static const NSSItem nss_builtins_items_233 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -15561,9 +15561,9 @@ static const NSSItem nss_builtins_items_233 [] = {
 , (PRUint32)131 },
   { (void *)"\002\010\114\257\163\102\034\216\164\002"
 , (PRUint32)10 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_234 [] = {
@@ -15641,7 +15641,7 @@ static const NSSItem nss_builtins_items_234 [] = {
 , (PRUint32)828 }
 };
 static const NSSItem nss_builtins_items_235 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -15658,9 +15658,9 @@ static const NSSItem nss_builtins_items_235 [] = {
 , (PRUint32)61 },
   { (void *)"\002\006\040\006\005\026\160\002"
 , (PRUint32)8 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_236 [] = {
@@ -15740,7 +15740,7 @@ static const NSSItem nss_builtins_items_236 [] = {
 , (PRUint32)857 }
 };
 static const NSSItem nss_builtins_items_237 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -15757,9 +15757,9 @@ static const NSSItem nss_builtins_items_237 [] = {
 , (PRUint32)52 },
   { (void *)"\002\004\111\063\000\001"
 , (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_238 [] = {
@@ -15846,7 +15846,7 @@ static const NSSItem nss_builtins_items_238 [] = {
 , (PRUint32)932 }
 };
 static const NSSItem nss_builtins_items_239 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -15864,9 +15864,9 @@ static const NSSItem nss_builtins_items_239 [] = {
 , (PRUint32)69 },
   { (void *)"\002\001\061"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_240 [] = {
@@ -15970,7 +15970,7 @@ static const NSSItem nss_builtins_items_240 [] = {
 , (PRUint32)1026 }
 };
 static const NSSItem nss_builtins_items_241 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -15994,9 +15994,9 @@ static const NSSItem nss_builtins_items_241 [] = {
   { (void *)"\002\020\025\254\156\224\031\262\171\113\101\366\047\251\303\030"
 "\017\037"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_242 [] = {
@@ -16074,7 +16074,7 @@ static const NSSItem nss_builtins_items_242 [] = {
 , (PRUint32)652 }
 };
 static const NSSItem nss_builtins_items_243 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -16097,9 +16097,9 @@ static const NSSItem nss_builtins_items_243 [] = {
   { (void *)"\002\020\065\374\046\134\331\204\117\311\075\046\075\127\233\256"
 "\327\126"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_244 [] = {
@@ -16209,7 +16209,7 @@ static const NSSItem nss_builtins_items_244 [] = {
 , (PRUint32)1070 }
 };
 static const NSSItem nss_builtins_items_245 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -16235,9 +16235,9 @@ static const NSSItem nss_builtins_items_245 [] = {
   { (void *)"\002\020\140\001\227\267\106\247\352\264\264\232\326\113\057\367"
 "\220\373"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_246 [] = {
@@ -16320,7 +16320,7 @@ static const NSSItem nss_builtins_items_246 [] = {
 , (PRUint32)690 }
 };
 static const NSSItem nss_builtins_items_247 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -16344,9 +16344,9 @@ static const NSSItem nss_builtins_items_247 [] = {
   { (void *)"\002\020\074\262\364\110\012\000\342\376\353\044\073\136\140\076"
 "\303\153"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_248 [] = {
@@ -16465,7 +16465,7 @@ static const NSSItem nss_builtins_items_248 [] = {
 , (PRUint32)1213 }
 };
 static const NSSItem nss_builtins_items_249 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -16491,9 +16491,9 @@ static const NSSItem nss_builtins_items_249 [] = {
   { (void *)"\002\020\100\032\304\144\041\263\023\041\003\016\273\344\022\032"
 "\305\035"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_250 [] = {
@@ -16595,7 +16595,7 @@ static const NSSItem nss_builtins_items_250 [] = {
 , (PRUint32)904 }
 };
 static const NSSItem nss_builtins_items_251 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -16622,9 +16622,9 @@ static const NSSItem nss_builtins_items_251 [] = {
   { (void *)"\002\020\057\200\376\043\214\016\042\017\110\147\022\050\221\207"
 "\254\263"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_252 [] = {
@@ -16730,7 +16730,7 @@ static const NSSItem nss_builtins_items_252 [] = {
 , (PRUint32)1049 }
 };
 static const NSSItem nss_builtins_items_253 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -16754,9 +16754,9 @@ static const NSSItem nss_builtins_items_253 [] = {
 , (PRUint32)170 },
   { (void *)"\002\006\111\101\054\344\000\020"
 , (PRUint32)8 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_254 [] = {
@@ -16879,7 +16879,7 @@ static const NSSItem nss_builtins_items_254 [] = {
 , (PRUint32)1486 }
 };
 static const NSSItem nss_builtins_items_255 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -16898,9 +16898,9 @@ static const NSSItem nss_builtins_items_255 [] = {
 , (PRUint32)92 },
   { (void *)"\002\004\000\230\226\214"
 , (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_256 [] = {
@@ -16994,7 +16994,7 @@ static const NSSItem nss_builtins_items_256 [] = {
 , (PRUint32)1043 }
 };
 static const NSSItem nss_builtins_items_257 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -17012,9 +17012,9 @@ static const NSSItem nss_builtins_items_257 [] = {
 , (PRUint32)76 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_258 [] = {
@@ -17123,7 +17123,7 @@ static const NSSItem nss_builtins_items_258 [] = {
 , (PRUint32)1258 }
 };
 static const NSSItem nss_builtins_items_259 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -17142,9 +17142,9 @@ static const NSSItem nss_builtins_items_259 [] = {
 , (PRUint32)95 },
   { (void *)"\002\004\073\216\113\374"
 , (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_260 [] = {
@@ -17224,7 +17224,7 @@ static const NSSItem nss_builtins_items_260 [] = {
 , (PRUint32)820 }
 };
 static const NSSItem nss_builtins_items_261 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -17242,9 +17242,9 @@ static const NSSItem nss_builtins_items_261 [] = {
 , (PRUint32)73 },
   { (void *)"\002\002\003\350"
 , (PRUint32)4 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_262 [] = {
@@ -17330,7 +17330,7 @@ static const NSSItem nss_builtins_items_262 [] = {
 , (PRUint32)881 }
 };
 static const NSSItem nss_builtins_items_263 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -17349,9 +17349,9 @@ static const NSSItem nss_builtins_items_263 [] = {
 , (PRUint32)90 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_264 [] = {
@@ -17471,7 +17471,7 @@ static const NSSItem nss_builtins_items_264 [] = {
 , (PRUint32)1465 }
 };
 static const NSSItem nss_builtins_items_265 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -17489,9 +17489,9 @@ static const NSSItem nss_builtins_items_265 [] = {
 , (PRUint32)70 },
   { (void *)"\002\010\141\215\307\206\073\001\202\005"
 , (PRUint32)10 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_266 [] = {
@@ -17560,7 +17560,7 @@ static const NSSItem nss_builtins_items_266 [] = {
 , (PRUint32)576 }
 };
 static const NSSItem nss_builtins_items_267 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -17581,9 +17581,9 @@ static const NSSItem nss_builtins_items_267 [] = {
   { (void *)"\002\020\077\151\036\201\234\360\232\112\363\163\377\271\110\242"
 "\344\335"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_268 [] = {
@@ -17652,7 +17652,7 @@ static const NSSItem nss_builtins_items_268 [] = {
 , (PRUint32)576 }
 };
 static const NSSItem nss_builtins_items_269 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -17673,9 +17673,9 @@ static const NSSItem nss_builtins_items_269 [] = {
   { (void *)"\002\020\074\221\061\313\037\366\320\033\016\232\270\320\104\277"
 "\022\276"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_270 [] = {
@@ -17776,7 +17776,7 @@ static const NSSItem nss_builtins_items_270 [] = {
 , (PRUint32)1038 }
 };
 static const NSSItem nss_builtins_items_271 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -17798,9 +17798,9 @@ static const NSSItem nss_builtins_items_271 [] = {
 , (PRUint32)133 },
   { (void *)"\002\011\000\302\176\103\004\116\107\077\031"
 , (PRUint32)11 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_272 [] = {
@@ -17895,7 +17895,7 @@ static const NSSItem nss_builtins_items_272 [] = {
 , (PRUint32)954 }
 };
 static const NSSItem nss_builtins_items_273 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -17917,9 +17917,9 @@ static const NSSItem nss_builtins_items_273 [] = {
   { (void *)"\002\020\104\231\215\074\300\003\047\275\234\166\225\271\352\333"
 "\254\265"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_274 [] = {
@@ -18002,7 +18002,7 @@ static const NSSItem nss_builtins_items_274 [] = {
 , (PRUint32)867 }
 };
 static const NSSItem nss_builtins_items_275 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -18020,9 +18020,9 @@ static const NSSItem nss_builtins_items_275 [] = {
 , (PRUint32)78 },
   { (void *)"\002\013\004\000\000\000\000\001\041\130\123\010\242"
 , (PRUint32)13 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_276 [] = {
@@ -18119,7 +18119,7 @@ static const NSSItem nss_builtins_items_276 [] = {
 , (PRUint32)997 }
 };
 static const NSSItem nss_builtins_items_277 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -18140,9 +18140,9 @@ static const NSSItem nss_builtins_items_277 [] = {
 , (PRUint32)125 },
   { (void *)"\002\016\143\045\000\001\000\002\024\215\063\025\002\344\154\364"
 , (PRUint32)16 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_278 [] = {
@@ -18270,7 +18270,7 @@ static const NSSItem nss_builtins_items_278 [] = {
 , (PRUint32)1560 }
 };
 static const NSSItem nss_builtins_items_279 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -18289,9 +18289,9 @@ static const NSSItem nss_builtins_items_279 [] = {
 , (PRUint32)83 },
   { (void *)"\002\010\123\354\073\356\373\262\110\137"
 , (PRUint32)10 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_280 [] = {
@@ -18414,7 +18414,7 @@ static const NSSItem nss_builtins_items_280 [] = {
 , (PRUint32)1525 }
 };
 static const NSSItem nss_builtins_items_281 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -18432,9 +18432,9 @@ static const NSSItem nss_builtins_items_281 [] = {
   { (void *)"\002\020\000\260\267\132\026\110\137\277\341\313\365\213\327\031"
 "\346\175"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_282 [] = {
@@ -18594,7 +18594,7 @@ static const NSSItem nss_builtins_items_282 [] = {
 , (PRUint32)1875 }
 };
 static const NSSItem nss_builtins_items_283 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -18619,9 +18619,9 @@ static const NSSItem nss_builtins_items_283 [] = {
 , (PRUint32)177 },
   { (void *)"\002\011\000\243\332\102\176\244\261\256\332"
 , (PRUint32)11 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_284 [] = {
@@ -18778,7 +18778,7 @@ static const NSSItem nss_builtins_items_284 [] = {
 , (PRUint32)1869 }
 };
 static const NSSItem nss_builtins_items_285 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -18802,9 +18802,9 @@ static const NSSItem nss_builtins_items_285 [] = {
 , (PRUint32)175 },
   { (void *)"\002\011\000\311\315\323\351\325\175\043\316"
 , (PRUint32)11 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_286 [] = {
@@ -18944,7 +18944,7 @@ static const NSSItem nss_builtins_items_286 [] = {
 , (PRUint32)1532 }
 };
 static const NSSItem nss_builtins_items_287 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -18968,9 +18968,9 @@ static const NSSItem nss_builtins_items_287 [] = {
   { (void *)"\002\021\000\222\071\325\064\217\100\321\151\132\164\124\160\341"
 "\362\077\103"
 , (PRUint32)19 },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_288 [] = {
@@ -19125,7 +19125,7 @@ static const NSSItem nss_builtins_items_288 [] = {
 , (PRUint32)1761 }
 };
 static const NSSItem nss_builtins_items_289 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -19149,9 +19149,9 @@ static const NSSItem nss_builtins_items_289 [] = {
   { (void *)"\002\021\000\330\363\137\116\267\207\053\055\253\006\222\343\025"
 "\070\057\260"
 , (PRUint32)19 },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_290 [] = {
@@ -19291,7 +19291,7 @@ static const NSSItem nss_builtins_items_290 [] = {
 , (PRUint32)1522 }
 };
 static const NSSItem nss_builtins_items_291 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -19315,9 +19315,9 @@ static const NSSItem nss_builtins_items_291 [] = {
   { (void *)"\002\020\004\176\313\351\374\245\137\173\320\236\256\066\341\014"
 "\256\036"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_292 [] = {
@@ -19456,7 +19456,7 @@ static const NSSItem nss_builtins_items_292 [] = {
 , (PRUint32)1512 }
 };
 static const NSSItem nss_builtins_items_293 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -19480,9 +19480,9 @@ static const NSSItem nss_builtins_items_293 [] = {
   { (void *)"\002\021\000\365\310\152\363\141\142\361\072\144\365\117\155\311"
 "\130\174\006"
 , (PRUint32)19 },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_294 [] = {
@@ -19622,7 +19622,7 @@ static const NSSItem nss_builtins_items_294 [] = {
 , (PRUint32)1523 }
 };
 static const NSSItem nss_builtins_items_295 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -19646,9 +19646,9 @@ static const NSSItem nss_builtins_items_295 [] = {
   { (void *)"\002\021\000\351\002\213\225\170\344\025\334\032\161\012\053\210"
 "\025\104\107"
 , (PRUint32)19 },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_296 [] = {
@@ -19788,7 +19788,7 @@ static const NSSItem nss_builtins_items_296 [] = {
 , (PRUint32)1523 }
 };
 static const NSSItem nss_builtins_items_297 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -19812,9 +19812,9 @@ static const NSSItem nss_builtins_items_297 [] = {
   { (void *)"\002\021\000\327\125\217\332\365\361\020\133\262\023\050\053\160"
 "\167\051\243"
 , (PRUint32)19 },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_298 [] = {
@@ -19952,7 +19952,7 @@ static const NSSItem nss_builtins_items_298 [] = {
 , (PRUint32)1501 }
 };
 static const NSSItem nss_builtins_items_299 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -19976,9 +19976,9 @@ static const NSSItem nss_builtins_items_299 [] = {
   { (void *)"\002\020\071\052\103\117\016\007\337\037\212\243\005\336\064\340"
 "\302\051"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_300 [] = {
@@ -20116,7 +20116,7 @@ static const NSSItem nss_builtins_items_300 [] = {
 , (PRUint32)1501 }
 };
 static const NSSItem nss_builtins_items_301 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -20140,9 +20140,9 @@ static const NSSItem nss_builtins_items_301 [] = {
   { (void *)"\002\020\076\165\316\324\153\151\060\041\041\210\060\256\206\250"
 "\052\161"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_302 [] = {
@@ -20281,7 +20281,7 @@ static const NSSItem nss_builtins_items_302 [] = {
 , (PRUint32)1520 }
 };
 static const NSSItem nss_builtins_items_303 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -20305,9 +20305,9 @@ static const NSSItem nss_builtins_items_303 [] = {
   { (void *)"\002\021\000\260\267\023\076\320\226\371\265\157\256\221\310\164"
 "\275\072\300"
 , (PRUint32)19 },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_304 [] = {
@@ -20439,7 +20439,7 @@ static const NSSItem nss_builtins_items_304 [] = {
 , (PRUint32)1392 }
 };
 static const NSSItem nss_builtins_items_305 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -20463,9 +20463,9 @@ static const NSSItem nss_builtins_items_305 [] = {
   { (void *)"\002\020\162\003\041\005\305\014\010\127\075\216\245\060\116\376"
 "\350\260"
 , (PRUint32)18 },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_306 [] = {
@@ -20562,7 +20562,7 @@ static const NSSItem nss_builtins_items_306 [] = {
 , (PRUint32)969 }
 };
 static const NSSItem nss_builtins_items_307 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -20584,9 +20584,9 @@ static const NSSItem nss_builtins_items_307 [] = {
 , (PRUint32)134 },
   { (void *)"\002\001\000"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_308 [] = {
@@ -20687,7 +20687,7 @@ static const NSSItem nss_builtins_items_308 [] = {
 , (PRUint32)993 }
 };
 static const NSSItem nss_builtins_items_309 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -20710,9 +20710,9 @@ static const NSSItem nss_builtins_items_309 [] = {
 , (PRUint32)146 },
   { (void *)"\002\001\000"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_310 [] = {
@@ -20814,7 +20814,7 @@ static const NSSItem nss_builtins_items_310 [] = {
 , (PRUint32)1011 }
 };
 static const NSSItem nss_builtins_items_311 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -20837,9 +20837,9 @@ static const NSSItem nss_builtins_items_311 [] = {
 , (PRUint32)155 },
   { (void *)"\002\001\000"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_312 [] = {
@@ -20920,7 +20920,7 @@ static const NSSItem nss_builtins_items_312 [] = {
 , (PRUint32)848 }
 };
 static const NSSItem nss_builtins_items_313 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -20938,9 +20938,9 @@ static const NSSItem nss_builtins_items_313 [] = {
 , (PRUint32)70 },
   { (void *)"\002\010\167\167\006\047\046\251\261\174"
 , (PRUint32)10 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_314 [] = {
@@ -21021,7 +21021,7 @@ static const NSSItem nss_builtins_items_314 [] = {
 , (PRUint32)848 }
 };
 static const NSSItem nss_builtins_items_315 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -21039,9 +21039,9 @@ static const NSSItem nss_builtins_items_315 [] = {
 , (PRUint32)70 },
   { (void *)"\002\010\174\117\004\071\034\324\231\055"
 , (PRUint32)10 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_316 [] = {
@@ -21154,7 +21154,7 @@ static const NSSItem nss_builtins_items_316 [] = {
 , (PRUint32)1354 }
 };
 static const NSSItem nss_builtins_items_317 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -21172,9 +21172,9 @@ static const NSSItem nss_builtins_items_317 [] = {
 , (PRUint32)67 },
   { (void *)"\002\010\155\214\024\106\261\246\012\356"
 , (PRUint32)10 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_318 [] = {
@@ -21235,7 +21235,7 @@ static const NSSItem nss_builtins_items_318 [] = {
 , (PRUint32)514 }
 };
 static const NSSItem nss_builtins_items_319 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -21253,9 +21253,9 @@ static const NSSItem nss_builtins_items_319 [] = {
 , (PRUint32)71 },
   { (void *)"\002\010\164\227\045\212\307\077\172\124"
 , (PRUint32)10 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_320 [] = {
@@ -21349,7 +21349,7 @@ static const NSSItem nss_builtins_items_320 [] = {
 , (PRUint32)959 }
 };
 static const NSSItem nss_builtins_items_321 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -21370,9 +21370,9 @@ static const NSSItem nss_builtins_items_321 [] = {
 , (PRUint32)128 },
   { (void *)"\002\003\004\104\300"
 , (PRUint32)5 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_322 [] = {
@@ -21494,7 +21494,7 @@ static const NSSItem nss_builtins_items_322 [] = {
 , (PRUint32)1440 }
 };
 static const NSSItem nss_builtins_items_323 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -21514,9 +21514,9 @@ static const NSSItem nss_builtins_items_323 [] = {
 , (PRUint32)101 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_must_verify_trust, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_must_verify_trust, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_324 [] = {
@@ -21653,7 +21653,7 @@ static const NSSItem nss_builtins_items_324 [] = {
 , (PRUint32)1679 }
 };
 static const NSSItem nss_builtins_items_325 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -21673,9 +21673,9 @@ static const NSSItem nss_builtins_items_325 [] = {
 , (PRUint32)106 },
   { (void *)"\002\004\073\105\345\150"
 , (PRUint32)6 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_326 [] = {
@@ -21773,7 +21773,7 @@ static const NSSItem nss_builtins_items_326 [] = {
 , (PRUint32)979 }
 };
 static const NSSItem nss_builtins_items_327 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -21795,9 +21795,9 @@ static const NSSItem nss_builtins_items_327 [] = {
 , (PRUint32)144 },
   { (void *)"\002\003\001\154\036"
 , (PRUint32)5 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_must_verify_trust, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_must_verify_trust, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 static const NSSItem nss_builtins_items_328 [] = {
@@ -21885,7 +21885,7 @@ static const NSSItem nss_builtins_items_328 [] = {
 , (PRUint32)895 }
 };
 static const NSSItem nss_builtins_items_329 [] = {
-  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
   { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
@@ -21905,9 +21905,9 @@ static const NSSItem nss_builtins_items_329 [] = {
 , (PRUint32)97 },
   { (void *)"\002\001\001"
 , (PRUint32)3 },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
-  { (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_must_verify_trust, (PRUint32)sizeof(CK_TRUST) },
   { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
 
diff --git a/security/nss/lib/ckfw/builtins/certdata.txt b/security/nss/lib/ckfw/builtins/certdata.txt
index 2d9fef59c705..4cd6b243f0e0 100644
--- a/security/nss/lib/ckfw/builtins/certdata.txt
+++ b/security/nss/lib/ckfw/builtins/certdata.txt
@@ -34,7 +34,7 @@
 # the terms of any one of the MPL, the GPL or the LGPL.
 #
 # ***** END LICENSE BLOCK *****
-CVS_ID "@(#) $RCSfile: certdata.txt,v $ $Revision: 1.64.2.10 $ $Date: 2011/08/01 06:40:04 $"
+CVS_ID "@(#) $RCSfile: certdata.txt,v $ $Revision: 1.75 $ $Date: 2011/08/01 06:33:47 $"
 
 #
 # certdata.txt
@@ -58,7 +58,7 @@ CVS_ID "@(#) $RCSfile: certdata.txt,v $ $Revision: 1.64.2.10 $ $Date: 2011/08/01
 #  CKA_ISSUER               DER+base64              (varies)
 #  CKA_SERIAL_NUMBER        DER+base64              (varies)
 #  CKA_VALUE                DER+base64              (varies)
-#  CKA_NETSCAPE_EMAIL       ASCII7                  (unused here)
+#  CKA_NSS_EMAIL            ASCII7                  (unused here)
 #
 #    Trust
 #
@@ -96,7 +96,7 @@ CVS_ID "@(#) $RCSfile: certdata.txt,v $ $Revision: 1.64.2.10 $ $Date: 2011/08/01
 # have to go looking for others.
 #
 BEGINDATA
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_BUILTIN_ROOT_LIST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_BUILTIN_ROOT_LIST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -177,7 +177,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "GTE CyberTrust Global Root"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -202,9 +202,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\002\001\245
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -304,7 +304,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Thawte Server CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -334,9 +334,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\001
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -439,7 +439,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Thawte Premium Server CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -470,9 +470,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\001
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -557,7 +557,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Equifax Secure CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -579,9 +579,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\004\065\336\364\317
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -666,7 +666,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Digital Signature Trust Co. Global CA 1"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -688,9 +688,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\004\066\160\025\226
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -775,7 +775,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Digital Signature Trust Co. Global CA 3"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -797,9 +797,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\004\066\156\323\316
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -875,7 +875,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Verisign Class 1 Public Primary Certification Authority"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -900,9 +900,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\021\000\315\272\177\126\360\337\344\274\124\376\042\254\263
 \162\252\125
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUST_UNKNOWN
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -977,7 +977,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Verisign Class 2 Public Primary Certification Authority"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -1002,9 +1002,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\055\033\374\112\027\215\243\221\353\347\377\365\213\105
 \276\013
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUST_UNKNOWN
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -1079,7 +1079,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Verisign Class 3 Public Primary Certification Authority"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -1104,9 +1104,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\160\272\344\035\020\331\051\064\266\070\312\173\003\314
 \272\277
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -1206,7 +1206,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Verisign Class 1 Public Primary Certification Authority - G2"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -1237,9 +1237,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\114\307\352\252\230\076\161\323\223\020\370\075\072\211
 \221\222
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUST_UNKNOWN
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -1339,7 +1339,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Verisign Class 2 Public Primary Certification Authority - G2"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -1370,9 +1370,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\021\000\271\057\140\314\210\237\241\172\106\011\270\133\160
 \154\212\257
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUST_UNKNOWN
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -1472,7 +1472,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Verisign Class 3 Public Primary Certification Authority - G2"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -1503,9 +1503,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\175\331\376\007\317\250\036\267\020\171\147\373\247\211
 \064\306
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -1605,7 +1605,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Verisign Class 4 Public Primary Certification Authority - G2"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -1636,9 +1636,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\062\210\216\232\322\365\353\023\107\370\177\304\040\067
 \045\370
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -1730,7 +1730,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "GlobalSign Root CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -1753,9 +1753,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\013\004\000\000\000\000\001\025\113\132\303\224
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -1849,7 +1849,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "GlobalSign Root CA - R2"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -1871,9 +1871,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\013\004\000\000\000\000\001\017\206\046\346\015
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -1968,7 +1968,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "ValiCert Class 1 VA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -1997,9 +1997,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\001
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -2094,7 +2094,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "ValiCert Class 2 VA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -2123,9 +2123,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\001
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -2220,7 +2220,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "RSA Root Certificate 1"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -2249,9 +2249,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\001
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -2368,7 +2368,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Verisign Class 1 Public Primary Certification Authority - G3"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -2399,9 +2399,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\021\000\213\133\165\126\204\124\205\013\000\317\257\070\110
 \316\261\244
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUST_UNKNOWN
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -2518,7 +2518,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Verisign Class 2 Public Primary Certification Authority - G3"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -2549,9 +2549,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\141\160\313\111\214\137\230\105\051\347\260\246\331\120
 \133\172
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUST_UNKNOWN
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -2668,7 +2668,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Verisign Class 3 Public Primary Certification Authority - G3"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -2699,9 +2699,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\021\000\233\176\006\111\243\076\142\271\325\356\220\110\161
 \051\357\127
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -2818,7 +2818,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Verisign Class 4 Public Primary Certification Authority - G3"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -2849,9 +2849,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\021\000\354\240\247\213\156\165\152\001\317\304\174\314\057
 \224\136\327
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -2979,7 +2979,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Entrust.net Secure Server CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -3009,9 +3009,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\004\067\112\322\103
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -3129,7 +3129,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Entrust.net Premium 2048 Secure Server CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -3158,9 +3158,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\004\070\143\271\146
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -3252,7 +3252,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Baltimore CyberTrust Root"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -3275,9 +3275,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\004\002\000\000\271
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -3355,7 +3355,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Equifax Secure Global eBusiness CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -3378,9 +3378,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\001
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -3457,7 +3457,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Equifax Secure eBusiness CA 1"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -3480,9 +3480,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\004
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -3567,7 +3567,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Equifax Secure eBusiness CA 2"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -3589,9 +3589,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\004\067\160\317\265
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -3695,7 +3695,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "AddTrust Low-Value Services Root"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -3719,9 +3719,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\001
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -3829,7 +3829,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "AddTrust External Root"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -3854,9 +3854,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\001
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -3960,7 +3960,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "AddTrust Public Services Root"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -3984,9 +3984,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\001
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -4091,7 +4091,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "AddTrust Qualified Certificates Root"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -4115,9 +4115,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\001
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -4239,7 +4239,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Entrust Root Certification Authority"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -4268,9 +4268,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\004\105\153\120\124
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -4358,7 +4358,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "RSA Security 2048 v3"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -4380,9 +4380,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\012\001\001\001\000\000\002\174\000\000\000\012\000\000
 \000\002
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -4470,7 +4470,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "GeoTrust Global CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -4492,9 +4492,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\003\002\064\126
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -4583,7 +4583,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "GeoTrust Global CA 2"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -4605,9 +4605,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\001
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -4728,7 +4728,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "GeoTrust Universal CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -4750,9 +4750,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\001
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -4873,7 +4873,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "GeoTrust Universal CA 2"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -4895,9 +4895,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\001
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -5015,7 +5015,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "UTN-USER First-Network Applications"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -5044,9 +5044,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\104\276\014\213\120\000\044\264\021\323\066\060\113\300
 \063\167
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUST_UNKNOWN
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -5143,7 +5143,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "America Online Root Certification Authority 1"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -5167,9 +5167,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\001
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -5298,7 +5298,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "America Online Root Certification Authority 2"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -5322,9 +5322,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\001
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -5422,7 +5422,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Visa eCommerce Root"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -5447,9 +5447,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\023\206\065\115\035\077\006\362\301\371\145\005\325\220
 \034\142
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -5551,7 +5551,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "TC TrustCenter, Germany, Class 2 CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -5580,9 +5580,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\002\003\352
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -5684,7 +5684,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "TC TrustCenter, Germany, Class 3 CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -5713,9 +5713,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\002\003\353
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -5796,7 +5796,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Certum Root CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -5817,9 +5817,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\003\001\000\040
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -5927,7 +5927,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Comodo AAA Services root"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -5952,9 +5952,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\001
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -6063,7 +6063,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Comodo Secure Services root"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -6088,9 +6088,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\001
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -6201,7 +6201,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Comodo Trusted Services root"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -6227,9 +6227,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\001
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -6365,7 +6365,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "QuoVadis Root CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -6391,9 +6391,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\004\072\266\120\213
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -6519,7 +6519,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "QuoVadis Root CA 2"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -6541,9 +6541,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\002\005\011
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -6684,7 +6684,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "QuoVadis Root CA 3"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -6706,9 +6706,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\002\005\306
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -6798,7 +6798,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Security Communication Root CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -6821,9 +6821,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\000
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -6906,7 +6906,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Sonera Class 1 Root CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -6927,9 +6927,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\044
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUST_UNKNOWN
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -7012,7 +7012,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Sonera Class 2 Root CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -7033,9 +7033,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\035
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -7131,7 +7131,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Staat der Nederlanden Root CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -7154,9 +7154,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\004\000\230\226\212
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -7257,7 +7257,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "TDC Internet Root CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -7279,9 +7279,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\004\072\314\245\114
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -7395,7 +7395,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "TDC OCES Root CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -7416,9 +7416,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\004\076\110\275\304
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -7534,7 +7534,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "UTN DATACorp SGC Root CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -7562,9 +7562,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\104\276\014\213\120\000\041\264\021\323\052\150\006\251
 \255\151
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -7688,7 +7688,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "UTN USERFirst Email Root CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -7718,9 +7718,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\104\276\014\213\120\000\044\264\021\323\066\045\045\147
 \311\211
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUST_UNKNOWN
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -7837,7 +7837,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "UTN USERFirst Hardware Root CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -7865,9 +7865,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\104\276\014\213\120\000\044\264\021\323\066\052\376\145
 \012\375
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -7983,7 +7983,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "UTN USERFirst Object Root CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -8011,9 +8011,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\104\276\014\213\120\000\044\264\021\323\066\055\340\263
 \137\033
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUST_UNKNOWN
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -8132,7 +8132,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Camerfirma Chambers of Commerce Root"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -8158,9 +8158,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\000
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -8277,7 +8277,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Camerfirma Global Chambersign Root"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -8302,9 +8302,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\000
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -8464,7 +8464,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "NetLock Qualified (Class QA) Root"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -8494,9 +8494,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\173
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUST_UNKNOWN
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -8649,7 +8649,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "NetLock Notary (Class A) Root"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -8678,9 +8678,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\002\001\003
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -8809,7 +8809,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "NetLock Business (Class B) Root"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -8836,9 +8836,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\151
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -8968,7 +8968,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "NetLock Express (Class C) Root"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -8995,9 +8995,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\150
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -9108,7 +9108,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "XRamp Global CA Root"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -9135,9 +9135,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\120\224\154\354\030\352\325\234\115\325\227\357\165\217
 \240\255
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -9240,7 +9240,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Go Daddy Class 2 CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -9264,9 +9264,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\000
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -9370,7 +9370,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Starfield Class 2 CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -9394,9 +9394,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\000
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -9561,7 +9561,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "StartCom Certification Authority"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -9586,9 +9586,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\001
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -9711,7 +9711,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Taiwan GRCA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -9734,9 +9734,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\037\235\131\132\327\057\302\006\104\245\200\010\151\343
 \136\366
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -9850,7 +9850,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Firmaprofesional Root CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -9877,9 +9877,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\001
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -9984,7 +9984,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Wells Fargo Root CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -10010,9 +10010,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\004\071\344\227\236
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -10145,7 +10145,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Swisscom Root CA 1"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -10170,9 +10170,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\134\013\205\134\013\347\131\101\337\127\314\077\177\235
 \250\066
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -10271,7 +10271,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "DigiCert Assured ID Root CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -10296,9 +10296,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\014\347\340\345\027\330\106\376\217\345\140\374\033\360
 \060\071
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -10397,7 +10397,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "DigiCert Global Root CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -10422,9 +10422,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\010\073\340\126\220\102\106\261\241\165\152\311\131\221
 \307\112
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -10524,7 +10524,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "DigiCert High Assurance EV Root CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -10549,9 +10549,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\002\254\134\046\152\013\100\233\217\013\171\362\256\106
 \045\167
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -10642,7 +10642,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Certplus Class 2 Primary CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -10664,9 +10664,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\021\000\205\275\113\363\330\332\343\151\366\224\327\137\303
 \245\104\043
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -10754,7 +10754,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "DST Root CA X3"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -10777,9 +10777,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\104\257\260\200\326\243\047\272\211\060\071\206\056\370
 \100\153
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -10881,7 +10881,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "DST ACES CA X6"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -10905,9 +10905,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\015\136\231\012\326\235\267\170\354\330\007\126\073\206
 \025\331
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -11019,7 +11019,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "TURKTRUST Certificate Services Provider Root 1"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -11048,9 +11048,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\001
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -11168,7 +11168,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "TURKTRUST Certificate Services Provider Root 2"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -11198,9 +11198,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\001
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -11327,7 +11327,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "SwissSign Platinum CA - G2"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -11349,9 +11349,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\010\116\262\000\147\014\003\135\117
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUST_UNKNOWN
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -11477,7 +11477,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "SwissSign Gold CA - G2"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -11499,9 +11499,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\011\000\273\100\034\103\365\136\117\260
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -11628,7 +11628,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "SwissSign Silver CA - G2"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -11650,9 +11650,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\010\117\033\324\057\124\273\057\113
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -11745,7 +11745,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "GeoTrust Primary Certification Authority"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -11769,9 +11769,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\030\254\265\152\375\151\266\025\072\143\154\257\332\372
 \304\241
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -11885,7 +11885,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "thawte Primary Root CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -11914,9 +11914,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\064\116\325\127\040\325\355\354\111\364\057\316\067\333
 \053\155
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -12045,7 +12045,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "VeriSign Class 3 Public Primary Certification Authority - G5"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -12076,9 +12076,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\030\332\321\236\046\175\350\273\112\041\130\315\314\153
 \073\112
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -12173,7 +12173,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "SecureTrust CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -12196,9 +12196,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\014\360\216\134\010\026\245\255\102\177\360\353\047\030
 \131\320
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -12293,7 +12293,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Secure Global CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -12316,9 +12316,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\007\126\042\244\350\324\212\211\115\364\023\310\360\370
 \352\245
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -12428,7 +12428,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "COMODO Certification Authority"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -12455,9 +12455,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\116\201\055\212\202\145\340\013\002\356\076\065\002\106
 \345\075
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -12585,7 +12585,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "DigiNotar Root CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -12610,9 +12610,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\014\166\332\234\221\014\116\054\236\376\025\320\130\223
 \074\114
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -12714,7 +12714,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Network Solutions Certificate Authority"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -12739,9 +12739,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\127\313\063\157\302\134\026\346\107\026\027\343\220\061
 \150\340
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -12860,7 +12860,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "WellsSecure Public Root Certificate Authority"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -12886,9 +12886,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\001
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -12972,7 +12972,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "COMODO ECC Certification Authority"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -12999,9 +12999,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\037\107\257\252\142\000\160\120\124\114\001\236\233\143
 \231\052
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -13103,7 +13103,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "MD5 Collisions Forged Rogue CA 25c3"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -13126,9 +13126,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\102
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_UNTRUSTED
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_UNTRUSTED
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_UNTRUSTED
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -13235,7 +13235,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "IGC/A"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -13261,9 +13261,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\005\071\021\105\020\224
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -13358,7 +13358,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Security Communication EV RootCA1"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -13382,9 +13382,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\000
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -13491,7 +13491,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "OISTE WISeKey Global Root GA CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -13518,9 +13518,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\101\075\162\307\364\153\037\201\103\175\361\322\050\124
 \337\232
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -13641,7 +13641,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "S-TRUST Authentication and Encryption Root CA 2005 PN"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -13671,9 +13671,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\067\031\030\346\123\124\174\032\265\270\313\131\132\333
 \065\267
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUST_UNKNOWN
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -13837,7 +13837,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Microsec e-Szigno Root CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -13863,9 +13863,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\021\000\314\270\347\277\116\051\032\375\242\334\146\245\034
 \054\017\021
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -13956,7 +13956,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Certigna"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -13977,9 +13977,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\011\000\376\334\343\001\017\311\110\377
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -14123,7 +14123,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "AC Raiz Certicamara S.A."
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -14149,9 +14149,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\017\007\176\122\223\173\340\025\343\127\360\151\214\313\354
 \014
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -14266,7 +14266,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "TC TrustCenter Class 2 CA II"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -14291,9 +14291,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\016\056\152\000\001\000\002\037\327\122\041\054\021\134\073
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -14408,7 +14408,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "TC TrustCenter Class 3 CA II"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -14433,9 +14433,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\016\112\107\000\001\000\002\345\240\135\326\077\000\121\277
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -14538,7 +14538,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "TC TrustCenter Universal CA I"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -14563,9 +14563,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\016\035\242\000\001\000\002\354\267\140\200\170\215\266\006
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -14664,7 +14664,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Deutsche Telekom Root CA 2"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -14689,9 +14689,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\046
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -14782,7 +14782,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "ComSign CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -14804,9 +14804,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\024\023\226\203\024\125\214\352\173\143\345\374\064\207
 \167\104
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUST_UNKNOWN
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -14898,7 +14898,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "ComSign Secured CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -14920,9 +14920,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\021\000\307\050\107\011\263\270\154\105\214\035\372\044\365
 \066\116\351
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -15013,7 +15013,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Cybertrust Global Root"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -15034,9 +15034,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\013\004\000\000\000\000\001\017\205\252\055\110
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -15165,7 +15165,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "ePKI Root Certification Authority"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -15189,9 +15189,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\025\310\275\145\107\134\257\270\227\000\136\344\006\322
 \274\235
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -15335,7 +15335,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "TUBITAK UEKAE Kok Sertifika Hizmet Saglayicisi - Surum 3"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -15371,9 +15371,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\021
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -15461,7 +15461,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Buypass Class 2 CA 1"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -15483,9 +15483,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\001
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -15573,7 +15573,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Buypass Class 3 CA 1"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -15595,9 +15595,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\002
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -15734,7 +15734,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "EBG Elektronik Sertifika Hizmet Saglayicisi"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -15760,9 +15760,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\010\114\257\163\102\034\216\164\002
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -15846,7 +15846,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "certSIGN ROOT CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -15867,9 +15867,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\006\040\006\005\026\160\002
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -15955,7 +15955,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "CNNIC ROOT"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -15976,9 +15976,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\004\111\063\000\001
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -16071,7 +16071,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "ApplicationCA - Japanese Government"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -16093,9 +16093,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\061
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -16205,7 +16205,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "GeoTrust Primary Certification Authority - G3"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -16233,9 +16233,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\025\254\156\224\031\262\171\113\101\366\047\251\303\030
 \017\037
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -16319,7 +16319,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "thawte Primary Root CA - G2"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -16346,9 +16346,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\065\374\046\134\331\204\117\311\075\046\075\127\233\256
 \327\126
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -16464,7 +16464,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "thawte Primary Root CA - G3"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -16494,9 +16494,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\140\001\227\267\106\247\352\264\264\232\326\113\057\367
 \220\373
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -16585,7 +16585,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "GeoTrust Primary Certification Authority - G2"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -16613,9 +16613,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\074\262\364\110\012\000\342\376\353\044\073\136\140\076
 \303\153
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -16740,7 +16740,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "VeriSign Universal Root Certification Authority"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -16770,9 +16770,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\100\032\304\144\041\263\023\041\003\016\273\344\022\032
 \305\035
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -16880,7 +16880,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "VeriSign Class 3 Public Primary Certification Authority - G4"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -16911,9 +16911,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\057\200\376\043\214\016\042\017\110\147\022\050\221\207
 \254\263
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -17025,7 +17025,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "NetLock Arany (Class Gold) Főtanúsítvány"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -17053,9 +17053,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\006\111\101\054\344\000\020
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -17184,7 +17184,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Staat der Nederlanden Root CA - G2"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -17207,9 +17207,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\004\000\230\226\214
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -17309,7 +17309,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "CA Disig"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -17331,9 +17331,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\001
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -17448,7 +17448,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Juur-SK"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -17471,9 +17471,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\004\073\216\113\374
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -17559,7 +17559,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Hongkong Post Root CA 1"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -17581,9 +17581,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\002\003\350
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -17675,7 +17675,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "SecureSign RootCA11"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -17698,9 +17698,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\001
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -17826,7 +17826,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "ACEDICOM Root"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -17848,9 +17848,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\010\141\215\307\206\073\001\202\005
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 
@@ -17926,7 +17926,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Verisign Class 1 Public Primary Certification Authority"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -17951,9 +17951,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\077\151\036\201\234\360\232\112\363\163\377\271\110\242
 \344\335
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUST_UNKNOWN
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -18028,7 +18028,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Verisign Class 3 Public Primary Certification Authority"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -18053,9 +18053,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\074\221\061\313\037\366\320\033\016\232\270\320\104\277
 \022\276
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -18162,7 +18162,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Microsec e-Szigno Root CA 2009"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -18188,9 +18188,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\011\000\302\176\103\004\116\107\077\031
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -18291,7 +18291,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "E-Guven Kok Elektronik Sertifika Hizmet Saglayicisi"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -18317,9 +18317,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\104\231\215\074\300\003\047\275\234\166\225\271\352\333
 \254\265
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -18408,7 +18408,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "GlobalSign Root CA - R3"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -18430,9 +18430,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\013\004\000\000\000\000\001\041\130\123\010\242
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -18535,7 +18535,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "TC TrustCenter Universal CA III"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -18560,9 +18560,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\016\143\045\000\001\000\002\024\215\063\025\002\344\154\364
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -18696,7 +18696,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -18719,9 +18719,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\010\123\354\073\356\373\262\110\137
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -18850,7 +18850,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Izenpe.com"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -18872,9 +18872,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\000\260\267\132\026\110\137\277\341\313\365\213\327\031
 \346\175
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -19040,7 +19040,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Chambers of Commerce Root - 2008"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -19069,9 +19069,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\011\000\243\332\102\176\244\261\256\332
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -19234,7 +19234,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Global Chambersign Root - 2008"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -19262,9 +19262,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\011\000\311\315\323\351\325\175\043\316
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -19410,7 +19410,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Bogus Mozilla Addons"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -19438,9 +19438,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\021\000\222\071\325\064\217\100\321\151\132\164\124\160\341
 \362\077\103
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_VALID
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_VALID
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_VALID
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -19601,7 +19601,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Bogus Global Trustee"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -19629,9 +19629,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\021\000\330\363\137\116\267\207\053\055\253\006\222\343\025
 \070\057\260
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_VALID
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_VALID
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_VALID
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -19777,7 +19777,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Bogus GMail"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -19805,9 +19805,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\004\176\313\351\374\245\137\173\320\236\256\066\341\014
 \256\036
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_VALID
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_VALID
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_VALID
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -19952,7 +19952,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Bogus Google"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -19980,9 +19980,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\021\000\365\310\152\363\141\142\361\072\144\365\117\155\311
 \130\174\006
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_VALID
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_VALID
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_VALID
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -20128,7 +20128,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Bogus Skype"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -20156,9 +20156,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\021\000\351\002\213\225\170\344\025\334\032\161\012\053\210
 \025\104\107
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_VALID
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_VALID
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_VALID
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -20304,7 +20304,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Bogus Yahoo 1"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -20332,9 +20332,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\021\000\327\125\217\332\365\361\020\133\262\023\050\053\160
 \167\051\243
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_VALID
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_VALID
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_VALID
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -20478,7 +20478,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Bogus Yahoo 2"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -20506,9 +20506,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\071\052\103\117\016\007\337\037\212\243\005\336\064\340
 \302\051
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_VALID
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_VALID
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_VALID
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -20652,7 +20652,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Bogus Yahoo 3"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -20680,9 +20680,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\076\165\316\324\153\151\060\041\041\210\060\256\206\250
 \052\161
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_VALID
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_VALID
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_VALID
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -20827,7 +20827,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Bogus live.com"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -20855,9 +20855,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\021\000\260\267\023\076\320\226\371\265\157\256\221\310\164
 \275\072\300
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_VALID
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_VALID
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_VALID
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -20995,7 +20995,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Bogus kuix.de"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -21023,9 +21023,9 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\162\003\041\005\305\014\010\127\075\216\245\060\116\376
 \350\260
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_VALID
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_VALID
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_VALID
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -21128,7 +21128,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Go Daddy Root Certificate Authority - G2"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -21154,9 +21154,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\000
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -21263,7 +21263,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Starfield Root Certificate Authority - G2"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -21290,9 +21290,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\000
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -21400,7 +21400,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Starfield Services Root Certificate Authority - G2"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -21427,9 +21427,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\000
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -21516,7 +21516,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "AffirmTrust Commercial"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -21538,9 +21538,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\010\167\167\006\047\046\251\261\174
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -21627,7 +21627,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "AffirmTrust Networking"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -21649,9 +21649,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\010\174\117\004\071\034\324\231\055
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -21770,7 +21770,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "AffirmTrust Premium"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -21792,9 +21792,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\010\155\214\024\106\261\246\012\356
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -21861,7 +21861,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "AffirmTrust Premium ECC"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -21883,9 +21883,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\010\164\227\045\212\307\077\172\124
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUST_UNKNOWN
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -21985,7 +21985,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Certum Trusted Network CA"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -22010,9 +22010,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\003\004\104\300
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -22140,7 +22140,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Certinomis - Autorité Racine"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -22164,9 +22164,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\001
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -22309,7 +22309,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "Root CA Generalitat Valenciana"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -22333,9 +22333,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\004\073\105\345\150
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -22439,7 +22439,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "A-Trust-nQual-03"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -22465,9 +22465,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\003\001\154\036
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -22561,7 +22561,7 @@ CKA_VALUE MULTILINE_OCTAL
 END
 
 # Trust for Certificate "TWCA Root Certification Authority"
-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
@@ -22585,7 +22585,7 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\001
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
diff --git a/security/nss/lib/ckfw/capi/cfind.c b/security/nss/lib/ckfw/capi/cfind.c
index fd055e65b165..95310c93a1ae 100644
--- a/security/nss/lib/ckfw/capi/cfind.c
+++ b/security/nss/lib/ckfw/capi/cfind.c
@@ -36,7 +36,7 @@
  *
  * ***** END LICENSE BLOCK ***** */
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: cfind.c,v $ $Revision: 1.3 $ $Date: 2005/12/16 00:48:02 $";
+static const char CVS_ID[] = "@(#) $RCSfile: cfind.c,v $ $Revision: 1.4 $ $Date: 2011/02/02 17:13:40 $";
 #endif /* DEBUG */
 
 #ifndef CKCAPI_H
@@ -136,7 +136,7 @@ ckcapi_attrmatch
   if( a->ulValueLen != b->size ) {
     /* match a decoded serial number */
     if ((a->type == CKA_SERIAL_NUMBER) && (a->ulValueLen < b->size)) {
-	int len;
+	unsigned int len;
 	unsigned char *data;
 
 	data = nss_ckcapi_DERUnwrap(b->data, b->size, &len, NULL);
diff --git a/security/nss/lib/ckfw/capi/ckcapi.h b/security/nss/lib/ckfw/capi/ckcapi.h
index 4ddd49153bbe..41dd47399335 100644
--- a/security/nss/lib/ckfw/capi/ckcapi.h
+++ b/security/nss/lib/ckfw/capi/ckcapi.h
@@ -40,7 +40,7 @@
 #define CKCAPI_H 1
 
 #ifdef DEBUG
-static const char CKCAPI_CVS_ID[] = "@(#) $RCSfile: ckcapi.h,v $ $Revision: 1.3 $ $Date: 2008/08/11 08:14:10 $";
+static const char CKCAPI_CVS_ID[] = "@(#) $RCSfile: ckcapi.h,v $ $Revision: 1.4 $ $Date: 2011/02/02 17:13:40 $";
 #endif /* DEBUG */
 
 #include "nssckmdt.h"
@@ -248,13 +248,13 @@ ckcapi_ReverseData
 /*
  * unwrap a single DER value
  */
-char *
+unsigned char *
 nss_ckcapi_DERUnwrap
 (
-  char *src, 
-  int size, 
-  int *outSize, 
-  char **next
+  unsigned char *src, 
+  unsigned int size, 
+  unsigned int *outSize, 
+  unsigned char **next
 );
 
 /*
diff --git a/security/nss/lib/ckfw/capi/cobject.c b/security/nss/lib/ckfw/capi/cobject.c
index 5e8eb6ee2655..2a95d2350d89 100644
--- a/security/nss/lib/ckfw/capi/cobject.c
+++ b/security/nss/lib/ckfw/capi/cobject.c
@@ -20,7 +20,8 @@
  * Portions created by Red Hat, Inc, are Copyright (C) 2005
  *
  * Contributor(s):
- *   Bob Relyea (rrelyea@redhat.com)
+ *   Bob Relyea 
+ *   Muzaffar Mahkamov 
  *
  * Alternatively, the contents of this file may be used under the terms of
  * either the GNU General Public License Version 2 or later (the "GPL"), or
@@ -36,7 +37,7 @@
  *
  * ***** END LICENSE BLOCK ***** */
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: cobject.c,v $ $Revision: 1.6 $ $Date: 2009/07/29 20:15:19 $";
+static const char CVS_ID[] = "@(#) $RCSfile: cobject.c,v $ $Revision: 1.9 $ $Date: 2011/02/02 17:13:40 $";
 #endif /* DEBUG */
 
 #include "ckcapi.h"
@@ -137,13 +138,13 @@ static const NSSItem ckcapi_emptyItem = {
 /*
  * unwrap a single DER value
  */
-char *
+unsigned char *
 nss_ckcapi_DERUnwrap
 (
-  char *src, 
-  int size, 
-  int *outSize, 
-  char **next
+  unsigned char *src, 
+  unsigned int size, 
+  unsigned int *outSize, 
+  unsigned char **next
 )
 {
   unsigned char *start = src;
@@ -159,11 +160,11 @@ nss_ckcapi_DERUnwrap
   if (size < 2) {
     return start;
   }
-  src ++ ; /* skip the tag -- should check it against an expected value! */
+  src++; /* skip the tag -- should check it against an expected value! */
   len = (unsigned) *src++;
   if (len & 0x80) {
-    int count = len & 0x7f;
-    len =0;
+    unsigned int count = len & 0x7f;
+    len = 0;
 
     if (count+2 > size) {
       return start;
@@ -172,7 +173,7 @@ nss_ckcapi_DERUnwrap
       len = (len << 8) | (unsigned) *src++;
     }
   }
-  if (len + ((unsigned char *)src-start) > (unsigned int)size) {
+  if (len + (src-start) > size) {
     return start;
   }
   if (next) {
@@ -360,7 +361,8 @@ nss_ckcapi_GetStringAttribute
 }
 
 /*
- * Return the size in bytes of a wide string
+ * Return the size in bytes of a wide string, including the terminating null
+ * character
  */
 int
 nss_ckcapi_WideSize
@@ -374,7 +376,7 @@ nss_ckcapi_WideSize
     return 0;
   }
   size = wcslen(wide)+1;
-  return size*2;
+  return size*sizeof(WCHAR);
 }
 
 /*
@@ -386,7 +388,6 @@ nss_ckcapi_WideToUTF8
   LPCWSTR wide 
 )
 {
-  DWORD len;
   DWORD size;
   char *buf;
 
@@ -394,14 +395,12 @@ nss_ckcapi_WideToUTF8
     return (char *)NULL;
   }
 
-  len = nss_ckcapi_WideSize(wide);
-
-  size = WideCharToMultiByte(CP_UTF8, 0, wide, len, NULL, 0, NULL, 0);
+  size = WideCharToMultiByte(CP_UTF8, 0, wide, -1, NULL, 0, NULL, 0);
   if (size == 0) {
     return (char *)NULL;
   }
   buf = nss_ZNEWARRAY(NULL, char, size);
-  size = WideCharToMultiByte(CP_UTF8, 0, wide, len, buf, size, NULL, 0);
+  size = WideCharToMultiByte(CP_UTF8, 0, wide, -1, buf, size, NULL, 0);
   if (size == 0) {
     nss_ZFreeIf(buf);
     return (char *)NULL;
@@ -418,20 +417,20 @@ nss_ckcapi_WideDup
   LPCWSTR wide
 )
 {
-  DWORD len = nss_ckcapi_WideSize(wide);
+  DWORD len;
   LPWSTR buf;
 
   if ((LPWSTR)NULL == wide) {
     return (LPWSTR)NULL;
   }
 
-  len = nss_ckcapi_WideSize(wide);
+  len = wcslen(wide)+1;
 
-  buf = (LPWSTR) nss_ZNEWARRAY(NULL, char, len);
+  buf = nss_ZNEWARRAY(NULL, WCHAR, len);
   if ((LPWSTR) NULL == buf) {
     return buf;
   }
-  nsslibc_memcpy(buf, wide, len);
+  nsslibc_memcpy(buf, wide, len*sizeof(WCHAR));
   return buf;
 }
 
@@ -445,21 +444,18 @@ nss_ckcapi_UTF8ToWide
 )
 {
   DWORD size;
-  DWORD len = strlen(buf)+1;
   LPWSTR wide;
 
   if ((char *)NULL == buf) {
     return (LPWSTR) NULL;
   }
     
-  len = strlen(buf)+1;
-
-  size = MultiByteToWideChar(CP_UTF8, 0, buf, len, NULL, 0);
+  size = MultiByteToWideChar(CP_UTF8, 0, buf, -1, NULL, 0);
   if (size == 0) {
     return (LPWSTR) NULL;
   }
   wide = nss_ZNEWARRAY(NULL, WCHAR, size);
-  size = MultiByteToWideChar(CP_UTF8, 0, buf, len, wide, size);
+  size = MultiByteToWideChar(CP_UTF8, 0, buf, -1, wide, size);
   if (size == 0) {
     nss_ZFreeIf(wide);
     return (LPWSTR) NULL;
@@ -572,10 +568,12 @@ ckcapi_CertPopulateModulusExponent
 {
   ckcapiKeyParams *kp = &io->u.cert.key;
   PCCERT_CONTEXT certContext = io->u.cert.certContext;
-  char *pkData = certContext->pCertInfo->SubjectPublicKeyInfo.PublicKey.pbData;
-  CK_ULONG size= certContext->pCertInfo->SubjectPublicKeyInfo.PublicKey.cbData;
-  CK_ULONG newSize;
-  char *ptr, *newptr;
+  unsigned char *pkData =
+      certContext->pCertInfo->SubjectPublicKeyInfo.PublicKey.pbData;
+  unsigned int size=
+      certContext->pCertInfo->SubjectPublicKeyInfo.PublicKey.cbData;
+  unsigned int newSize;
+  unsigned char *ptr, *newptr;
 
   /* find the start of the modulus -- this will not give good results if
    * the key isn't an rsa key! */
@@ -1420,7 +1418,6 @@ ckcapi_mdObject_Destroy
       goto loser;
     }
     rc = CertDeleteCertificateFromStore(certContext);
-    CertFreeCertificateContext(certContext);
   } else {
     char *provName = NULL;
     char *containerName = NULL;
@@ -2299,7 +2296,7 @@ nss_ckcapi_CreateObject
 )
 {
   CK_OBJECT_CLASS objClass;
-  ckcapiInternalObject *io;
+  ckcapiInternalObject *io = NULL;
   CK_BBOOL isToken;
 
   /*
diff --git a/security/nss/lib/ckfw/capi/crsa.c b/security/nss/lib/ckfw/capi/crsa.c
index 7f3bacbf5ac1..bbca590193e0 100644
--- a/security/nss/lib/ckfw/capi/crsa.c
+++ b/security/nss/lib/ckfw/capi/crsa.c
@@ -36,7 +36,7 @@
  * ***** END LICENSE BLOCK ***** */
 
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: crsa.c,v $ $Revision: 1.4 $ $Date: 2010/04/25 23:37:40 $";
+static const char CVS_ID[] = "@(#) $RCSfile: crsa.c,v $ $Revision: 1.5 $ $Date: 2011/02/02 17:13:40 $";
 #endif /* DEBUG */
 
 #include "ckcapi.h"
@@ -88,7 +88,7 @@ static char *
 nss_ckcapi_GetOidString
 (
   unsigned char *oidTag,
-  int oidTagSize,
+  unsigned int oidTagSize,
   CK_RV *pError
 )
 {
@@ -96,7 +96,7 @@ nss_ckcapi_GetOidString
   char *oidStr;
   char *cstr;
   unsigned long value;
-  int oidSize;
+  unsigned int oidSize;
 
   if (DER_OBJECT_ID != *oidTag) {
     /* wasn't an oid */
@@ -164,8 +164,8 @@ ckcapi_GetRawHash
    unsigned char *hashData;
    char *oidStr;
    CK_RV error;
-   int oidSize;
-   int size;
+   unsigned int oidSize;
+   unsigned int size;
    /*
     * there are 2 types of hashes NSS typically tries to sign, regular
     * RSA signature format (with encoded DER_OIDS), and SSL3 Signed hashes.
diff --git a/security/nss/lib/ckfw/hash.c b/security/nss/lib/ckfw/hash.c
index 6fd25c3d075f..81a1f583592d 100644
--- a/security/nss/lib/ckfw/hash.c
+++ b/security/nss/lib/ckfw/hash.c
@@ -35,7 +35,7 @@
  * ***** END LICENSE BLOCK ***** */
 
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: hash.c,v $ $Revision: 1.4 $ $Date: 2009/02/09 07:55:52 $";
+static const char CVS_ID[] = "@(#) $RCSfile: hash.c,v $ $Revision: 1.5 $ $Date: 2010/09/09 21:14:24 $";
 #endif /* DEBUG */
 
 /*
@@ -123,6 +123,7 @@ nssCKFWHash_Create
   rv->mutex = nssCKFWInstance_CreateMutex(fwInstance, arena, pError);
   if (!rv->mutex) {
     if( CKR_OK == *pError ) {
+      (void)nss_ZFreeIf(rv);
       *pError = CKR_GENERAL_ERROR;
     }
     return (nssCKFWHash *)NULL;
diff --git a/security/nss/lib/ckfw/session.c b/security/nss/lib/ckfw/session.c
index 0dd32b4f65bf..1da6e42eaf67 100644
--- a/security/nss/lib/ckfw/session.c
+++ b/security/nss/lib/ckfw/session.c
@@ -35,7 +35,7 @@
  * ***** END LICENSE BLOCK ***** */
 
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: session.c,v $ $Revision: 1.13 $ $Date: 2009/02/09 07:55:53 $";
+static const char CVS_ID[] = "@(#) $RCSfile: session.c,v $ $Revision: 1.14 $ $Date: 2010/09/09 21:14:24 $";
 #endif /* DEBUG */
 
 /*
@@ -1515,14 +1515,14 @@ nssCKFWSession_CopyObject
     CK_ATTRIBUTE_TYPE_PTR oldTypes;
     NSSCKFWObject *rv;
     
-    tmpArena = NSSArena_Create();
-    if (!tmpArena) {
-      *pError = CKR_HOST_MEMORY;
+    n = nssCKFWObject_GetAttributeCount(fwObject, pError);
+    if( (0 == n) && (CKR_OK != *pError) ) {
       return (NSSCKFWObject *)NULL;
     }
 
-    n = nssCKFWObject_GetAttributeCount(fwObject, pError);
-    if( (0 == n) && (CKR_OK != *pError) ) {
+    tmpArena = NSSArena_Create();
+    if (!tmpArena) {
+      *pError = CKR_HOST_MEMORY;
       return (NSSCKFWObject *)NULL;
     }
 
diff --git a/security/nss/lib/crmf/cmmf.h b/security/nss/lib/crmf/cmmf.h
index fdaa850fc080..0d39af79c611 100644
--- a/security/nss/lib/crmf/cmmf.h
+++ b/security/nss/lib/crmf/cmmf.h
@@ -637,7 +637,7 @@ extern int
  *    inIndex
  *        The index of the CMMFCertResponse the user wants a copy of.
  * NOTES:
- *    This funciton creates a copy of the CMMFCertResponse at the index 
+ *    This function creates a copy of the CMMFCertResponse at the index 
  *    corresponding to the parameter 'inIndex'.  Indexing is done like a
  *    traditional C array, ie the valid indexes are (0...numResponses-1).
  *    The user must call CMMF_DestroyCertResponse after the return value is 
diff --git a/security/nss/lib/crmf/crmf.h b/security/nss/lib/crmf/crmf.h
index 78f8ecb13a7b..6b92bdd7e099 100644
--- a/security/nss/lib/crmf/crmf.h
+++ b/security/nss/lib/crmf/crmf.h
@@ -84,7 +84,7 @@ extern SECStatus
  *    The function fn will be called, probably multiple times whenever 
  *    the ASN1 encoder wants to write out DER-encoded bytes.  Look at the 
  *    comments in crmft.h where the CRMFEncoderOutputCallback type is
- *    defined for information on proper behavior of the funciton fn.
+ *    defined for information on proper behavior of the function fn.
  * RETURN:
  *    SECSuccess if encoding was successful.  Any other return value 
  *    indicates an error occurred during encoding.
@@ -116,7 +116,7 @@ extern SECStatus CRMF_EncodeCertRequest (CRMFCertRequest           *inCertReq,
  * OUTPUT:
  *    The function fn will be called, probably multiple times.  Look at the 
  *    comments in crmft.h where the CRMFEncoderOutputCallback type is
- *    defined for information on proper behavior of the funciton fn.
+ *    defined for information on proper behavior of the function fn.
  *
  * RETURN:
  * SECSuccess if encoding the Certificate Request Messages was successful. 
@@ -616,7 +616,7 @@ extern SECStatus CRMF_CertReqMsgSetRAVerifiedPOP(CRMFCertReqMsg *inCertReqMsg);
  *
  * The last 3 arguments are for future compatibility in case we ever want to
  * support generating POPOSigningKeyInput.  Pass in NULL for all 3 if you 
- * definitely don't want the funciton to even try to generate 
+ * definitely don't want the function to even try to generate 
  * POPOSigningKeyInput.  If you try to use POPOSigningKeyInput, the function
  * will fail.
  *
@@ -655,10 +655,10 @@ extern SECStatus
  * Adds Proof Of Possession using the keyEncipherment field of
  * ProofOfPossession.
  *
- * The funciton looks at the the inKeyChoice parameter and interprets it in
+ * The function looks at the the inKeyChoice parameter and interprets it in
  * in the following manner.
  *
- * If a parameter is not mentioned under interpretation, the funciton will not
+ * If a parameter is not mentioned under interpretation, the function will not
  * look at its value when implementing that case.
  *
  * inKeyChoice          Interpretation
@@ -709,10 +709,10 @@ extern SECStatus
  * Adds Proof Of Possession using the keyAgreement field of
  * ProofOfPossession.
  *
- * The funciton looks at the the inKeyChoice parameter and interprets it in
+ * The function looks at the the inKeyChoice parameter and interprets it in
  * in the following manner.
  *
- * If a parameter is not mentioned under interpretation, the funciton will not
+ * If a parameter is not mentioned under interpretation, the function will not
  * look at its value when implementing that case.
  *
  * inKeyChoice          Interpretation
@@ -954,7 +954,7 @@ extern SECStatus
  * RETURN:
  * If the issuer is present in the cert request cert template, the function 
  * returns SECSuccess and places a  copy of the issuer in *destIssuer.
- * If there is no issuer present, the funciton returns SECFailure and the
+ * If there is no issuer present, the function returns SECFailure and the
  * value at *destIssuer is unchanged.
  */
 extern SECStatus 
@@ -1766,7 +1766,7 @@ extern SECStatus
 
 /* Helper functions that can be used by other libraries. */
 /*
- * A quick helper funciton to get the best wrap mechanism.
+ * A quick helper function to get the best wrap mechanism.
  */
 extern CK_MECHANISM_TYPE CRMF_GetBestWrapPadMechanism(PK11SlotInfo *slot); 
 
diff --git a/security/nss/lib/crmf/crmffut.h b/security/nss/lib/crmf/crmffut.h
index 561681a939d1..4aeea94d505f 100644
--- a/security/nss/lib/crmf/crmffut.h
+++ b/security/nss/lib/crmf/crmffut.h
@@ -41,7 +41,7 @@
 
 /*
  * Use this function to create the CRMFSinglePubInfo* variables that will 
- * populate the inPubInfoArray paramter for the funciton
+ * populate the inPubInfoArray parameter for the function
  * CRMF_CreatePKIPublicationInfo.
  *
  * "inPubMethod" specifies which publication method will be used
diff --git a/security/nss/lib/crmf/crmfi.h b/security/nss/lib/crmf/crmfi.h
index 5a4fbe4693ad..84fa7e1afe39 100644
--- a/security/nss/lib/crmf/crmfi.h
+++ b/security/nss/lib/crmf/crmfi.h
@@ -93,7 +93,7 @@ struct crmfEncoderOutput {
 };
 
 /*
- * This funciton is used by the API for encoding functions that are 
+ * This function is used by the API for encoding functions that are 
  * exposed through the API, ie all of the CMMF_Encode* and CRMF_Encode*
  * functions.
  */
diff --git a/security/nss/lib/cryptohi/cryptohi.h b/security/nss/lib/cryptohi/cryptohi.h
index 52d8f6df54dd..0ef11ce3c83a 100644
--- a/security/nss/lib/cryptohi/cryptohi.h
+++ b/security/nss/lib/cryptohi/cryptohi.h
@@ -37,7 +37,7 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: cryptohi.h,v 1.14 2010/02/10 00:49:43 wtc%google.com Exp $ */
+/* $Id: cryptohi.h,v 1.15 2010/08/12 01:15:37 wtc%google.com Exp $ */
 
 #ifndef _CRYPTOHI_H_
 #define _CRYPTOHI_H_
@@ -164,7 +164,7 @@ extern SECStatus SGN_Digest(SECKEYPrivateKey *privKey,
 ** 	"pk" the private key to encrypt with
 */
 extern SECStatus SEC_DerSignData(PLArenaPool *arena, SECItem *result,
-				unsigned char *buf, int len,
+				const unsigned char *buf, int len,
 				SECKEYPrivateKey *pk, SECOidTag algid);
 
 /*
diff --git a/security/nss/lib/cryptohi/keyhi.h b/security/nss/lib/cryptohi/keyhi.h
index b358e073b100..c3b2ab238a04 100644
--- a/security/nss/lib/cryptohi/keyhi.h
+++ b/security/nss/lib/cryptohi/keyhi.h
@@ -35,7 +35,7 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: keyhi.h,v 1.17 2008/06/14 14:20:00 wtc%google.com Exp $ */
+/* $Id: keyhi.h,v 1.18 2011/07/24 13:48:12 wtc%google.com Exp $ */
 
 #ifndef _KEYHI_H_
 #define _KEYHI_H_
@@ -67,18 +67,12 @@ extern SECStatus SECKEY_CopySubjectPublicKeyInfo(PLArenaPool *arena,
 
 /*
 ** Update the PQG parameters for a cert's public key.
-** Only done for DSA and Fortezza certs
+** Only done for DSA certs
 */
 extern SECStatus
 SECKEY_UpdateCertPQG(CERTCertificate * subjectCert);
 
 
-/* Compare the KEA parameters of two public keys.  
- * Only used by fortezza.      */
-
-extern SECStatus
-SECKEY_KEAParamCompare(CERTCertificate *cert1,CERTCertificate *cert2);
-
 /*
 ** Return the strength of the public key in bytes
 */
diff --git a/security/nss/lib/cryptohi/keythi.h b/security/nss/lib/cryptohi/keythi.h
index 545d5ee615ba..751cef2738e2 100644
--- a/security/nss/lib/cryptohi/keythi.h
+++ b/security/nss/lib/cryptohi/keythi.h
@@ -43,7 +43,7 @@
 #include "prclist.h"
 
 /*
-** RFC 4055 specifies three different RSA key types.
+** RFC 4055 Section 1.2 specifies three different RSA key types.
 **
 ** rsaKey maps to keys with SEC_OID_PKCS1_RSA_ENCRYPTION and can be used for
 ** both encryption and signatures with old (PKCS #1 v1.5) and new (PKCS #1
@@ -60,9 +60,9 @@ typedef enum {
     nullKey = 0, 
     rsaKey = 1, 
     dsaKey = 2, 
-    fortezzaKey = 3,
+    fortezzaKey = 3, /* deprecated */
     dhKey = 4, 
-    keaKey = 5,
+    keaKey = 5, /* deprecated */
     ecKey = 6,
     rsaPssKey = 7,
     rsaOaepKey = 8
@@ -74,6 +74,7 @@ typedef enum {
 
 SEC_BEGIN_PROTOS
 extern const SEC_ASN1Template SECKEY_RSAPublicKeyTemplate[];
+extern const SEC_ASN1Template SECKEY_RSAPSSParamsTemplate[];
 extern const SEC_ASN1Template SECKEY_DSAPublicKeyTemplate[];
 extern const SEC_ASN1Template SECKEY_DHPublicKeyTemplate[];
 extern const SEC_ASN1Template SECKEY_DHParamKeyTemplate[];
@@ -81,8 +82,9 @@ extern const SEC_ASN1Template SECKEY_PQGParamsTemplate[];
 extern const SEC_ASN1Template SECKEY_DSAPrivateKeyExportTemplate[];
 
 /* Windows DLL accessor functions */
-extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_DSAPublicKeyTemplate;
-extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_RSAPublicKeyTemplate;
+SEC_ASN1_CHOOSER_DECLARE(SECKEY_DSAPublicKeyTemplate)
+SEC_ASN1_CHOOSER_DECLARE(SECKEY_RSAPublicKeyTemplate)
+SEC_ASN1_CHOOSER_DECLARE(SECKEY_RSAPSSParamsTemplate)
 SEC_END_PROTOS
 
 
@@ -98,6 +100,16 @@ struct SECKEYRSAPublicKeyStr {
 };
 typedef struct SECKEYRSAPublicKeyStr SECKEYRSAPublicKey;
 
+/* 
+** RSA-PSS parameters
+*/
+struct SECKEYRSAPSSParamsStr {
+    SECAlgorithmID *hashAlg;
+    SECAlgorithmID *maskAlg;
+    SECItem saltLength;
+    SECItem trailerField;
+};
+typedef struct SECKEYRSAPSSParamsStr SECKEYRSAPSSParams;
 
 /*
 ** DSA Public Key and related structures
diff --git a/security/nss/lib/cryptohi/manifest.mn b/security/nss/lib/cryptohi/manifest.mn
index a6c0303873f3..e3bcdb83601d 100644
--- a/security/nss/lib/cryptohi/manifest.mn
+++ b/security/nss/lib/cryptohi/manifest.mn
@@ -38,8 +38,6 @@ CORE_DEPTH = ../../..
 
 MODULE = nss
 
-REQUIRES = dbm
-
 LIBRARY_NAME = cryptohi
 
 EXPORTS = \
@@ -54,7 +52,7 @@ EXPORTS = \
 PRIVATE_EXPORTS = \
 	$(NULL)
 
-LIBSRCS = \
+CSRCS = \
 	sechash.c \
 	seckey.c  \
 	secsign.c \
@@ -62,7 +60,5 @@ LIBSRCS = \
 	dsautil.c \
 	$(NULL)
 
-CSRCS = $(LIBSRCS)
-
 # This part of the code, including all sub-dirs, can be optimized for size
 export ALLOW_OPT_CODE_SIZE = 1
diff --git a/security/nss/lib/cryptohi/sechash.c b/security/nss/lib/cryptohi/sechash.c
index af6ea8203067..f5974f3d0731 100644
--- a/security/nss/lib/cryptohi/sechash.c
+++ b/security/nss/lib/cryptohi/sechash.c
@@ -91,6 +91,11 @@ sha1_NewContext(void) {
 	return (void *) PK11_CreateDigestContext(SEC_OID_SHA1);
 }
 
+static void *
+sha224_NewContext(void) {
+	return (void *) PK11_CreateDigestContext(SEC_OID_SHA224);
+}
+
 static void *
 sha256_NewContext(void) {
 	return (void *) PK11_CreateDigestContext(SEC_OID_SHA256);
@@ -184,6 +189,17 @@ const SECHashObject SECHashObjects[] = {
     SHA512_BLOCK_LENGTH,
     HASH_AlgSHA512
   },
+  { SHA224_LENGTH,
+    (void * (*)(void)) sha224_NewContext,
+    (void * (*)(void *)) PK11_CloneContext,
+    (void (*)(void *, PRBool)) PK11_DestroyContext,
+    (void (*)(void *)) PK11_DigestBegin,
+    (void (*)(void *, const unsigned char *, unsigned int)) PK11_DigestOp,
+    (void (*)(void *, unsigned char *, unsigned int *, unsigned int))
+							PK11_DigestFinal,
+    SHA224_BLOCK_LENGTH,
+    HASH_AlgSHA224
+  },
 };
 
 const SECHashObject * 
@@ -201,6 +217,7 @@ HASH_GetHashTypeByOidTag(SECOidTag hashOid)
     case SEC_OID_MD2:	 ht = HASH_AlgMD2;    break;
     case SEC_OID_MD5:	 ht = HASH_AlgMD5;    break;
     case SEC_OID_SHA1:	 ht = HASH_AlgSHA1;   break;
+    case SEC_OID_SHA224: ht = HASH_AlgSHA224; break;
     case SEC_OID_SHA256: ht = HASH_AlgSHA256; break;
     case SEC_OID_SHA384: ht = HASH_AlgSHA384; break;
     case SEC_OID_SHA512: ht = HASH_AlgSHA512; break;
@@ -220,6 +237,7 @@ HASH_GetHashOidTagByHMACOidTag(SECOidTag hmacOid)
     /* no oid exists for HMAC_MD2 */
     /* NSS does not define a oid for HMAC_MD4 */
     case SEC_OID_HMAC_SHA1:   hashOid = SEC_OID_SHA1;   break;
+    case SEC_OID_HMAC_SHA224: hashOid = SEC_OID_SHA224; break;
     case SEC_OID_HMAC_SHA256: hashOid = SEC_OID_SHA256; break;
     case SEC_OID_HMAC_SHA384: hashOid = SEC_OID_SHA384; break;
     case SEC_OID_HMAC_SHA512: hashOid = SEC_OID_SHA512; break;
@@ -239,6 +257,7 @@ HASH_GetHMACOidTagByHashOidTag(SECOidTag hashOid)
     /* no oid exists for HMAC_MD2 */
     /* NSS does not define a oid for HMAC_MD4 */
     case SEC_OID_SHA1:   hmacOid = SEC_OID_HMAC_SHA1;   break;
+    case SEC_OID_SHA224: hmacOid = SEC_OID_HMAC_SHA224; break;
     case SEC_OID_SHA256: hmacOid = SEC_OID_HMAC_SHA256; break;
     case SEC_OID_SHA384: hmacOid = SEC_OID_HMAC_SHA384; break;
     case SEC_OID_SHA512: hmacOid = SEC_OID_HMAC_SHA512; break;
diff --git a/security/nss/lib/cryptohi/seckey.c b/security/nss/lib/cryptohi/seckey.c
index 42a4cd3f579d..5b8fd228cfab 100644
--- a/security/nss/lib/cryptohi/seckey.c
+++ b/security/nss/lib/cryptohi/seckey.c
@@ -51,6 +51,7 @@
 #include "keyi.h"
 
 SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
+SEC_ASN1_MKSUB(SEC_IntegerTemplate)
 
 const SEC_ASN1Template CERT_SubjectPublicKeyInfoTemplate[] = {
     { SEC_ASN1_SEQUENCE,
@@ -78,6 +79,34 @@ const SEC_ASN1Template SECKEY_RSAPublicKeyTemplate[] = {
     { 0, }
 };
 
+static const SEC_ASN1Template seckey_PointerToAlgorithmIDTemplate[] = {
+    { SEC_ASN1_POINTER | SEC_ASN1_XTRN, 0,
+      SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }
+};
+
+/* Parameters for SEC_OID_PKCS1_RSA_PSS_SIGNATURE */
+const SEC_ASN1Template SECKEY_RSAPSSParamsTemplate[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECKEYRSAPSSParams) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT |
+          SEC_ASN1_CONTEXT_SPECIFIC | 0,
+          offsetof(SECKEYRSAPSSParams, hashAlg),
+          seckey_PointerToAlgorithmIDTemplate },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT |
+          SEC_ASN1_CONTEXT_SPECIFIC | 1,
+          offsetof(SECKEYRSAPSSParams, maskAlg),
+          seckey_PointerToAlgorithmIDTemplate },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT |
+          SEC_ASN1_XTRN | SEC_ASN1_CONTEXT_SPECIFIC | 2,
+          offsetof(SECKEYRSAPSSParams, saltLength),
+          SEC_ASN1_SUB(SEC_IntegerTemplate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT |
+          SEC_ASN1_XTRN | SEC_ASN1_CONTEXT_SPECIFIC | 3,
+          offsetof(SECKEYRSAPSSParams, trailerField),
+          SEC_ASN1_SUB(SEC_IntegerTemplate) },
+    { 0 }
+};
+
 const SEC_ASN1Template SECKEY_DSAPublicKeyTemplate[] = {
     { SEC_ASN1_INTEGER, offsetof(SECKEYPublicKey,u.dsa.publicValue), },
     { 0, }
@@ -107,6 +136,7 @@ const SEC_ASN1Template SECKEY_DHParamKeyTemplate[] = {
 
 SEC_ASN1_CHOOSER_IMPLEMENT(SECKEY_DSAPublicKeyTemplate)
 SEC_ASN1_CHOOSER_IMPLEMENT(SECKEY_RSAPublicKeyTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(SECKEY_RSAPSSParamsTemplate)
 SEC_ASN1_CHOOSER_IMPLEMENT(CERT_SubjectPublicKeyInfoTemplate)
 
 /*
@@ -296,128 +326,14 @@ SECKEY_CopySubjectPublicKeyInfo(PRArenaPool *arena,
     return rv;
 }
 
-SECStatus
-SECKEY_KEASetParams(SECKEYKEAParams * params, SECKEYPublicKey * pubKey) {
-
-    if (pubKey->keyType == fortezzaKey) {
-        /* the key is a fortezza V1 public key  */
-
-	/* obtain hash of pubkey->u.fortezza.params.prime.data +
-		          pubkey->u.fortezza.params.subPrime.data +
-			  pubkey->u.fortezza.params.base.data  */
-
-	/* store hash in params->hash */
-
-    } else if (pubKey->keyType == keaKey) {
-
-        /* the key is a new fortezza KEA public key. */
-        SECITEM_CopyItem(pubKey->arena, ¶ms->hash, 
-	                 &pubKey->u.kea.params.hash );
-
-    } else {
-
-	/* the key has no KEA parameters */
-	return SECFailure;
-    }
-    return SECSuccess;
-}
-
-
-SECStatus
-SECKEY_KEAParamCompare(CERTCertificate *cert1,CERTCertificate *cert2) 
-{
-
-    SECStatus rv;
-
-    SECKEYPublicKey *pubKey1 = 0;
-    SECKEYPublicKey *pubKey2 = 0;
-
-    SECKEYKEAParams params1;
-    SECKEYKEAParams params2;
-
-
-    rv = SECFailure;
-
-    /* get cert1's public key */
-    pubKey1 = CERT_ExtractPublicKey(cert1);
-    if ( !pubKey1 ) {
-	return(SECFailure);
-    }
-    
-
-    /* get cert2's public key */
-    pubKey2 = CERT_ExtractPublicKey(cert2);
-    if ( !pubKey2 ) {
-	return(SECFailure);
-    }
-
-    /* handle the case when both public keys are new
-     * fortezza KEA public keys.    */
-
-    if ((pubKey1->keyType == keaKey) &&
-        (pubKey2->keyType == keaKey) ) {
-
-        rv = (SECStatus)SECITEM_CompareItem(&pubKey1->u.kea.params.hash,
-	                         &pubKey2->u.kea.params.hash);
-	goto done;
-    }
-
-    /* handle the case when both public keys are old fortezza
-     * public keys.              */
-
-    if ((pubKey1->keyType == fortezzaKey) &&
-        (pubKey2->keyType == fortezzaKey) ) {
-
-        rv = (SECStatus)SECITEM_CompareItem(&pubKey1->u.fortezza.keaParams.prime,
-	                         &pubKey2->u.fortezza.keaParams.prime);
-
-	if (rv == SECEqual) {
-	    rv = (SECStatus)SECITEM_CompareItem(&pubKey1->u.fortezza.keaParams.subPrime,
-	                             &pubKey2->u.fortezza.keaParams.subPrime);
-	}
-
-	if (rv == SECEqual) {
-	    rv = (SECStatus)SECITEM_CompareItem(&pubKey1->u.fortezza.keaParams.base,
-	                             &pubKey2->u.fortezza.keaParams.base);
-	}
-	
-	goto done;
-    }
-
-
-    /* handle the case when the public keys are a mixture of 
-     * old and new.                          */
-
-    rv = SECKEY_KEASetParams(¶ms1, pubKey1);
-    if (rv != SECSuccess) return rv;
-
-    rv = SECKEY_KEASetParams(¶ms2, pubKey2);
-    if (rv != SECSuccess) return rv;
-
-    rv = (SECStatus)SECITEM_CompareItem(¶ms1.hash, ¶ms2.hash);
-
-done:
-    SECKEY_DestroyPublicKey(pubKey1);
-    SECKEY_DestroyPublicKey(pubKey2);
-
-    return rv;   /* returns SECEqual if parameters are equal */
-
-}
-
-
 /* Procedure to update the pqg parameters for a cert's public key.
- * pqg parameters only need to be updated for DSA and fortezza certificates.
+ * pqg parameters only need to be updated for DSA certificates.
  * The procedure uses calls to itself recursively to update a certificate
  * issuer's pqg parameters.  Some important rules are:
  *    - Do nothing if the cert already has PQG parameters.
  *    - If the cert does not have PQG parameters, obtain them from the issuer.
- *    - A valid cert chain cannot have a DSA or Fortezza cert without
- *      pqg parameters that has a parent that is not a DSA or Fortezza cert.
- *    - pqg parameters are stored in two different formats: the standard
- *      DER encoded format and the fortezza-only wrapped format.  The params
- *      should be copied from issuer to subject cert without modifying the
- *      formats.  The public key extraction code will deal with the different
- *      formats at the time of extraction.  */
+ *    - A valid cert chain cannot have a DSA cert without
+ *      pqg parameters that has a parent that is not a DSA cert.  */
 
 static SECStatus
 seckey_UpdateCertPQGChain(CERTCertificate * subjectCert, int count)
@@ -443,14 +359,10 @@ seckey_UpdateCertPQGChain(CERTCertificate * subjectCert, int count)
     if (oid != NULL) {  
         tag = oid->offset;
              
-        /* Check if cert has a DSA or Fortezza public key. If not, return
+        /* Check if cert has a DSA public key. If not, return
          * success since no PQG params need to be updated.  */
 
-	if ( (tag != SEC_OID_MISSI_KEA_DSS_OLD) &&
-	     (tag != SEC_OID_MISSI_DSS_OLD) &&
-             (tag != SEC_OID_MISSI_KEA_DSS) &&
-             (tag != SEC_OID_MISSI_DSS) &&               
-             (tag != SEC_OID_ANSIX9_DSA_SIGNATURE) &&
+	if ( (tag != SEC_OID_ANSIX9_DSA_SIGNATURE) &&
              (tag != SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST) &&
              (tag != SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST) &&
              (tag != SEC_OID_SDN702_DSA_SIGNATURE) &&
@@ -482,21 +394,17 @@ seckey_UpdateCertPQGChain(CERTCertificate * subjectCert, int count)
 	return SECFailure;
     }
 
-    /* if parent is not DSA or fortezza, return failure since
+    /* if parent is not DSA, return failure since
        we don't allow this case. */
 
     oid = SECOID_FindOID(&issuerCert->subjectPublicKeyInfo.algorithm.algorithm);
     if (oid != NULL) {  
         tag = oid->offset;
              
-        /* Check if issuer cert has a DSA or Fortezza public key. If not,
+        /* Check if issuer cert has a DSA public key. If not,
          * return failure.   */
 
-	if ( (tag != SEC_OID_MISSI_KEA_DSS_OLD) &&
-	     (tag != SEC_OID_MISSI_DSS_OLD) &&
-             (tag != SEC_OID_MISSI_KEA_DSS) &&
-             (tag != SEC_OID_MISSI_DSS) &&               
-             (tag != SEC_OID_ANSIX9_DSA_SIGNATURE) &&
+	if ( (tag != SEC_OID_ANSIX9_DSA_SIGNATURE) &&
              (tag != SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST) &&
              (tag != SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST) &&
              (tag != SEC_OID_SDN702_DSA_SIGNATURE) &&
@@ -511,7 +419,7 @@ seckey_UpdateCertPQGChain(CERTCertificate * subjectCert, int count)
 
 
     /* at this point the subject cert has no pqg parameters and the
-     * issuer cert has a DSA or fortezza public key.  Update the issuer's
+     * issuer cert has a DSA public key.  Update the issuer's
      * pqg parameters with a recursive call to this same function. */
 
     rv = seckey_UpdateCertPQGChain(issuerCert, count);
@@ -780,18 +688,6 @@ CERT_ExtractPublicKey(CERTCertificate *cert)
     return seckey_ExtractPublicKey(&cert->subjectPublicKeyInfo);
 }
 
-/*
- * Get the public key for the fortezza KMID. NOTE this requires the
- * PQG parameters to be set. We probably should have a fortezza call that 
- * just extracts the kmid for us directly so this function can work
- * without having the whole cert chain
- */
-SECKEYPublicKey *
-CERT_KMIDPublicKey(CERTCertificate *cert)
-{
-    return seckey_ExtractPublicKey(&cert->subjectPublicKeyInfo);
-}
-
 int
 SECKEY_ECParamsToKeySize(const SECItem *encodedParams)
 {
@@ -1075,8 +971,7 @@ SECKEY_PublicKeyStrength(const SECKEYPublicKey *pubk)
     unsigned char b0;
     unsigned size;
 
-    /* interpret modulus length as key strength... in
-     * fortezza that's the public key length */
+    /* interpret modulus length as key strength */
     if (!pubk)
     	goto loser;
     switch (pubk->keyType) {
@@ -1094,8 +989,6 @@ SECKEY_PublicKeyStrength(const SECKEYPublicKey *pubk)
     	b0 = pubk->u.dh.publicValue.data[0];
     	return b0 ? pubk->u.dh.publicValue.len :
 	    pubk->u.dh.publicValue.len - 1;
-    case fortezzaKey:
-	return PR_MAX(pubk->u.fortezza.KEAKey.len, pubk->u.fortezza.DSSKey.len);
     case ecKey:
 	/* Get the key size in bits and adjust */
 	size =	SECKEY_ECParamsToKeySize(&pubk->u.ec.DEREncodedParams);
@@ -1117,7 +1010,6 @@ SECKEY_PublicKeyStrengthInBits(const SECKEYPublicKey *pubk)
     case rsaKey:
     case dsaKey:
     case dhKey:
-    case fortezzaKey:
 	return SECKEY_PublicKeyStrength(pubk) * 8; /* 1 byte = 8 bits */
     case ecKey:
 	size = SECKEY_ECParamsToKeySize(&pubk->u.ec.DEREncodedParams);
@@ -1140,7 +1032,6 @@ SECKEY_SignatureLen(const SECKEYPublicKey *pubk)
     case rsaKey:
     	b0 = pubk->u.rsa.modulus.data[0];
     	return b0 ? pubk->u.rsa.modulus.len : pubk->u.rsa.modulus.len - 1;
-    case fortezzaKey:
     case dsaKey:
     	return DSA_SIGNATURE_LEN;
     case ecKey:
@@ -1255,51 +1146,6 @@ SECKEY_CopyPublicKey(const SECKEYPublicKey *pubk)
           rv = SECITEM_CopyItem(arena, ©k->u.dsa.params.base,
                                 &pubk->u.dsa.params.base);
           break;
-      case keaKey:
-          rv = SECITEM_CopyItem(arena, ©k->u.kea.publicValue,
-                                &pubk->u.kea.publicValue);
-          if (rv != SECSuccess) break;
-          rv = SECITEM_CopyItem(arena, ©k->u.kea.params.hash,
-                                &pubk->u.kea.params.hash);
-          break;
-      case fortezzaKey:
-          copyk->u.fortezza.KEAversion = pubk->u.fortezza.KEAversion;
-          copyk->u.fortezza.DSSversion = pubk->u.fortezza.DSSversion;
-          PORT_Memcpy(copyk->u.fortezza.KMID, pubk->u.fortezza.KMID,
-                      sizeof(pubk->u.fortezza.KMID));
-          rv = SECITEM_CopyItem(arena, ©k->u.fortezza.clearance, 
-                                &pubk->u.fortezza.clearance);
-          if (rv != SECSuccess) break;
-          rv = SECITEM_CopyItem(arena, ©k->u.fortezza.KEAprivilege, 
-                                &pubk->u.fortezza.KEAprivilege);
-          if (rv != SECSuccess) break;
-          rv = SECITEM_CopyItem(arena, ©k->u.fortezza.DSSprivilege, 
-                                &pubk->u.fortezza.DSSprivilege);
-          if (rv != SECSuccess) break;
-          rv = SECITEM_CopyItem(arena, ©k->u.fortezza.KEAKey, 
-                                &pubk->u.fortezza.KEAKey);
-          if (rv != SECSuccess) break;
-          rv = SECITEM_CopyItem(arena, ©k->u.fortezza.DSSKey, 
-                                &pubk->u.fortezza.DSSKey);
-          if (rv != SECSuccess) break;
-          rv = SECITEM_CopyItem(arena, ©k->u.fortezza.params.prime, 
-                                &pubk->u.fortezza.params.prime);
-          if (rv != SECSuccess) break;
-          rv = SECITEM_CopyItem(arena, ©k->u.fortezza.params.subPrime, 
-                                &pubk->u.fortezza.params.subPrime);
-          if (rv != SECSuccess) break;
-          rv = SECITEM_CopyItem(arena, ©k->u.fortezza.params.base, 
-                                &pubk->u.fortezza.params.base);
-          if (rv != SECSuccess) break;
-          rv = SECITEM_CopyItem(arena, ©k->u.fortezza.keaParams.prime, 
-                                &pubk->u.fortezza.keaParams.prime);
-          if (rv != SECSuccess) break;
-          rv = SECITEM_CopyItem(arena, ©k->u.fortezza.keaParams.subPrime, 
-                                &pubk->u.fortezza.keaParams.subPrime);
-          if (rv != SECSuccess) break;
-          rv = SECITEM_CopyItem(arena, ©k->u.fortezza.keaParams.base, 
-                                &pubk->u.fortezza.keaParams.base);
-          break;
       case dhKey:
           rv = SECITEM_CopyItem(arena,©k->u.dh.prime,&pubk->u.dh.prime);
           if (rv != SECSuccess) break;
@@ -1366,12 +1212,7 @@ SECKEY_ConvertToPublicKey(SECKEYPrivateKey *privk)
     pubk->pkcs11ID = CK_INVALID_HANDLE;
     pubk->arena = arena;
 
-    /*
-     * fortezza is at the head of this switch, since we don't want to
-     * allocate an arena... CERT_ExtractPublicKey will to that for us.
-     */
     switch(privk->keyType) {
-      case fortezzaKey:
       case nullKey:
       case dhKey:
       case dsaKey:
@@ -1500,40 +1341,8 @@ SECKEY_CreateSubjectPublicKeyInfo(SECKEYPublicKey *pubk)
 		return spki;
 	    }
 	    break;
-	  case keaKey:
 	  case dhKey: /* later... */
 
-	  break;  
-	  case fortezzaKey:
-#ifdef notdef
-	    /* encode the DSS parameters (PQG) */
-	    rv = FortezzaBuildParams(¶ms,pubk);
-	    if (rv != SECSuccess) break;
-
-	    /* set the algorithm */
-	    rv = SECOID_SetAlgorithmID(arena, &spki->algorithm,
-				       SEC_OID_MISSI_KEA_DSS, ¶ms);
-	    PORT_Free(params.data);
-	    if (rv == SECSuccess) {
-		/*
-		 * Encode the public key into the subjectPublicKeyInfo.
-		 * Fortezza key material is not standard DER
-		 */
-		rv = FortezzaEncodeCertKey(arena,&spki->subjectPublicKey,pubk);
-		if (rv == SECSuccess) {
-		    /*
-		     * The stored value is supposed to be a BIT_STRING,
-		     * so convert the length.
-		     */
-		    spki->subjectPublicKey.len <<= 3;
-
-		    /*
-		     * We got a good one; return it.
-		     */
-		    return spki;
-		}
-	    }
-#endif
 	    break;
 	  default:
 	    break;
diff --git a/security/nss/lib/cryptohi/secsign.c b/security/nss/lib/cryptohi/secsign.c
index 38220ffbf31a..37609b19385d 100644
--- a/security/nss/lib/cryptohi/secsign.c
+++ b/security/nss/lib/cryptohi/secsign.c
@@ -37,7 +37,7 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: secsign.c,v 1.22 2010/02/10 00:49:43 wtc%google.com Exp $ */
+/* $Id: secsign.c,v 1.26 2011/07/24 13:48:12 wtc%google.com Exp $ */
 
 #include 
 #include "cryptohi.h"
@@ -83,8 +83,7 @@ SGN_NewContext(SECOidTag alg, SECKEYPrivateKey *key)
 
     /* verify our key type */
     if (key->keyType != keyType &&
-	!((key->keyType == dsaKey) && (keyType == fortezzaKey)) &&
-	!((key->keyType == fortezzaKey) && (keyType == dsaKey)) ) {
+	!((key->keyType == dsaKey) && (keyType == fortezzaKey)) ) {
 	PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
 	return 0;
     }
@@ -341,7 +340,8 @@ SEC_ASN1_CHOOSER_IMPLEMENT(CERT_SignedDataTemplate)
 
 SECStatus
 SEC_DerSignData(PRArenaPool *arena, SECItem *result, 
-	unsigned char *buf, int len, SECKEYPrivateKey *pk, SECOidTag algID)
+	const unsigned char *buf, int len, SECKEYPrivateKey *pk,
+	SECOidTag algID)
 {
     SECItem it;
     CERTSignedData sd;
@@ -376,7 +376,7 @@ SEC_DerSignData(PRArenaPool *arena, SECItem *result,
 
     /* Fill out SignedData object */
     PORT_Memset(&sd, 0, sizeof(sd));
-    sd.data.data = buf;
+    sd.data.data = (unsigned char*) buf;
     sd.data.len = len;
     sd.signature.data = it.data;
     sd.signature.len = it.len << 3;		/* convert to bit string */
diff --git a/security/nss/lib/dev/ckhelper.c b/security/nss/lib/dev/ckhelper.c
index 24d10bcc2ceb..13988e259a11 100644
--- a/security/nss/lib/dev/ckhelper.c
+++ b/security/nss/lib/dev/ckhelper.c
@@ -35,7 +35,7 @@
  * ***** END LICENSE BLOCK ***** */
 
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: ckhelper.c,v $ $Revision: 1.40 $ $Date: 2010/01/08 02:00:58 $";
+static const char CVS_ID[] = "@(#) $RCSfile: ckhelper.c,v $ $Revision: 1.41 $ $Date: 2011/04/13 00:10:25 $";
 #endif /* DEBUG */
 
 #include "pkcs11.h"
@@ -78,7 +78,7 @@ is_string_attribute (
     PRBool isString;
     switch (aType) {
     case CKA_LABEL:
-    case CKA_NETSCAPE_EMAIL:
+    case CKA_NSS_EMAIL:
 	isString = PR_TRUE;
 	break;
     default:
@@ -401,14 +401,13 @@ get_nss_trust (
 {
     nssTrustLevel t;
     switch (ckt) {
-    case CKT_NETSCAPE_UNTRUSTED: t = nssTrustLevel_NotTrusted; break;
-    case CKT_NETSCAPE_TRUSTED_DELEGATOR: t = nssTrustLevel_TrustedDelegator; 
+    case CKT_NSS_NOT_TRUSTED: t = nssTrustLevel_NotTrusted; break;
+    case CKT_NSS_TRUSTED_DELEGATOR: t = nssTrustLevel_TrustedDelegator; 
 	break;
-    case CKT_NETSCAPE_VALID_DELEGATOR: t = nssTrustLevel_ValidDelegator; break;
-    case CKT_NETSCAPE_TRUSTED: t = nssTrustLevel_Trusted; break;
-    case CKT_NETSCAPE_VALID: t = nssTrustLevel_Valid; break;
-    case CKT_NETSCAPE_MUST_VERIFY:
-    case CKT_NETSCAPE_TRUST_UNKNOWN:
+    case CKT_NSS_VALID_DELEGATOR: t = nssTrustLevel_ValidDelegator; break;
+    case CKT_NSS_TRUSTED: t = nssTrustLevel_Trusted; break;
+    case CKT_NSS_MUST_VERIFY_TRUST: t = nssTrustLevel_MustVerify; break;
+    case CKT_NSS_TRUST_UNKNOWN:
     default:
 	t = nssTrustLevel_Unknown; break;
     }
@@ -432,10 +431,10 @@ nssCryptokiTrust_GetAttributes (
     nssSession *session;
     CK_BBOOL isToken = PR_FALSE;
     CK_BBOOL stepUp = PR_FALSE;
-    CK_TRUST saTrust = CKT_NETSCAPE_TRUST_UNKNOWN;
-    CK_TRUST caTrust = CKT_NETSCAPE_TRUST_UNKNOWN;
-    CK_TRUST epTrust = CKT_NETSCAPE_TRUST_UNKNOWN;
-    CK_TRUST csTrust = CKT_NETSCAPE_TRUST_UNKNOWN;
+    CK_TRUST saTrust = CKT_NSS_TRUST_UNKNOWN;
+    CK_TRUST caTrust = CKT_NSS_TRUST_UNKNOWN;
+    CK_TRUST epTrust = CKT_NSS_TRUST_UNKNOWN;
+    CK_TRUST csTrust = CKT_NSS_TRUST_UNKNOWN;
     CK_ATTRIBUTE_PTR attr;
     CK_ATTRIBUTE trust_template[7];
     CK_ULONG trust_size;
@@ -453,7 +452,7 @@ nssCryptokiTrust_GetAttributes (
 
     status = nssToken_GetCachedObjectAttributes(trustObject->token, NULL,
                                                 trustObject, 
-                                                CKO_NETSCAPE_TRUST,
+                                                CKO_NSS_TRUST,
                                                 trust_template, trust_size);
     if (status != PR_SUCCESS) {
 	session = sessionOpt ? 
@@ -510,10 +509,10 @@ nssCryptokiCRL_GetAttributes (
 	NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_VALUE);
     }
     if (urlOpt) {
-	NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_NETSCAPE_URL);
+	NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_NSS_URL);
     }
     if (isKRLOpt) {
-	NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_NETSCAPE_KRL);
+	NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_NSS_KRL);
     }
     if (subjectOpt) {
 	NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_SUBJECT);
@@ -522,7 +521,7 @@ nssCryptokiCRL_GetAttributes (
 
     status = nssToken_GetCachedObjectAttributes(crlObject->token, NULL,
                                                 crlObject, 
-                                                CKO_NETSCAPE_CRL,
+                                                CKO_NSS_CRL,
                                                 crl_template, crl_size);
     if (status != PR_SUCCESS) {
 	session = sessionOpt ? 
diff --git a/security/nss/lib/dev/devt.h b/security/nss/lib/dev/devt.h
index 317069e610bf..5cb7e467bcbe 100644
--- a/security/nss/lib/dev/devt.h
+++ b/security/nss/lib/dev/devt.h
@@ -38,7 +38,7 @@
 #define DEVT_H
 
 #ifdef DEBUG
-static const char DEVT_CVS_ID[] = "@(#) $RCSfile: devt.h,v $ $Revision: 1.24 $ $Date: 2010/01/08 02:00:58 $";
+static const char DEVT_CVS_ID[] = "@(#) $RCSfile: devt.h,v $ $Revision: 1.25 $ $Date: 2011/04/13 00:10:25 $";
 #endif /* DEBUG */
 
 /*
@@ -143,7 +143,7 @@ typedef enum {
     nssTrustLevel_NotTrusted = 1,
     nssTrustLevel_Trusted = 2,
     nssTrustLevel_TrustedDelegator = 3,
-    nssTrustLevel_Valid = 4,
+    nssTrustLevel_MustVerify = 4,
     nssTrustLevel_ValidDelegator = 5
 } nssTrustLevel;
 
diff --git a/security/nss/lib/dev/devtoken.c b/security/nss/lib/dev/devtoken.c
index 08ba19849c5a..f5edb3b6d344 100644
--- a/security/nss/lib/dev/devtoken.c
+++ b/security/nss/lib/dev/devtoken.c
@@ -35,7 +35,7 @@
  * ***** END LICENSE BLOCK ***** */
 
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: devtoken.c,v $ $Revision: 1.54 $ $Date: 2010/04/03 18:27:30 $";
+static const char CVS_ID[] = "@(#) $RCSfile: devtoken.c,v $ $Revision: 1.56 $ $Date: 2011/07/12 21:29:20 $";
 #endif /* DEBUG */
 
 #include "pkcs11.h"
@@ -522,7 +522,7 @@ nssToken_ImportCertificate (
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SUBJECT,           subject);
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SERIAL_NUMBER,     serial);
     if (email) {
-	NSS_CK_SET_ATTRIBUTE_UTF8(attr, CKA_NETSCAPE_EMAIL,    email);
+	NSS_CK_SET_ATTRIBUTE_UTF8(attr, CKA_NSS_EMAIL,    email);
     }
     NSS_CK_TEMPLATE_FINISH(cert_tmpl, attr, ctsize);
     /* see if the cert is already there */
@@ -714,7 +714,7 @@ nssToken_FindCertificatesByNickname (
 
 /* XXX
  * This function *does not* use the token object cache, because not even
- * the softoken will return a value for CKA_NETSCAPE_EMAIL from a call
+ * the softoken will return a value for CKA_NSS_EMAIL from a call
  * to GetAttributes.  The softoken does allow searches with that attribute,
  * it just won't return a value for it.
  */
@@ -733,7 +733,7 @@ nssToken_FindCertificatesByEmail (
     CK_ULONG etsize;
     nssCryptokiObject **objects;
     NSS_CK_TEMPLATE_START(email_template, attr, etsize);
-    NSS_CK_SET_ATTRIBUTE_UTF8(attr, CKA_NETSCAPE_EMAIL, email);
+    NSS_CK_SET_ATTRIBUTE_UTF8(attr, CKA_NSS_EMAIL, email);
     /* Set the search to token/session only if provided */
     if (searchType == nssTokenSearchType_SessionOnly) {
 	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
@@ -1071,14 +1071,14 @@ get_ck_trust (
 {
     CK_TRUST t;
     switch (nssTrust) {
-    case nssTrustLevel_NotTrusted: t = CKT_NETSCAPE_UNTRUSTED; break;
-    case nssTrustLevel_TrustedDelegator: t = CKT_NETSCAPE_TRUSTED_DELEGATOR; 
+    case nssTrustLevel_NotTrusted: t = CKT_NSS_NOT_TRUSTED; break;
+    case nssTrustLevel_TrustedDelegator: t = CKT_NSS_TRUSTED_DELEGATOR; 
 	break;
-    case nssTrustLevel_ValidDelegator: t = CKT_NETSCAPE_VALID_DELEGATOR; break;
-    case nssTrustLevel_Trusted: t = CKT_NETSCAPE_TRUSTED; break;
-    case nssTrustLevel_Valid: t = CKT_NETSCAPE_VALID; break;
+    case nssTrustLevel_ValidDelegator: t = CKT_NSS_VALID_DELEGATOR; break;
+    case nssTrustLevel_Trusted: t = CKT_NSS_TRUSTED; break;
+    case nssTrustLevel_MustVerify: t = CKT_NSS_MUST_VERIFY_TRUST; break;
     case nssTrustLevel_Unknown:
-    default: t = CKT_NETSCAPE_TRUST_UNKNOWN; break;
+    default: t = CKT_NSS_TRUST_UNKNOWN; break;
     }
     return t;
 }
@@ -1099,7 +1099,7 @@ nssToken_ImportTrust (
 )
 {
     nssCryptokiObject *object;
-    CK_OBJECT_CLASS tobjc = CKO_NETSCAPE_TRUST;
+    CK_OBJECT_CLASS tobjc = CKO_NSS_TRUST;
     CK_TRUST ckSA, ckCA, ckCS, ckEP;
     CK_ATTRIBUTE_PTR attr;
     CK_ATTRIBUTE trust_tmpl[11];
@@ -1158,7 +1158,7 @@ nssToken_FindTrustForCertificate (
   nssTokenSearchType searchType
 )
 {
-    CK_OBJECT_CLASS tobjc = CKO_NETSCAPE_TRUST;
+    CK_OBJECT_CLASS tobjc = CKO_NSS_TRUST;
     CK_ATTRIBUTE_PTR attr;
     CK_ATTRIBUTE tobj_template[5];
     CK_ULONG tobj_size;
@@ -1172,9 +1172,7 @@ nssToken_FindTrustForCertificate (
     }
 
     NSS_CK_TEMPLATE_START(tobj_template, attr, tobj_size);
-    if (searchType == nssTokenSearchType_SessionOnly) {
-	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
-    } else if (searchType == nssTokenSearchType_TokenOnly) {
+    if (searchType == nssTokenSearchType_TokenOnly) {
 	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
     }
     NSS_CK_SET_ATTRIBUTE_VAR( attr, CKA_CLASS,          tobjc);
@@ -1203,7 +1201,7 @@ nssToken_ImportCRL (
 )
 {
     nssCryptokiObject *object;
-    CK_OBJECT_CLASS crlobjc = CKO_NETSCAPE_CRL;
+    CK_OBJECT_CLASS crlobjc = CKO_NSS_CRL;
     CK_ATTRIBUTE_PTR attr;
     CK_ATTRIBUTE crl_tmpl[6];
     CK_ULONG crlsize;
@@ -1217,11 +1215,11 @@ nssToken_ImportCRL (
     NSS_CK_SET_ATTRIBUTE_VAR( attr, CKA_CLASS,        crlobjc);
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SUBJECT,      subject);
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_VALUE,        encoding);
-    NSS_CK_SET_ATTRIBUTE_UTF8(attr, CKA_NETSCAPE_URL, url);
+    NSS_CK_SET_ATTRIBUTE_UTF8(attr, CKA_NSS_URL, url);
     if (isKRL) {
-	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_NETSCAPE_KRL, &g_ck_true);
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_NSS_KRL, &g_ck_true);
     } else {
-	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_NETSCAPE_KRL, &g_ck_false);
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_NSS_KRL, &g_ck_false);
     }
     NSS_CK_TEMPLATE_FINISH(crl_tmpl, attr, crlsize);
 
@@ -1244,7 +1242,7 @@ nssToken_FindCRLsBySubject (
   PRStatus *statusOpt
 )
 {
-    CK_OBJECT_CLASS crlobjc = CKO_NETSCAPE_CRL;
+    CK_OBJECT_CLASS crlobjc = CKO_NSS_CRL;
     CK_ATTRIBUTE_PTR attr;
     CK_ATTRIBUTE crlobj_template[3];
     CK_ULONG crlobj_size;
diff --git a/security/nss/lib/freebl/Makefile b/security/nss/lib/freebl/Makefile
index 6e52bb9b11a3..c807ec2ea5d5 100644
--- a/security/nss/lib/freebl/Makefile
+++ b/security/nss/lib/freebl/Makefile
@@ -82,10 +82,48 @@ ifeq ($(FREEBL_NO_DEPEND),1)
 else
 	MAPFILE_SOURCE = freebl.def
 endif
+
+# FREEBL_USE_PRELINK
+#
+# Most modern version of Linux support a speed optimization scheme where an
+# application called prelink modifies programs and shared libraries to quickly
+# load if they fit into an already designed address space. In short, prelink
+# scans the list of programs and libraries on your system, assigns them a
+# predefined space in the the address space, then provides the fixups to the
+# library.
+#
+# The modification of the shared library is correctly detected by the freebl
+# FIPS checksum scheme where we check a signed hash of the library against the
+# library itself.
+#
+# The prelink command itself can reverse the process of modification and output
+# the prestine shared library as it was before prelink made it's changes.
+# This option tells Freebl could use prelink to output the original copy of
+# the shared library before prelink modified it.
+#
+# FREEBL_PRELINK_COMMAND
+#
+# This is an optional environment variable which can override the default
+# prelink command. It could be used on systems that did something similiar to 
+# prelink but used a different command and syntax. The only requirement is the 
+# program must take the library as the last argument, the program must output 
+# the original library to standard out, and the program does not need to take 
+# any quoted or imbedded spaces in its arguments (except the path to the 
+# library itself, which can have imbedded spaces or special characters).
+#
+ifdef FREEBL_USE_PRELINK
+	DEFINES += -DFREEBL_USE_PRELINK
+ifdef LINUX
+	DEFINES += -D__GNU_SOURCE=1
+endif
+endif
+ifdef FREEBL_PRELINK_COMMAND
+	DEFINES +=-DFREEBL_PRELINK_COMMAND=\"$(FREEBL_PRELINK_COMMAND)\"
+endif
 # NSS_X86 means the target is a 32-bits x86 CPU architecture
 # NSS_X64 means the target is a 64-bits x64 CPU architecture
 # NSS_X86_OR_X64 means the target is either x86 or x64
-ifeq (,$(filter-out x386 x86 x86_64,$(CPU_ARCH)))
+ifeq (,$(filter-out i386 x386 x86 x86_64,$(CPU_ARCH)))
         DEFINES += -DNSS_X86_OR_X64
 ifdef USE_64
         DEFINES += -DNSS_X64
@@ -180,6 +218,12 @@ ifeq ($(CPU_ARCH),x86)
     # The floating point ECC code doesn't work on Linux x86 (bug 311432).
     #ECL_USE_FP = 1
 endif
+ifeq ($(CPU_ARCH),arm)
+    DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE 
+    DEFINES += -DMP_USE_UINT_DIGIT
+    DEFINES += -DSHA_NO_LONG_LONG # avoid 64-bit arithmetic in SHA512
+    MPI_SRCS += mpi_arm.c
+endif
 endif # Linux
 
 ifeq ($(OS_TARGET),AIX)
@@ -215,12 +259,14 @@ else
     MPI_SRCS += mpi_hp.c 
     ASFILES  += hpma512.s hppa20.s 
     DEFINES  += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE
+ifndef NS_USE_GCC
     ARCHFLAG = -Aa +e +DA2.0 +DS2.0
 endif
 endif
 endif
 endif
 endif
+endif
 
 # The blapi functions are defined not only in the freebl shared
 # libraries but also in the shared libraries linked with loader.c
diff --git a/security/nss/lib/freebl/blapi.h b/security/nss/lib/freebl/blapi.h
index bfe23f8353be..3a7cf3d9f9e3 100644
--- a/security/nss/lib/freebl/blapi.h
+++ b/security/nss/lib/freebl/blapi.h
@@ -37,7 +37,7 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: blapi.h,v 1.33.22.2 2010/12/04 18:59:01 rrelyea%redhat.com Exp $ */
+/* $Id: blapi.h,v 1.41 2010/12/06 17:22:49 kaie%kuix.de Exp $ */
 
 #ifndef _BLAPI_H_
 #define _BLAPI_H_
@@ -1089,6 +1089,24 @@ extern void SHA1_Clone(SHA1Context *dest, SHA1Context *src);
 
 /******************************************/
 
+extern SHA224Context *SHA224_NewContext(void);
+extern void SHA224_DestroyContext(SHA224Context *cx, PRBool freeit);
+extern void SHA224_Begin(SHA224Context *cx);
+extern void SHA224_Update(SHA224Context *cx, const unsigned char *input,
+			unsigned int inputLen);
+extern void SHA224_End(SHA224Context *cx, unsigned char *digest,
+		     unsigned int *digestLen, unsigned int maxDigestLen);
+extern SECStatus SHA224_HashBuf(unsigned char *dest, const unsigned char *src,
+			      uint32 src_length);
+extern SECStatus SHA224_Hash(unsigned char *dest, const char *src);
+extern void SHA224_TraceState(SHA224Context *cx);
+extern unsigned int SHA224_FlattenSize(SHA224Context *cx);
+extern SECStatus SHA224_Flatten(SHA224Context *cx,unsigned char *space);
+extern SHA224Context * SHA224_Resurrect(unsigned char *space, void *arg);
+extern void SHA224_Clone(SHA224Context *dest, SHA224Context *src);
+
+/******************************************/
+
 extern SHA256Context *SHA256_NewContext(void);
 extern void SHA256_DestroyContext(SHA256Context *cx, PRBool freeit);
 extern void SHA256_Begin(SHA256Context *cx);
@@ -1142,13 +1160,17 @@ extern SHA384Context * SHA384_Resurrect(unsigned char *space, void *arg);
 extern void SHA384_Clone(SHA384Context *dest, SHA384Context *src);
 
 /****************************************
- * implement TLS Pseudo Random Function (PRF)
+ * implement TLS 1.0 Pseudo Random Function (PRF) and TLS P_hash function
  */
 
 extern SECStatus
 TLS_PRF(const SECItem *secret, const char *label, SECItem *seed, 
          SECItem *result, PRBool isFIPS);
 
+extern SECStatus
+TLS_P_hash(HASH_HashType hashAlg, const SECItem *secret, const char *label,
+           SECItem *seed, SECItem *result, PRBool isFIPS);
+
 /******************************************/
 /*
 ** Pseudo Random Number Generation.  FIPS compliance desirable.
@@ -1235,6 +1257,12 @@ PRNGTEST_Generate(PRUint8 *bytes, unsigned int bytes_len,
 extern SECStatus
 PRNGTEST_Uninstantiate(void);
 
+/*
+ * Mask generation function MGF1
+ */
+extern SECStatus
+MGF1(HASH_HashType hashAlg, unsigned char *mask, unsigned int maskLen,
+     const unsigned char *mgfSeed, unsigned int mgfSeedLen);
 
 /* Generate PQGParams and PQGVerify structs.
  * Length of seed and length of h both equal length of P. 
@@ -1307,6 +1335,11 @@ extern void BL_Unload(void);
  **************************************************************************/
 PRBool BLAPI_SHVerify(const char *name, PRFuncPtr addr);
 
+/**************************************************************************
+ *  Verify a given filename's signature                               *
+ **************************************************************************/
+PRBool BLAPI_SHVerifyFile(const char *shName);
+
 /**************************************************************************
  *  Verify Are Own Shared library signature                               *
  **************************************************************************/
diff --git a/security/nss/lib/freebl/blapii.h b/security/nss/lib/freebl/blapii.h
index a92420f47339..8d636e87ff3d 100644
--- a/security/nss/lib/freebl/blapii.h
+++ b/security/nss/lib/freebl/blapii.h
@@ -42,11 +42,11 @@
 
 SEC_BEGIN_PROTOS
 
-#if defined(XP_UNIX) && !defined(NO_CHECK_FORK)
+#if defined(XP_UNIX) && !defined(NO_FORK_CHECK)
 
-extern PRBool parentForkedAfterC_Initialize;
+extern PRBool bl_parentForkedAfterC_Initialize;
 
-#define SKIP_AFTER_FORK(x) if (!parentForkedAfterC_Initialize) x
+#define SKIP_AFTER_FORK(x) if (!bl_parentForkedAfterC_Initialize) x
 
 #else
 
diff --git a/security/nss/lib/freebl/blapit.h b/security/nss/lib/freebl/blapit.h
index af4ed12b6033..83a60edc35d2 100644
--- a/security/nss/lib/freebl/blapit.h
+++ b/security/nss/lib/freebl/blapit.h
@@ -38,7 +38,7 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: blapit.h,v 1.22.22.1 2011/03/16 18:49:45 alexei.volkov.bugs%sun.com Exp $ */
+/* $Id: blapit.h,v 1.24 2011/03/16 18:37:41 alexei.volkov.bugs%sun.com Exp $ */
 
 #ifndef _BLAPIT_H_
 #define _BLAPIT_H_
@@ -106,6 +106,7 @@
 #define MD2_BLOCK_LENGTH 	 64 	/* bytes */
 #define MD5_BLOCK_LENGTH 	 64 	/* bytes */
 #define SHA1_BLOCK_LENGTH 	 64 	/* bytes */
+#define SHA224_BLOCK_LENGTH 	 64 	/* bytes */
 #define SHA256_BLOCK_LENGTH 	 64 	/* bytes */
 #define SHA384_BLOCK_LENGTH 	128 	/* bytes */
 #define SHA512_BLOCK_LENGTH 	128 	/* bytes */
@@ -206,6 +207,8 @@ typedef struct MD2ContextStr        MD2Context;
 typedef struct MD5ContextStr        MD5Context;
 typedef struct SHA1ContextStr       SHA1Context;
 typedef struct SHA256ContextStr     SHA256Context;
+/* SHA224Context is really a SHA256ContextStr.  This is not a mistake. */
+typedef struct SHA256ContextStr     SHA224Context;
 typedef struct SHA512ContextStr     SHA512Context;
 /* SHA384Context is really a SHA512ContextStr.  This is not a mistake. */
 typedef struct SHA512ContextStr     SHA384Context;
diff --git a/security/nss/lib/freebl/camellia.c b/security/nss/lib/freebl/camellia.c
index 1379ec24d868..570d225aaf35 100644
--- a/security/nss/lib/freebl/camellia.c
+++ b/security/nss/lib/freebl/camellia.c
@@ -36,7 +36,7 @@
  * ***** END LICENSE BLOCK ***** */
 
 /*
- * $Id: camellia.c,v 1.3 2010/04/30 00:10:53 wtc%google.com Exp $
+ * $Id: camellia.c,v 1.4 2010/07/20 01:26:02 wtc%google.com Exp $
  */
 
 #ifdef FREEBL_NO_DEPEND
@@ -50,6 +50,7 @@
 #include "prtypes.h"
 #include "blapi.h"
 #include "camellia.h"
+#include "sha_fast.h" /* for SHA_HTONL and related configuration macros */
 
 
 /* key constants */
@@ -72,15 +73,18 @@
  */
 
 
-#if defined(_MSC_VER) && defined(NSS_X86_OR_X64)
+#if defined(SHA_ALLOW_UNALIGNED_ACCESS)
 
-/* require a little-endian CPU that allows unaligned access */
+/* require a CPU that allows unaligned access */
 
-# define SWAP(x) (_lrotl(x, 8) & 0x00ff00ff | _lrotr(x, 8) & 0xff00ff00)
-# define GETU32(p) SWAP(*((PRUint32 *)(p)))
-# define PUTU32(ct, st) {*((PRUint32 *)(ct)) = SWAP((st));}
+#if defined(SHA_NEED_TMP_VARIABLE)
+#define CAMELLIA_NEED_TMP_VARIABLE 1
+#endif
 
-#else /* not MSVC or not x86/x64 */
+# define GETU32(p) SHA_HTONL(*((PRUint32 *)(p)))
+# define PUTU32(ct, st) {*((PRUint32 *)(ct)) = SHA_HTONL(st);}
+
+#else /* no unaligned access */
 
 # define GETU32(pt)					\
     (((PRUint32)(pt)[0] << 24)				\
@@ -473,6 +477,9 @@ void camellia_setup128(const unsigned char *key, PRUint32 *subkey)
     PRUint32 kw4l, kw4r, dw, tl, tr;
     PRUint32 subL[26];
     PRUint32 subR[26];
+#if defined(CAMELLIA_NEED_TMP_VARIABLE)
+    PRUint32 tmp;
+#endif
 
     /**
      *  k == kll || klr || krl || krr (|| is concatination)
@@ -685,6 +692,9 @@ void camellia_setup256(const unsigned char *key, PRUint32 *subkey)
     PRUint32 kw4l, kw4r, dw, tl, tr;
     PRUint32 subL[34];
     PRUint32 subR[34];
+#if defined(CAMELLIA_NEED_TMP_VARIABLE)
+    PRUint32 tmp;
+#endif
 
     /**
      *  key = (kll || klr || krl || krr || krll || krlr || krrl || krrr)
@@ -991,6 +1001,9 @@ camellia_encrypt128(const PRUint32 *subkey,
 {
     PRUint32 il, ir, t0, t1;
     PRUint32 io[4];
+#if defined(CAMELLIA_NEED_TMP_VARIABLE)
+    PRUint32 tmp;
+#endif
 
     io[0] = GETU32(input);
     io[1] = GETU32(input+4);
@@ -1095,6 +1108,9 @@ camellia_decrypt128(const PRUint32 *subkey,
 {
     PRUint32 il,ir,t0,t1;               /* temporary valiables */
     PRUint32 io[4];
+#if defined(CAMELLIA_NEED_TMP_VARIABLE)
+    PRUint32 tmp;
+#endif
 
     io[0] = GETU32(input);
     io[1] = GETU32(input+4);
@@ -1202,6 +1218,9 @@ camellia_encrypt256(const PRUint32 *subkey,
 {
     PRUint32 il,ir,t0,t1;           /* temporary valiables */
     PRUint32 io[4];
+#if defined(CAMELLIA_NEED_TMP_VARIABLE)
+    PRUint32 tmp;
+#endif
 
     io[0] = GETU32(input);
     io[1] = GETU32(input+4);
@@ -1330,6 +1349,9 @@ camellia_decrypt256(const PRUint32 *subkey,
 {
     PRUint32 il,ir,t0,t1;           /* temporary valiables */
     PRUint32 io[4];
+#if defined(CAMELLIA_NEED_TMP_VARIABLE)
+    PRUint32 tmp;
+#endif
 
     io[0] = GETU32(input);
     io[1] = GETU32(input+4);
diff --git a/security/nss/lib/freebl/des.c b/security/nss/lib/freebl/des.c
index a3541ba7a7a2..7ed2203041f6 100644
--- a/security/nss/lib/freebl/des.c
+++ b/security/nss/lib/freebl/des.c
@@ -408,6 +408,19 @@ static const HALF PC2[8][64] = {
 #pragma intrinsic(_byteswap_ulong)
 #define BYTESWAP(word, temp) \
     word = _byteswap_ulong(word);
+#elif defined(__GNUC__) && (defined(__thumb2__) || \
+      (!defined(__thumb__) && \
+      (defined(__ARM_ARCH_6__) || \
+       defined(__ARM_ARCH_6J__) || \
+       defined(__ARM_ARCH_6K__) || \
+       defined(__ARM_ARCH_6Z__) || \
+       defined(__ARM_ARCH_6ZK__) || \
+       defined(__ARM_ARCH_6T2__) || \
+       defined(__ARM_ARCH_7__) || \
+       defined(__ARM_ARCH_7A__) || \
+       defined(__ARM_ARCH_7R__))))
+#define BYTESWAP(word, temp) \
+    __asm("rev %0, %0" : "+r" (word));
 #else
 #define BYTESWAP(word, temp) \
     word = (word >> 16) | (word << 16); \
diff --git a/security/nss/lib/freebl/dh.c b/security/nss/lib/freebl/dh.c
index 25d3482a3318..2569de05dd6f 100644
--- a/security/nss/lib/freebl/dh.c
+++ b/security/nss/lib/freebl/dh.c
@@ -38,7 +38,7 @@
  * Diffie-Hellman parameter generation, key generation, and secret derivation.
  * KEA secret generation and verification.
  *
- * $Id: dh.c,v 1.8 2008/11/18 19:48:22 rrelyea%redhat.com Exp $
+ * $Id: dh.c,v 1.9 2010/07/20 01:26:02 wtc%google.com Exp $
  */
 #ifdef FREEBL_NO_DEPEND
 #include "stubs.h"
@@ -219,7 +219,8 @@ DH_Derive(SECItem *publicValue,
 {
     mp_int p, Xa, Yb, ZZ;
     mp_err err = MP_OKAY;
-    unsigned int len = 0, nb;
+    int len = 0;
+    unsigned int nb;
     unsigned char *secret = NULL;
     if (!publicValue || !prime || !privateValue || !derivedSecret) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
@@ -241,6 +242,10 @@ DH_Derive(SECItem *publicValue,
     CHECK_MPI_OK( mp_exptmod(&Yb, &Xa, &p, &ZZ) );
     /* number of bytes in the derived secret */
     len = mp_unsigned_octet_size(&ZZ);
+    if (len <= 0) {
+        err = MP_BADARG;
+        goto cleanup;
+    }
     /* allocate a buffer which can hold the entire derived secret. */
     secret = PORT_Alloc(len);
     /* grab the derived secret */
diff --git a/security/nss/lib/freebl/dsa.c b/security/nss/lib/freebl/dsa.c
index ac5606e1f733..de5896ba740d 100644
--- a/security/nss/lib/freebl/dsa.c
+++ b/security/nss/lib/freebl/dsa.c
@@ -35,7 +35,7 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: dsa.c,v 1.20.22.1 2010/12/04 18:59:01 rrelyea%redhat.com Exp $ */
+/* $Id: dsa.c,v 1.21 2010/12/04 18:57:16 rrelyea%redhat.com Exp $ */
 
 #ifdef FREEBL_NO_DEPEND
 #include "stubs.h"
diff --git a/security/nss/lib/freebl/ec.c b/security/nss/lib/freebl/ec.c
index afd06252fe43..9c74375b478b 100644
--- a/security/nss/lib/freebl/ec.c
+++ b/security/nss/lib/freebl/ec.c
@@ -248,6 +248,7 @@ ec_NewKey(ECParams *ecParams, ECPrivateKey **privKey,
 #if EC_DEBUG
     printf("ec_NewKey called\n");
 #endif
+    MP_DIGITS(&k) = 0;
 
     if (!ecParams || !privKey || !privKeyBytes || (privKeyLen < 0)) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
@@ -316,7 +317,6 @@ ec_NewKey(ECParams *ecParams, ECPrivateKey **privKey,
     }
 
     /* Compute corresponding public key */
-    MP_DIGITS(&k) = 0;
     CHECK_MPI_OK( mp_init(&k) );
     CHECK_MPI_OK( mp_read_unsigned_octets(&k, key->privateValue.data, 
 	(mp_size) len) );
@@ -578,12 +578,12 @@ ECDH_Derive(SECItem  *publicValue,
 	return SECFailure;
     }
 
+    MP_DIGITS(&k) = 0;
     memset(derivedSecret, 0, sizeof *derivedSecret);
     len = (ecParams->fieldID.size + 7) >> 3;  
     pointQ.len = 2*len + 1;
     if ((pointQ.data = PORT_Alloc(2*len + 1)) == NULL) goto cleanup;
 
-    MP_DIGITS(&k) = 0;
     CHECK_MPI_OK( mp_init(&k) );
     CHECK_MPI_OK( mp_read_unsigned_octets(&k, privateValue->data, 
 	                                  (mp_size) privateValue->len) );
@@ -655,6 +655,7 @@ ECDSA_SignDigestWithSeed(ECPrivateKey *key, SECItem *signature,
     SECItem kGpoint = { siBuffer, NULL, 0};
     int flen = 0;    /* length in bytes of the field size */
     unsigned olen;   /* length in bytes of the base point order */
+    unsigned obits;  /* length in bits  of the base point order */
 
 #if EC_DEBUG
     char mpstr[256];
@@ -697,6 +698,7 @@ ECDSA_SignDigestWithSeed(ECPrivateKey *key, SECItem *signature,
 
     SECITEM_TO_MPINT( ecParams->order, &n );
     SECITEM_TO_MPINT( key->privateValue, &d );
+
     CHECK_MPI_OK( mp_read_unsigned_octets(&k, kb, kblen) );
     /* Make sure k is in the interval [1, n-1] */
     if ((mp_cmp_z(&k) <= 0) || (mp_cmp(&k, &n) >= 0)) {
@@ -758,8 +760,9 @@ ECDSA_SignDigestWithSeed(ECPrivateKey *key, SECItem *signature,
     /* In the definition of EC signing, digests are truncated
      * to the length of n in bits. 
      * (see SEC 1 "Elliptic Curve Digit Signature Algorithm" section 4.1.*/
-    if (digest->len*8 > ecParams->fieldID.size) {
-	mpl_rsh(&s,&s,digest->len*8 - ecParams->fieldID.size);
+    CHECK_MPI_OK( (obits = mpl_significant_bits(&n)) );
+    if (digest->len*8 > obits) {
+	mpl_rsh(&s,&s,digest->len*8 - obits);
     }
 
 #if EC_DEBUG
@@ -898,6 +901,7 @@ ECDSA_VerifyDigest(ECPublicKey *key, const SECItem *signature,
     int slen;       /* length in bytes of a half signature (r or s) */
     int flen;       /* length in bytes of the field size */
     unsigned olen;  /* length in bytes of the base point order */
+    unsigned obits; /* length in bits  of the base point order */
 
 #if EC_DEBUG
     char mpstr[256];
@@ -979,8 +983,9 @@ ECDSA_VerifyDigest(ECPublicKey *key, const SECItem *signature,
     /* In the definition of EC signing, digests are truncated
      * to the length of n in bits. 
      * (see SEC 1 "Elliptic Curve Digit Signature Algorithm" section 4.1.*/
-    if (digest->len*8 > ecParams->fieldID.size) {  /* u1 = HASH(M')     */
-	mpl_rsh(&u1,&u1,digest->len*8- ecParams->fieldID.size);
+    CHECK_MPI_OK( (obits = mpl_significant_bits(&n)) );
+    if (digest->len*8 > obits) {  /* u1 = HASH(M')     */
+	mpl_rsh(&u1,&u1,digest->len*8 - obits);
     }
 
 #if EC_DEBUG
diff --git a/security/nss/lib/freebl/ecl/ecp_mont.c b/security/nss/lib/freebl/ecl/ecp_mont.c
index c8829b6d1574..c64bc18a7715 100644
--- a/security/nss/lib/freebl/ecl/ecp_mont.c
+++ b/security/nss/lib/freebl/ecl/ecp_mont.c
@@ -77,9 +77,6 @@ GFMethod_consGFp_mont(const mp_int *irr)
 	meth->extra_free = &ec_GFp_extra_free_mont;
 
 	mmm->N = meth->irr;
-	i = mpl_significant_bits(&meth->irr);
-	i += MP_DIGIT_BIT - 1;
-	mmm->b = i - i % MP_DIGIT_BIT;
 	mmm->n0prime = 0 - s_mp_invmod_radix(MP_DIGIT(&meth->irr, 0));
 
   CLEANUP:
@@ -160,7 +157,8 @@ ec_GFp_enc_mont(const mp_int *a, mp_int *r, const GFMethod *meth)
 	mp_err res = MP_OKAY;
 
 	mmm = (mp_mont_modulus *) meth->extra1;
-	MP_CHECKOK(mpl_lsh(a, r, mmm->b));
+	MP_CHECKOK(mp_copy(a, r));
+	MP_CHECKOK(s_mp_lshd(r, MP_USED(&mmm->N)));
 	MP_CHECKOK(mp_mod(r, &mmm->N, r));
   CLEANUP:
 	return res;
diff --git a/security/nss/lib/freebl/hasht.h b/security/nss/lib/freebl/hasht.h
index fd2332a96068..30f9ad5012e0 100644
--- a/security/nss/lib/freebl/hasht.h
+++ b/security/nss/lib/freebl/hasht.h
@@ -33,7 +33,7 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: hasht.h,v 1.7 2008/12/10 22:48:03 wtchang%redhat.com Exp $ */
+/* $Id: hasht.h,v 1.8 2010/08/18 05:54:57 emaldona%redhat.com Exp $ */
 
 #ifndef _HASHT_H_
 #define _HASHT_H_
@@ -54,6 +54,7 @@ typedef enum {
     HASH_AlgSHA256 = 4,
     HASH_AlgSHA384 = 5,
     HASH_AlgSHA512 = 6,
+    HASH_AlgSHA224 = 7,
     HASH_AlgTOTAL
 } HASH_HashType;
 
@@ -63,6 +64,7 @@ typedef enum {
 #define MD2_LENGTH	16
 #define MD5_LENGTH	16
 #define SHA1_LENGTH	20
+#define SHA224_LENGTH 	28
 #define SHA256_LENGTH 	32
 #define SHA384_LENGTH 	48
 #define SHA512_LENGTH 	64
diff --git a/security/nss/lib/freebl/ldvector.c b/security/nss/lib/freebl/ldvector.c
index a4e683c81e84..b8548d86a8da 100644
--- a/security/nss/lib/freebl/ldvector.c
+++ b/security/nss/lib/freebl/ldvector.c
@@ -37,7 +37,7 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: ldvector.c,v 1.21.22.3 2010/12/04 18:59:01 rrelyea%redhat.com Exp $ */
+/* $Id: ldvector.c,v 1.28 2010/12/06 17:22:49 kaie%kuix.de Exp $ */
 
 #ifdef FREEBL_NO_DEPEND
 extern int FREEBL_InitStubs(void);
@@ -257,6 +257,7 @@ static const struct FREEBLVectorStr vector =
     PRNGTEST_Instantiate,
     PRNGTEST_Reseed,
     PRNGTEST_Generate,
+
     PRNGTEST_Uninstantiate,
 
     /* End of Version 3.011. */
@@ -270,7 +271,25 @@ static const struct FREEBLVectorStr vector =
     JPAKE_Round2,
     JPAKE_Final,
 
-    /* End of Version 3.012. */
+    /* End of Version 3.012 */
+
+    MGF1,
+    TLS_P_hash,
+    SHA224_NewContext,
+    SHA224_DestroyContext,
+    SHA224_Begin,
+    SHA224_Update,
+    SHA224_End,
+    SHA224_HashBuf,
+    SHA224_Hash,
+    SHA224_TraceState,
+    SHA224_FlattenSize,
+    SHA224_Flatten,
+    SHA224_Resurrect,
+    SHA224_Clone,
+    BLAPI_SHVerifyFile
+
+    /* End of Version 3.013 */
 };
 
 const FREEBLVector * 
diff --git a/security/nss/lib/freebl/loader.c b/security/nss/lib/freebl/loader.c
index 2bcf1352e9f3..5e9d8aa81097 100644
--- a/security/nss/lib/freebl/loader.c
+++ b/security/nss/lib/freebl/loader.c
@@ -37,7 +37,7 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: loader.c,v 1.44.22.2 2010/12/04 18:59:01 rrelyea%redhat.com Exp $ */
+/* $Id: loader.c,v 1.53 2011/01/15 19:54:49 nelson%bolyard.com Exp $ */
 
 #include "loader.h"
 #include "prmem.h"
@@ -122,7 +122,7 @@ getLibName(void)
     long cpu = sysconf(_SC_CPU_VERSION);
     return (cpu == CPU_PA_RISC2_0) 
 		? "libfreebl_32fpu_3.sl"
-	        : "libfreebl_32int32_3.sl" ;
+	        : "libfreebl_32int_3.sl" ;
 }
 #else
 /* default case, for platforms/ABIs that have only one freebl shared lib. */
@@ -1261,13 +1261,14 @@ BLAPI_SHVerify(const char *name, PRFuncPtr addr)
 
 /*
  * The Caller is expected to pass NULL as the name, which will
- * trigger the p_BLAPI_VerifySelf() to return 'TRUE'. If we really loaded
- * from a shared library, BLAPI_VerifySelf will get pick up the real name
- * from the static set in freebl_LoadDSO( void ) 
+ * trigger the p_BLAPI_VerifySelf() to return 'TRUE'. Pass the real
+ * name of the shared library we loaded (the static libraryName set
+ * in freebl_LoadDSO) to p_BLAPI_VerifySelf.
  */
 PRBool
 BLAPI_VerifySelf(const char *name)
 {
+  PORT_Assert(!name);
   if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
       return PR_FALSE;
   return vector->p_BLAPI_VerifySelf(libraryName);
@@ -1712,6 +1713,7 @@ RSA_PopulatePrivateKey(RSAPrivateKey *key)
     return (vector->p_RSA_PopulatePrivateKey)(key);
 }
 
+
 SECStatus
 JPAKE_Sign(PLArenaPool * arena, const PQGParams * pqg, HASH_HashType hashType,
            const SECItem * signerID, const SECItem * x,
@@ -1755,3 +1757,127 @@ JPAKE_Final(PLArenaPool * arena, const SECItem * p, const SECItem  *q,
         return SECFailure;
     return (vector->p_JPAKE_Final)(arena, p, q, x2, gx4, x2s, B, K);
 }
+
+SECStatus
+MGF1(HASH_HashType hashAlg, unsigned char *mask, unsigned int maskLen,
+     const unsigned char *mgfSeed, unsigned int mgfSeedLen)
+{
+    if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+	return SECFailure;
+    return (vector->p_MGF1)(hashAlg, mask, maskLen, mgfSeed, mgfSeedLen);
+}
+
+SECStatus 
+TLS_P_hash(HASH_HashType hashAlg, const SECItem *secret, const char *label,
+           SECItem *seed, SECItem *result, PRBool isFIPS)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_TLS_P_hash)(hashAlg, secret, label, seed, result, isFIPS);
+}
+
+SECStatus 
+SHA224_Hash(unsigned char *dest, const char *src)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_SHA224_Hash)(dest, src);
+}
+
+SECStatus
+SHA224_HashBuf(unsigned char *dest, const unsigned char *src, uint32 src_length)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_SHA224_HashBuf)(dest, src, src_length);
+}
+
+SHA224Context *
+SHA224_NewContext(void)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return NULL;
+  return (vector->p_SHA224_NewContext)();
+}
+
+void
+SHA224_DestroyContext(SHA224Context *cx, PRBool freeit)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return;
+  (vector->p_SHA224_DestroyContext)(cx, freeit);
+}
+
+void
+SHA224_Begin(SHA256Context *cx)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return;
+  (vector->p_SHA224_Begin)(cx);
+}
+
+void
+SHA224_Update(SHA224Context *cx, const unsigned char *input,
+			unsigned int inputLen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return;
+  (vector->p_SHA224_Update)(cx, input, inputLen);
+}
+
+void
+SHA224_End(SHA224Context *cx, unsigned char *digest,
+		     unsigned int *digestLen, unsigned int maxDigestLen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return;
+  (vector->p_SHA224_End)(cx, digest, digestLen, maxDigestLen);
+}
+
+void
+SHA224_TraceState(SHA224Context *cx)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return;
+  (vector->p_SHA224_TraceState)(cx);
+}
+
+unsigned int
+SHA224_FlattenSize(SHA224Context *cx)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return 0;
+  return (vector->p_SHA224_FlattenSize)(cx);
+}
+
+SECStatus
+SHA224_Flatten(SHA224Context *cx,unsigned char *space)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_SHA224_Flatten)(cx, space);
+}
+
+SHA224Context *
+SHA224_Resurrect(unsigned char *space, void *arg)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return NULL;
+  return (vector->p_SHA224_Resurrect)(space, arg);
+}
+
+void 
+SHA224_Clone(SHA224Context *dest, SHA224Context *src)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return;
+  (vector->p_SHA224_Clone)(dest, src);
+}
+
+PRBool
+BLAPI_SHVerifyFile(const char *name)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return PR_FALSE;
+  return vector->p_BLAPI_SHVerifyFile(name);
+}
diff --git a/security/nss/lib/freebl/loader.h b/security/nss/lib/freebl/loader.h
index d846be6877b0..ed63bf3a748c 100644
--- a/security/nss/lib/freebl/loader.h
+++ b/security/nss/lib/freebl/loader.h
@@ -37,14 +37,14 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: loader.h,v 1.26.22.2 2010/12/04 18:59:01 rrelyea%redhat.com Exp $ */
+/* $Id: loader.h,v 1.34 2011/03/29 15:12:44 wtc%google.com Exp $ */
 
 #ifndef _LOADER_H_
 #define _LOADER_H_ 1
 
 #include "blapi.h"
 
-#define FREEBL_VERSION 0x030C
+#define FREEBL_VERSION 0x030D
 
 struct FREEBLVectorStr {
 
@@ -541,7 +541,6 @@ struct FREEBLVectorStr {
  SECStatus (* p_PRNGTEST_Uninstantiate)(void);
    /* Version 3.011 came to here */
 
-
  SECStatus (*p_RSA_PopulatePrivateKey)(RSAPrivateKey *key);
 
  SECStatus (*p_DSA_NewRandom)(PLArenaPool * arena, const SECItem * q,
@@ -568,8 +567,38 @@ struct FREEBLVectorStr {
                             const SECItem  *q, const SECItem * x2,
                             const SECItem * gx4, const SECItem * x2s,
                             const SECItem * B, SECItem * K);
- 
-   /* Version 3.012 came to here */
+
+  /* Version 3.012 came to here */
+
+ SECStatus (* p_MGF1)(HASH_HashType hashAlg,
+                      unsigned char *mask, unsigned int maskLen,
+                      const unsigned char *mgfSeed, unsigned int mgfSeedLen);
+
+ SECStatus (* p_TLS_P_hash)(HASH_HashType hashAlg,
+                            const SECItem *secret,
+                            const char *label,
+                            SECItem *seed,
+                            SECItem *result,
+                            PRBool isFIPS);
+
+ SHA224Context *(*p_SHA224_NewContext)(void);
+ void (* p_SHA224_DestroyContext)(SHA224Context *cx, PRBool freeit);
+ void (* p_SHA224_Begin)(SHA224Context *cx);
+ void (* p_SHA224_Update)(SHA224Context *cx, const unsigned char *input,
+			unsigned int inputLen);
+ void (* p_SHA224_End)(SHA224Context *cx, unsigned char *digest,
+		     unsigned int *digestLen, unsigned int maxDigestLen);
+ SECStatus (*p_SHA224_HashBuf)(unsigned char *dest, const unsigned char *src,
+			      uint32 src_length);
+ SECStatus (*p_SHA224_Hash)(unsigned char *dest, const char *src);
+ void (*p_SHA224_TraceState)(SHA224Context *cx);
+ unsigned int (* p_SHA224_FlattenSize)(SHA224Context *cx);
+ SECStatus (* p_SHA224_Flatten)(SHA224Context *cx,unsigned char *space);
+ SHA224Context * (* p_SHA224_Resurrect)(unsigned char *space, void *arg);
+ void (* p_SHA224_Clone)(SHA224Context *dest, SHA224Context *src);
+ PRBool (*p_BLAPI_SHVerifyFile)(const char *name);
+
+  /* Version 3.013 came to here */
 
 };
 
diff --git a/security/nss/lib/freebl/manifest.mn b/security/nss/lib/freebl/manifest.mn
index 80ba1ae39748..d98867d6de99 100644
--- a/security/nss/lib/freebl/manifest.mn
+++ b/security/nss/lib/freebl/manifest.mn
@@ -128,6 +128,7 @@ CSRCS = \
 	md5.c \
 	sha512.c \
 	alghmac.c \
+	mgf1.c \
 	rawhash.c \
 	alg2268.c \
 	arcfour.c \
diff --git a/security/nss/lib/freebl/mgf1.c b/security/nss/lib/freebl/mgf1.c
new file mode 100644
index 000000000000..8e6a4a2689f0
--- /dev/null
+++ b/security/nss/lib/freebl/mgf1.c
@@ -0,0 +1,91 @@
+/*
+ * mgf1.c - implementation of MGF1 as defined in PKCS #1 v2.1 / RFC 3447
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Hanno Boeck 
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id: mgf1.c,v 1.2 2010/07/22 23:09:46 wtc%google.com Exp $ */
+
+#ifdef FREEBL_NO_DEPEND
+#include "stubs.h"
+#endif
+
+#include "blapi.h"
+#include "hasht.h"
+
+SECStatus
+MGF1(HASH_HashType hashAlg, unsigned char *mask, unsigned int maskLen,
+     const unsigned char *mgfSeed, unsigned int mgfSeedLen)
+{
+    unsigned int digestLen;
+    PRUint32 counter, rounds;
+    unsigned char *tempHash, *temp;
+    const SECHashObject *hash;
+    void *hashContext;
+    unsigned char C[4];
+
+    hash = HASH_GetRawHashObject(hashAlg);
+    if (hash == NULL)
+        return SECFailure;
+
+    hashContext = (*hash->create)();
+    rounds = (maskLen + hash->length - 1) / hash->length;
+    for (counter = 0; counter < rounds; counter++) {
+        C[0] = (unsigned char)((counter >> 24) & 0xff);
+        C[1] = (unsigned char)((counter >> 16) & 0xff);
+        C[2] = (unsigned char)((counter >> 8) & 0xff);
+        C[3] = (unsigned char)(counter & 0xff);
+
+        /* This could be optimized when the clone functions in
+         * rawhash.c are implemented. */
+        (*hash->begin)(hashContext);
+        (*hash->update)(hashContext, mgfSeed, mgfSeedLen); 
+        (*hash->update)(hashContext, C, sizeof C);
+
+        tempHash = mask + counter * hash->length;
+        if (counter != (rounds-1)) {
+            (*hash->end)(hashContext, tempHash, &digestLen, hash->length);
+        } else { /* we're in the last round and need to cut the hash */
+            temp = PORT_Alloc(hash->length);
+            (*hash->end)(hashContext, temp, &digestLen, hash->length);
+            PORT_Memcpy(tempHash, temp, maskLen - counter * hash->length);
+            PORT_Free(temp);
+        }
+    }
+    (*hash->destroy)(hashContext, PR_TRUE);
+
+    return SECSuccess;
+}
diff --git a/security/nss/lib/freebl/mpi/Makefile b/security/nss/lib/freebl/mpi/Makefile
index dd868b3f169c..d4ff76f871ac 100644
--- a/security/nss/lib/freebl/mpi/Makefile
+++ b/security/nss/lib/freebl/mpi/Makefile
@@ -41,7 +41,7 @@
 # ***** END LICENSE BLOCK *****
 
 #
-# $Id: Makefile,v 1.26 2007/05/09 00:09:37 neil.williams%sun.com Exp $
+# $Id: Makefile,v 1.27 2011/02/06 08:42:27 nelson%bolyard.com Exp $
 #
 
 ## Define CC to be the C compiler you wish to use.  The GNU cc
@@ -170,6 +170,8 @@ mpv_sparcv8.s: vis_64.il mpv_sparc.c
 montmulfv8.o montmulfv9.o mpv_sparcv8.o mpv_sparcv9.o : %.o : %.s 
 	$(CC) -o $@ $(SOLARIS_ASM_FLAGS) -c $<
 
+mpi_arm.o: mpi_arm.c $(LIBHDRS)
+
 # This rule is used to build the .s sources, which are then hand optimized.
 #montmulfv8.s montmulfv9.s : montmulf%.s : montmulf%.il montmulf.c montmulf.h 
 #	$(CC) -o $@ $(SOLARIS_ASM_FLAGS) -S montmulf$*.il montmulf.c
diff --git a/security/nss/lib/freebl/mpi/README b/security/nss/lib/freebl/mpi/README
index 50ec394e4140..1de002a9beeb 100644
--- a/security/nss/lib/freebl/mpi/README
+++ b/security/nss/lib/freebl/mpi/README
@@ -676,10 +676,7 @@ exptmod.c       Computes arbitrary precision modular exponentiation
                 from the command line (exptmod a b m -> a^b (mod m))
 
 Most of these can be built from the Makefile that comes with the
-library.  Try 'make tools', if your environment supports it.  (If you
-are compiling on a Macintosh, I'm afraid you'll have to build them by
-hand -- fortunately, this is not difficult -- the library itself
-should compile just fine under Metrowerks CodeWarrior).
+library.  Try 'make tools', if your environment supports it.
 
 
 Testing the Library
@@ -704,9 +701,9 @@ what platform and compiler you were using, as well as which test
 failed.  If a reason for failure was given, please send me that text
 as well.
 
-If you're on a system such as the Macintosh, where the standard Unix
-build tools don't work, you can build the 'mpi-test' program manually,
-and run it by hand.  This is tedious and obnoxious, sorry.
+If you're on a system where the standard Unix build tools don't work,
+you can build the 'mpi-test' program manually, and run it by hand.
+This is tedious and obnoxious, sorry.
 
 Further manual testing can be performed by building the manual testing
 programs, whose source is found in the 'tests' subdirectory.  Each
@@ -736,8 +733,7 @@ cannot use make, here is what needs to be done:
 
 (1) Use 'make-test-arrays' to generate the file 'test-info.c' from
     the 'test-arrays.txt' file.  Since Perl can be found everywhere,
-    even on the Macintosh, this should be no trouble.  Under Unix, 
-    this looks like:
+    this should be no trouble.  Under Unix, this looks like:
 
         make-test-arrays test-arrays.txt > test-info.c
 
diff --git a/security/nss/lib/freebl/mpi/hpma512.s b/security/nss/lib/freebl/mpi/hpma512.s
index 0d88608c17eb..b224c77d0621 100644
--- a/security/nss/lib/freebl/mpi/hpma512.s
+++ b/security/nss/lib/freebl/mpi/hpma512.s
@@ -331,7 +331,7 @@
 multacc512
         .PROC
         .CALLINFO
-        .ENTER
+        .ENTRY
     fldd    0(pM),M                 ; multiplier double word
     ldo     ST_SZ(sp),sp            ; push stack
 
@@ -636,8 +636,10 @@ $L0
 /*      end of module                                                       */
 /*  ======================================================================  */
 
-                .LEAVE
 
+        bve (rp)
+        .EXIT
+        nop
                 .PROCEND
                 .SPACE         $TEXT$
                 .SUBSPA        $CODE$
diff --git a/security/nss/lib/freebl/mpi/hppa20.s b/security/nss/lib/freebl/mpi/hppa20.s
index 4cabd249b542..1f4d0100e625 100644
--- a/security/nss/lib/freebl/mpi/hppa20.s
+++ b/security/nss/lib/freebl/mpi/hppa20.s
@@ -40,7 +40,7 @@
 #else
 ;       .LEVEL   1.1
 ;       .ALLOW   2.0N
-        .LEVEL   2.0N
+        .LEVEL   2.0
 #endif
         .SPACE   $TEXT$,SORT=8
         .SUBSPA  $CODE$,QUAD=0,ALIGN=4,ACCESS=0x2c,CODE_ONLY,SORT=24
@@ -108,17 +108,10 @@ maxpy_little
 maxpy_big
 #endif
         .PROC
-        .CALLINFO FRAME=120,ENTRY_GR=%r4
-        .ENTER
-
-; Of course, real men don't use the sissy "enter" and "leave" commands.
-; They write their own stack manipulation stuff.  Unfortunately,
-; that doesn't generate complete unwind info, whereas "enter" and
-; "leave" (if the documentation is to be believed) do so.  Therefore,
-; we use the sissy commands.  We have verified (by real-man methods)
-; that the above command generates what we want:
-;       STW,MA  %r3,128(%sp)
-;       STW     %r4,-124(%sp)
+        .CALLINFO FRAME=120,ENTRY_GR=4
+        .ENTRY
+        STW,MA  %r3,128(%sp)
+        STW     %r4,-124(%sp)
 
         ADDIB,< -1,%r26,$L0         ; If N = 0, exit immediately.
         FLDD    0(%r25),%fr9        ; fr9 = scalar
@@ -502,12 +495,10 @@ $JOIN5
 ; exit
 
 $L0
-        .LEAVE
-
-; We have verified that the above command generates what we want:
-;       LDW     -124(%sp),%r4
-;       BVE     (%r2)
-;       LDW,MB  -128(%sp),%r3
+        LDW     -124(%sp),%r4
+        BVE     (%r2)
+        .EXIT
+        LDW,MB  -128(%sp),%r3
 
         .PROCEND
 
@@ -529,8 +520,10 @@ add_diag_little
 add_diag_big
 #endif
         .PROC
-        .CALLINFO FRAME=120,ENTRY_GR=%r4
-        .ENTER
+        .CALLINFO FRAME=120,ENTRY_GR=4
+        .ENTRY
+        STW,MA  %r3,128(%sp)
+        STW     %r4,-124(%sp)
 
         ADDIB,< -1,%r26,$Z0         ; If N=0, exit immediately.
         NOP
@@ -747,15 +740,24 @@ $FDIAG1
         STD     %r26,EIGHT(%r24)
 
 $Z0
-        .LEAVE
+        LDW     -124(%sp),%r4
+        BVE     (%r2)
+        .EXIT
+        LDW,MB  -128(%sp),%r3
         .PROCEND
 ;	.ALLOW
 
         .SPACE         $TEXT$
         .SUBSPA        $CODE$
 #ifdef LITTLE_WORDIAN
+#ifdef __GNUC__
+; GNU-as (as of 2.19) does not support LONG_RETURN
+        .EXPORT        maxpy_little,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR,ARGW2=GR,ARGW3=GR
+        .EXPORT        add_diag_little,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR,ARGW2=GR
+#else
         .EXPORT        maxpy_little,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR,ARGW2=GR,ARGW3=GR,LONG_RETURN
         .EXPORT        add_diag_little,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR,ARGW2=GR,LONG_RETURN
+#endif
 #else
         .EXPORT        maxpy_big,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR,ARGW2=GR,ARGW3=GR,LONG_RETURN
         .EXPORT        add_diag_big,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR,ARGW2=GR,LONG_RETURN
diff --git a/security/nss/lib/freebl/mpi/make-logtab b/security/nss/lib/freebl/mpi/make-logtab
index fa2702f2d9ab..5eb84489f2d6 100755
--- a/security/nss/lib/freebl/mpi/make-logtab
+++ b/security/nss/lib/freebl/mpi/make-logtab
@@ -1,4 +1,4 @@
-#!/usr/linguist/bin/perl
+#!/usr/bin/perl
 
 #
 # make-logtab
@@ -43,7 +43,7 @@
 #
 # ***** END LICENSE BLOCK *****
 
-# $Id: make-logtab,v 1.4 2005/02/02 22:28:22 gerv%gerv.net Exp $
+# $Id: make-logtab,v 1.5 2011/05/23 23:45:11 wtc%google.com Exp $
 
 $ARRAYNAME = $ENV{'ARRAYNAME'} || "s_logv_2";
 $ARRAYTYPE = $ENV{'ARRAYTYPE'} || "float";
diff --git a/security/nss/lib/freebl/mpi/make-test-arrays b/security/nss/lib/freebl/mpi/make-test-arrays
index ced5c5412015..da9a8c6ef50e 100755
--- a/security/nss/lib/freebl/mpi/make-test-arrays
+++ b/security/nss/lib/freebl/mpi/make-test-arrays
@@ -1,4 +1,4 @@
-#!/usr/linguist/bin/perl
+#!/usr/bin/perl
 
 #
 # make-test-arrays
@@ -49,7 +49,7 @@
 #
 # ***** END LICENSE BLOCK *****
 
-# $Id: make-test-arrays,v 1.2 2005/02/02 22:28:22 gerv%gerv.net Exp $
+# $Id: make-test-arrays,v 1.3 2011/05/23 23:45:11 wtc%google.com Exp $
 #
 
 # Read parameters from the environment, if available
diff --git a/security/nss/lib/freebl/mpi/mpi-config.h b/security/nss/lib/freebl/mpi/mpi-config.h
index 08e5c5cc2d03..b39a0eb1ff1e 100644
--- a/security/nss/lib/freebl/mpi/mpi-config.h
+++ b/security/nss/lib/freebl/mpi/mpi-config.h
@@ -36,7 +36,7 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: mpi-config.h,v 1.5.198.1 2011/04/07 22:31:40 wtc%google.com Exp $ */
+/* $Id: mpi-config.h,v 1.6 2010/07/20 01:26:02 wtc%google.com Exp $ */
 
 #ifndef MPI_CONFIG_H_
 #define MPI_CONFIG_H_
diff --git a/security/nss/lib/freebl/mpi/mpi-priv.h b/security/nss/lib/freebl/mpi/mpi-priv.h
index cc8c06ef37a6..41f253df9c03 100644
--- a/security/nss/lib/freebl/mpi/mpi-priv.h
+++ b/security/nss/lib/freebl/mpi/mpi-priv.h
@@ -42,7 +42,7 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: mpi-priv.h,v 1.23 2010/05/02 22:36:41 nelson%bolyard.com Exp $ */
+/* $Id: mpi-priv.h,v 1.24 2010/07/20 01:26:02 wtc%google.com Exp $ */
 #ifndef _MPI_PRIV_H_
 #define _MPI_PRIV_H_ 1
 
@@ -294,7 +294,6 @@ mp_err   MPI_ASM_DECL s_mpv_div_2dx1d(mp_digit Nhi, mp_digit Nlo,
 typedef struct {
   mp_int       N;	/* modulus N */
   mp_digit     n0prime; /* n0' = - (n0 ** -1) mod MP_RADIX */
-  mp_size      b;	/* R == 2 ** b,  also b = # significant bits in N */
 } mp_mont_modulus;
 
 mp_err s_mp_mul_mont(const mp_int *a, const mp_int *b, mp_int *c, 
diff --git a/security/nss/lib/freebl/mpi/mpi.c b/security/nss/lib/freebl/mpi/mpi.c
index 25c96564040c..168831a11353 100644
--- a/security/nss/lib/freebl/mpi/mpi.c
+++ b/security/nss/lib/freebl/mpi/mpi.c
@@ -40,13 +40,20 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: mpi.c,v 1.47.2.1 2011/04/07 22:31:40 wtc%google.com Exp $ */
+/* $Id: mpi.c,v 1.50 2011/04/07 22:35:18 wtc%google.com Exp $ */
 
 #include "mpi-priv.h"
 #if defined(OSF1)
 #include 
 #endif
 
+#if defined(__arm__) && \
+    ((defined(__thumb__) && !defined(__thumb2__)) || defined(__ARM_ARCH_3__))
+/* 16-bit thumb or ARM v3 doesn't work inlined assember version */
+#undef MP_ASSEMBLY_MULTIPLY
+#undef MP_ASSEMBLY_SQUARE
+#endif
+
 #if MP_LOGTAB
 /*
   A table of the logs of 2 for various bases (the 0 and 1 entries of
@@ -2939,8 +2946,6 @@ void     s_mp_exch(mp_int *a, mp_int *b)
    Shift mp leftward by p digits, growing if needed, and zero-filling
    the in-shifted digits at the right end.  This is a convenient
    alternative to multiplication by powers of the radix
-   The value of USED(mp) must already have been set to the value for
-   the shifted result.
  */   
 
 mp_err   s_mp_lshd(mp_int *mp, mp_size p)
@@ -4210,6 +4215,7 @@ mp_err   s_mp_div(mp_int *rem, 	/* i: dividend, o: remainder */
   if(mp_cmp_z(div) == 0)
     return MP_RANGE;
 
+  DIGITS(&t) = 0;
   /* Shortcut if divisor is power of two */
   if((ix = s_mp_ispow2(div)) >= 0) {
     MP_CHECKOK( mp_copy(rem, quot) );
@@ -4219,7 +4225,6 @@ mp_err   s_mp_div(mp_int *rem, 	/* i: dividend, o: remainder */
     return MP_OKAY;
   }
 
-  DIGITS(&t) = 0;
   MP_SIGN(rem) = ZPOS;
   MP_SIGN(div) = ZPOS;
 
@@ -4747,7 +4752,7 @@ mp_to_unsigned_octets(const mp_int *mp, unsigned char *str, mp_size maxlen)
   ARGCHK(mp != NULL && str != NULL && !SIGN(mp), MP_BADARG);
 
   bytes = mp_unsigned_octet_size(mp);
-  ARGCHK(bytes <= maxlen, MP_BADARG);
+  ARGCHK(bytes >= 0 && bytes <= maxlen, MP_BADARG);
 
   /* Iterate over each digit... */
   for(ix = USED(mp) - 1; ix >= 0; ix--) {
@@ -4779,7 +4784,7 @@ mp_to_signed_octets(const mp_int *mp, unsigned char *str, mp_size maxlen)
   ARGCHK(mp != NULL && str != NULL && !SIGN(mp), MP_BADARG);
 
   bytes = mp_unsigned_octet_size(mp);
-  ARGCHK(bytes <= maxlen, MP_BADARG);
+  ARGCHK(bytes >= 0 && bytes <= maxlen, MP_BADARG);
 
   /* Iterate over each digit... */
   for(ix = USED(mp) - 1; ix >= 0; ix--) {
@@ -4819,7 +4824,7 @@ mp_to_fixlen_octets(const mp_int *mp, unsigned char *str, mp_size length)
   ARGCHK(mp != NULL && str != NULL && !SIGN(mp), MP_BADARG);
 
   bytes = mp_unsigned_octet_size(mp);
-  ARGCHK(bytes <= length, MP_BADARG);
+  ARGCHK(bytes >= 0 && bytes <= length, MP_BADARG);
 
   /* place any needed leading zeros */
   for (;length > bytes; --length) {
diff --git a/security/nss/lib/freebl/mpi/mpi.h b/security/nss/lib/freebl/mpi/mpi.h
index 79503f325628..c872018a87ae 100644
--- a/security/nss/lib/freebl/mpi/mpi.h
+++ b/security/nss/lib/freebl/mpi/mpi.h
@@ -39,7 +39,7 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: mpi.h,v 1.23 2008/12/04 18:16:34 rrelyea%redhat.com Exp $ */
+/* $Id: mpi.h,v 1.24 2010/07/20 01:26:02 wtc%google.com Exp $ */
 
 #ifndef _H_MPI_
 #define _H_MPI_
@@ -62,9 +62,7 @@
 #undef ULLONG_MAX
 #endif
 
-#if defined( macintosh )
-#include 
-#elif defined( _WIN32_WCE)
+#if defined( _WIN32_WCE)
 /* #include  What do we need here ?? */
 #else
 #include 
diff --git a/security/nss/lib/freebl/mpi/mpi_arm.c b/security/nss/lib/freebl/mpi/mpi_arm.c
new file mode 100644
index 000000000000..67aaa209f142
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mpi_arm.c
@@ -0,0 +1,203 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is Mozilla Japan.
+ * Portions created by the Initial Developer are Copyright (C) 2010
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Makoto Kato  (Original Author)
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/* This inlined version is for 32-bit ARM platform only */
+
+#if !defined(__arm__)
+#error "This is for ARM only"
+#endif
+
+/* 16-bit thumb doesn't work inlined assember version */
+#if (!defined(__thumb__) || defined(__thumb2__)) && !defined(__ARM_ARCH_3__)
+
+#include "mpi-priv.h"
+
+#ifdef MP_ASSEMBLY_MULTIPLY
+void s_mpv_mul_d(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
+{
+  __asm__ __volatile__(
+    "mov     r5, #0\n"
+#ifdef __thumb2__
+    "cbz     %1, 2f\n"
+#else
+    "cmp     %1, r5\n" /* r5 is 0 now */
+    "beq     2f\n"
+#endif
+
+    "1:\n"
+    "mov     r4, #0\n"
+    "ldr     r6, [%0], #4\n"
+    "umlal   r5, r4, r6, %2\n"
+    "str     r5, [%3], #4\n"
+    "mov     r5, r4\n"
+
+    "subs    %1, #1\n"
+    "bne     1b\n"
+
+    "2:\n"
+    "str     r5, [%3]\n"
+  :
+  : "r"(a), "r"(a_len), "r"(b), "r"(c)
+  : "memory", "cc", "%r4", "%r5", "%r6");
+}
+
+void s_mpv_mul_d_add(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
+{
+  __asm__ __volatile__(
+    "mov     r5, #0\n"
+#ifdef __thumb2__
+    "cbz     %1, 2f\n"
+#else
+    "cmp     %1, r5\n" /* r5 is 0 now */
+    "beq     2f\n"
+#endif
+
+    "1:\n"
+    "mov     r4, #0\n"
+    "ldr     r6, [%3]\n"
+    "adds    r5, r6\n"
+    "adc     r4, #0\n"
+
+    "ldr     r6, [%0], #4\n"
+    "umlal   r5, r4, r6, %2\n"
+    "str     r5, [%3], #4\n"
+    "mov     r5, r4\n"
+
+    "subs    %1, #1\n"
+    "bne     1b\n"
+
+    "2:\n"
+    "str     r5, [%3]\n"
+    :
+    : "r"(a), "r"(a_len), "r"(b), "r"(c)
+    : "memory", "cc", "%r4", "%r5", "%r6");
+}
+
+void s_mpv_mul_d_add_prop(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
+{
+  if (!a_len)
+    return;
+
+  __asm__ __volatile__(
+    "mov     r5, #0\n"
+
+    "1:\n"
+    "mov     r4, #0\n"
+    "ldr     r6, [%3]\n"
+    "adds    r5, r6\n"
+    "adc     r4, #0\n"
+    "ldr     r6, [%0], #4\n"
+    "umlal   r5, r4, r6, %2\n"
+    "str     r5, [%3], #4\n"
+    "mov     r5, r4\n"
+
+    "subs    %1, #1\n"
+    "bne     1b\n"
+
+#ifdef __thumb2__
+    "cbz     r4, 3f\n"
+#else
+    "cmp     r4, #0\n"
+    "beq     3f\n"
+#endif
+
+    "2:\n"
+    "mov     r4, #0\n"
+    "ldr     r6, [%3]\n"
+    "adds    r5, r6\n"
+    "adc     r4, #0\n"
+    "str     r5, [%3], #4\n"
+    "movs    r5, r4\n"
+    "bne     2b\n"
+
+    "3:\n"
+    :
+    : "r"(a), "r"(a_len), "r"(b), "r"(c)
+    : "memory", "cc", "%r4", "%r5", "%r6");
+}
+#endif
+
+#ifdef MP_ASSEMBLY_SQUARE
+void s_mpv_sqr_add_prop(const mp_digit *pa, mp_size a_len, mp_digit *ps)
+{
+  if (!a_len)
+    return;
+
+  __asm__ __volatile__(
+    "mov     r3, #0\n"
+
+    "1:\n"
+    "mov     r4, #0\n"
+    "ldr     r6, [%0], #4\n"
+    "ldr     r5, [%2]\n"
+    "adds    r3, r5\n"
+    "adc     r4, #0\n"
+    "umlal   r3, r4, r6, r6\n" /* w = r3:r4 */
+    "str     r3, [%2], #4\n"
+
+    "ldr     r5, [%2]\n"
+    "adds    r3, r4, r5\n"
+    "mov     r4, #0\n"
+    "adc     r4, #0\n"
+    "str     r3, [%2], #4\n"
+    "mov     r3, r4\n"
+
+    "subs    %1, #1\n"
+    "bne     1b\n"
+
+#ifdef __thumb2__
+    "cbz     r3, 3f\n"
+#else
+    "cmp     r3, #0\n"
+    "beq     3f\n"
+#endif
+
+    "2:\n"
+    "mov     r4, #0\n"
+    "ldr     r5, [%2]\n"
+    "adds    r3, r5\n"
+    "adc     r4, #0\n"
+    "str     r3, [%2], #4\n"
+    "movs    r3, r4\n"
+    "bne     2b\n"
+
+    "3:"
+    :
+    : "r"(pa), "r"(a_len), "r"(ps)
+    : "memory", "cc", "%r3", "%r4", "%r5", "%r6");
+}
+#endif
+#endif
diff --git a/security/nss/lib/freebl/mpi/mpmontg.c b/security/nss/lib/freebl/mpi/mpmontg.c
index 528b94d99837..5ed0e2d83b9b 100644
--- a/security/nss/lib/freebl/mpi/mpmontg.c
+++ b/security/nss/lib/freebl/mpi/mpmontg.c
@@ -36,11 +36,11 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: mpmontg.c,v 1.22 2010/05/02 22:36:41 nelson%bolyard.com Exp $ */
+/* $Id: mpmontg.c,v 1.23 2010/07/20 01:26:02 wtc%google.com Exp $ */
 
 /* This file implements moduluar exponentiation using Montgomery's
  * method for modular reduction.  This file implements the method
- * described as "Improvement 1" in the paper "A Cryptogrpahic Library for
+ * described as "Improvement 2" in the paper "A Cryptogrpahic Library for
  * the Motorola DSP56000" by Stephen R. Dusse' and Burton S. Kaliski Jr.
  * published in "Advances in Cryptology: Proceedings of EUROCRYPT '90"
  * "Lecture Notes in Computer Science" volume 473, 1991, pg 230-244,
@@ -76,13 +76,15 @@
 #define ABORT abort()
 #endif
 
-/* computes T = REDC(T), 2^b == R */
+/*! computes T = REDC(T), 2^b == R 
+    \param T < RN
+*/
 mp_err s_mp_redc(mp_int *T, mp_mont_modulus *mmm)
 {
   mp_err res;
   mp_size i;
 
-  i = MP_USED(T) + MP_USED(&mmm->N) + 2;
+  i = (MP_USED(&mmm->N) << 1) + 1;
   MP_CHECKOK( s_mp_pad(T, i) );
   for (i = 0; i < MP_USED(&mmm->N); ++i ) {
     mp_digit m_i = MP_DIGIT(T, i) * mmm->n0prime;
@@ -92,7 +94,7 @@ mp_err s_mp_redc(mp_int *T, mp_mont_modulus *mmm)
   s_mp_clamp(T);
 
   /* T /= R */
-  s_mp_div_2d(T, mmm->b); 
+  s_mp_rshd( T, MP_USED(&mmm->N) );
 
   if ((res = s_mp_cmp(T, &mmm->N)) >= 0) {
     /* T = T - N */
@@ -109,14 +111,20 @@ CLEANUP:
   return res;
 }
 
-#if !defined(MP_ASSEMBLY_MUL_MONT) && !defined(MP_MONT_USE_MP_MUL)
+#if !defined(MP_MONT_USE_MP_MUL)
+
+/*! c <- REDC( a * b ) mod N
+    \param a < N  i.e. "reduced"
+    \param b < N  i.e. "reduced"
+    \param mmm modulus N and n0' of N
+*/
 mp_err s_mp_mul_mont(const mp_int *a, const mp_int *b, mp_int *c, 
 	           mp_mont_modulus *mmm)
 {
   mp_digit *pb;
   mp_digit m_i;
   mp_err   res;
-  mp_size  ib;
+  mp_size  ib; /* "index b": index of current digit of B */
   mp_size  useda, usedb;
 
   ARGCHK(a != NULL && b != NULL && c != NULL, MP_BADARG);
@@ -128,7 +136,7 @@ mp_err s_mp_mul_mont(const mp_int *a, const mp_int *b, mp_int *c,
   }
 
   MP_USED(c) = 1; MP_DIGIT(c, 0) = 0;
-  ib = MP_USED(a) + MP_MAX(MP_USED(b), MP_USED(&mmm->N)) + 2;
+  ib = (MP_USED(&mmm->N) << 1) + 1;
   if((res = s_mp_pad(c, ib)) != MP_OKAY)
     goto CLEANUP;
 
@@ -157,7 +165,7 @@ mp_err s_mp_mul_mont(const mp_int *a, const mp_int *b, mp_int *c,
     }
   }
   s_mp_clamp(c);
-  s_mp_div_2d(c, mmm->b); 
+  s_mp_rshd( c, MP_USED(&mmm->N) ); /* c /= R */
   if (s_mp_cmp(c, &mmm->N) >= 0) {
     MP_CHECKOK( s_mp_sub(c, &mmm->N) );
   }
@@ -174,7 +182,8 @@ mp_err s_mp_to_mont(const mp_int *x, mp_mont_modulus *mmm, mp_int *xMont)
   mp_err res;
 
   /* xMont = x * R mod N   where  N is modulus */
-  MP_CHECKOK( mpl_lsh(x, xMont, mmm->b) );  		/* xMont = x << b */
+  MP_CHECKOK( mp_copy( x, xMont ) );
+  MP_CHECKOK( s_mp_lshd( xMont, MP_USED(&mmm->N) ) );	/* xMont = x << b */
   MP_CHECKOK( mp_div(xMont, &mmm->N, 0, xMont) );	/*         mod N */
 CLEANUP:
   return res;
@@ -1109,9 +1118,6 @@ mp_err mp_exptmod(const mp_int *inBase, const mp_int *exponent,
   MP_CHECKOK( mp_init_size(&montBase, 2 * nLen + 2) );
 
   mmm.N = *modulus;			/* a copy of the mp_int struct */
-  i = mpl_significant_bits(modulus);
-  i += MP_DIGIT_BIT - 1;
-  mmm.b = i - i % MP_DIGIT_BIT;
 
   /* compute n0', given n0, n0' = -(n0 ** -1) mod MP_RADIX
   **		where n0 = least significant mp_digit of N, the modulus.
diff --git a/security/nss/lib/freebl/mpi/target.mk b/security/nss/lib/freebl/mpi/target.mk
index dcc09f0d1965..0ad6172e27f0 100644
--- a/security/nss/lib/freebl/mpi/target.mk
+++ b/security/nss/lib/freebl/mpi/target.mk
@@ -218,6 +218,12 @@ CFLAGS= -O2 -fPIC -DLINUX1_2 -Di386 -D_XOPEN_SOURCE -DLINUX2_1 -ansi -Wall \
  -DXP_UNIX -UDEBUG -DNDEBUG -D_REENTRANT $(MPICMN)
 endif
 
+ifeq ($(TARGET),armLINUX)
+MPICMN += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE
+MPICMN += -DMP_USE_UINT_DIGIT 
+AS_OBJS += mpi_arm.o
+endif
+
 ifeq ($(TARGET),AMD64SOLARIS)
 ASFLAGS += -xarch=generic64
 AS_OBJS = mpi_amd64.o mpi_amd64_sun.o
diff --git a/security/nss/lib/freebl/mpi/utils/primegen.c b/security/nss/lib/freebl/mpi/utils/primegen.c
index 9e4b90e006b7..0bea4f4183b4 100644
--- a/security/nss/lib/freebl/mpi/utils/primegen.c
+++ b/security/nss/lib/freebl/mpi/utils/primegen.c
@@ -46,7 +46,7 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: primegen.c,v 1.7 2004/04/27 23:04:37 gerv%gerv.net Exp $ */
+/* $Id: primegen.c,v 1.8 2010/07/20 01:26:03 wtc%google.com Exp $ */
 
 #include 
 #include 
@@ -58,12 +58,6 @@
 #include "mplogic.h"
 #include "mpprime.h"
 
-#undef MACOS		/* define if running on a Macintosh */
-
-#ifdef MACOS
-#include 
-#endif
-
 #define NUM_TESTS 5  /* Number of Rabin-Miller iterations to test with */
 
 #ifdef DEBUG
@@ -83,10 +77,6 @@ int main(int argc, char *argv[])
   mp_err	res;
   clock_t	start, end;
 
-#ifdef MACOS
-  argc = ccommand(&argv);
-#endif
-
   /* We'll just use the C library's rand() for now, although this
      won't be good enough for cryptographic purposes */
   if((out = getenv("SEED")) == NULL) {
diff --git a/security/nss/lib/freebl/mpi/utils/ptab.pl b/security/nss/lib/freebl/mpi/utils/ptab.pl
index 451b2e862702..84d7da26562a 100755
--- a/security/nss/lib/freebl/mpi/utils/ptab.pl
+++ b/security/nss/lib/freebl/mpi/utils/ptab.pl
@@ -1,4 +1,4 @@
-#!/usr/linguist/bin/perl
+#!/usr/bin/perl
 
 # ***** BEGIN LICENSE BLOCK *****
 # Version: MPL 1.1/GPL 2.0/LGPL 2.1
@@ -36,7 +36,7 @@
 #
 # ***** END LICENSE BLOCK *****
 
-# $Id: ptab.pl,v 1.2 2005/02/02 22:28:23 gerv%gerv.net Exp $
+# $Id: ptab.pl,v 1.3 2011/05/23 23:45:11 wtc%google.com Exp $
 #
 
 while(<>) {
diff --git a/security/nss/lib/freebl/nsslowhash.c b/security/nss/lib/freebl/nsslowhash.c
index db5d99b75b2f..bb92c7099c05 100644
--- a/security/nss/lib/freebl/nsslowhash.c
+++ b/security/nss/lib/freebl/nsslowhash.c
@@ -33,7 +33,7 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: nsslowhash.c,v 1.4.8.1 2011/01/20 18:41:51 emaldona%redhat.com Exp $ */
+/* $Id: nsslowhash.c,v 1.6 2010/09/10 00:42:36 emaldona%redhat.com Exp $ */
 
 #include "stubs.h"
 #include "prtypes.h"
@@ -129,6 +129,13 @@ freebl_fips_SHA_PowerUpSelfTest( void )
 			       0x72,0xf6,0xc7,0x22,0xf1,0x27,0x9f,0xf0,
 			       0xe0,0x68,0x47,0x7a};
 
+    /* SHA-224 Known Digest Message (224-bits). */
+    static const PRUint8 sha224_known_digest[] = {
+        0x1c,0xc3,0x06,0x8e,0xce,0x37,0x68,0xfb, 
+        0x1a,0x82,0x4a,0xbe,0x2b,0x00,0x51,0xf8,
+        0x9d,0xb6,0xe0,0x90,0x0d,0x00,0xc9,0x64,
+        0x9a,0xb8,0x98,0x4e};
+
     /* SHA-256 Known Digest Message (256-bits). */
     static const PRUint8 sha256_known_digest[] = {
         0x38,0xa9,0xc1,0xf0,0x35,0xf6,0x5d,0x61,
@@ -172,6 +179,18 @@ freebl_fips_SHA_PowerUpSelfTest( void )
                        SHA1_LENGTH ) != 0 ) )
         return( CKR_DEVICE_ERROR );
 
+    /***************************************************/
+    /* SHA-224 Single-Round Known Answer Hashing Test. */
+    /***************************************************/
+
+    sha_status = SHA224_HashBuf( sha_computed_digest, known_hash_message,
+                                FIPS_KNOWN_HASH_MESSAGE_LENGTH );
+
+    if( ( sha_status != SECSuccess ) ||
+        ( PORT_Memcmp( sha_computed_digest, sha224_known_digest,
+                       SHA224_LENGTH ) != 0 ) )
+        return( CKR_DEVICE_ERROR );
+
     /***************************************************/
     /* SHA-256 Single-Round Known Answer Hashing Test. */
     /***************************************************/
diff --git a/security/nss/lib/freebl/rawhash.c b/security/nss/lib/freebl/rawhash.c
index 811be1a2403a..de16aafe94cb 100644
--- a/security/nss/lib/freebl/rawhash.c
+++ b/security/nss/lib/freebl/rawhash.c
@@ -155,6 +155,17 @@ const SECHashObject SECRawHashObjects[] = {
     SHA512_BLOCK_LENGTH,
     HASH_AlgSHA512
   },
+  { SHA224_LENGTH,
+    (void * (*)(void)) SHA224_NewContext,
+    (void * (*)(void *)) null_hash_clone_context,
+    (void (*)(void *, PRBool)) SHA224_DestroyContext,
+    (void (*)(void *)) SHA224_Begin,
+    (void (*)(void *, const unsigned char *, unsigned int)) SHA224_Update,
+    (void (*)(void *, unsigned char *, unsigned int *,
+	      unsigned int)) SHA224_End,
+    SHA224_BLOCK_LENGTH,
+    HASH_AlgSHA224
+  },
 };
 
 const SECHashObject *
diff --git a/security/nss/lib/freebl/ret_cr16.s b/security/nss/lib/freebl/ret_cr16.s
index 7fb37e725021..da738f0dbd71 100644
--- a/security/nss/lib/freebl/ret_cr16.s
+++ b/security/nss/lib/freebl/ret_cr16.s
@@ -48,10 +48,12 @@ ret_cr16
 	.PROC
 	.CALLINFO 	FRAME=0, NO_CALLS
 	.EXPORT 	ret_cr16,ENTRY
-	.ENTER
+	.ENTRY
 ;	BV		%r0(%rp)
 	BV		0(%rp)
 	MFCTL		%cr16,%ret0
-        .LEAVE
+        BV %r0(%rp)
+        .EXIT
+        NOP
         .PROCEND
         .END
diff --git a/security/nss/lib/freebl/rijndael.c b/security/nss/lib/freebl/rijndael.c
index dea7de31e1dd..8d3b5d8f9672 100644
--- a/security/nss/lib/freebl/rijndael.c
+++ b/security/nss/lib/freebl/rijndael.c
@@ -33,7 +33,7 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: rijndael.c,v 1.25.6.1 2010/11/18 01:33:42 rrelyea%redhat.com Exp $ */
+/* $Id: rijndael.c,v 1.26 2010/11/18 01:33:24 rrelyea%redhat.com Exp $ */
 
 #ifdef FREEBL_NO_DEPEND
 #include "stubs.h"
diff --git a/security/nss/lib/freebl/rsa.c b/security/nss/lib/freebl/rsa.c
index a8599771202e..1f6f3c14ade1 100644
--- a/security/nss/lib/freebl/rsa.c
+++ b/security/nss/lib/freebl/rsa.c
@@ -37,7 +37,7 @@
 /*
  * RSA key generation, public key op, private key op.
  *
- * $Id: rsa.c,v 1.39.22.2 2011/03/30 18:39:44 rrelyea%redhat.com Exp $
+ * $Id: rsa.c,v 1.42 2011/03/30 01:20:12 rrelyea%redhat.com Exp $
  */
 #ifdef FREEBL_NO_DEPEND
 #include "stubs.h"
@@ -1420,6 +1420,8 @@ RSA_PrivateKeyCheck(RSAPrivateKey *key)
     mp_int p, q, n, psub1, qsub1, e, d, d_p, d_q, qInv, res;
     mp_err   err = MP_OKAY;
     SECStatus rv = SECSuccess;
+    MP_DIGITS(&p)    = 0;
+    MP_DIGITS(&q)    = 0;
     MP_DIGITS(&n)    = 0;
     MP_DIGITS(&psub1)= 0;
     MP_DIGITS(&qsub1)= 0;
@@ -1429,9 +1431,9 @@ RSA_PrivateKeyCheck(RSAPrivateKey *key)
     MP_DIGITS(&d_q)  = 0;
     MP_DIGITS(&qInv) = 0;
     MP_DIGITS(&res)  = 0;
-    CHECK_MPI_OK( mp_init(&n)    );
     CHECK_MPI_OK( mp_init(&p)    );
     CHECK_MPI_OK( mp_init(&q)    );
+    CHECK_MPI_OK( mp_init(&n)    );
     CHECK_MPI_OK( mp_init(&psub1));
     CHECK_MPI_OK( mp_init(&qsub1));
     CHECK_MPI_OK( mp_init(&e)    );
@@ -1593,13 +1595,13 @@ void BL_Cleanup(void)
     RSA_Cleanup();
 }
 
-PRBool parentForkedAfterC_Initialize;
+PRBool bl_parentForkedAfterC_Initialize;
 
 /*
  * Set fork flag so it can be tested in SKIP_AFTER_FORK on relevant platforms.
  */
 void BL_SetForkState(PRBool forked)
 {
-    parentForkedAfterC_Initialize = forked;
+    bl_parentForkedAfterC_Initialize = forked;
 }
 
diff --git a/security/nss/lib/freebl/secmpi.h b/security/nss/lib/freebl/secmpi.h
index e343fb8943ae..fded41e602d7 100644
--- a/security/nss/lib/freebl/secmpi.h
+++ b/security/nss/lib/freebl/secmpi.h
@@ -47,10 +47,13 @@
     CHECK_MPI_OK(mp_read_unsigned_octets((mp), (it).data, (it).len))
 
 #define MPINT_TO_SECITEM(mp, it, arena)                         \
-    SECITEM_AllocItem(arena, (it), mp_unsigned_octet_size(mp)); \
+ do { int mpintLen = mp_unsigned_octet_size(mp);                \
+    if (mpintLen <= 0) {err = MP_RANGE; goto cleanup;}          \
+    SECITEM_AllocItem(arena, (it), mpintLen);                   \
     if ((it)->data == NULL) {err = MP_MEM; goto cleanup;}       \
     err = mp_to_unsigned_octets(mp, (it)->data, (it)->len);     \
-    if (err < 0) goto cleanup; else err = MP_OKAY;
+    if (err < 0) goto cleanup; else err = MP_OKAY;              \
+  } while (0)
 
 #define MP_TO_SEC_ERROR(err)                                          \
     switch (err) {                                                    \
diff --git a/security/nss/lib/freebl/sha512.c b/security/nss/lib/freebl/sha512.c
index 567586712bcb..871245d8596d 100644
--- a/security/nss/lib/freebl/sha512.c
+++ b/security/nss/lib/freebl/sha512.c
@@ -1,5 +1,5 @@
 /*
- * sha512.c - implementation of SHA256, SHA384 and SHA512
+ * sha512.c - implementation of SHA224, SHA256, SHA384 and SHA512
  *
  * ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
@@ -36,7 +36,7 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: sha512.c,v 1.14.6.2 2011/03/30 22:45:05 wtc%google.com Exp $ */
+/* $Id: sha512.c,v 1.18 2011/03/30 22:35:43 wtc%google.com Exp $ */
 
 #ifdef FREEBL_NO_DEPEND
 #include "stubs.h"
@@ -63,6 +63,7 @@
 #define SHL(x,n) (x << n)
 #define Ch(x,y,z)  ((x & y) ^ (~x & z))
 #define Maj(x,y,z) ((x & y) ^ (x & z) ^ (y & z))
+#define SHA_MIN(a,b) (a < b ? a : b)
 
 /* Padding used with all flavors of SHA */
 static const PRUint8 pad[240] = { 
@@ -71,7 +72,7 @@ static const PRUint8 pad[240] = {
    /* compiler will fill the rest in with zeros */
 };
 
-/* ============= SHA256 implemenmtation ================================== */
+/* ============= SHA256 implementation ================================== */
 
 /* SHA-256 constants, K256. */
 static const PRUint32 K256[64] = {
@@ -135,6 +136,26 @@ static __inline__ PRUint32 swap4b(PRUint32 value)
 #define SHA_HTONL(x) swap4b(x)
 #define BYTESWAP4(x)  x = SHA_HTONL(x)
 
+#elif defined(__GNUC__) && (defined(__thumb2__) || \
+      (!defined(__thumb__) && \
+      (defined(__ARM_ARCH_6__) || \
+       defined(__ARM_ARCH_6J__) || \
+       defined(__ARM_ARCH_6K__) || \
+       defined(__ARM_ARCH_6Z__) || \
+       defined(__ARM_ARCH_6ZK__) || \
+       defined(__ARM_ARCH_6T2__) || \
+       defined(__ARM_ARCH_7__) || \
+       defined(__ARM_ARCH_7A__) || \
+       defined(__ARM_ARCH_7R__))))
+static __inline__ PRUint32 swap4b(PRUint32 value)
+{
+    PRUint32 ret;
+    __asm__("rev %0, %1" : "=r" (ret) : "r"(value));
+    return ret;
+}
+#define SHA_HTONL(x) swap4b(x)
+#define BYTESWAP4(x)  x = SHA_HTONL(x)
+
 #else
 #define SWAP4MASK  0x00FF00FF
 #define SHA_HTONL(x) (t1 = (x), t1 = (t1 << 16) | (t1 >> 16), \
@@ -523,6 +544,99 @@ void SHA256_Clone(SHA256Context *dest, SHA256Context *src)
     memcpy(dest, src, sizeof *dest);
 }
 
+/* ============= SHA224 implementation ================================== */
+
+/* SHA-224 initial hash values */
+static const PRUint32 H224[8] = {
+    0xc1059ed8, 0x367cd507, 0x3070dd17, 0xf70e5939, 
+    0xffc00b31, 0x68581511, 0x64f98fa7, 0xbefa4fa4
+};
+
+SHA224Context *
+SHA224_NewContext(void)
+{
+    return SHA256_NewContext();
+}
+
+void
+SHA224_DestroyContext(SHA224Context *ctx, PRBool freeit)
+{
+    SHA256_DestroyContext(ctx, freeit);
+}
+
+void
+SHA224_Begin(SHA224Context *ctx)
+{
+    memset(ctx, 0, sizeof *ctx);
+    memcpy(H, H224, sizeof H224);
+}
+
+static void
+SHA224_Compress(SHA224Context *ctx)
+{
+    SHA256_Compress(ctx);
+}
+
+void
+SHA224_Update(SHA224Context *ctx, const unsigned char *input,
+		    unsigned int inputLen)
+{
+    SHA256_Update(ctx, input, inputLen);
+}
+
+void
+SHA224_End(SHA256Context *ctx, unsigned char *digest,
+           unsigned int *digestLen, unsigned int maxDigestLen)
+{
+    unsigned int maxLen = SHA_MIN(maxDigestLen, SHA224_LENGTH);
+    SHA256_End(ctx, digest, digestLen, maxLen);
+}
+
+SECStatus 
+SHA224_HashBuf(unsigned char *dest, const unsigned char *src,
+               uint32 src_length)
+{
+    SHA256Context ctx;
+    unsigned int outLen;
+
+    SHA224_Begin(&ctx);
+    SHA256_Update(&ctx, src, src_length);
+    SHA256_End(&ctx, dest, &outLen, SHA224_LENGTH);
+
+    return SECSuccess;
+}
+
+SECStatus
+SHA224_Hash(unsigned char *dest, const char *src)
+{
+    return SHA224_HashBuf(dest, (const unsigned char *)src, PORT_Strlen(src));
+}
+
+void SHA224_TraceState(SHA224Context *ctx) { }
+
+unsigned int
+SHA224_FlattenSize(SHA224Context *ctx)
+{
+    return SHA256_FlattenSize(ctx);
+}
+
+SECStatus
+SHA224_Flatten(SHA224Context *ctx, unsigned char *space)
+{
+    return SHA256_Flatten(ctx, space);
+}
+
+SHA224Context *
+SHA224_Resurrect(unsigned char *space, void *arg)
+{
+    return SHA256_Resurrect(space, arg);
+}
+
+void SHA224_Clone(SHA224Context *dest, SHA224Context *src) 
+{
+    SHA256_Clone(dest, src);
+}
+
 
 /* ======= SHA512 and SHA384 common constants and defines ================= */
 
@@ -1251,7 +1365,6 @@ void
 SHA384_End(SHA384Context *ctx, unsigned char *digest,
 		 unsigned int *digestLen, unsigned int maxDigestLen)
 {
-#define SHA_MIN(a,b) (a < b ? a : b)
     unsigned int maxLen = SHA_MIN(maxDigestLen, SHA384_LENGTH);
     SHA512_End(ctx, digest, digestLen, maxLen);
 }
@@ -1337,6 +1450,38 @@ void test256(void)
     dumpHash32(outBuf, sizeof outBuf);
 }
 
+void test224(void)
+{
+    SHA224Context ctx;
+    unsigned char a1000times[1000];
+    unsigned int outLen;
+    unsigned char outBuf[SHA224_LENGTH];
+    int i;
+
+    /* Test Vector 1 */
+    printf("SHA224, input = %s\n", abc);
+    SHA224_Hash(outBuf, abc);
+    dumpHash32(outBuf, sizeof outBuf);
+
+    /* Test Vector 2 */
+    printf("SHA224, input = %s\n", abcdbc);
+    SHA224_Hash(outBuf, abcdbc);
+    dumpHash32(outBuf, sizeof outBuf);
+
+    /* Test Vector 3 */
+
+    /* to hash one million 'a's perform 1000
+     * sha224 updates on a buffer with 1000 'a's 
+     */
+    memset(a1000times, 'a', 1000);
+    printf("SHA224, input = %s\n", "a one million times");
+    SHA224_Begin(&ctx);
+    for (i = 0; i < 1000; i++)
+        SHA224_Update(&ctx, a1000times, 1000);
+    SHA224_End(&ctx, outBuf, &outLen, SHA224_LENGTH);
+    dumpHash32(outBuf, sizeof outBuf);
+}
+
 void
 dumpHash64(const unsigned char *buf, unsigned int bufLen)
 {
@@ -1392,9 +1537,10 @@ int main (int argc, char *argv[], char *envp[])
     	i = atoi(argv[1]);
     }
     if (i < 2) {
+	test224();
 	test256();
-	test512();
 	test384();
+	test512();
     } else {
     	while (i-- > 0) {
 	    time512();
diff --git a/security/nss/lib/freebl/sha_fast.h b/security/nss/lib/freebl/sha_fast.h
index 952d2cf93fa9..ade10a091848 100644
--- a/security/nss/lib/freebl/sha_fast.h
+++ b/security/nss/lib/freebl/sha_fast.h
@@ -93,7 +93,6 @@ swap4b(PRUint32 dwd)
 
 #if defined(__GNUC__) 
 /* __x86_64__  and __x86_64 are defined by GCC on x86_64 CPUs */
-
 #if defined( SHA1_USING_64_BIT )
 static __inline__ PRUint64 SHA_ROTL(PRUint64 x, PRUint32 n)
 {
@@ -115,6 +114,26 @@ static __inline__ PRUint32 swap4b(PRUint32 value)
     return (value);
 }
 #define SHA_HTONL(x) swap4b(x)
+
+#elif defined(__thumb2__) || \
+      (!defined(__thumb__) && \
+       (defined(__ARM_ARCH_6__) || \
+        defined(__ARM_ARCH_6J__) || \
+        defined(__ARM_ARCH_6K__) || \
+        defined(__ARM_ARCH_6Z__) || \
+        defined(__ARM_ARCH_6ZK__) || \
+        defined(__ARM_ARCH_6T2__) || \
+        defined(__ARM_ARCH_7__) || \
+        defined(__ARM_ARCH_7A__) || \
+        defined(__ARM_ARCH_7R__)))
+static __inline__ PRUint32 swap4b(PRUint32 value)
+{
+    PRUint32 ret;
+    __asm__("rev %0, %1" : "=r" (ret) : "r"(value));
+    return ret;
+}
+#define SHA_HTONL(x) swap4b(x)
+
 #endif /* x86 family */
 
 #endif /* __GNUC__ */
diff --git a/security/nss/lib/freebl/shvfy.c b/security/nss/lib/freebl/shvfy.c
index 8a62720effa9..783b4c5ac39b 100644
--- a/security/nss/lib/freebl/shvfy.c
+++ b/security/nss/lib/freebl/shvfy.c
@@ -34,7 +34,7 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: shvfy.c,v 1.13 2010/04/29 00:17:52 rrelyea%redhat.com Exp $ */
+/* $Id: shvfy.c,v 1.15 2010/12/06 17:22:49 kaie%kuix.de Exp $ */
 
 #ifdef FREEBL_NO_DEPEND
 #include "stubs.h"
@@ -48,6 +48,208 @@
 #include "stdio.h"
 #include "prmem.h"
 
+/*
+ * Most modern version of Linux support a speed optimization scheme where an
+ * application called prelink modifies programs and shared libraries to quickly
+ * load if they fit into an already designed address space. In short, prelink
+ * scans the list of programs and libraries on your system, assigns them a
+ * predefined space in the the address space, then provides the fixups to the
+ * library.
+
+ * The modification of the shared library is correctly detected by the freebl
+ * FIPS checksum scheme where we check a signed hash of the library against the
+ * library itself.
+ * 
+ * The prelink command itself can reverse the process of modification and
+ * output the prestine shared library as it was before prelink made it's
+ * changes. If FREEBL_USE_PRELINK is set Freebl uses prelink to output the
+ * original copy of the shared library before prelink modified it.
+ */
+#ifdef FREEBL_USE_PRELINK
+#ifndef FREELB_PRELINK_COMMAND
+#define FREEBL_PRELINK_COMMAND "/usr/sbin/prelink -u -o -"
+#endif
+#include "private/pprio.h"
+
+#include 
+#include 
+#include 
+#include 
+#include 
+
+/*
+ * This function returns an NSPR PRFileDesc * which the caller can read to
+ * obtain the prestine value of the shared library, before any OS related
+ * changes to it (usually address fixups). 
+ *
+ * If prelink is installed, this
+ * file descriptor is a pipe connecting the output of 
+ *            /usr/sbin/prelink -u -o - {Library}
+ * and *pid returns the process id of the prelink child.
+ *
+ * If prelink is not installed, it returns a normal readonly handle to the
+ * library itself and *pid is set to '0'.
+ */
+PRFileDesc *
+bl_OpenUnPrelink(const char *shName, int *pid)
+{
+    char *command= strdup(FREEBL_PRELINK_COMMAND);
+    char *argString = NULL;
+    char  **argv = NULL;
+    char *shNameArg = NULL;
+    char *cp;
+    pid_t child;
+    int argc = 0, argNext = 0;
+    struct stat statBuf;
+    int pipefd[2] = {-1,-1};
+    int ret;
+
+    *pid = 0;
+
+    /* make sure the prelink command exists first. If not, fall back to
+     * just reading the file */
+    for (cp = command; *cp ; cp++) {
+	if (*cp == ' ') {
+	    *cp++ = 0;
+	    argString = cp;
+	    break;
+        }
+    }
+    memset (&statBuf, 0, sizeof(statBuf));
+    /* stat the file, follow the link */
+    ret = stat(command, &statBuf);
+    if (ret < 0) {
+	free(command);
+	return PR_Open(shName, PR_RDONLY, 0);
+    }
+    /* file exits, make sure it's an executable */
+    if (!S_ISREG(statBuf.st_mode) || 
+			((statBuf.st_mode & (S_IXUSR|S_IXGRP|S_IXOTH)) == 0)) {
+	free(command);
+	return PR_Open(shName, PR_RDONLY, 0);
+    }
+
+    /* OK, the prelink command exists and looks correct, use it */
+    /* build the arglist while we can still malloc */
+    /* count the args if any */
+    if (argString && *argString) {
+	/* argString may have leading spaces, strip them off*/
+	for (cp = argString; *cp && *cp == ' '; cp++);
+	argString = cp;
+	if (*cp) {
+	    /* there is at least one arg.. */
+	    argc = 1;
+	}
+
+        /* count the rest: Note there is no provision for escaped
+         * spaces here */
+	for (cp = argString; *cp ; cp++) {
+	    if (*cp == ' ') {
+		while (*cp && *cp == ' ') cp++;
+		if (*cp) argc++;
+	    }
+	}
+    }
+
+    /* add the additional args: argv[0] (command), shName, NULL*/
+    argc += 3;
+    argv = PORT_NewArray(char *, argc);
+    if (argv == NULL) {
+	goto loser;
+    }
+
+    /* fill in the arglist */
+    argv[argNext++] = command;
+    if (argString && *argString) {
+	argv[argNext++] = argString;
+	for (cp = argString; *cp; cp++) {
+	    if (*cp == ' ') {
+		*cp++ = 0;
+		while (*cp && *cp == ' ') cp++;
+		if (*cp) argv[argNext++] = cp;
+	    }
+	}
+    }
+    /* exec doesn't advertise taking const char **argv, do the paranoid
+     * copy */
+    shNameArg = strdup(shName);
+    if (shNameArg == NULL) {
+	goto loser;
+    }
+    argv[argNext++] = shNameArg;
+    argv[argNext++] = 0;
+    
+    ret = pipe(pipefd);
+    if (ret < 0) {
+	goto loser;
+    }
+
+    /* use vfork() so we don't trigger the pthread_at_fork() handlers */
+    child = vfork();
+    if (child < 0) goto loser;
+    if (child == 0) {
+	/* set up the file descriptors */
+	/* if we need to support BSD, this will need to be an open of 
+	 * /dev/null and dup2(nullFD, 0)*/
+	close(0);
+	/* associate pipefd[1] with stdout */
+	if (pipefd[1] != 1) dup2(pipefd[1], 1);
+	close(2);
+	close(pipefd[0]);
+	/* should probably close the other file descriptors? */
+
+
+	execv(command, argv);
+	/* avoid at_exit() handlers */
+	_exit(1); /* shouldn't reach here except on an error */
+    }
+    close(pipefd[1]);
+    pipefd[1] = -1;
+
+    /* this is safe because either vfork() as full fork() semantics, and thus
+     * already has it's own address space, or because vfork() has paused
+     * the parent util the exec or exit */
+    free(command);
+    free(shNameArg);
+    PORT_Free(argv);
+
+    *pid = child;
+
+    return PR_ImportPipe(pipefd[0]);
+
+loser:
+    if (pipefd[0] != -1) {
+	close(pipefd[0]);
+    }
+    if (pipefd[1] != -1) {
+	close(pipefd[1]);
+    }
+    free(command);
+    free(shNameArg);
+    PORT_Free(argv);
+
+    return NULL;
+}
+
+/*
+ * bl_CloseUnPrelink -
+ *
+ * This closes the file descripter and reaps and children openned and crated by
+ * b;_OpenUnprelink. It's primary difference between it and just close is
+ * that it calls wait on the pid if one is supplied, preventing zombie children
+ * from hanging around.
+ */
+void
+bl_CloseUnPrelink( PRFileDesc *file, int pid)
+{
+    /* close the file descriptor */
+    PR_Close(file);
+    /* reap the child */
+    if (pid) {
+	waitpid(pid, NULL, 0);
+    }
+}
+#endif
 
 /* #define DEBUG_SHVERIFY 1 */
 
@@ -105,8 +307,26 @@ readItem(PRFileDesc *fd, SECItem *item)
 PRBool
 BLAPI_SHVerify(const char *name, PRFuncPtr addr)
 {
+    PRBool result = PR_FALSE; /* if anything goes wrong,
+			       * the signature does not verify */
     /* find our shared library name */
     char *shName = PR_GetLibraryFilePathname(name, addr);
+    if (!shName) {
+	goto loser;
+    }
+    result = BLAPI_SHVerifyFile(shName);
+
+loser:
+    if (shName != NULL) {
+	PR_Free(shName);
+    }
+
+    return result;
+}
+
+PRBool
+BLAPI_SHVerifyFile(const char *shName)
+{
     char *checkName = NULL;
     PRFileDesc *checkFD = NULL;
     PRFileDesc *shFD = NULL;
@@ -117,10 +337,13 @@ BLAPI_SHVerify(const char *name, PRFuncPtr addr)
     SECStatus rv;
     DSAPublicKey key;
     int count;
+#ifdef FREEBL_USE_PRELINK
+    int pid = 0;
+#endif
 
     PRBool result = PR_FALSE; /* if anything goes wrong,
 			       * the signature does not verify */
-    unsigned char buf[512];
+    unsigned char buf[4096];
     unsigned char hashBuf[SHA1_LENGTH];
 
     PORT_Memset(&key,0,sizeof(key));
@@ -197,7 +420,11 @@ BLAPI_SHVerify(const char *name, PRFuncPtr addr)
     checkFD = NULL;
 
     /* open our library file */
+#ifdef FREEBL_USE_PRELINK
+    shFD = bl_OpenUnPrelink(shName,&pid);
+#else
     shFD = PR_Open(shName, PR_RDONLY, 0);
+#endif
     if (shFD == NULL) {
 #ifdef DEBUG_SHVERIFY
         fprintf(stderr, "Failed to open the library file %s: (%d, %d)\n",
@@ -218,7 +445,11 @@ BLAPI_SHVerify(const char *name, PRFuncPtr addr)
 	SHA1_Update(hashcx, buf, bytesRead);
 	count += bytesRead;
     }
+#ifdef FREEBL_USE_PRELINK
+    bl_CloseUnPrelink(shFD, pid);
+#else
     PR_Close(shFD);
+#endif
     shFD = NULL;
 
     SHA1_End(hashcx, hash.data, &hash.len, hash.len);
@@ -255,9 +486,6 @@ BLAPI_SHVerify(const char *name, PRFuncPtr addr)
 
 
 loser:
-    if (shName != NULL) {
-	PR_Free(shName);
-    }
     if (checkName != NULL) {
 	PORT_Free(checkName);
     }
@@ -292,8 +520,11 @@ loser:
 PRBool
 BLAPI_VerifySelf(const char *name)
 {
-    /* to separate shlib to verify if name is NULL */
     if (name == NULL) {
+	/*
+	 * If name is NULL, freebl is statically linked into softoken.
+	 * softoken will call BLAPI_SHVerify next to verify itself.
+	 */
 	return PR_TRUE;
     }
     return BLAPI_SHVerify(name, (PRFuncPtr) decodeInt);
diff --git a/security/nss/lib/freebl/stubs.c b/security/nss/lib/freebl/stubs.c
index 02d3f04518c2..9fd67b887fb7 100644
--- a/security/nss/lib/freebl/stubs.c
+++ b/security/nss/lib/freebl/stubs.c
@@ -70,6 +70,7 @@
 #include 
 #include 
 #include 
+#include 
 
 #define FREEBL_NO_WEAK 1
 
@@ -155,6 +156,7 @@ STUB_DECLARE(void,PR_DestroyCondVar,(PRCondVar *cvar));
 STUB_DECLARE(void,PR_Free,(void *ptr));
 STUB_DECLARE(char * ,PR_GetLibraryFilePathname,(const char *name,
 			PRFuncPtr addr));
+STUB_DECLARE(PRFileDesc *,PR_ImportPipe,(PROsfd osfd));
 STUB_DECLARE(void,PR_Lock,(PRLock *lock));
 STUB_DECLARE(PRCondVar *,PR_NewCondVar,(PRLock *lock));
 STUB_DECLARE(PRLock *,PR_NewLock,(void));
@@ -170,6 +172,7 @@ STUB_DECLARE(PRStatus,PR_Unlock,(PRLock *lock));
 STUB_DECLARE(PRStatus,PR_WaitCondVar,(PRCondVar *cvar,
 			PRIntervalTime timeout));
 
+
 STUB_DECLARE(SECItem *,SECITEM_AllocItem_Util,(PRArenaPool *arena, 
 			SECItem *item,unsigned int len));
 STUB_DECLARE(SECComparison,SECITEM_CompareItem_Util,(const SECItem *a, 
@@ -303,6 +306,20 @@ PR_Open_stub(const char *name, PRIntn flags, PRIntn mode)
     return (PRFileDesc *)lfd;
 }
 
+extern PRFileDesc *
+PR_ImportPipe_stub(PROsfd fd)
+{
+    int *lfd = NULL;
+
+    STUB_SAFE_CALL1(PR_ImportPipe, fd);
+
+    lfd = PORT_New_stub(int);
+    if (lfd != NULL) {
+	*lfd = fd;
+    }
+    return (PRFileDesc *)lfd;
+}
+
 extern PRStatus
 PR_Close_stub(PRFileDesc *fd)
 {
@@ -549,6 +566,7 @@ freebl_InitNSPR(void *lib)
 {
     STUB_FETCH_FUNCTION(PR_Free);
     STUB_FETCH_FUNCTION(PR_Open);
+    STUB_FETCH_FUNCTION(PR_ImportPipe);
     STUB_FETCH_FUNCTION(PR_Close);
     STUB_FETCH_FUNCTION(PR_Read);
     STUB_FETCH_FUNCTION(PR_Seek);
diff --git a/security/nss/lib/freebl/stubs.h b/security/nss/lib/freebl/stubs.h
index d435634ff169..dafa47017714 100644
--- a/security/nss/lib/freebl/stubs.h
+++ b/security/nss/lib/freebl/stubs.h
@@ -68,16 +68,16 @@
 #define SECITEM_CopyItem  SECITEM_CopyItem_stub
 #define SECITEM_FreeItem  SECITEM_FreeItem_stub
 #define SECITEM_ZfreeItem  SECITEM_ZfreeItem_stub
-
 #define NSS_SecureMemcmp NSS_SecureMemcmp_stub
 
-#define PR_DestroyCondVar PR_DestroyCondVar_stub
 #define PR_Assert  PR_Assert_stub
 #define PR_CallOnce  PR_CallOnce_stub
 #define PR_Close  PR_Close_stub
+#define PR_DestroyCondVar PR_DestroyCondVar_stub
 #define PR_DestroyLock  PR_DestroyLock_stub
 #define PR_Free  PR_Free_stub
 #define PR_GetLibraryFilePathname  PR_GetLibraryFilePathname_stub
+#define PR_ImportPipe  PR_ImportPipe_stub
 #define PR_Lock  PR_Lock_stub
 #define PR_NewCondVar PR_NewCondVar_stub
 #define PR_NewLock  PR_NewLock_stub
diff --git a/security/nss/lib/freebl/tlsprfalg.c b/security/nss/lib/freebl/tlsprfalg.c
index 4208ebc98c06..4eabf459bf66 100644
--- a/security/nss/lib/freebl/tlsprfalg.c
+++ b/security/nss/lib/freebl/tlsprfalg.c
@@ -35,7 +35,7 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: tlsprfalg.c,v 1.6 2008/11/18 19:48:24 rrelyea%redhat.com Exp $ */
+/* $Id: tlsprfalg.c,v 1.7 2010/08/10 22:03:36 rrelyea%redhat.com Exp $ */
 
 #ifdef FREEBL_NO_DEPEND
 #include "stubs.h"
@@ -46,11 +46,11 @@
 #include "blapi.h"
 
 
-#define PHASH_STATE_MAX_LEN SHA1_LENGTH
+#define PHASH_STATE_MAX_LEN HASH_LENGTH_MAX
 
 /* TLS P_hash function */
-static SECStatus
-sftk_P_hash(HASH_HashType hashType, const SECItem *secret, const char *label, 
+SECStatus
+TLS_P_hash(HASH_HashType hashType, const SECItem *secret, const char *label, 
 	SECItem *seed, SECItem *result, PRBool isFIPS)
 {
     unsigned char state[PHASH_STATE_MAX_LEN];
@@ -148,11 +148,11 @@ TLS_PRF(const SECItem *secret, const char *label, SECItem *seed,
 	goto loser;
     tmp.len = result->len;
 
-    status = sftk_P_hash(HASH_AlgMD5, &S1, label, seed, result, isFIPS);
+    status = TLS_P_hash(HASH_AlgMD5, &S1, label, seed, result, isFIPS);
     if (status != SECSuccess)
 	goto loser;
 
-    status = sftk_P_hash(HASH_AlgSHA1, &S2, label, seed, &tmp, isFIPS);
+    status = TLS_P_hash(HASH_AlgSHA1, &S2, label, seed, &tmp, isFIPS);
     if (status != SECSuccess)
 	goto loser;
 
diff --git a/security/nss/lib/jar/config.mk b/security/nss/lib/jar/config.mk
index 331dd1904688..1c6538ff4795 100644
--- a/security/nss/lib/jar/config.mk
+++ b/security/nss/lib/jar/config.mk
@@ -48,7 +48,7 @@ PROGRAM        =
 # NSS_X86 means the target is a 32-bits x86 CPU architecture
 # NSS_X64 means the target is a 64-bits x64 CPU architecture
 # NSS_X86_OR_X64 means the target is either x86 or x64
-ifeq (,$(filter-out x386 x86 x86_64,$(CPU_ARCH)))
+ifeq (,$(filter-out i386 x386 x86 x86_64,$(CPU_ARCH)))
         DEFINES += -DNSS_X86_OR_X64
 ifdef USE_64
         DEFINES += -DNSS_X64
diff --git a/security/nss/lib/jar/jarver.c b/security/nss/lib/jar/jarver.c
index 6aee23a777f7..37fe8a7bd838 100644
--- a/security/nss/lib/jar/jarver.c
+++ b/security/nss/lib/jar/jarver.c
@@ -124,7 +124,7 @@ JAR_parse_manifest(JAR *jar, char *raw_manifest, long length,
 {
     int filename_free = 0;
 
-    /* fill in the path, if supplied. This is a the location
+    /* fill in the path, if supplied. This is the location
 	 of the jar file on disk, if known */
 
     if (jar->filename == NULL && path) {
diff --git a/security/nss/lib/jar/manifest.mn b/security/nss/lib/jar/manifest.mn
index 9de67cc115ac..2255860c7a8b 100644
--- a/security/nss/lib/jar/manifest.mn
+++ b/security/nss/lib/jar/manifest.mn
@@ -49,8 +49,6 @@ CSRCS =	\
 	jarint.c \
 	$(NULL)
 
-REQUIRES = dbm
-
 EXPORTS	 = jar.h jar-ds.h jarfile.h
 
 DEFINES = -DMOZILLA_CLIENT=1
diff --git a/security/nss/lib/libpkix/pkix/certsel/manifest.mn b/security/nss/lib/libpkix/pkix/certsel/manifest.mn
index c5d1b4e01a48..62f11cb4f5ea 100755
--- a/security/nss/lib/libpkix/pkix/certsel/manifest.mn
+++ b/security/nss/lib/libpkix/pkix/certsel/manifest.mn
@@ -52,7 +52,5 @@ CSRCS = \
 	pkix_comcertselparams.c \
 	$(NULL)
 
-REQUIRES = dbm
-
 LIBRARY_NAME = pkixcertsel
 
diff --git a/security/nss/lib/libpkix/pkix/checker/manifest.mn b/security/nss/lib/libpkix/pkix/checker/manifest.mn
index 6a270287120f..8f3b9b326158 100755
--- a/security/nss/lib/libpkix/pkix/checker/manifest.mn
+++ b/security/nss/lib/libpkix/pkix/checker/manifest.mn
@@ -74,7 +74,5 @@ CSRCS = \
 	pkix_targetcertchecker.c \
 	$(NULL)
 
-REQUIRES = dbm
-
 LIBRARY_NAME = pkixchecker
 
diff --git a/security/nss/lib/libpkix/pkix/crlsel/manifest.mn b/security/nss/lib/libpkix/pkix/crlsel/manifest.mn
index 0679f260dbbb..a483e04ed185 100755
--- a/security/nss/lib/libpkix/pkix/crlsel/manifest.mn
+++ b/security/nss/lib/libpkix/pkix/crlsel/manifest.mn
@@ -52,7 +52,5 @@ CSRCS = \
 	pkix_comcrlselparams.c \
 	$(NULL)
 
-REQUIRES = dbm
-
 LIBRARY_NAME = pkixcrlsel
 
diff --git a/security/nss/lib/libpkix/pkix/params/manifest.mn b/security/nss/lib/libpkix/pkix/params/manifest.mn
index deadc6a1ce9d..e3f9c14505b8 100755
--- a/security/nss/lib/libpkix/pkix/params/manifest.mn
+++ b/security/nss/lib/libpkix/pkix/params/manifest.mn
@@ -56,7 +56,5 @@ CSRCS = \
 	pkix_resourcelimits.c \
 	$(NULL)
 
-REQUIRES = dbm
-
 LIBRARY_NAME = pkixparams
 
diff --git a/security/nss/lib/libpkix/pkix/results/manifest.mn b/security/nss/lib/libpkix/pkix/results/manifest.mn
index bcc975800458..6d16fec9b827 100755
--- a/security/nss/lib/libpkix/pkix/results/manifest.mn
+++ b/security/nss/lib/libpkix/pkix/results/manifest.mn
@@ -56,7 +56,5 @@ CSRCS = \
 	pkix_verifynode.c \
 	$(NULL)
 
-REQUIRES = dbm
-
 LIBRARY_NAME = pkixresults
 
diff --git a/security/nss/lib/libpkix/pkix/store/manifest.mn b/security/nss/lib/libpkix/pkix/store/manifest.mn
index 95101f26ca5d..025a1b5b966a 100755
--- a/security/nss/lib/libpkix/pkix/store/manifest.mn
+++ b/security/nss/lib/libpkix/pkix/store/manifest.mn
@@ -50,7 +50,5 @@ CSRCS = \
 	pkix_store.c \
 	$(NULL)
 
-REQUIRES = dbm
-
 LIBRARY_NAME = pkixstore
 
diff --git a/security/nss/lib/libpkix/pkix/top/manifest.mn b/security/nss/lib/libpkix/pkix/top/manifest.mn
index 67efa32fa4b7..a9c2729723ed 100755
--- a/security/nss/lib/libpkix/pkix/top/manifest.mn
+++ b/security/nss/lib/libpkix/pkix/top/manifest.mn
@@ -54,7 +54,5 @@ CSRCS = \
 	pkix_build.c \
 	$(NULL)
 
-REQUIRES = dbm
-
 LIBRARY_NAME = pkixtop
 
diff --git a/security/nss/lib/libpkix/pkix/util/manifest.mn b/security/nss/lib/libpkix/pkix/util/manifest.mn
index 8776310b4434..938788b578fb 100755
--- a/security/nss/lib/libpkix/pkix/util/manifest.mn
+++ b/security/nss/lib/libpkix/pkix/util/manifest.mn
@@ -57,7 +57,5 @@ CSRCS = \
 	pkix_errpaths.c \
 	$(NULL)
 
-REQUIRES = dbm
-
 LIBRARY_NAME = pkixutil
 
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/manifest.mn b/security/nss/lib/libpkix/pkix_pl_nss/module/manifest.mn
index c757dfe94010..478bc4d680b7 100755
--- a/security/nss/lib/libpkix/pkix_pl_nss/module/manifest.mn
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/manifest.mn
@@ -75,7 +75,5 @@ CSRCS = \
 	pkix_pl_socket.c \
 	$(NULL)
 
-REQUIRES = dbm
-
 LIBRARY_NAME = pkixmodule
 
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpdefaultclient.c b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpdefaultclient.c
index 1bd0a5a38083..649d97649a10 100644
--- a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpdefaultclient.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpdefaultclient.c
@@ -1350,6 +1350,7 @@ pkix_pl_HttpDefaultClient_TrySendAndReceive(
         PKIX_UInt32 postLen = 0;
         PRPollDesc *pollDesc = NULL;
         char *sendbuf = NULL;
+        char portstr[16];
 
         PKIX_ENTER
                 (HTTPDEFAULTCLIENT,
@@ -1393,13 +1394,19 @@ pkix_pl_HttpDefaultClient_TrySendAndReceive(
                 client->rcv_http_data = http_response_data;
 
                 /* prepare the message */
+                portstr[0] = '\0';
+                if (client->portnum != 80) {
+                        PR_snprintf(portstr, sizeof(portstr), ":%d", 
+                                    client->portnum);
+                }
+                
                 if (client->send_http_method == HTTP_POST_METHOD) {
                         sendbuf = PR_smprintf
-                            ("POST %s HTTP/1.0\r\nHost: %s:%d\r\n"
+                            ("POST %s HTTP/1.0\r\nHost: %s%s\r\n"
                             "Content-Type: %s\r\nContent-Length: %u\r\n\r\n",
                             client->path,
                             client->host,
-                            client->portnum,
+                            portstr,
                             client->send_http_content_type,
                             client->send_http_data_len);
                         postLen = PORT_Strlen(sendbuf);
@@ -1427,10 +1434,10 @@ pkix_pl_HttpDefaultClient_TrySendAndReceive(
                         
                 } else if (client->send_http_method == HTTP_GET_METHOD) {
                         client->GETBuf = PR_smprintf
-                            ("GET %s HTTP/1.1\r\nHost: %s:%d\r\n\r\n",
+                            ("GET %s HTTP/1.0\r\nHost: %s%s\r\n\r\n",
                             client->path,
                             client->host,
-                            client->portnum);
+                            portstr);
                         client->GETLen = PORT_Strlen(client->GETBuf);
                 }
 
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/manifest.mn b/security/nss/lib/libpkix/pkix_pl_nss/pki/manifest.mn
index 322ea85eb9ce..338532360cc2 100755
--- a/security/nss/lib/libpkix/pkix_pl_nss/pki/manifest.mn
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/manifest.mn
@@ -83,7 +83,5 @@ CSRCS = \
 	pkix_pl_ocspcertid.c \
 	$(NULL)
 
-REQUIRES = dbm
-
 LIBRARY_NAME = pkixpki
 
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/system/manifest.mn b/security/nss/lib/libpkix/pkix_pl_nss/system/manifest.mn
index bcf03ee37b67..a5c0e1808c81 100755
--- a/security/nss/lib/libpkix/pkix_pl_nss/system/manifest.mn
+++ b/security/nss/lib/libpkix/pkix_pl_nss/system/manifest.mn
@@ -75,7 +75,5 @@ CSRCS = \
 	pkix_pl_string.c \
 	$(NULL)
 
-REQUIRES = dbm
-
 LIBRARY_NAME = pkixsystem
 
diff --git a/security/nss/lib/nss/manifest.mn b/security/nss/lib/nss/manifest.mn
index b3bbd97a29ab..a497cd10f240 100644
--- a/security/nss/lib/nss/manifest.mn
+++ b/security/nss/lib/nss/manifest.mn
@@ -52,8 +52,6 @@ CSRCS = \
 	utilwrap.c \
 	$(NULL)
 
-REQUIRES = dbm
-
 MAPFILE = $(OBJDIR)/nss.def
 
 LIBRARY_NAME = nss
diff --git a/security/nss/lib/nss/nss.def b/security/nss/lib/nss/nss.def
index 0373d80d5608..c7674de54432 100644
--- a/security/nss/lib/nss/nss.def
+++ b/security/nss/lib/nss/nss.def
@@ -1020,3 +1020,11 @@ CERT_DestroyCERTRevocationFlags;
 ;+    local:
 ;+       *;
 ;+};
+;+NSS_3.13 { 	# NSS 3.13 release
+;+    global:
+;;SECKEY_RSAPSSParamsTemplate DATA ;
+NSS_Get_SECKEY_RSAPSSParamsTemplate;
+NSS_GetVersion;
+;+    local:
+;+       *;
+;+};
diff --git a/security/nss/lib/nss/nss.h b/security/nss/lib/nss/nss.h
index 6d9aa8700780..c3e119ebea24 100644
--- a/security/nss/lib/nss/nss.h
+++ b/security/nss/lib/nss/nss.h
@@ -36,7 +36,7 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: nss.h,v 1.81.2.8 2011/08/09 15:56:30 kaie%kuix.de Exp $ */
+/* $Id: nss.h,v 1.83 2011/08/01 07:08:08 kaie%kuix.de Exp $ */
 
 #ifndef __nss_h_
 #define __nss_h_
@@ -66,12 +66,12 @@
  * The format of the version string should be
  *     ".[.[.]][ ][ ]"
  */
-#define NSS_VERSION  "3.12.11.0" _NSS_ECC_STRING _NSS_CUSTOMIZED
+#define NSS_VERSION  "3.13.0.0" _NSS_ECC_STRING _NSS_CUSTOMIZED " Beta"
 #define NSS_VMAJOR   3
-#define NSS_VMINOR   12
-#define NSS_VPATCH   11
+#define NSS_VMINOR   13
+#define NSS_VPATCH   0
 #define NSS_VBUILD   0
-#define NSS_BETA     PR_FALSE
+#define NSS_BETA     PR_TRUE
 
 #ifndef RC_INVOKED
 
@@ -157,7 +157,7 @@ SEC_BEGIN_PROTOS
  * Return a boolean that indicates whether the underlying library
  * will perform as the caller expects.
  *
- * The only argument is a string, which should be the verson
+ * The only argument is a string, which should be the version
  * identifier of the NSS library. That string will be compared
  * against a string that represents the actual build version of
  * the NSS library.  It also invokes the version checking functions
@@ -165,6 +165,11 @@ SEC_BEGIN_PROTOS
  */
 extern PRBool NSS_VersionCheck(const char *importedVersion);
 
+/*
+ * Returns a const string of the NSS library version.
+ */
+extern const char *NSS_GetVersion(void);
+
 /*
  * Open the Cert, Key, and Security Module databases, read only.
  * Initialize the Random Number Generator.
diff --git a/security/nss/lib/nss/nssinit.c b/security/nss/lib/nss/nssinit.c
index cafa012093ec..da05206bfd12 100644
--- a/security/nss/lib/nss/nssinit.c
+++ b/security/nss/lib/nss/nssinit.c
@@ -36,14 +36,16 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: nssinit.c,v 1.106 2010/04/03 20:06:00 nelson%bolyard.com Exp $ */
+/* $Id: nssinit.c,v 1.108 2011/08/17 14:40:49 emaldona%redhat.com Exp $ */
 
 #include 
 #include 
 #include "seccomon.h"
+#include "prerror.h"
 #include "prinit.h"
 #include "prprf.h"
 #include "prmem.h"
+#include "prtypes.h"
 #include "cert.h"
 #include "key.h"
 #include "secmod.h"
@@ -51,7 +53,9 @@
 #include "nss.h"
 #include "pk11func.h"
 #include "secerr.h"
+#include "errstrs.h"
 #include "nssbase.h"
+#include "nssutil.h"
 #include "pkixt.h"
 #include "pkix.h"
 #include "pkix_tools.h"
@@ -377,6 +381,7 @@ nss_InitModules(const char *configdir, const char *certPrefix,
 		PRBool isContextInit)
 {
     SECStatus rv = SECFailure;
+    PRStatus status = PR_SUCCESS;
     char *moduleSpec = NULL;
     char *flags = NULL;
     char *lconfigdir = NULL;
@@ -389,6 +394,12 @@ nss_InitModules(const char *configdir, const char *certPrefix,
     char *lupdateID = NULL;
     char *lupdateName = NULL;
 
+    status = NSS_InitializePRErrorTable();
+    if (status != PR_SUCCESS) {
+	PORT_SetError(status);
+	return SECFailure;
+    }
+
     flags = nss_makeFlags(readOnly,noCertDB,noModDB,forceOpen,
 					pwRequired, optimizeSpace);
     if (flags == NULL) return rv;
@@ -1204,3 +1215,9 @@ NSS_VersionCheck(const char *importedVersion)
     }
     return PR_TRUE;
 }
+
+const char *
+NSS_GetVersion(void)
+{
+    return NSS_VERSION;
+}
diff --git a/security/nss/lib/pk11wrap/debug_module.c b/security/nss/lib/pk11wrap/debug_module.c
index 0b29647a6df1..cbe8a891d339 100644
--- a/security/nss/lib/pk11wrap/debug_module.c
+++ b/security/nss/lib/pk11wrap/debug_module.c
@@ -163,18 +163,18 @@ static void get_attr_type_str(CK_ATTRIBUTE_TYPE atype, char *str, int len)
     CASE(CKA_RESET_ON_INIT);
     CASE(CKA_HAS_RESET);
     CASE(CKA_VENDOR_DEFINED);
-    CASE(CKA_NETSCAPE_URL);
-    CASE(CKA_NETSCAPE_EMAIL);
-    CASE(CKA_NETSCAPE_SMIME_INFO);
-    CASE(CKA_NETSCAPE_SMIME_TIMESTAMP);
-    CASE(CKA_NETSCAPE_PKCS8_SALT);
-    CASE(CKA_NETSCAPE_PASSWORD_CHECK);
-    CASE(CKA_NETSCAPE_EXPIRES);
-    CASE(CKA_NETSCAPE_KRL);
-    CASE(CKA_NETSCAPE_PQG_COUNTER);
-    CASE(CKA_NETSCAPE_PQG_SEED);
-    CASE(CKA_NETSCAPE_PQG_H);
-    CASE(CKA_NETSCAPE_PQG_SEED_BITS);
+    CASE(CKA_NSS_URL);
+    CASE(CKA_NSS_EMAIL);
+    CASE(CKA_NSS_SMIME_INFO);
+    CASE(CKA_NSS_SMIME_TIMESTAMP);
+    CASE(CKA_NSS_PKCS8_SALT);
+    CASE(CKA_NSS_PASSWORD_CHECK);
+    CASE(CKA_NSS_EXPIRES);
+    CASE(CKA_NSS_KRL);
+    CASE(CKA_NSS_PQG_COUNTER);
+    CASE(CKA_NSS_PQG_SEED);
+    CASE(CKA_NSS_PQG_H);
+    CASE(CKA_NSS_PQG_SEED_BITS);
     CASE(CKA_TRUST);
     CASE(CKA_TRUST_DIGITAL_SIGNATURE);
     CASE(CKA_TRUST_NON_REPUDIATION);
@@ -216,10 +216,10 @@ static void get_obj_class(CK_OBJECT_CLASS objClass, char *str, int len)
     CASE(CKO_SECRET_KEY);
     CASE(CKO_HW_FEATURE);
     CASE(CKO_DOMAIN_PARAMETERS);
-    CASE(CKO_NETSCAPE_CRL);
-    CASE(CKO_NETSCAPE_SMIME);
-    CASE(CKO_NETSCAPE_TRUST);
-    CASE(CKO_NETSCAPE_BUILTIN_ROOT_LIST);
+    CASE(CKO_NSS_CRL);
+    CASE(CKO_NSS_SMIME);
+    CASE(CKO_NSS_TRUST);
+    CASE(CKO_NSS_BUILTIN_ROOT_LIST);
     default: break;
     }
     if (a)
@@ -233,13 +233,12 @@ static void get_trust_val(CK_TRUST trust, char *str, int len)
     const char * a = NULL;
 
     switch (trust) {
-    CASE(CKT_NETSCAPE_TRUSTED);
-    CASE(CKT_NETSCAPE_TRUSTED_DELEGATOR);
-    CASE(CKT_NETSCAPE_UNTRUSTED);
-    CASE(CKT_NETSCAPE_MUST_VERIFY);
-    CASE(CKT_NETSCAPE_TRUST_UNKNOWN);
-    CASE(CKT_NETSCAPE_VALID);
-    CASE(CKT_NETSCAPE_VALID_DELEGATOR);
+    CASE(CKT_NSS_TRUSTED);
+    CASE(CKT_NSS_TRUSTED_DELEGATOR);
+    CASE(CKT_NSS_NOT_TRUSTED);
+    CASE(CKT_NSS_MUST_VERIFY_TRUST);
+    CASE(CKT_NSS_TRUST_UNKNOWN);
+    CASE(CKT_NSS_VALID_DELEGATOR);
     default: break;
     }
     if (a)
@@ -688,8 +687,8 @@ static void print_attr_value(CK_ATTRIBUTE_PTR attr)
 	    break;
 	}
     case CKA_LABEL:
-    case CKA_NETSCAPE_EMAIL:
-    case CKA_NETSCAPE_URL:
+    case CKA_NSS_EMAIL:
+    case CKA_NSS_URL:
 	if (attr->ulValueLen > 0 && attr->pValue) {
 	    len = PR_MIN(attr->ulValueLen + 1, sizeof valstr);
 	    PR_snprintf(valstr, len, "%s", attr->pValue);
diff --git a/security/nss/lib/pk11wrap/dev3hack.c b/security/nss/lib/pk11wrap/dev3hack.c
index af50b1748e5e..8691f651ea2b 100644
--- a/security/nss/lib/pk11wrap/dev3hack.c
+++ b/security/nss/lib/pk11wrap/dev3hack.c
@@ -35,7 +35,7 @@
  * ***** END LICENSE BLOCK ***** */
 
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: dev3hack.c,v $ $Revision: 1.25 $ $Date: 2008/09/30 04:09:04 $";
+static const char CVS_ID[] = "@(#) $RCSfile: dev3hack.c,v $ $Revision: 1.26 $ $Date: 2010/09/09 21:14:24 $";
 #endif /* DEBUG */
 
 #ifndef PKIT_H
@@ -85,39 +85,41 @@ nssSlot_CreateSession
 )
 {
     nssSession *rvSession;
+
+    if (!readWrite) {
+	/* nss3hack version only returns rw swssions */
+	return NULL;
+    }
     rvSession = nss_ZNEW(arenaOpt, nssSession);
     if (!rvSession) {
 	return (nssSession *)NULL;
     }
-    if (readWrite) {
-	rvSession->handle = PK11_GetRWSession(slot->pk11slot);
-	if (rvSession->handle == CK_INVALID_HANDLE) {
+
+    rvSession->handle = PK11_GetRWSession(slot->pk11slot);
+    if (rvSession->handle == CK_INVALID_HANDLE) {
 	    nss_ZFreeIf(rvSession);
 	    return NULL;
-	}
-	rvSession->isRW = PR_TRUE;
-	rvSession->slot = slot;
-        /*
-         * The session doesn't need its own lock.  Here's why.
-         * 1. If we are reusing the default RW session of the slot,
-         *    the slot lock is already locked to protect the session.
-         * 2. If the module is not thread safe, the slot (or rather
-         *    module) lock is already locked.
-         * 3. If the module is thread safe and we are using a new
-         *    session, no higher-level lock has been locked and we
-         *    would need a lock for the new session.  However, the
-         *    current usage of the session is that it is always
-         *    used and destroyed within the same function and never
-         *    shared with another thread.
-         * So the session is either already protected by another
-         * lock or only used by one thread.
-         */
-        rvSession->lock = NULL;
-        rvSession->ownLock = PR_FALSE;
-	return rvSession;
-    } else {
-	return NULL;
     }
+    rvSession->isRW = PR_TRUE;
+    rvSession->slot = slot;
+    /*
+     * The session doesn't need its own lock.  Here's why.
+     * 1. If we are reusing the default RW session of the slot,
+     *    the slot lock is already locked to protect the session.
+     * 2. If the module is not thread safe, the slot (or rather
+     *    module) lock is already locked.
+     * 3. If the module is thread safe and we are using a new
+     *    session, no higher-level lock has been locked and we
+     *    would need a lock for the new session.  However, the
+     *    current usage of the session is that it is always
+     *    used and destroyed within the same function and never
+     *    shared with another thread.
+     * So the session is either already protected by another
+     * lock or only used by one thread.
+     */
+    rvSession->lock = NULL;
+    rvSession->ownLock = PR_FALSE;
+    return rvSession;
 }
 
 NSS_IMPLEMENT PRStatus
diff --git a/security/nss/lib/pk11wrap/manifest.mn b/security/nss/lib/pk11wrap/manifest.mn
index 0fb04d3e4763..8f6924c373eb 100644
--- a/security/nss/lib/pk11wrap/manifest.mn
+++ b/security/nss/lib/pk11wrap/manifest.mn
@@ -77,8 +77,6 @@ CSRCS = \
 	pk11util.c \
 	$(NULL)
 
-REQUIRES = dbm
-
 LIBRARY_NAME = pk11wrap
 
 LIBRARY_VERSION = 3
diff --git a/security/nss/lib/pk11wrap/pk11akey.c b/security/nss/lib/pk11wrap/pk11akey.c
index d268146f3c22..6e1dc1712cb2 100644
--- a/security/nss/lib/pk11wrap/pk11akey.c
+++ b/security/nss/lib/pk11wrap/pk11akey.c
@@ -223,6 +223,9 @@ PK11_ImportPublicKey(PK11SlotInfo *slot, SECKEYPublicKey *pubKey,
 	    }
 	    break;
 	default:
+	    if (ckaId) {
+		SECITEM_FreeItem(ckaId,PR_TRUE);
+	    }
 	    PORT_SetError( SEC_ERROR_BAD_KEY );
 	    return CK_INVALID_HANDLE;
 	}
@@ -272,7 +275,7 @@ pk11_Attr2SecItem(PRArenaPool *arena, const CK_ATTRIBUTE *attr, SECItem *item)
 /*
  * get a curve length from a set of ecParams.
  * 
- * We need this so we can reliably determine if a the ecPoint passed to us
+ * We need this so we can reliably determine if the ecPoint passed to us
  * was encoded or not. With out this, for many curves, we would incorrectly
  * identify an unencoded curve as an encoded curve 1 in 65536 times, and for
  * a few we would make that same mistake 1 in 32768 times. These are bad 
@@ -465,7 +468,7 @@ pk11_get_Decoded_ECPoint(PRArenaPool *arena, const SECItem *ecParams,
 	 * form that's correct, with a preference for the encoded form if we
 	 * can't determine for sure. We do this by checking the key we got
 	 * back from SEC_QuickDERDecodeItem for defects. If no defects are
-	 * found, we assume the encoded paramter was was passed to us.
+	 * found, we assume the encoded parameter was was passed to us.
 	 * our defect tests include:
 	 *   1) it didn't decode.
 	 *   2) The decode key had an invalid length (must be odd).
diff --git a/security/nss/lib/pk11wrap/pk11cert.c b/security/nss/lib/pk11wrap/pk11cert.c
index 78acd302c430..43047e78a9bb 100644
--- a/security/nss/lib/pk11wrap/pk11cert.c
+++ b/security/nss/lib/pk11wrap/pk11cert.c
@@ -1367,6 +1367,69 @@ loser:
     return NULL;
 }
 
+static PRCallOnceType keyIDHashCallOnce;
+
+static PRStatus PR_CALLBACK
+pk11_keyIDHash_populate(void *wincx)
+{
+    CERTCertList     *certList;
+    CERTCertListNode *node = NULL;
+    SECItem           subjKeyID = {siBuffer, NULL, 0};
+    SECItem          *slotid = NULL;
+    SECMODModuleList *modules, *mlp;
+    SECMODListLock   *moduleLock;
+    int               i;
+
+    certList = PK11_ListCerts(PK11CertListUser, wincx);
+    if (!certList) {
+	return PR_FAILURE;
+    }
+
+    for (node = CERT_LIST_HEAD(certList);
+         !CERT_LIST_END(node, certList);
+         node = CERT_LIST_NEXT(node)) {
+	if (CERT_FindSubjectKeyIDExtension(node->cert, 
+	                                   &subjKeyID) == SECSuccess && 
+	    subjKeyID.data != NULL) {
+	    cert_AddSubjectKeyIDMapping(&subjKeyID, node->cert);
+	    SECITEM_FreeItem(&subjKeyID, PR_FALSE);
+	}
+    }
+    CERT_DestroyCertList(certList);
+
+    /*
+     * Record the state of each slot in a hash. The concatenation of slotID
+     * and moduleID is used as its key, with the slot series as its value.
+     */
+    slotid = SECITEM_AllocItem(NULL, NULL,
+                               sizeof(CK_SLOT_ID) + sizeof(SECMODModuleID));
+    if (!slotid) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return PR_FAILURE;
+    }
+    moduleLock = SECMOD_GetDefaultModuleListLock();
+    if (!moduleLock) {
+	PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
+	return PR_FAILURE;
+    }
+    SECMOD_GetReadLock(moduleLock);
+    modules = SECMOD_GetDefaultModuleList();
+    for (mlp = modules; mlp; mlp = mlp->next) {
+	for (i = 0; i < mlp->module->slotCount; i++) {
+	    memcpy(slotid->data, &mlp->module->slots[i]->slotID,
+	           sizeof(CK_SLOT_ID));
+	    memcpy(&slotid->data[sizeof(CK_SLOT_ID)], &mlp->module->moduleID,
+	           sizeof(SECMODModuleID));
+	    cert_UpdateSubjectKeyIDSlotCheck(slotid,
+	                                     mlp->module->slots[i]->series);
+	}
+    }
+    SECMOD_ReleaseReadLock(moduleLock);
+    SECITEM_FreeItem(slotid, PR_TRUE);
+
+    return PR_SUCCESS;
+}
+
 /*
  * We're looking for a cert which we have the private key for that's on the
  * list of recipients. This searches one slot.
@@ -1379,11 +1442,77 @@ pk11_FindCertObjectByRecipientNew(PK11SlotInfo *slot, NSSCMSRecipient **recipien
 {
     NSSCMSRecipient *ri = NULL;
     int i;
+    PRBool tokenRescanDone = PR_FALSE;
 
     for (i=0; (ri = recipientlist[i]) != NULL; i++) {
 	CERTCertificate *cert = NULL;
 	if (ri->kind == RLSubjKeyID) {
 	    SECItem *derCert = cert_FindDERCertBySubjectKeyID(ri->id.subjectKeyID);
+	    if (!derCert && !tokenRescanDone) {
+		/*
+		 * We didn't find the cert by its key ID. If we have slots
+		 * with removable tokens, a failure from
+		 * cert_FindDERCertBySubjectKeyID doesn't necessarily imply
+		 * that the cert is unavailable - the token might simply
+		 * have been inserted after the initial run of
+		 * pk11_keyIDHash_populate (wrapped by PR_CallOnceWithArg),
+		 * or a different token might have been present in that
+		 * slot, initially. Let's check for new tokens...
+		 */
+		PK11SlotList *sl = PK11_GetAllTokens(CKM_INVALID_MECHANISM,
+		                                     PR_FALSE, PR_FALSE, pwarg);
+		if (sl) {
+		    PK11SlotListElement *le;
+		    SECItem *slotid = SECITEM_AllocItem(NULL, NULL,
+		                   sizeof(CK_SLOT_ID) + sizeof(SECMODModuleID));
+		    if (!slotid) {
+			PORT_SetError(SEC_ERROR_NO_MEMORY);
+			return NULL;
+		    }
+		    for (le = sl->head; le; le = le->next) {
+			memcpy(slotid->data, &le->slot->slotID,
+			       sizeof(CK_SLOT_ID));
+			memcpy(&slotid->data[sizeof(CK_SLOT_ID)],
+			       &le->slot->module->moduleID,
+			       sizeof(SECMODModuleID));
+			/*
+			 * Any changes with the slot since our last check?
+			 * If so, re-read the certs in that specific slot.
+			 */
+			if (cert_SubjectKeyIDSlotCheckSeries(slotid)
+			    != PK11_GetSlotSeries(le->slot)) {
+			    CERTCertListNode *node = NULL;
+			    SECItem subjKeyID = {siBuffer, NULL, 0};
+			    CERTCertList *cl = PK11_ListCertsInSlot(le->slot);
+			    if (!cl) {
+				continue;
+			    }
+			    for (node = CERT_LIST_HEAD(cl);
+			         !CERT_LIST_END(node, cl);
+			         node = CERT_LIST_NEXT(node)) {
+				if (CERT_IsUserCert(node->cert) &&
+				    CERT_FindSubjectKeyIDExtension(node->cert,
+				                   &subjKeyID) == SECSuccess) {
+				    if (subjKeyID.data) {
+					cert_AddSubjectKeyIDMapping(&subjKeyID,
+					                            node->cert);
+					cert_UpdateSubjectKeyIDSlotCheck(slotid,
+					          PK11_GetSlotSeries(le->slot));
+				    }
+				    SECITEM_FreeItem(&subjKeyID, PR_FALSE);
+				}
+			    }
+			    CERT_DestroyCertList(cl);
+			}
+		    }
+		    PK11_FreeSlotList(sl);
+		    SECITEM_FreeItem(slotid, PR_TRUE);
+		}
+		/* only check once per message/recipientlist */
+		tokenRescanDone = PR_TRUE;
+		/* do another lookup (hopefully we found that cert...) */
+		derCert = cert_FindDERCertBySubjectKeyID(ri->id.subjectKeyID);
+	    }
 	    if (derCert) {
 		cert = PK11_FindCertFromDERCertItem(slot, derCert, pwarg);
 		SECITEM_FreeItem(derCert, PR_TRUE);
@@ -1558,34 +1687,6 @@ loser:
     return NULL;
 }
 
-static PRCallOnceType keyIDHashCallOnce;
-
-static PRStatus PR_CALLBACK
-pk11_keyIDHash_populate(void *wincx)
-{
-    CERTCertList     *certList;
-    CERTCertListNode *node = NULL;
-    SECItem           subjKeyID = {siBuffer, NULL, 0};
-
-    certList = PK11_ListCerts(PK11CertListUser, wincx);
-    if (!certList) {
-	return PR_FAILURE;
-    }
-
-    for (node = CERT_LIST_HEAD(certList);
-         !CERT_LIST_END(node, certList);
-         node = CERT_LIST_NEXT(node)) {
-	if (CERT_FindSubjectKeyIDExtension(node->cert, 
-	                                   &subjKeyID) == SECSuccess && 
-	    subjKeyID.data != NULL) {
-	    cert_AddSubjectKeyIDMapping(&subjKeyID, node->cert);
-	    SECITEM_FreeItem(&subjKeyID, PR_FALSE);
-	}
-    }
-    CERT_DestroyCertList(certList);
-    return PR_SUCCESS;
-}
-
 /*
  * This is the new version of the above function for NSS SMIME code
  * this stuff should REALLY be in the SMIME code, but some things in here are not public
@@ -2060,14 +2161,14 @@ PK11_FindCertFromDERCert(PK11SlotInfo *slot, CERTCertificate *cert,
 }
 
 CERTCertificate *
-PK11_FindCertFromDERCertItem(PK11SlotInfo *slot, SECItem *inDerCert,
+PK11_FindCertFromDERCertItem(PK11SlotInfo *slot, const SECItem *inDerCert,
 								 void *wincx)
 
 {
-    NSSCertificate *c;
     NSSDER derCert;
     NSSToken *tok;
     NSSTrustDomain *td = STAN_GetDefaultTrustDomain();
+    nssCryptokiObject *co = NULL;
     SECStatus rv;
 
     tok = PK11Slot_GetNSSToken(slot);
@@ -2077,26 +2178,12 @@ PK11_FindCertFromDERCertItem(PK11SlotInfo *slot, SECItem *inDerCert,
 	PK11_FreeSlot(slot);
 	return NULL;
     }
-    c = NSSTrustDomain_FindCertificateByEncodedCertificate(td, &derCert);
-    if (c) {
-	PRBool isToken = PR_FALSE;
-	NSSToken **tp;
-	NSSToken **tokens = nssPKIObject_GetTokens(&c->object, NULL);
-	if (tokens) {
-	    for (tp = tokens; *tp; tp++) {
-		if (*tp == tok) {
-		    isToken = PR_TRUE;
-		    break;
-		}
-	    }
-	    if (!isToken) {
-		NSSCertificate_Destroy(c);
-		c = NULL;
-	    }
-	    nssTokenArray_Destroy(tokens);
-	}
-    }
-    return c ? STAN_GetCERTCertificateOrRelease(c) : NULL;
+
+    co = nssToken_FindCertificateByEncodedCertificate(tok, NULL, &derCert,
+                                          nssTokenSearchType_TokenOnly, NULL);
+
+    return co ? PK11_MakeCertFromHandle(slot, co->handle, NULL) : NULL;
+
 } 
 
 /*
@@ -2188,11 +2275,8 @@ PK11_ImportCertForKeyToSlot(PK11SlotInfo *slot, CERTCertificate *cert,
 PRBool
 KEAPQGCompare(CERTCertificate *server,CERTCertificate *cert) {
 
-    if ( SECKEY_KEAParamCompare(server,cert) == SECEqual ) {
-        return PR_TRUE;
-    } else {
-	return PR_FALSE;
-    }
+    /* not implemented */
+    return PR_FALSE;
 }
 
 PRBool
@@ -2349,6 +2433,7 @@ pk11ListCertCallback(NSSCertificate *c, void *arg)
     PRBool isCA = PR_FALSE;
     char *nickname = NULL;
     unsigned int certType;
+    SECStatus rv;
 
     if ((type == PK11CertListUnique) || (type == PK11CertListRootUnique) ||
         (type == PK11CertListCAUnique) || (type == PK11CertListUserUnique) ) {
@@ -2391,9 +2476,13 @@ pk11ListCertCallback(NSSCertificate *c, void *arg)
 
 	/* put slot certs at the end */
 	if (newCert->slot && !PK11_IsInternal(newCert->slot)) {
-	    CERT_AddCertToListTailWithData(certList,newCert,nickname);
+	    rv = CERT_AddCertToListTailWithData(certList,newCert,nickname);
 	} else {
-	    CERT_AddCertToListHeadWithData(certList,newCert,nickname);
+	    rv = CERT_AddCertToListHeadWithData(certList,newCert,nickname);
+	}
+	/* if we didn't add the cert to the list, don't leak it */
+	if (rv != SECSuccess) {
+	    CERT_DestroyCertificate(newCert);
 	}
     } else {
 	/* add multiple instances to the cert list */
@@ -2414,9 +2503,13 @@ pk11ListCertCallback(NSSCertificate *c, void *arg)
 
 	    /* put slot certs at the end */
 	    if (slot && !PK11_IsInternal(slot)) {
-		CERT_AddCertToListTailWithData(certList,newCert,nickname);
+		rv = CERT_AddCertToListTailWithData(certList,newCert,nickname);
 	    } else {
-		CERT_AddCertToListHeadWithData(certList,newCert,nickname);
+		rv = CERT_AddCertToListHeadWithData(certList,newCert,nickname);
+	    }
+	    /* if we didn't add the cert to the list, don't leak it */
+	    if (rv != SECSuccess) {
+		CERT_DestroyCertificate(newCert);
 	    }
 	}
 	nssCryptokiObjectArray_Destroy(instances);
@@ -2498,6 +2591,7 @@ listCertsCallback(CERTCertificate* cert, void*arg)
     nssCryptokiObject *instance, **ci;
     nssCryptokiObject **instances;
     NSSCertificate *c = STAN_GetNSSCertificate(cert);
+    SECStatus rv;
 
     if (c == NULL) {
         return SECFailure;
@@ -2520,11 +2614,15 @@ listCertsCallback(CERTCertificate* cert, void*arg)
 	return SECFailure;
     }
     nickname = STAN_GetCERTCertificateNameForInstance(cdata->list->arena,
-	c, instance);
+						      c, instance);
     nssCryptokiObjectArray_Destroy(instances);
 
-    return CERT_AddCertToListTailWithData(cdata->list, 
-				CERT_DupCertificate(cert),nickname);
+    CERT_DupCertificate(cert);
+    rv = CERT_AddCertToListTailWithData(cdata->list, cert, nickname);
+    if (rv != SECSuccess) {
+	CERT_DestroyCertificate(cert);
+    }
+    return rv;
 }
 
 CERTCertList *
diff --git a/security/nss/lib/pk11wrap/pk11err.c b/security/nss/lib/pk11wrap/pk11err.c
index c87d8a236a51..5299ed3df385 100644
--- a/security/nss/lib/pk11wrap/pk11err.c
+++ b/security/nss/lib/pk11wrap/pk11err.c
@@ -40,6 +40,10 @@
  *  operations). If any of these errors need more detail in the upper layers
  *  which call PK11 library functions, we can add more SEC_ERROR_XXX functions
  *  and change there mappings here.
+ *
+ *  Some PKCS11 errors are mapped to SEC_ERROR_LIBRARY_FAILURE intentionally
+ *  because they indicate that there is a bug in the library (either NSS or
+ *  the token).
  */
 #include "pkcs11t.h"
 #include "pk11func.h"
@@ -147,7 +151,7 @@ PK11_MapError(CK_RV rv) {
 	    return pk11_error_map[i].sec_error;
 	}
     }
-    return SEC_ERROR_IO;
+    return SEC_ERROR_UNKNOWN_PKCS11_ERROR;
  }
 
 
@@ -156,7 +160,7 @@ PK11_MapError(CK_RV rv) {
     default:
 	break;
     }
-    return SEC_ERROR_IO;
+    return SEC_ERROR_UNKNOWN_PKCS11_ERROR;
 }
 
 
diff --git a/security/nss/lib/pk11wrap/pk11load.c b/security/nss/lib/pk11wrap/pk11load.c
index 80850c11c6d4..a0d899d5bd89 100644
--- a/security/nss/lib/pk11wrap/pk11load.c
+++ b/security/nss/lib/pk11wrap/pk11load.c
@@ -387,7 +387,6 @@ SECStatus
 secmod_LoadPKCS11Module(SECMODModule *mod, SECMODModule **oldModule) {
     PRLibrary *library = NULL;
     CK_C_GetFunctionList entry = NULL;
-    char * full_name;
     CK_INFO info;
     CK_ULONG slotCount = 0;
     SECStatus rv;
@@ -434,14 +433,11 @@ secmod_LoadPKCS11Module(SECMODModule *mod, SECMODModule **oldModule) {
 	    return SECFailure;
 	}
 
-	full_name = PORT_Strdup(mod->dllName);
-
 	/* load the library. If this succeeds, then we have to remember to
 	 * unload the library if anything goes wrong from here on out...
 	 */
-	library = PR_LoadLibrary(full_name);
+	library = PR_LoadLibrary(mod->dllName);
 	mod->library = (void *)library;
-	PORT_Free(full_name);
 
 	if (library == NULL) {
 	    return SECFailure;
diff --git a/security/nss/lib/pk11wrap/pk11mech.c b/security/nss/lib/pk11wrap/pk11mech.c
index f69c7feff703..f12102720de8 100644
--- a/security/nss/lib/pk11wrap/pk11mech.c
+++ b/security/nss/lib/pk11wrap/pk11mech.c
@@ -373,6 +373,7 @@ PK11_GetKeyType(CK_MECHANISM_TYPE type,unsigned long len)
     case CKM_MD2_RSA_PKCS:
     case CKM_MD5_RSA_PKCS:
     case CKM_SHA1_RSA_PKCS:
+    case CKM_SHA224_RSA_PKCS:
     case CKM_SHA256_RSA_PKCS:
     case CKM_SHA384_RSA_PKCS:
     case CKM_SHA512_RSA_PKCS:
@@ -407,6 +408,8 @@ PK11_GetKeyType(CK_MECHANISM_TYPE type,unsigned long len)
     case CKM_TLS_KEY_AND_MAC_DERIVE:
     case CKM_SHA_1_HMAC:
     case CKM_SHA_1_HMAC_GENERAL:
+    case CKM_SHA224_HMAC:
+    case CKM_SHA224_HMAC_GENERAL:
     case CKM_SHA256_HMAC:
     case CKM_SHA256_HMAC_GENERAL:
     case CKM_SHA384_HMAC:
@@ -1380,7 +1383,7 @@ pk11_GenIV(CK_MECHANISM_TYPE type, SECItem *iv) {
 
 
 /*
- * create a new paramter block from the passed in MECHANISM and the
+ * create a new parameter block from the passed in MECHANISM and the
  * key. Use Netscape's S/MIME Rules for the New param block.
  */
 SECItem *
diff --git a/security/nss/lib/pk11wrap/pk11merge.c b/security/nss/lib/pk11wrap/pk11merge.c
index 5a27725571d5..3069460b29d7 100644
--- a/security/nss/lib/pk11wrap/pk11merge.c
+++ b/security/nss/lib/pk11wrap/pk11merge.c
@@ -1037,13 +1037,11 @@ pk11_mergeTrustEntry(CK_ATTRIBUTE *target, CK_ATTRIBUTE *source)
      * actual trust of the cert (CKT_MUST_VERIFY, CKT_NSS_VALID,
      * CKT_NSS_VALID_DELEGATOR).
      */
-    if ((sourceTrust == CKT_NSS_MUST_VERIFY) 
-	|| (sourceTrust == CKT_NSS_VALID)
+    if ((sourceTrust == CKT_NSS_MUST_VERIFY_TRUST) 
 	|| (sourceTrust == CKT_NSS_VALID_DELEGATOR)) {
 	return USE_TARGET;
     }
-    if ((targetTrust == CKT_NSS_MUST_VERIFY) 
-	|| (targetTrust == CKT_NSS_VALID)
+    if ((targetTrust == CKT_NSS_MUST_VERIFY_TRUST) 
 	|| (targetTrust == CKT_NSS_VALID_DELEGATOR)) {
 	/* source overrites the target */
 	return USE_SOURCE;
diff --git a/security/nss/lib/pk11wrap/pk11nobj.c b/security/nss/lib/pk11wrap/pk11nobj.c
index ce34de544c37..7cfbecec595f 100644
--- a/security/nss/lib/pk11wrap/pk11nobj.c
+++ b/security/nss/lib/pk11wrap/pk11nobj.c
@@ -138,31 +138,31 @@ pk11_HandleTrustObject(PK11SlotInfo *slot, CERTCertificate *cert, CERTCertTrust
   /* First implementation: keep it simple for testing.  We can study what other
    * mappings would be appropriate and add them later.. fgmr 20000724 */
 
-  if ( serverAuth ==  CKT_NETSCAPE_TRUSTED ) {
-    trust->sslFlags |= CERTDB_VALID_PEER | CERTDB_TRUSTED;
+  if ( serverAuth ==  CKT_NSS_TRUSTED ) {
+    trust->sslFlags |= CERTDB_TERMINAL_RECORD | CERTDB_TRUSTED;
   }
 
-  if ( serverAuth == CKT_NETSCAPE_TRUSTED_DELEGATOR ) {
+  if ( serverAuth == CKT_NSS_TRUSTED_DELEGATOR ) {
     trust->sslFlags |= CERTDB_VALID_CA | CERTDB_TRUSTED_CA | 
 							CERTDB_NS_TRUSTED_CA;
   }
-  if ( clientAuth == CKT_NETSCAPE_TRUSTED_DELEGATOR ) {
+  if ( clientAuth == CKT_NSS_TRUSTED_DELEGATOR ) {
     trust->sslFlags |=  CERTDB_TRUSTED_CLIENT_CA ;
   }
 
-  if ( emailProtection == CKT_NETSCAPE_TRUSTED ) {
-    trust->emailFlags |= CERTDB_VALID_PEER | CERTDB_TRUSTED;
+  if ( emailProtection == CKT_NSS_TRUSTED ) {
+    trust->emailFlags |= CERTDB_TERMINAL_RECORD | CERTDB_TRUSTED;
   }
 
-  if ( emailProtection == CKT_NETSCAPE_TRUSTED_DELEGATOR ) {
+  if ( emailProtection == CKT_NSS_TRUSTED_DELEGATOR ) {
     trust->emailFlags |= CERTDB_VALID_CA | CERTDB_TRUSTED_CA | CERTDB_NS_TRUSTED_CA;
   }
 
-  if( codeSigning == CKT_NETSCAPE_TRUSTED ) {
-    trust->objectSigningFlags |= CERTDB_VALID_PEER | CERTDB_TRUSTED;
+  if( codeSigning == CKT_NSS_TRUSTED ) {
+    trust->objectSigningFlags |= CERTDB_TERMINAL_RECORD | CERTDB_TRUSTED;
   }
 
-  if( codeSigning == CKT_NETSCAPE_TRUSTED_DELEGATOR ) {
+  if( codeSigning == CKT_NSS_TRUSTED_DELEGATOR ) {
     trust->objectSigningFlags |= CERTDB_VALID_CA | CERTDB_TRUSTED_CA | CERTDB_NS_TRUSTED_CA;
   }
 
diff --git a/security/nss/lib/pk11wrap/pk11obj.c b/security/nss/lib/pk11wrap/pk11obj.c
index 4323ebcb3abf..8ee58b8362fe 100644
--- a/security/nss/lib/pk11wrap/pk11obj.c
+++ b/security/nss/lib/pk11wrap/pk11obj.c
@@ -930,7 +930,7 @@ PK11_UnwrapPrivKey(PK11SlotInfo *slot, PK11SymKey *wrappingKey,
     CK_OBJECT_HANDLE privKeyID;
     CK_MECHANISM mechanism;
     CK_ATTRIBUTE *attrs = keyTemplate;
-    SECItem *param_free = NULL, *ck_id;
+    SECItem *param_free = NULL, *ck_id = NULL;
     CK_RV crv;
     CK_SESSION_HANDLE rwsession;
     PK11SymKey *newKey = NULL;
@@ -996,10 +996,12 @@ PK11_UnwrapPrivKey(PK11SlotInfo *slot, PK11SymKey *wrappingKey,
 	    if (rwsession != CK_INVALID_SESSION) 
 		PK11_EnterSlotMonitor(slot);
 	}
+        /* This is a lot a work to deal with fussy PKCS #11 modules
+         * that can't bother to return BAD_DATA when presented with an
+         * invalid session! */
 	if (rwsession == CK_INVALID_SESSION) {
-	    PK11_FreeSymKey(newKey);
 	    PORT_SetError(SEC_ERROR_BAD_DATA);
-	    return NULL;
+	    goto loser;
 	}
 	crv = PK11_GETTAB(slot)->C_UnwrapKey(rwsession, &mechanism, 
 					 newKey->objectID,
@@ -1013,11 +1015,12 @@ PK11_UnwrapPrivKey(PK11SlotInfo *slot, PK11SymKey *wrappingKey,
 	    PK11_ExitSlotMonitor(slot);
 	}
 	PK11_FreeSymKey(newKey);
+	newKey = NULL;
     } else {
 	crv = CKR_FUNCTION_NOT_SUPPORTED;
     }
 
-    if(ck_id) {
+    if (ck_id) {
 	SECITEM_FreeItem(ck_id, PR_TRUE);
 	ck_id = NULL;
     }
@@ -1045,6 +1048,15 @@ PK11_UnwrapPrivKey(PK11SlotInfo *slot, PK11SymKey *wrappingKey,
 	return NULL;
     }
     return PK11_MakePrivKey(slot, nullKey, PR_FALSE, privKeyID, wincx);
+
+loser:
+    if (newKey) {
+	PK11_FreeSymKey(newKey);
+    }
+    if (ck_id) {
+	SECITEM_FreeItem(ck_id, PR_TRUE);
+    }
+    return NULL;
 }
 
 /*
diff --git a/security/nss/lib/pk11wrap/pk11pbe.c b/security/nss/lib/pk11wrap/pk11pbe.c
index 987428654990..973528335ab1 100644
--- a/security/nss/lib/pk11wrap/pk11pbe.c
+++ b/security/nss/lib/pk11wrap/pk11pbe.c
@@ -1348,7 +1348,7 @@ PK11_PBEKeyGen(PK11SlotInfo *slot, SECAlgorithmID *algid, SECItem *pwitem,
 {
     CK_MECHANISM_TYPE type;
     SECItem *param = NULL;
-    PK11SymKey *symKey;
+    PK11SymKey *symKey = NULL;
     SECOidTag	pbeAlg;
     CK_KEY_TYPE keyType = -1;
     int keyLen = 0;
@@ -1377,14 +1377,15 @@ PK11_PBEKeyGen(PK11SlotInfo *slot, SECAlgorithmID *algid, SECItem *pwitem,
     } else {
 	param = PK11_ParamFromAlgid(algid);
     }
+
     if(param == NULL) {
-	return NULL;
+	goto loser;
     }
 
     type = PK11_AlgtagToMechanism(pbeAlg);	
     if (type == CKM_INVALID_MECHANISM) {
 	PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
-	return NULL;
+	goto loser;
     }
     if(faulty3DES && (type == CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC)) {
 	type = CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC;
@@ -1392,7 +1393,10 @@ PK11_PBEKeyGen(PK11SlotInfo *slot, SECAlgorithmID *algid, SECItem *pwitem,
     symKey = pk11_RawPBEKeyGenWithKeyType(slot, type, param, keyType, keyLen, 
 					pwitem, wincx);
 
-    SECITEM_ZfreeItem(param, PR_TRUE);
+loser:
+    if (param) {
+	SECITEM_ZfreeItem(param, PR_TRUE);
+    }
     return symKey;
 }
 
@@ -1442,14 +1446,14 @@ loser:
 }
 
 /*
- * public, supports pkcs5 v2
+ * Public, supports pkcs5 v2
  *
- * get a the crypto mechanism directly from the pbe algorithmid.
+ * Get the crypto mechanism directly from the pbe algorithmid.
  *
- * it's important to go directly from the algorithm id so that we can
+ * It's important to go directly from the algorithm id so that we can
  * handle both the PKCS #5 v1, PKCS #12, and PKCS #5 v2 cases.
  *
- * This function returns both the mechanism an the paramter for the mechanism.
+ * This function returns both the mechanism and the parameter for the mechanism.
  * The caller is responsible for freeing the parameter.
  */
 CK_MECHANISM_TYPE
diff --git a/security/nss/lib/pk11wrap/pk11pk12.c b/security/nss/lib/pk11wrap/pk11pk12.c
index c135b7c13e82..3d0feb0e184d 100644
--- a/security/nss/lib/pk11wrap/pk11pk12.c
+++ b/security/nss/lib/pk11wrap/pk11pk12.c
@@ -447,15 +447,6 @@ loser:
     return rv;
 }
 
-SECStatus
-PK11_ImportPrivateKey(PK11SlotInfo *slot, SECKEYRawPrivateKey *lpk, 
-	SECItem *nickname, SECItem *publicValue, PRBool isPerm, 
-	PRBool isPrivate, unsigned int keyUsage, void *wincx) 
-{
-    return PK11_ImportAndReturnPrivateKey(slot, lpk, nickname, publicValue,
-	isPerm, isPrivate, keyUsage, NULL, wincx);
-}
-
 SECStatus
 PK11_ImportPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot,
 	SECKEYPrivateKeyInfo *pki, SECItem *nickname, SECItem *publicValue,
@@ -467,7 +458,7 @@ PK11_ImportPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot,
     SECKEYRawPrivateKey *lpk = NULL;
     const SEC_ASN1Template *keyTemplate, *paramTemplate;
     void *paramDest = NULL;
-    PRArenaPool *arena;
+    PRArenaPool *arena = NULL;
 
     arena = PORT_NewArena(2048);
     if(!arena) {
@@ -540,7 +531,7 @@ PK11_ImportPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot,
 
 
 loser:
-    if (lpk!= NULL) {
+    if (arena != NULL) {
 	PORT_FreeArena(arena, PR_TRUE);
     }
 
diff --git a/security/nss/lib/pk11wrap/pk11pub.h b/security/nss/lib/pk11wrap/pk11pub.h
index 2813e370b552..769a76ad5dbd 100644
--- a/security/nss/lib/pk11wrap/pk11pub.h
+++ b/security/nss/lib/pk11wrap/pk11pub.h
@@ -652,7 +652,7 @@ SECStatus PK11_TraverseCertsForSubjectInSlot(CERTCertificate *cert,
 CERTCertificate *PK11_FindCertFromDERCert(PK11SlotInfo *slot, 
 					  CERTCertificate *cert, void *wincx);
 CERTCertificate *PK11_FindCertFromDERCertItem(PK11SlotInfo *slot,
-                                          SECItem *derCert, void *wincx);
+                                          const SECItem *derCert, void *wincx);
 SECStatus PK11_ImportCertForKeyToSlot(PK11SlotInfo *slot, CERTCertificate *cert,
 					char *nickname, PRBool addUsage,
 					void *wincx);
diff --git a/security/nss/lib/pk11wrap/pk11skey.c b/security/nss/lib/pk11wrap/pk11skey.c
index 0cc7cea60396..c67c635507fa 100644
--- a/security/nss/lib/pk11wrap/pk11skey.c
+++ b/security/nss/lib/pk11wrap/pk11skey.c
@@ -892,11 +892,11 @@ PK11_MoveSymKey(PK11SlotInfo *slot, CK_ATTRIBUTE_TYPE operation,
  *  for the key. Most PKCS #11 modules fail if you specify the CKA_VALUE_LEN 
  *  attribute for keys with fixed length. The exception is DES2. If you
  *  select a CKM_DES3_CBC mechanism, this code will not add the CKA_VALUE_LEN
- *  paramter and use the key size to determine which underlying DES keygen
+ *  parameter and use the key size to determine which underlying DES keygen
  *  function to use (CKM_DES2_KEY_GEN or CKM_DES3_KEY_GEN).
  *
  * keyType must be -1 for most algorithms. Some PBE algorthims cannot 
- *  determine the correct key type from the mechanism or the paramters,
+ *  determine the correct key type from the mechanism or the parameters,
  *  so key type must be specified. Other PKCS #11 mechanisms may do so in
  *  the future. Currently there is no need to export this publically.
  *  Keep it private until there is a need in case we need to expand the
@@ -972,7 +972,7 @@ pk11_TokenKeyGenWithFlagsAndKeyType(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
  *  for the key. Most PKCS #11 modules fail if you specify the CKA_VALUE_LEN 
  *  attribute for keys with fixed length. The exception is DES2. If you
  *  select a CKM_DES3_CBC mechanism, this code will not add the CKA_VALUE_LEN
- *  paramter and use the key size to determine which underlying DES keygen
+ *  parameter and use the key size to determine which underlying DES keygen
  *  function to use (CKM_DES2_KEY_GEN or CKM_DES3_KEY_GEN).
  *
  * CK_FLAGS flags: key operation flags
diff --git a/security/nss/lib/pkcs12/manifest.mn b/security/nss/lib/pkcs12/manifest.mn
index fd4bdb1dc801..14f39e8d23d0 100644
--- a/security/nss/lib/pkcs12/manifest.mn
+++ b/security/nss/lib/pkcs12/manifest.mn
@@ -57,8 +57,6 @@ CSRCS = \
 	p12d.c \
 	$(NULL)
 
-REQUIRES = dbm
-
 LIBRARY_NAME = pkcs12
 
 # This part of the code, including all sub-dirs, can be optimized for size
diff --git a/security/nss/lib/pkcs12/p12.h b/security/nss/lib/pkcs12/p12.h
index 852047c1f2f3..04a67647da32 100644
--- a/security/nss/lib/pkcs12/p12.h
+++ b/security/nss/lib/pkcs12/p12.h
@@ -64,6 +64,11 @@ typedef void (PR_CALLBACK * SEC_PKCS12EncoderOutputCallback)(
 typedef void (PR_CALLBACK * SEC_PKCS12DecoderOutputCallback)(
                             void *arg, const char *buf,
                             unsigned long len);
+/*
+ * In NSS 3.12 or later, 'arg' actually points to a CERTCertificate,
+ * the 'leafCert' variable in sec_pkcs12_validate_cert in p12d.c. 
+ * See r1.35 of p12d.c ("Patch 2" in bug 321584).
+ */
 typedef SECItem * (PR_CALLBACK * SEC_PKCS12NicknameCollisionCallback)(
                                  SECItem *old_nickname,
                                  PRBool *cancel,
diff --git a/security/nss/lib/pkcs12/p12d.c b/security/nss/lib/pkcs12/p12d.c
index cc859068910e..98dfbe12bf83 100644
--- a/security/nss/lib/pkcs12/p12d.c
+++ b/security/nss/lib/pkcs12/p12d.c
@@ -1907,8 +1907,7 @@ sec_pkcs12_get_key_info(sec_PKCS12SafeBag *key)
  */
 static SECItem *
 sec_pkcs12_get_nickname_for_cert(sec_PKCS12SafeBag *cert,
-				 sec_PKCS12SafeBag *key, 
-				 void *wincx)
+				 sec_PKCS12SafeBag *key)
 {
     SECItem *nickname;
 
@@ -1939,8 +1938,7 @@ sec_pkcs12_get_nickname_for_cert(sec_PKCS12SafeBag *cert,
 static SECStatus
 sec_pkcs12_set_nickname_for_cert(sec_PKCS12SafeBag *cert, 
 				 sec_PKCS12SafeBag *key, 
-				 SECItem *nickname, 
-				 void *wincx)
+				 SECItem *nickname)
 {
     if(!nickname || !cert) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
@@ -2072,7 +2070,7 @@ gatherNicknames(CERTCertificate *cert, void *arg)
  * If so, return it. 
  */
 static SECItem *
-sec_pkcs12_get_existing_nick_for_dn(sec_PKCS12SafeBag *cert, void *wincx)
+sec_pkcs12_get_existing_nick_for_dn(sec_PKCS12SafeBag *cert)
 {
     struct certNickInfo *nickArg = NULL;
     SECItem *derCert, *returnDn = NULL;
@@ -2191,7 +2189,7 @@ static void
 sec_pkcs12_validate_cert_nickname(sec_PKCS12SafeBag *cert,
 				sec_PKCS12SafeBag *key,
 				SEC_PKCS12NicknameCollisionCallback nicknameCb,
-				void *wincx)
+				CERTCertificate *leafCert)
 {
     SECItem *certNickname, *existingDNNick;
     PRBool setNickname = PR_FALSE, cancel = PR_FALSE;
@@ -2216,8 +2214,8 @@ sec_pkcs12_validate_cert_nickname(sec_PKCS12SafeBag *cert,
 	return;
     }
 
-    certNickname = sec_pkcs12_get_nickname_for_cert(cert, key, wincx);
-    existingDNNick = sec_pkcs12_get_existing_nick_for_dn(cert, wincx);
+    certNickname = sec_pkcs12_get_nickname_for_cert(cert, key);
+    existingDNNick = sec_pkcs12_get_existing_nick_for_dn(cert);
 
     /* nickname is already used w/ this dn, so it is safe to return */
     if(certNickname && existingDNNick &&
@@ -2229,7 +2227,7 @@ sec_pkcs12_validate_cert_nickname(sec_PKCS12SafeBag *cert,
      * this dn.  set the nicks in the p12 bags and finish.
      */
     if(existingDNNick) {
-	sec_pkcs12_set_nickname_for_cert(cert, key, existingDNNick, wincx);
+	sec_pkcs12_set_nickname_for_cert(cert, key, existingDNNick);
 	goto loser;
     }
 
@@ -2257,14 +2255,13 @@ sec_pkcs12_validate_cert_nickname(sec_PKCS12SafeBag *cert,
 	if (certNickname && certNickname->data &&
 	    !sec_pkcs12_certs_for_nickname_exist(certNickname, cert->slot)) {
 	    if (setNickname) {
-		sec_pkcs12_set_nickname_for_cert(cert, key, certNickname,
-				    wincx);
+		sec_pkcs12_set_nickname_for_cert(cert, key, certNickname);
 	    }
 	    break;
 	}
 
 	setNickname = PR_FALSE;
-	newNickname = (*nicknameCb)(certNickname, &cancel, wincx);
+	newNickname = (*nicknameCb)(certNickname, &cancel, leafCert);
 	if(cancel) {
 	    cert->problem = PR_TRUE;
 	    cert->error = SEC_ERROR_USER_CANCELLED;
@@ -2304,8 +2301,7 @@ loser:
 static void 
 sec_pkcs12_validate_cert(sec_PKCS12SafeBag *cert,
 			 sec_PKCS12SafeBag *key,
-			 SEC_PKCS12NicknameCollisionCallback nicknameCb,
-			 void *wincx)
+			 SEC_PKCS12NicknameCollisionCallback nicknameCb)
 {
     CERTCertificate *leafCert;
 
@@ -2345,7 +2341,7 @@ sec_pkcs12_validate_cert(sec_PKCS12SafeBag *cert,
 	return;
     }
 
-    sec_pkcs12_validate_cert_nickname(cert, key, nicknameCb, (void *)leafCert);
+    sec_pkcs12_validate_cert_nickname(cert, key, nicknameCb, leafCert);
 
     CERT_DestroyCertificate(leafCert);
 }
@@ -2748,7 +2744,7 @@ sec_pkcs12_validate_bags(sec_PKCS12SafeBag **safeBags,
 			cert->error   = key->error;
 			continue;
 		    } 
-		    sec_pkcs12_validate_cert(cert, key, nicknameCb, wincx);
+		    sec_pkcs12_validate_cert(cert, key, nicknameCb);
 		    if(cert->problem) {
 			key->problem = cert->problem;
 			key->error   = cert->error;
@@ -2769,7 +2765,7 @@ sec_pkcs12_validate_bags(sec_PKCS12SafeBag **safeBags,
 
 	    switch(bagType) {
 	    case SEC_OID_PKCS12_V1_CERT_BAG_ID:
-		sec_pkcs12_validate_cert(bag, NULL, nicknameCb, wincx);
+		sec_pkcs12_validate_cert(bag, NULL, nicknameCb);
 		break;
 	    case SEC_OID_PKCS12_V1_KEY_BAG_ID:
 	    case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID:
@@ -2936,8 +2932,7 @@ sec_pkcs12_install_bags(sec_PKCS12SafeBag **safeBags, void *wincx)
 		/* use the cert's nickname, if it has one, else use the 
 		 * key's nickname, else fail.
 		 */
-		nickName = sec_pkcs12_get_nickname_for_cert(certList[0], 
-		                                            key, wincx);
+		nickName = sec_pkcs12_get_nickname_for_cert(certList[0], key);
 	    } else {
 		nickName = sec_pkcs12_get_nickname(key);
 	    }
diff --git a/security/nss/lib/pkcs7/manifest.mn b/security/nss/lib/pkcs7/manifest.mn
index 7b7ae43a0578..1be9018fb37a 100644
--- a/security/nss/lib/pkcs7/manifest.mn
+++ b/security/nss/lib/pkcs7/manifest.mn
@@ -59,8 +59,6 @@ CSRCS = \
 	secmime.c  \
 	$(NULL)
 
-REQUIRES = dbm
-
 LIBRARY_NAME = pkcs7
 
 # This part of the code, including all sub-dirs, can be optimized for size
diff --git a/security/nss/lib/pki/certificate.c b/security/nss/lib/pki/certificate.c
index 38e17acefe56..07ee6e6c76da 100644
--- a/security/nss/lib/pki/certificate.c
+++ b/security/nss/lib/pki/certificate.c
@@ -35,7 +35,7 @@
  * ***** END LICENSE BLOCK ***** */
 
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: certificate.c,v $ $Revision: 1.67 $ $Date: 2010/04/03 18:27:32 $";
+static const char CVS_ID[] = "@(#) $RCSfile: certificate.c,v $ $Revision: 1.68 $ $Date: 2011/07/12 21:29:17 $";
 #endif /* DEBUG */
 
 #ifndef NSSPKI_H
@@ -960,6 +960,44 @@ nssCertificateList_AddReferences (
     (void)nssCertificateList_DoCallback(certList, add_ref_callback, NULL);
 }
 
+
+/*
+ * Is this trust record safe to apply to all certs of the same issuer/SN 
+ * independent of the cert matching the hash. This is only true is the trust 
+ * is unknown or distrusted. In general this feature is only useful to 
+ * explicitly distrusting certs. It is not safe to use to trust certs, so 
+ * only allow unknown and untrusted trust types.
+ */
+PRBool
+nssTrust_IsSafeToIgnoreCertHash(nssTrustLevel serverAuth, 
+		nssTrustLevel clientAuth, nssTrustLevel codeSigning, 
+		nssTrustLevel email, PRBool stepup)
+{
+    /* step up is a trust type, if it's on, we must have a hash for the cert */
+    if (stepup) {
+	return PR_FALSE;
+    }
+    if ((serverAuth != nssTrustLevel_Unknown) && 
+	(serverAuth != nssTrustLevel_NotTrusted)) {
+	return PR_FALSE;
+    }
+    if ((clientAuth != nssTrustLevel_Unknown) && 
+	(clientAuth != nssTrustLevel_NotTrusted)) {
+	return PR_FALSE;
+    }
+    if ((codeSigning != nssTrustLevel_Unknown) && 
+	(codeSigning != nssTrustLevel_NotTrusted)) {
+	return PR_FALSE;
+    }
+    if ((email != nssTrustLevel_Unknown) && 
+	(email != nssTrustLevel_NotTrusted)) {
+	return PR_FALSE;
+    }
+    /* record only has Unknown and Untrusted entries, ok to accept without a 
+     * hash */
+    return PR_TRUE;
+}
+
 NSS_IMPLEMENT NSSTrust *
 nssTrust_Create (
   nssPKIObject *object,
@@ -1009,7 +1047,19 @@ nssTrust_Create (
 	    nssPKIObject_Unlock(object);
 	    return (NSSTrust *)NULL;
 	}
-	if (PORT_Memcmp(sha1_hashin,sha1_hashcmp,SHA1_LENGTH) != 0) {
+	/* if no hash is specified, then trust applies to all certs with
+	 * this issuer/SN. NOTE: This is only true for entries that
+	 * have distrust and unknown record */
+	if (!(
+            /* we continue if there is no hash, and the trust type is
+	     * safe to accept without a hash ... or ... */
+	     ((sha1_hash.size == 0)  && 
+		nssTrust_IsSafeToIgnoreCertHash(serverAuth,clientAuth,
+		codeSigning, emailProtection,stepUp)) 
+	   ||
+            /* we have a hash of the correct size, and it matches */
+            ((sha1_hash.size == SHA1_LENGTH) && (PORT_Memcmp(sha1_hashin,
+	        sha1_hashcmp,SHA1_LENGTH) == 0))   )) {
 	    nssPKIObject_Unlock(object);
 	    return (NSSTrust *)NULL;
 	}
diff --git a/security/nss/lib/pki/pki3hack.c b/security/nss/lib/pki/pki3hack.c
index b13a05ee1b14..7e7693b92285 100644
--- a/security/nss/lib/pki/pki3hack.c
+++ b/security/nss/lib/pki/pki3hack.c
@@ -35,7 +35,7 @@
  * ***** END LICENSE BLOCK ***** */
 
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: pki3hack.c,v $ $Revision: 1.100.2.1 $ $Date: 2011/03/26 16:55:01 $";
+static const char CVS_ID[] = "@(#) $RCSfile: pki3hack.c,v $ $Revision: 1.102 $ $Date: 2011/04/13 00:10:26 $";
 #endif /* DEBUG */
 
 /*
@@ -555,17 +555,17 @@ nssDecodedPKIXCertificate_Destroy (
 
 /* see pk11cert.c:pk11_HandleTrustObject */
 static unsigned int
-get_nss3trust_from_nss4trust(CK_TRUST t)
+get_nss3trust_from_nss4trust(nssTrustLevel t)
 {
     unsigned int rt = 0;
     if (t == nssTrustLevel_Trusted) {
-	rt |= CERTDB_VALID_PEER | CERTDB_TRUSTED;
+	rt |= CERTDB_TERMINAL_RECORD | CERTDB_TRUSTED;
     }
     if (t == nssTrustLevel_TrustedDelegator) {
-	rt |= CERTDB_VALID_CA | CERTDB_TRUSTED_CA /*| CERTDB_NS_TRUSTED_CA*/;
+	rt |= CERTDB_VALID_CA | CERTDB_TRUSTED_CA;
     }
-    if (t == nssTrustLevel_Valid) {
-	rt |= CERTDB_VALID_PEER;
+    if (t == nssTrustLevel_NotTrusted) {
+	rt |= CERTDB_TERMINAL_RECORD;
     }
     if (t == nssTrustLevel_ValidDelegator) {
 	rt |= CERTDB_VALID_CA;
@@ -922,13 +922,13 @@ get_stan_trust(unsigned int t, PRBool isClientAuth)
     if (t & CERTDB_TRUSTED) {
 	return nssTrustLevel_Trusted;
     }
+    if (t & CERTDB_TERMINAL_RECORD) {
+	return nssTrustLevel_NotTrusted;
+    }
     if (t & CERTDB_VALID_CA) {
 	return nssTrustLevel_ValidDelegator;
     }
-    if (t & CERTDB_VALID_PEER) {
-	return nssTrustLevel_Valid;
-    }
-    return nssTrustLevel_NotTrusted;
+    return nssTrustLevel_MustVerify;
 }
 
 NSS_EXTERN NSSCertificate *
diff --git a/security/nss/lib/pki/pki3hack.h b/security/nss/lib/pki/pki3hack.h
index b9ce7f7c6ff2..45bf97c20e57 100644
--- a/security/nss/lib/pki/pki3hack.h
+++ b/security/nss/lib/pki/pki3hack.h
@@ -38,7 +38,7 @@
 #define PKINSS3HACK_H
 
 #ifdef DEBUG
-static const char PKINSS3HACK_CVS_ID[] = "@(#) $RCSfile: pki3hack.h,v $ $Revision: 1.19.192.1 $ $Date: 2011/03/26 16:55:01 $";
+static const char PKINSS3HACK_CVS_ID[] = "@(#) $RCSfile: pki3hack.h,v $ $Revision: 1.20 $ $Date: 2011/03/26 17:34:22 $";
 #endif /* DEBUG */
 
 #ifndef NSSDEVT_H
diff --git a/security/nss/lib/pki/pkistore.c b/security/nss/lib/pki/pkistore.c
index 3371fdd36159..3909fdc55cd0 100644
--- a/security/nss/lib/pki/pkistore.c
+++ b/security/nss/lib/pki/pkistore.c
@@ -35,7 +35,7 @@
  * ***** END LICENSE BLOCK ***** */
 
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: pkistore.c,v $ $Revision: 1.33.40.1 $ $Date: 2010/12/17 20:14:38 $";
+static const char CVS_ID[] = "@(#) $RCSfile: pkistore.c,v $ $Revision: 1.34 $ $Date: 2010/12/17 02:34:07 $";
 #endif /* DEBUG */
 
 #ifndef PKIM_H
diff --git a/security/nss/lib/smime/cms.h b/security/nss/lib/smime/cms.h
index 896408f72b5a..ca662f33727a 100644
--- a/security/nss/lib/smime/cms.h
+++ b/security/nss/lib/smime/cms.h
@@ -37,7 +37,7 @@
 /*
  * Interfaces of the CMS implementation.
  *
- * $Id: cms.h,v 1.23.2.3 2011/02/11 16:44:02 emaldona%redhat.com Exp $
+ * $Id: cms.h,v 1.26 2011/02/24 22:06:14 emaldona%redhat.com Exp $
  */
 
 #ifndef _CMS_H_
diff --git a/security/nss/lib/smime/cmsasn1.c b/security/nss/lib/smime/cmsasn1.c
index d924528a594c..b9232674668d 100644
--- a/security/nss/lib/smime/cmsasn1.c
+++ b/security/nss/lib/smime/cmsasn1.c
@@ -37,7 +37,7 @@
 /*
  * CMS ASN.1 templates
  *
- * $Id: cmsasn1.c,v 1.7.2.2 2011/02/01 00:33:23 rrelyea%redhat.com Exp $
+ * $Id: cmsasn1.c,v 1.9 2011/01/31 23:56:30 rrelyea%redhat.com Exp $
  */
 
 #include "cmslocal.h"
diff --git a/security/nss/lib/smime/cmscinfo.c b/security/nss/lib/smime/cmscinfo.c
index bd1cc85b6dae..4a8008e93e86 100644
--- a/security/nss/lib/smime/cmscinfo.c
+++ b/security/nss/lib/smime/cmscinfo.c
@@ -37,7 +37,7 @@
 /*
  * CMS contentInfo methods.
  *
- * $Id: cmscinfo.c,v 1.7.192.3 2011/02/11 03:57:50 emaldona%redhat.com Exp $
+ * $Id: cmscinfo.c,v 1.10 2011/02/11 01:53:17 emaldona%redhat.com Exp $
  */
 
 #include "cmslocal.h"
diff --git a/security/nss/lib/smime/cmsdecode.c b/security/nss/lib/smime/cmsdecode.c
index 79299dd793ed..341516e1b2fd 100644
--- a/security/nss/lib/smime/cmsdecode.c
+++ b/security/nss/lib/smime/cmsdecode.c
@@ -37,7 +37,7 @@
 /*
  * CMS decoding.
  *
- * $Id: cmsdecode.c,v 1.9.66.4 2011/03/15 17:51:01 emaldona%redhat.com Exp $
+ * $Id: cmsdecode.c,v 1.13 2011/03/15 17:45:21 emaldona%redhat.com Exp $
  */
 
 #include "cmslocal.h"
diff --git a/security/nss/lib/smime/cmsdigdata.c b/security/nss/lib/smime/cmsdigdata.c
index 47f5a4ceb4f4..1a96973aabef 100644
--- a/security/nss/lib/smime/cmsdigdata.c
+++ b/security/nss/lib/smime/cmsdigdata.c
@@ -37,7 +37,7 @@
 /*
  * CMS digestedData methods.
  *
- * $Id: cmsdigdata.c,v 1.5.192.2 2011/02/11 03:57:50 emaldona%redhat.com Exp $
+ * $Id: cmsdigdata.c,v 1.7 2011/02/11 01:53:17 emaldona%redhat.com Exp $
  */
 
 #include "cmslocal.h"
diff --git a/security/nss/lib/smime/cmsencdata.c b/security/nss/lib/smime/cmsencdata.c
index 29d8e39dec9a..d131f4b77ad8 100644
--- a/security/nss/lib/smime/cmsencdata.c
+++ b/security/nss/lib/smime/cmsencdata.c
@@ -37,7 +37,7 @@
 /*
  * CMS encryptedData methods.
  *
- * $Id: cmsencdata.c,v 1.11.56.2 2011/02/11 03:57:50 emaldona%redhat.com Exp $
+ * $Id: cmsencdata.c,v 1.13 2011/02/11 01:53:17 emaldona%redhat.com Exp $
  */
 
 #include "cmslocal.h"
diff --git a/security/nss/lib/smime/cmsencode.c b/security/nss/lib/smime/cmsencode.c
index 7e6f036397d8..d3471a991a9a 100644
--- a/security/nss/lib/smime/cmsencode.c
+++ b/security/nss/lib/smime/cmsencode.c
@@ -37,7 +37,7 @@
 /*
  * CMS encoding.
  *
- * $Id: cmsencode.c,v 1.6.66.5 2011/02/11 03:57:50 emaldona%redhat.com Exp $
+ * $Id: cmsencode.c,v 1.11 2011/02/11 01:53:17 emaldona%redhat.com Exp $
  */
 
 #include "cmslocal.h"
diff --git a/security/nss/lib/smime/cmsenvdata.c b/security/nss/lib/smime/cmsenvdata.c
index 1c0c20aade77..dc0b86428d51 100644
--- a/security/nss/lib/smime/cmsenvdata.c
+++ b/security/nss/lib/smime/cmsenvdata.c
@@ -37,7 +37,7 @@
 /*
  * CMS envelopedData methods.
  *
- * $Id: cmsenvdata.c,v 1.11.142.2 2011/02/11 03:57:50 emaldona%redhat.com Exp $
+ * $Id: cmsenvdata.c,v 1.13 2011/02/11 01:53:17 emaldona%redhat.com Exp $
  */
 
 #include "cmslocal.h"
diff --git a/security/nss/lib/smime/cmslocal.h b/security/nss/lib/smime/cmslocal.h
index 222f90a15d5f..5762d143e267 100644
--- a/security/nss/lib/smime/cmslocal.h
+++ b/security/nss/lib/smime/cmslocal.h
@@ -42,7 +42,7 @@
  * you.  If that has a problem, then just move out what you need, changing
  * its name as appropriate!
  *
- * $Id: cmslocal.h,v 1.5.142.1 2011/01/28 23:08:27 rrelyea%redhat.com Exp $
+ * $Id: cmslocal.h,v 1.6 2011/01/28 23:03:59 rrelyea%redhat.com Exp $
  */
 
 #ifndef _CMSLOCAL_H_
diff --git a/security/nss/lib/smime/cmsmessage.c b/security/nss/lib/smime/cmsmessage.c
index cb45eba0bba6..53a6d36093f1 100644
--- a/security/nss/lib/smime/cmsmessage.c
+++ b/security/nss/lib/smime/cmsmessage.c
@@ -37,7 +37,7 @@
 /*
  * CMS message methods.
  *
- * $Id: cmsmessage.c,v 1.6.192.1 2011/01/28 23:08:27 rrelyea%redhat.com Exp $
+ * $Id: cmsmessage.c,v 1.7 2011/01/28 23:03:59 rrelyea%redhat.com Exp $
  */
 
 #include "cmslocal.h"
diff --git a/security/nss/lib/smime/cmssigdata.c b/security/nss/lib/smime/cmssigdata.c
index 5a1bb4cea8f9..e701c8836b3f 100644
--- a/security/nss/lib/smime/cmssigdata.c
+++ b/security/nss/lib/smime/cmssigdata.c
@@ -37,7 +37,7 @@
 /*
  * CMS signedData methods.
  *
- * $Id: cmssigdata.c,v 1.29.142.2 2011/02/11 03:57:50 emaldona%redhat.com Exp $
+ * $Id: cmssigdata.c,v 1.31 2011/02/11 01:53:17 emaldona%redhat.com Exp $
  */
 
 #include "cmslocal.h"
diff --git a/security/nss/lib/smime/cmssiginfo.c b/security/nss/lib/smime/cmssiginfo.c
index 3bc7cd91a048..9c11d833f90f 100644
--- a/security/nss/lib/smime/cmssiginfo.c
+++ b/security/nss/lib/smime/cmssiginfo.c
@@ -38,7 +38,7 @@
 /*
  * CMS signerInfo methods.
  *
- * $Id: cmssiginfo.c,v 1.32.2.1 2010/08/28 19:51:44 nelson%bolyard.com Exp $
+ * $Id: cmssiginfo.c,v 1.34 2011/02/07 18:32:19 nelson%bolyard.com Exp $
  */
 
 #include "cmslocal.h"
@@ -166,7 +166,8 @@ NSS_CMSSignerInfo_Destroy(NSSCMSSignerInfo *si)
  *
  */
 SECStatus
-NSS_CMSSignerInfo_Sign(NSSCMSSignerInfo *signerinfo, SECItem *digest, SECItem *contentType)
+NSS_CMSSignerInfo_Sign(NSSCMSSignerInfo *signerinfo, SECItem *digest, 
+                       SECItem *contentType)
 {
     CERTCertificate *cert;
     SECKEYPrivateKey *privkey = NULL;
@@ -186,7 +187,8 @@ NSS_CMSSignerInfo_Sign(NSSCMSSignerInfo *signerinfo, SECItem *digest, SECItem *c
     case NSSCMSSignerID_IssuerSN:
         cert = signerinfo->cert;
 
-        if ((privkey = PK11_FindKeyByAnyCert(cert, signerinfo->cmsg->pwfn_arg)) == NULL)
+        privkey = PK11_FindKeyByAnyCert(cert, signerinfo->cmsg->pwfn_arg);
+        if (privkey == NULL)
 	    goto loser;
         algID = &cert->subjectPublicKeyInfo.algorithm;
         break;
@@ -272,6 +274,7 @@ NSS_CMSSignerInfo_Sign(NSSCMSSignerInfo *signerinfo, SECItem *digest, SECItem *c
 	rv = SEC_SignData(&signature, encoded_attrs.data, encoded_attrs.len, 
 	                  privkey, signAlgTag);
 	PORT_FreeArena(tmppoolp, PR_FALSE); /* awkward memory management :-( */
+	tmppoolp = 0;
     } else {
 	rv = SGN_Digest(privkey, digestalgtag, &signature, digest);
     }
diff --git a/security/nss/lib/smime/cmst.h b/security/nss/lib/smime/cmst.h
index 11b772a3093c..7bd415061cfa 100644
--- a/security/nss/lib/smime/cmst.h
+++ b/security/nss/lib/smime/cmst.h
@@ -37,7 +37,7 @@
 /*
  * Header for CMS types.
  *
- * $Id: cmst.h,v 1.10.142.3 2011/02/11 03:57:50 emaldona%redhat.com Exp $
+ * $Id: cmst.h,v 1.13 2011/02/11 01:53:17 emaldona%redhat.com Exp $
  */
 
 #ifndef _CMST_H_
diff --git a/security/nss/lib/smime/cmsudf.c b/security/nss/lib/smime/cmsudf.c
index 025c0e36b0d8..82bfdf0bc778 100644
--- a/security/nss/lib/smime/cmsudf.c
+++ b/security/nss/lib/smime/cmsudf.c
@@ -37,7 +37,7 @@
 /*
  * CMS User Define Types
  *
- * $Id: cmsudf.c,v 1.1.2.4 2011/02/11 03:57:50 emaldona%redhat.com Exp $
+ * $Id: cmsudf.c,v 1.3 2011/02/11 01:53:17 emaldona%redhat.com Exp $
  */
 
 #include "cmslocal.h"
diff --git a/security/nss/lib/smime/cmsutil.c b/security/nss/lib/smime/cmsutil.c
index a60255be9dae..6d97b38e8829 100644
--- a/security/nss/lib/smime/cmsutil.c
+++ b/security/nss/lib/smime/cmsutil.c
@@ -38,7 +38,7 @@
 /*
  * CMS miscellaneous utility functions.
  *
- * $Id: cmsutil.c,v 1.15.54.1 2011/01/28 23:08:27 rrelyea%redhat.com Exp $
+ * $Id: cmsutil.c,v 1.16 2011/01/28 23:03:59 rrelyea%redhat.com Exp $
  */
 
 #include "cmslocal.h"
diff --git a/security/nss/lib/smime/manifest.mn b/security/nss/lib/smime/manifest.mn
index 1f5421f35e4e..e6c2cd98a485 100644
--- a/security/nss/lib/smime/manifest.mn
+++ b/security/nss/lib/smime/manifest.mn
@@ -76,8 +76,6 @@ CSRCS = \
 	smimever.c \
 	$(NULL)
 
-REQUIRES = dbm
-
 LIBRARY_NAME = smime
 LIBRARY_VERSION = 3
 
diff --git a/security/nss/lib/smime/smime.def b/security/nss/lib/smime/smime.def
index 993d108a28bb..6bbf812fad7a 100644
--- a/security/nss/lib/smime/smime.def
+++ b/security/nss/lib/smime/smime.def
@@ -293,3 +293,9 @@ NSS_Get_NSS_PointerToCMSGenericWrapperDataTemplate;
 ;+    local:
 ;+       *;
 ;+};
+;+NSS_3.13 {    # NSS 3.13 release
+;+    global:
+NSSSMIME_GetVersion;
+;+    local:
+;+       *;
+;+};
diff --git a/security/nss/lib/smime/smime.h b/security/nss/lib/smime/smime.h
index 0c112c9a10da..8a72b4809822 100644
--- a/security/nss/lib/smime/smime.h
+++ b/security/nss/lib/smime/smime.h
@@ -38,7 +38,7 @@
  * Header file for routines specific to S/MIME.  Keep things that are pure
  * pkcs7 out of here; this is for S/MIME policy, S/MIME interoperability, etc.
  *
- * $Id: smime.h,v 1.8.192.1 2011/02/11 03:57:50 emaldona%redhat.com Exp $
+ * $Id: smime.h,v 1.10 2011/08/01 07:08:09 kaie%kuix.de Exp $
  */
 
 #ifndef _SECMIME_H_
@@ -150,6 +150,23 @@ extern CERTCertificate *NSS_SMIMEUtil_GetCertFromEncryptionKeyPreference(CERTCer
 extern SECStatus
 NSS_SMIMEUtil_FindBulkAlgForRecipients(CERTCertificate **rcerts, SECOidTag *bulkalgtag, int *keysize);
 
+/*
+ * Return a boolean that indicates whether the underlying library
+ * will perform as the caller expects.
+ *
+ * The only argument is a string, which should be the version
+ * identifier of the NSS library. That string will be compared
+ * against a string that represents the actual build version of
+ * the S/MIME library.  It also invokes the version checking functions
+ * of the dependent libraries such as NSPR.
+ */
+extern PRBool NSSSMIME_VersionCheck(const char *importedVersion);
+
+/*
+ * Returns a const string of the S/MIME library version.
+ */
+extern const char *NSSSMIME_GetVersion(void);
+
 /************************************************************************/
 SEC_END_PROTOS
 
diff --git a/security/nss/lib/smime/smimeutil.c b/security/nss/lib/smime/smimeutil.c
index 4200842a6ce2..2fe02e81f6d5 100644
--- a/security/nss/lib/smime/smimeutil.c
+++ b/security/nss/lib/smime/smimeutil.c
@@ -37,7 +37,7 @@
 /*
  * Stuff specific to S/MIME policy and interoperability.
  *
- * $Id: smimeutil.c,v 1.20 2007/05/10 01:12:21 nelson%bolyard.com Exp $
+ * $Id: smimeutil.c,v 1.21 2011/08/01 07:08:09 kaie%kuix.de Exp $
  */
 
 #include "secmime.h"
@@ -793,3 +793,8 @@ NSSSMIME_VersionCheck(const char *importedVersion)
     return NSS_VersionCheck(importedVersion);
 }
 
+const char *
+NSSSMIME_GetVersion(void)
+{
+    return NSS_VERSION;
+}
diff --git a/security/nss/lib/softoken/fipstest.c b/security/nss/lib/softoken/fipstest.c
index a9ca120a21c2..b4354e2f7eb4 100644
--- a/security/nss/lib/softoken/fipstest.c
+++ b/security/nss/lib/softoken/fipstest.c
@@ -36,7 +36,7 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: fipstest.c,v 1.27 2009/06/19 23:05:48 rrelyea%redhat.com Exp $ */
+/* $Id: fipstest.c,v 1.29 2011/03/29 15:12:43 wtc%google.com Exp $ */
 
 #include "softoken.h"   /* Required for RC2-ECB, RC2-CBC, RC4, DES-ECB,  */
                         /*              DES-CBC, DES3-ECB, DES3-CBC, RSA */
@@ -865,6 +865,13 @@ sftk_fips_HMAC_PowerUpSelfTest( void )
         0x3b, 0x57, 0x1d, 0x61, 0xe7, 0xb8, 0x84, 0x1e, 
         0x5d, 0x0e, 0x1e, 0x11};
 
+    /* known SHA224 hmac (28 bytes) */
+    static const PRUint8 known_SHA224_hmac[] = {
+        0x1c, 0xc3, 0x06, 0x8e, 0xce, 0x37, 0x68, 0xfb, 
+        0x1a, 0x82, 0x4a, 0xbe, 0x2b, 0x00, 0x51, 0xf8,
+        0x9d, 0xb6, 0xe0, 0x90, 0x0d, 0x00, 0xc9, 0x64,
+        0x9a, 0xb8, 0x98, 0x4e};
+
     /* known SHA256 hmac (32 bytes) */
     static const PRUint8 known_SHA256_hmac[] = {
         0x05, 0x75, 0x9a, 0x9e, 0x70, 0x5e, 0xe7, 0x44, 
@@ -911,6 +918,22 @@ sftk_fips_HMAC_PowerUpSelfTest( void )
                        SHA1_LENGTH ) != 0 ) )
         return( CKR_DEVICE_ERROR );
 
+    /***************************************************/
+    /* HMAC SHA-224 Single-Round Known Answer Test.    */
+    /***************************************************/
+
+    hmac_status = sftk_fips_HMAC(hmac_computed, 
+                                 HMAC_known_secret_key,
+                                 HMAC_known_secret_key_length,
+                                 known_hash_message,
+                                 FIPS_KNOWN_HASH_MESSAGE_LENGTH,
+                                 HASH_AlgSHA224);
+
+    if( ( hmac_status != SECSuccess ) || 
+        ( PORT_Memcmp( hmac_computed, known_SHA224_hmac,
+                       SHA224_LENGTH ) != 0 ) )
+        return( CKR_DEVICE_ERROR );
+
     /***************************************************/
     /* HMAC SHA-256 Single-Round Known Answer Test.    */
     /***************************************************/
@@ -971,6 +994,13 @@ sftk_fips_SHA_PowerUpSelfTest( void )
 			       0x72,0xf6,0xc7,0x22,0xf1,0x27,0x9f,0xf0,
 			       0xe0,0x68,0x47,0x7a};
 
+    /* SHA-224 Known Digest Message (224-bits). */
+    static const PRUint8 sha224_known_digest[] = {
+        0x89,0x5e,0x7f,0xfd,0x0e,0xd8,0x35,0x6f,
+        0x64,0x6d,0xf2,0xde,0x5e,0xed,0xa6,0x7f, 
+        0x29,0xd1,0x12,0x73,0x42,0x84,0x95,0x4f, 
+        0x8e,0x08,0xe5,0xcb};
+
     /* SHA-256 Known Digest Message (256-bits). */
     static const PRUint8 sha256_known_digest[] = {
         0x38,0xa9,0xc1,0xf0,0x35,0xf6,0x5d,0x61,
@@ -1014,6 +1044,18 @@ sftk_fips_SHA_PowerUpSelfTest( void )
                        SHA1_LENGTH ) != 0 ) )
         return( CKR_DEVICE_ERROR );
 
+    /***************************************************/
+    /* SHA-224 Single-Round Known Answer Hashing Test. */
+    /***************************************************/
+
+    sha_status = SHA224_HashBuf( sha_computed_digest, known_hash_message,
+                                FIPS_KNOWN_HASH_MESSAGE_LENGTH );
+
+    if( ( sha_status != SECSuccess ) ||
+        ( PORT_Memcmp( sha_computed_digest, sha224_known_digest,
+                       SHA224_LENGTH ) != 0 ) )
+        return( CKR_DEVICE_ERROR );
+
     /***************************************************/
     /* SHA-256 Single-Round Known Answer Hashing Test. */
     /***************************************************/
diff --git a/security/nss/lib/softoken/legacydb/keydb.c b/security/nss/lib/softoken/legacydb/keydb.c
index 8fe9fb5431ac..f94f65064e6b 100644
--- a/security/nss/lib/softoken/legacydb/keydb.c
+++ b/security/nss/lib/softoken/legacydb/keydb.c
@@ -34,7 +34,7 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: keydb.c,v 1.11.22.1 2010/08/07 05:49:16 wtc%google.com Exp $ */
+/* $Id: keydb.c,v 1.12 2010/07/20 01:26:04 wtc%google.com Exp $ */
 
 #include "lowkeyi.h"
 #include "secasn1.h"
@@ -1209,7 +1209,7 @@ nsslowkey_KeyForCertExists(NSSLOWKEYDBHandle *handle, NSSLOWCERTCertificate *cer
 	    PORT_Free(buf);
 	}
     }
-    nsslowkey_DestroyPublicKey(pubkey);
+    lg_nsslowkey_DestroyPublicKey(pubkey);
     if ( status ) {
 	return PR_FALSE;
     }
@@ -1396,7 +1396,7 @@ loser:
     if (dbkey) {
  	sec_destroy_dbkey(dbkey);
     }
-    if (global_salt && global_salt != &none) {
+    if (global_salt != &none) {
 	SECITEM_FreeItem(global_salt,PR_TRUE);
     }
     return rv;
@@ -1535,9 +1535,9 @@ seckey_encrypt_private_key( PLArenaPool *permarena, NSSLOWKEYPrivateKey *pk,
     /* Encode the key, and set the algorithm (with params) */
     switch (pk->keyType) {
       case NSSLOWKEYRSAKey:
-        prepare_low_rsa_priv_key_for_asn1(pk);
+        lg_prepare_low_rsa_priv_key_for_asn1(pk);
 	dummy = SEC_ASN1EncodeItem(temparena, &(pki->privateKey), pk, 
-				   nsslowkey_RSAPrivateKeyTemplate);
+				   lg_nsslowkey_RSAPrivateKeyTemplate);
 	if (dummy == NULL) {
 	    rv = SECFailure;
 	    goto loser;
@@ -1551,17 +1551,17 @@ seckey_encrypt_private_key( PLArenaPool *permarena, NSSLOWKEYPrivateKey *pk,
 	
 	break;
       case NSSLOWKEYDSAKey:
-        prepare_low_dsa_priv_key_for_asn1(pk);
+        lg_prepare_low_dsa_priv_key_for_asn1(pk);
 	dummy = SEC_ASN1EncodeItem(temparena, &(pki->privateKey), pk,
-				   nsslowkey_DSAPrivateKeyTemplate);
+				   lg_nsslowkey_DSAPrivateKeyTemplate);
 	if (dummy == NULL) {
 	    rv = SECFailure;
 	    goto loser;
 	}
 	
-        prepare_low_pqg_params_for_asn1(&pk->u.dsa.params);
+        lg_prepare_low_pqg_params_for_asn1(&pk->u.dsa.params);
 	dummy = SEC_ASN1EncodeItem(temparena, NULL, &pk->u.dsa.params,
-				   nsslowkey_PQGParamsTemplate);
+				   lg_nsslowkey_PQGParamsTemplate);
 	if (dummy == NULL) {
 	    rv = SECFailure;
 	    goto loser;
@@ -1575,9 +1575,9 @@ seckey_encrypt_private_key( PLArenaPool *permarena, NSSLOWKEYPrivateKey *pk,
 	
 	break;
       case NSSLOWKEYDHKey:
-        prepare_low_dh_priv_key_for_asn1(pk);
+        lg_prepare_low_dh_priv_key_for_asn1(pk);
 	dummy = SEC_ASN1EncodeItem(temparena, &(pki->privateKey), pk,
-				   nsslowkey_DHPrivateKeyTemplate);
+				   lg_nsslowkey_DHPrivateKeyTemplate);
 	if (dummy == NULL) {
 	    rv = SECFailure;
 	    goto loser;
@@ -1591,7 +1591,7 @@ seckey_encrypt_private_key( PLArenaPool *permarena, NSSLOWKEYPrivateKey *pk,
 	break;
 #ifdef NSS_ENABLE_ECC
       case NSSLOWKEYECKey:
-	prepare_low_ec_priv_key_for_asn1(pk);
+	lg_prepare_low_ec_priv_key_for_asn1(pk);
 	/* Public value is encoded as a bit string so adjust length
 	 * to be in bits before ASN encoding and readjust 
 	 * immediately after.
@@ -1604,7 +1604,7 @@ seckey_encrypt_private_key( PLArenaPool *permarena, NSSLOWKEYPrivateKey *pk,
 	savelen = pk->u.ec.ecParams.curveOID.len;
 	pk->u.ec.ecParams.curveOID.len = 0;
 	dummy = SEC_ASN1EncodeItem(temparena, &(pki->privateKey), pk,
-				   nsslowkey_ECPrivateKeyTemplate);
+				   lg_nsslowkey_ECPrivateKeyTemplate);
 	pk->u.ec.ecParams.curveOID.len = savelen;
 	pk->u.ec.publicValue.len >>= 3;
 
@@ -1637,7 +1637,7 @@ seckey_encrypt_private_key( PLArenaPool *permarena, NSSLOWKEYPrivateKey *pk,
 
     /* setup encrypted private key info */
     dummy = SEC_ASN1EncodeItem(temparena, der_item, pki, 
-	nsslowkey_PrivateKeyInfoTemplate);
+	lg_nsslowkey_PrivateKeyInfoTemplate);
 
     SEC_PRINT("seckey_encrypt_private_key()", "PrivateKeyInfo", 
 	      pk->keyType, der_item);
@@ -1777,50 +1777,50 @@ seckey_decrypt_private_key(SECItem*epki,
 		  dest);
 
 	rv = SEC_QuickDERDecodeItem(temparena, pki, 
-	    nsslowkey_PrivateKeyInfoTemplate, dest);
+	    lg_nsslowkey_PrivateKeyInfoTemplate, dest);
 	if(rv == SECSuccess)
 	{
 	    switch(SECOID_GetAlgorithmTag(&pki->algorithm)) {
 	      case SEC_OID_X500_RSA_ENCRYPTION:
 	      case SEC_OID_PKCS1_RSA_ENCRYPTION:
 		pk->keyType = NSSLOWKEYRSAKey;
-		prepare_low_rsa_priv_key_for_asn1(pk);
+		lg_prepare_low_rsa_priv_key_for_asn1(pk);
                 if (SECSuccess != SECITEM_CopyItem(permarena, &newPrivateKey,
                     &pki->privateKey) ) break;
 		rv = SEC_QuickDERDecodeItem(permarena, pk,
-					nsslowkey_RSAPrivateKeyTemplate,
+					lg_nsslowkey_RSAPrivateKeyTemplate,
 					&newPrivateKey);
 		break;
 	      case SEC_OID_ANSIX9_DSA_SIGNATURE:
 		pk->keyType = NSSLOWKEYDSAKey;
-		prepare_low_dsa_priv_key_for_asn1(pk);
+		lg_prepare_low_dsa_priv_key_for_asn1(pk);
                 if (SECSuccess != SECITEM_CopyItem(permarena, &newPrivateKey,
                     &pki->privateKey) ) break;
 		rv = SEC_QuickDERDecodeItem(permarena, pk,
-					nsslowkey_DSAPrivateKeyTemplate,
+					lg_nsslowkey_DSAPrivateKeyTemplate,
 					&newPrivateKey);
 		if (rv != SECSuccess)
 		    goto loser;
-		prepare_low_pqg_params_for_asn1(&pk->u.dsa.params);
+		lg_prepare_low_pqg_params_for_asn1(&pk->u.dsa.params);
                 if (SECSuccess != SECITEM_CopyItem(permarena, &newAlgParms,
                     &pki->algorithm.parameters) ) break;
 		rv = SEC_QuickDERDecodeItem(permarena, &pk->u.dsa.params,
-					nsslowkey_PQGParamsTemplate,
+					lg_nsslowkey_PQGParamsTemplate,
 					&newAlgParms);
 		break;
 	      case SEC_OID_X942_DIFFIE_HELMAN_KEY:
 		pk->keyType = NSSLOWKEYDHKey;
-		prepare_low_dh_priv_key_for_asn1(pk);
+		lg_prepare_low_dh_priv_key_for_asn1(pk);
                 if (SECSuccess != SECITEM_CopyItem(permarena, &newPrivateKey,
                     &pki->privateKey) ) break;
 		rv = SEC_QuickDERDecodeItem(permarena, pk,
-					nsslowkey_DHPrivateKeyTemplate,
+					lg_nsslowkey_DHPrivateKeyTemplate,
 					&newPrivateKey);
 		break;
 #ifdef NSS_ENABLE_ECC
 	      case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
 		pk->keyType = NSSLOWKEYECKey;
-		prepare_low_ec_priv_key_for_asn1(pk);
+		lg_prepare_low_ec_priv_key_for_asn1(pk);
 
 		fordebug = &pki->privateKey;
 		SEC_PRINT("seckey_decrypt_private_key()", "PrivateKey", 
@@ -1828,12 +1828,12 @@ seckey_decrypt_private_key(SECItem*epki,
                 if (SECSuccess != SECITEM_CopyItem(permarena, &newPrivateKey,
                     &pki->privateKey) ) break;
 		rv = SEC_QuickDERDecodeItem(permarena, pk,
-					nsslowkey_ECPrivateKeyTemplate,
+					lg_nsslowkey_ECPrivateKeyTemplate,
 					&newPrivateKey);
 		if (rv != SECSuccess)
 		    goto loser;
 
-		prepare_low_ecparams_for_asn1(&pk->u.ec.ecParams);
+		lg_prepare_low_ecparams_for_asn1(&pk->u.ec.ecParams);
 
 		rv = SECITEM_CopyItem(permarena, 
 		    &pk->u.ec.ecParams.DEREncoding, 
@@ -1980,7 +1980,7 @@ nsslowkey_FindKeyNicknameByPublicKey(NSSLOWKEYDBHandle *handle,
 
     pk = seckey_get_private_key(handle, &namekey, &nickname, sdbpw);
     if (pk) {
-	nsslowkey_DestroyPrivateKey(pk);
+	lg_nsslowkey_DestroyPrivateKey(pk);
     }
     
     /* no need to free dbkey, since its on the stack, and the data it
diff --git a/security/nss/lib/softoken/legacydb/lgattr.c b/security/nss/lib/softoken/legacydb/lgattr.c
index 344644888fdb..0d26bf4e8f45 100644
--- a/security/nss/lib/softoken/legacydb/lgattr.c
+++ b/security/nss/lib/softoken/legacydb/lgattr.c
@@ -61,7 +61,7 @@ typedef struct LGObjectCacheStr {
 
 static const CK_OBJECT_HANDLE lg_classArray[] = {
     0, CKO_PRIVATE_KEY, CKO_PUBLIC_KEY, CKO_SECRET_KEY,
-    CKO_NETSCAPE_TRUST, CKO_NETSCAPE_CRL, CKO_NETSCAPE_SMIME,
+    CKO_NSS_TRUST, CKO_NSS_CRL, CKO_NSS_SMIME,
      CKO_CERTIFICATE };
 
 #define handleToClass(handle) \
@@ -290,7 +290,7 @@ lg_getSMime(LGObjectCache *obj)
     certDBEntrySMime *entry;
     NSSLOWCERTCertDBHandle *certHandle;
 
-    if (obj->objclass != CKO_NETSCAPE_SMIME) {
+    if (obj->objclass != CKO_NSS_SMIME) {
 	return NULL;
     }
     if (obj->objectInfo) {
@@ -314,7 +314,7 @@ lg_getCrl(LGObjectCache *obj)
     PRBool isKrl;
     NSSLOWCERTCertDBHandle *certHandle;
 
-    if (obj->objclass != CKO_NETSCAPE_CRL) {
+    if (obj->objclass != CKO_NSS_CRL) {
 	return NULL;
     }
     if (obj->objectInfo) {
@@ -339,7 +339,7 @@ lg_getCert(LGObjectCache *obj, NSSLOWCERTCertDBHandle *certHandle)
     NSSLOWCERTCertificate *cert;
     CK_OBJECT_CLASS objClass = obj->objclass;
 
-    if ((objClass != CKO_CERTIFICATE) && (objClass != CKO_NETSCAPE_TRUST)) {
+    if ((objClass != CKO_CERTIFICATE) && (objClass != CKO_NSS_TRUST)) {
 	return NULL;
     }
     if (objClass == CKO_CERTIFICATE && obj->objectInfo) {
@@ -358,7 +358,7 @@ lg_getTrust(LGObjectCache *obj, NSSLOWCERTCertDBHandle *certHandle)
 {
     NSSLOWCERTTrust *trust;
 
-    if (obj->objclass != CKO_NETSCAPE_TRUST) {
+    if (obj->objclass != CKO_NSS_TRUST) {
 	return NULL;
     }
     if (obj->objectInfo) {
@@ -386,10 +386,10 @@ lg_GetPublicKey(LGObjectCache *obj)
     if (privKey == NULL) {
 	return NULL;
     }
-    pubKey = nsslowkey_ConvertToPublicKey(privKey);
-    nsslowkey_DestroyPrivateKey(privKey);
+    pubKey = lg_nsslowkey_ConvertToPublicKey(privKey);
+    lg_nsslowkey_DestroyPrivateKey(privKey);
     obj->objectInfo = (void *) pubKey;
-    obj->infoFree = (LGFreeFunc) nsslowkey_DestroyPublicKey ;
+    obj->infoFree = (LGFreeFunc) lg_nsslowkey_DestroyPublicKey ;
     return pubKey;
 }
 
@@ -418,7 +418,7 @@ lg_GetPrivateKeyWithDB(LGObjectCache *obj, NSSLOWKEYDBHandle *keyHandle)
 	return NULL;
     }
     obj->objectInfo = (void *) privKey;
-    obj->infoFree = (LGFreeFunc) nsslowkey_DestroyPrivateKey ;
+    obj->infoFree = (LGFreeFunc) lg_nsslowkey_DestroyPrivateKey ;
     return privKey;
 }
 
@@ -1083,10 +1083,10 @@ lg_FindSMIMEAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type,
     case CKA_PRIVATE:
     case CKA_MODIFIABLE:
 	return LG_CLONE_ATTR(attribute,type,lg_StaticFalseAttr);
-    case CKA_NETSCAPE_EMAIL:
+    case CKA_NSS_EMAIL:
 	return lg_CopyAttribute(attribute,type,obj->dbKey.data,
 						obj->dbKey.len-1);
-    case CKA_NETSCAPE_SMIME_TIMESTAMP:
+    case CKA_NSS_SMIME_TIMESTAMP:
     case CKA_SUBJECT:
     case CKA_VALUE:
 	break;
@@ -1098,7 +1098,7 @@ lg_FindSMIMEAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type,
 	return CKR_OBJECT_HANDLE_INVALID;
     }
     switch (type) {
-    case CKA_NETSCAPE_SMIME_TIMESTAMP:
+    case CKA_NSS_SMIME_TIMESTAMP:
 	return lg_CopyAttribute(attribute,type,entry->optionsDate.data,
 					entry->optionsDate.len);
     case CKA_SUBJECT:
@@ -1172,26 +1172,25 @@ lg_FindTrustAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type,
 trust:
 	if (trustFlags & CERTDB_TRUSTED_CA ) {
 	    return lg_ULongAttribute(attribute, type,
-				     CKT_NETSCAPE_TRUSTED_DELEGATOR);
+				     CKT_NSS_TRUSTED_DELEGATOR);
 	}
 	if (trustFlags & CERTDB_TRUSTED) {
-	    return lg_ULongAttribute(attribute, type, CKT_NETSCAPE_TRUSTED);
+	    return lg_ULongAttribute(attribute, type, CKT_NSS_TRUSTED);
 	}
-	if (trustFlags & CERTDB_NOT_TRUSTED) {
-	    return lg_ULongAttribute(attribute, type, CKT_NETSCAPE_UNTRUSTED);
+	if (trustFlags & CERTDB_MUST_VERIFY) {
+	    return lg_ULongAttribute(attribute, type, 
+				     CKT_NSS_MUST_VERIFY_TRUST);
 	}
 	if (trustFlags & CERTDB_TRUSTED_UNKNOWN) {
-	    return lg_ULongAttribute(attribute, type,
-				     CKT_NETSCAPE_TRUST_UNKNOWN);
+	    return lg_ULongAttribute(attribute, type, CKT_NSS_TRUST_UNKNOWN);
 	}
 	if (trustFlags & CERTDB_VALID_CA) {
-	    return lg_ULongAttribute(attribute, type,
-				     CKT_NETSCAPE_VALID_DELEGATOR);
+	    return lg_ULongAttribute(attribute, type, CKT_NSS_VALID_DELEGATOR);
 	}
-	if (trustFlags & CERTDB_VALID_PEER) {
-	    return lg_ULongAttribute(attribute, type, CKT_NETSCAPE_VALID);
+	if (trustFlags & CERTDB_TERMINAL_RECORD) {
+	    return lg_ULongAttribute(attribute, type, CKT_NSS_NOT_TRUSTED);
 	}
-	return lg_ULongAttribute(attribute, type, CKT_NETSCAPE_MUST_VERIFY);
+	return lg_ULongAttribute(attribute, type, CKT_NSS_TRUST_UNKNOWN);
     case CKA_TRUST_STEP_UP_APPROVED:
 	if (trust->trust->sslFlags & CERTDB_GOVT_APPROVED_CA) {
 	    return LG_CLONE_ATTR(attribute,type,lg_StaticTrueAttr);
@@ -1237,14 +1236,14 @@ lg_FindCrlAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type,
     case CKA_PRIVATE:
     case CKA_MODIFIABLE:
 	return LG_CLONE_ATTR(attribute,type,lg_StaticFalseAttr);
-    case CKA_NETSCAPE_KRL:
+    case CKA_NSS_KRL:
 	return ((obj->handle == LG_TOKEN_KRL_HANDLE) 
 		? LG_CLONE_ATTR(attribute,type,lg_StaticTrueAttr)
 		: LG_CLONE_ATTR(attribute,type,lg_StaticFalseAttr));
     case CKA_SUBJECT:
 	return lg_CopyAttribute(attribute,type,obj->dbKey.data,
 						obj->dbKey.len);
-    case CKA_NETSCAPE_URL:
+    case CKA_NSS_URL:
     case CKA_VALUE:
 	break;
     default:
@@ -1255,7 +1254,7 @@ lg_FindCrlAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type,
 	return CKR_OBJECT_HANDLE_INVALID;
     }
     switch (type) {
-    case CKA_NETSCAPE_URL:
+    case CKA_NSS_URL:
 	if (crl->url == NULL) {
 	    return LG_CLONE_ATTR(attribute,type,lg_StaticNullAttr);
 	}
@@ -1294,7 +1293,7 @@ lg_FindCertAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type,
     case CKA_SUBJECT:
     case CKA_ISSUER:
     case CKA_SERIAL_NUMBER:
-    case CKA_NETSCAPE_EMAIL:
+    case CKA_NSS_EMAIL:
 	break;
     default:
 	return lg_invalidAttribute(attribute);
@@ -1323,12 +1322,12 @@ lg_FindCertAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type,
 	if (pubKey == NULL) break;
 	item = lg_GetPubItem(pubKey);
 	if (item == NULL) {
-	    nsslowkey_DestroyPublicKey(pubKey);
+	    lg_nsslowkey_DestroyPublicKey(pubKey);
 	    break;
 	}
 	SHA1_HashBuf(hash,item->data,item->len);
 	/* item is imbedded in pubKey, just free the key */
-	nsslowkey_DestroyPublicKey(pubKey);
+	lg_nsslowkey_DestroyPublicKey(pubKey);
 	return lg_CopyAttribute(attribute, type, hash, SHA1_LENGTH);
     case CKA_LABEL:
 	return cert->nickname 
@@ -1344,7 +1343,7 @@ lg_FindCertAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type,
     case CKA_SERIAL_NUMBER:
 	return lg_CopyAttribute(attribute,type,cert->derSN.data,
 						cert->derSN.len);
-    case CKA_NETSCAPE_EMAIL:
+    case CKA_NSS_EMAIL:
 	return (cert->emailAddr && cert->emailAddr[0])
 	    ? lg_CopyAttribute(attribute, type, cert->emailAddr,
 	                             PORT_Strlen(cert->emailAddr))
@@ -1379,11 +1378,11 @@ lg_GetSingleAttribute(LGObjectCache *obj, CK_ATTRIBUTE *attribute)
     switch (obj->objclass) {
     case CKO_CERTIFICATE:
 	return lg_FindCertAttribute(obj,type,attribute);
-    case CKO_NETSCAPE_CRL:
+    case CKO_NSS_CRL:
 	return lg_FindCrlAttribute(obj,type,attribute);
-    case CKO_NETSCAPE_TRUST:
+    case CKO_NSS_TRUST:
 	return lg_FindTrustAttribute(obj,type,attribute);
-    case CKO_NETSCAPE_SMIME:
+    case CKO_NSS_SMIME:
 	return lg_FindSMIMEAttribute(obj,type,attribute);
     case CKO_PUBLIC_KEY:
 	return lg_FindPublicKeyAttribute(obj,type,attribute);
@@ -1501,7 +1500,7 @@ lg_SetCertAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type,
 
     /* we can't change  the EMAIL values, but let the
      * upper layers feel better about the fact we tried to set these */
-    if (type == CKA_NETSCAPE_EMAIL) {
+    if (type == CKA_NSS_EMAIL) {
 	return CKR_OK;
     }
 
@@ -1763,10 +1762,10 @@ lg_SetSingleAttribute(LGObjectCache *obj, const CK_ATTRIBUTE *attr,
 	crv = lg_SetCertAttribute(obj,attr->type,
 				  attr->pValue,attr->ulValueLen);
 	break;
-    case CKO_NETSCAPE_CRL:
+    case CKO_NSS_CRL:
 	/* change URL */
 	break;
-    case CKO_NETSCAPE_TRUST:
+    case CKO_NSS_TRUST:
 	crv = lg_SetTrustAttribute(obj,attr);
 	break;
     case CKO_PRIVATE_KEY:
diff --git a/security/nss/lib/softoken/legacydb/lgcreate.c b/security/nss/lib/softoken/legacydb/lgcreate.c
index ab6c652f7f03..fa76297c1765 100644
--- a/security/nss/lib/softoken/legacydb/lgcreate.c
+++ b/security/nss/lib/softoken/legacydb/lgcreate.c
@@ -143,7 +143,7 @@ lg_createCertObject(SDB *sdb, CK_OBJECT_HANDLE *handle,
     /*
      * Add a NULL S/MIME profile if necessary.
      */
-    email = lg_getString(CKA_NETSCAPE_EMAIL, templ, count);
+    email = lg_getString(CKA_NSS_EMAIL, templ, count);
     if (email) {
 	certDBEntrySMime *entry;
 
@@ -168,17 +168,15 @@ lg_MapTrust(CK_TRUST trust, PRBool clientAuth)
     unsigned int trustCA = clientAuth ? CERTDB_TRUSTED_CLIENT_CA :
 							CERTDB_TRUSTED_CA;
     switch (trust) {
-    case CKT_NETSCAPE_TRUSTED:
-	return CERTDB_VALID_PEER|CERTDB_TRUSTED;
-    case CKT_NETSCAPE_TRUSTED_DELEGATOR:
+    case CKT_NSS_TRUSTED:
+	return CERTDB_TERMINAL_RECORD|CERTDB_TRUSTED;
+    case CKT_NSS_TRUSTED_DELEGATOR:
 	return CERTDB_VALID_CA|trustCA;
-    case CKT_NETSCAPE_UNTRUSTED:
-	return CERTDB_NOT_TRUSTED;
-    case CKT_NETSCAPE_MUST_VERIFY:
-	return 0;
-    case CKT_NETSCAPE_VALID: /* implies must verify */
-	return CERTDB_VALID_PEER;
-    case CKT_NETSCAPE_VALID_DELEGATOR: /* implies must verify */
+    case CKT_NSS_MUST_VERIFY_TRUST:
+	return CERTDB_MUST_VERIFY;
+    case CKT_NSS_NOT_TRUSTED:
+	return CERTDB_TERMINAL_RECORD;
+    case CKT_NSS_VALID_DELEGATOR: /* implies must verify */
 	return CERTDB_VALID_CA;
     default:
 	break;
@@ -198,10 +196,10 @@ lg_createTrustObject(SDB *sdb, CK_OBJECT_HANDLE *handle,
     const CK_ATTRIBUTE *serial = NULL;
     NSSLOWCERTCertificate *cert = NULL;
     const CK_ATTRIBUTE *trust;
-    CK_TRUST sslTrust = CKT_NETSCAPE_TRUST_UNKNOWN;
-    CK_TRUST clientTrust = CKT_NETSCAPE_TRUST_UNKNOWN;
-    CK_TRUST emailTrust = CKT_NETSCAPE_TRUST_UNKNOWN;
-    CK_TRUST signTrust = CKT_NETSCAPE_TRUST_UNKNOWN;
+    CK_TRUST sslTrust = CKT_NSS_TRUST_UNKNOWN;
+    CK_TRUST clientTrust = CKT_NSS_TRUST_UNKNOWN;
+    CK_TRUST emailTrust = CKT_NSS_TRUST_UNKNOWN;
+    CK_TRUST signTrust = CKT_NSS_TRUST_UNKNOWN;
     CK_BBOOL stepUp;
     NSSLOWCERTCertTrust dbTrust = { 0 };
     SECStatus rv;
@@ -323,7 +321,7 @@ lg_createSMimeObject(SDB *sdb, CK_OBJECT_HANDLE *handle,
     }
 
     /* lookup Time */
-    time = lg_FindAttribute(CKA_NETSCAPE_SMIME_TIMESTAMP,templ,count);
+    time = lg_FindAttribute(CKA_NSS_SMIME_TIMESTAMP,templ,count);
     if (time) {
 	rawTime.data = (unsigned char *)time->pValue;
 	rawTime.len = time->ulValueLen ;
@@ -332,7 +330,7 @@ lg_createSMimeObject(SDB *sdb, CK_OBJECT_HANDLE *handle,
     }
 
 
-    email = lg_getString(CKA_NETSCAPE_EMAIL,templ,count);
+    email = lg_getString(CKA_NSS_EMAIL,templ,count);
     if (!email) {
 	ck_rv = CKR_ATTRIBUTE_VALUE_INVALID;
 	goto loser;
@@ -399,8 +397,8 @@ lg_createCrlObject(SDB *sdb, CK_OBJECT_HANDLE *handle,
     derCrl.data = (unsigned char *)crl->pValue;
     derCrl.len = crl->ulValueLen ;
 
-    url = lg_getString(CKA_NETSCAPE_URL,templ,count);
-    isKRL = lg_isTrue(CKA_NETSCAPE_KRL,templ,count);
+    url = lg_getString(CKA_NSS_URL,templ,count);
+    isKRL = lg_isTrue(CKA_NSS_KRL,templ,count);
 
     /* Store CRL by SUBJECT */
     rv = nsslowcert_AddCrl(certHandle, &derCrl, &derSubj, url, isKRL);
@@ -520,7 +518,7 @@ lg_createPublicKeyObject(SDB *sdb, CK_KEY_TYPE key_type,
 	crv = CKR_ATTRIBUTE_VALUE_INVALID;
 	goto done;
     }
-    nsslowkey_DestroyPrivateKey(priv);
+    lg_nsslowkey_DestroyPrivateKey(priv);
     crv = CKR_OK;
 
     *handle = lg_mkHandle(sdb, pubKey, LG_TOKEN_TYPE_PUB);
@@ -727,7 +725,7 @@ fail:
     if (label) PORT_Free(label);
     *handle = lg_mkHandle(sdb,&pubKey,LG_TOKEN_TYPE_PRIV);
     if (pubKey.data) PORT_Free(pubKey.data);
-    nsslowkey_DestroyPrivateKey(privKey);
+    lg_nsslowkey_DestroyPrivateKey(privKey);
     if (rv != SECSuccess) return crv;
 
     return CKR_OK;
@@ -929,7 +927,7 @@ lg_createSecretKeyObject(SDB *sdb, CK_KEY_TYPE key_type,
 
 loser:
     if (label) PORT_Free(label);
-    if (privKey) nsslowkey_DestroyPrivateKey(privKey);
+    if (privKey) lg_nsslowkey_DestroyPrivateKey(privKey);
     if (pubKey.data) PORT_Free(pubKey.data);
 
     return crv;
@@ -987,13 +985,13 @@ lg_CreateObject(SDB *sdb, CK_OBJECT_HANDLE *handle,
     case CKO_CERTIFICATE:
 	crv = lg_createCertObject(sdb,handle,templ,count);
 	break;
-    case CKO_NETSCAPE_TRUST:
+    case CKO_NSS_TRUST:
 	crv = lg_createTrustObject(sdb,handle,templ,count);
 	break;
-    case CKO_NETSCAPE_CRL:
+    case CKO_NSS_CRL:
 	crv = lg_createCrlObject(sdb,handle,templ,count);
 	break;
-    case CKO_NETSCAPE_SMIME:
+    case CKO_NSS_SMIME:
 	crv = lg_createSMimeObject(sdb,handle,templ,count);
 	break;
     case CKO_PRIVATE_KEY:
diff --git a/security/nss/lib/softoken/legacydb/lgdb.h b/security/nss/lib/softoken/legacydb/lgdb.h
index ed6f1298d4ce..266178066753 100644
--- a/security/nss/lib/softoken/legacydb/lgdb.h
+++ b/security/nss/lib/softoken/legacydb/lgdb.h
@@ -51,18 +51,11 @@
 #define MULTIACCESS "multiaccess:"
 
 
-/* machine dependent path stuff used by dbinit.c and pk11db.c */
-#ifdef macintosh
-#define PATH_SEPARATOR ":"
-#define SECMOD_DB "Security Modules"
-#define CERT_DB_FMT "%sCertificates%s"
-#define KEY_DB_FMT "%sKey Database%s"
-#else
+/* path stuff (was machine dependent) used by dbinit.c and pk11db.c */
 #define PATH_SEPARATOR "/"
 #define SECMOD_DB "secmod.db"
 #define CERT_DB_FMT "%scert%s.db"
 #define KEY_DB_FMT "%skey%s.db"
-#endif
 
 SEC_BEGIN_PROTOS
 
@@ -197,20 +190,20 @@ SEC_END_PROTOS
 
 #ifndef XP_UNIX
 
-#define NO_CHECK_FORK
+#define NO_FORK_CHECK
 
 #endif
 
-#ifndef NO_CHECK_FORK
+#ifndef NO_FORK_CHECK
 
-extern PRBool parentForkedAfterC_Initialize;
-#define SKIP_AFTER_FORK(x) if (!parentForkedAfterC_Initialize) x
+extern PRBool lg_parentForkedAfterC_Initialize;
+#define SKIP_AFTER_FORK(x) if (!lg_parentForkedAfterC_Initialize) x
 
 #else
 
 #define SKIP_AFTER_FORK(x) x
 
-#endif /* NO_CHECK_FORK */
+#endif /* NO_FORK_CHECK */
 
 #endif /* _LGDB_H_ */
 
diff --git a/security/nss/lib/softoken/legacydb/lgfind.c b/security/nss/lib/softoken/legacydb/lgfind.c
index 29aab3dd3141..3cd8bbe8e440 100644
--- a/security/nss/lib/softoken/legacydb/lgfind.c
+++ b/security/nss/lib/softoken/legacydb/lgfind.c
@@ -223,7 +223,7 @@ lg_key_collect(DBT *key, DBT *data, void *arg)
 							~LG_KEY;
 		haveMatch = (PRBool)
 			((classFlags & (LG_KEY|LG_PRIVATE|LG_PUBLIC)) != 0);
-		nsslowkey_DestroyPrivateKey(privKey);
+		lg_nsslowkey_DestroyPrivateKey(privKey);
 	    }
 	} else {
 	    SHA1_HashBuf( hashKey, key->data, key->size ); /* match id */
@@ -289,7 +289,7 @@ lg_key_collect(DBT *key, DBT *data, void *arg)
 
 loser:
     if ( privKey ) {
-	nsslowkey_DestroyPrivateKey(privKey);
+	lg_nsslowkey_DestroyPrivateKey(privKey);
     }
     return(SECSuccess);
 }
@@ -327,7 +327,7 @@ lg_searchKeys(SDB *sdb, SECItem *key_id,
 			lg_mkHandle(sdb,key_id,LG_TOKEN_TYPE_PUB));
 		found = PR_TRUE;
 	    }
-    	    nsslowkey_DestroyPrivateKey(privKey);
+    	    lg_nsslowkey_DestroyPrivateKey(privKey);
 	}
 	/* don't do the traversal if we have an up to date db */
 	if (keyHandle->version != 3) {
diff --git a/security/nss/lib/softoken/legacydb/lginit.c b/security/nss/lib/softoken/legacydb/lginit.c
index 6236b7851d6d..c1b1578318cd 100644
--- a/security/nss/lib/softoken/legacydb/lginit.c
+++ b/security/nss/lib/softoken/legacydb/lginit.c
@@ -36,7 +36,7 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: lginit.c,v 1.14.22.1 2011/01/06 19:55:02 wtc%google.com Exp $ */
+/* $Id: lginit.c,v 1.16 2011/01/06 19:33:14 wtc%google.com Exp $ */
 
 #include "lowkeyi.h"
 #include "pcert.h"
@@ -44,6 +44,26 @@
 #include "lgdb.h"
 #include "secoid.h"
 #include "prenv.h"
+#include "softkver.h"
+
+/* Library identity and versioning */
+
+#if defined(DEBUG)
+#define _DEBUG_STRING " (debug)"
+#else
+#define _DEBUG_STRING ""
+#endif
+
+/*
+ * Version information for the 'ident' and 'what commands
+ *
+ * NOTE: the first component of the concatenated rcsid string
+ * must not end in a '$' to prevent rcs keyword substitution.
+ */
+const char __nss_dbm_rcsid[] = "$Header: NSS " SOFTOKEN_VERSION _DEBUG_STRING
+        "  " __DATE__ " " __TIME__ " $";
+const char __nss_dbm_sccsid[] = "@(#)NSS " SOFTOKEN_VERSION _DEBUG_STRING
+        "  " __DATE__ " " __TIME__;
 
 typedef struct LGPrivateStr {
     NSSLOWCERTCertDBHandle *certDB;
@@ -462,11 +482,11 @@ lg_getKeyDB(SDB *sdb)
     return lgdb_p->keyDB;
 }
 
-PRBool parentForkedAfterC_Initialize;
+PRBool lg_parentForkedAfterC_Initialize;
 
 void lg_SetForkState(PRBool forked)
 {
-    parentForkedAfterC_Initialize = forked;
+    lg_parentForkedAfterC_Initialize = forked;
 }
 
 CK_RV
@@ -606,6 +626,9 @@ legacy_Open(const char *configdir, const char *certPrefix,
     CK_RV crv = CKR_OK;
     SECStatus rv;
     PRBool readOnly = (flags == SDB_RDONLY)? PR_TRUE: PR_FALSE;
+    volatile char c; /* force a reference that won't get optimized away */
+
+    c = __nss_dbm_rcsid[0] + __nss_dbm_sccsid[0];
 
     rv = SECOID_Init();
     if (SECSuccess != rv) {
diff --git a/security/nss/lib/softoken/legacydb/lowcert.c b/security/nss/lib/softoken/legacydb/lowcert.c
index 703faeb2f7bd..aa1d61a955e7 100644
--- a/security/nss/lib/softoken/legacydb/lowcert.c
+++ b/security/nss/lib/softoken/legacydb/lowcert.c
@@ -38,7 +38,7 @@
 /*
  * Certificate handling code
  *
- * $Id: lowcert.c,v 1.5 2009/04/12 01:31:45 nelson%bolyard.com Exp $
+ * $Id: lowcert.c,v 1.6 2010/07/20 01:26:04 wtc%google.com Exp $
  */
 
 #include "seccomon.h"
@@ -120,6 +120,11 @@ nsslowcert_dataStart(unsigned char *buf, unsigned int length,
     unsigned char tag;
     unsigned int used_length= 0;
 
+    /* need at least a tag and a 1 byte length */
+    if (length < 2) {
+	return NULL;
+    }
+
     tag = buf[used_length++];
 
     if (rettag) {
@@ -136,6 +141,10 @@ nsslowcert_dataStart(unsigned char *buf, unsigned int length,
     if (*data_length&0x80) {
 	int  len_count = *data_length & 0x7f;
 
+	if (len_count+used_length > length) {
+	   return NULL;
+	}
+
 	*data_length = 0;
 
 	while (len_count-- > 0) {
@@ -213,6 +222,9 @@ nsslowcert_GetCertFields(unsigned char *cert,int cert_length,
     /* serial number */
     if (derSN) {
 	derSN->data=nsslowcert_dataStart(buf,buf_length,&derSN->len,PR_TRUE, NULL);
+	/* derSN->data  doesn't need to be checked because if it fails so will
+	 * serial->data below. The only difference between the two calls is
+	 * whether or not the tags are included in the returned buffer */
     }
     serial->data = nsslowcert_dataStart(buf,buf_length,&serial->len,PR_FALSE, NULL);
     if (serial->data == NULL) return SECFailure;
@@ -256,7 +268,21 @@ nsslowcert_GetCertFields(unsigned char *cert,int cert_length,
 	if (buf[0] == 0xa3) {
 	    extensions->data = nsslowcert_dataStart(buf,buf_length, 
 					&extensions->len, PR_FALSE, NULL);
-	    break;
+	    /* if the DER is bad, we should fail. Previously we accepted
+	     * bad DER here and treated the extension as missin */
+	    if (extensions->data == NULL ||
+	       (extensions->data - buf) + extensions->len != buf_length) 
+                return SECFailure;
+            buf = extensions->data;
+            buf_length = extensions->len; 
+            /* now parse the SEQUENCE holding the extensions. */
+            dummy = nsslowcert_dataStart(buf,buf_length,&dummylen,PR_FALSE,NULL);
+            if (dummy == NULL ||
+               (dummy - buf) + dummylen != buf_length)
+                return SECFailure;
+            buf_length -= (dummy - buf);
+            buf = dummy;
+            /* Now parse the extensions inside this sequence */
 	}
 	dummy = nsslowcert_dataStart(buf,buf_length,&dummylen,PR_FALSE,NULL);
 	if (dummy == NULL) return SECFailure;
@@ -628,6 +654,10 @@ nsslowcert_DecodeDERCertificate(SECItem *derSignedCert, char *nickname)
 	&cert->derIssuer, &cert->serialNumber, &cert->derSN, &cert->derSubject,
 	&cert->validity, &cert->derSubjKeyInfo, &cert->extensions);
 
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
     /* cert->subjectKeyID;	 x509v3 subject key identifier */
     cert->subjectKeyID.data = NULL;
     cert->subjectKeyID.len = 0;
@@ -825,7 +855,7 @@ nsslowcert_ExtractPublicKey(NSSLOWCERTCertificate *cert)
         break;
     }
 
-    nsslowkey_DestroyPublicKey (pubk);
+    lg_nsslowkey_DestroyPublicKey (pubk);
     return NULL;
 }
 
diff --git a/security/nss/lib/softoken/legacydb/lowkey.c b/security/nss/lib/softoken/legacydb/lowkey.c
index 5ee64d1f247f..28a7ac94cc69 100644
--- a/security/nss/lib/softoken/legacydb/lowkey.c
+++ b/security/nss/lib/softoken/legacydb/lowkey.c
@@ -59,7 +59,7 @@ static const SEC_ASN1Template nsslowkey_SetOfAttributeTemplate[] = {
     { SEC_ASN1_SET_OF, 0, nsslowkey_AttributeTemplate },
 };
 /* ASN1 Templates for new decoder/encoder */
-const SEC_ASN1Template nsslowkey_PrivateKeyInfoTemplate[] = {
+const SEC_ASN1Template lg_nsslowkey_PrivateKeyInfoTemplate[] = {
     { SEC_ASN1_SEQUENCE,
 	0, NULL, sizeof(NSSLOWKEYPrivateKeyInfo) },
     { SEC_ASN1_INTEGER,
@@ -75,7 +75,7 @@ const SEC_ASN1Template nsslowkey_PrivateKeyInfoTemplate[] = {
     { 0 }
 };
 
-const SEC_ASN1Template nsslowkey_PQGParamsTemplate[] = {
+const SEC_ASN1Template lg_nsslowkey_PQGParamsTemplate[] = {
     { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(PQGParams) },
     { SEC_ASN1_INTEGER, offsetof(PQGParams,prime) },
     { SEC_ASN1_INTEGER, offsetof(PQGParams,subPrime) },
@@ -83,7 +83,7 @@ const SEC_ASN1Template nsslowkey_PQGParamsTemplate[] = {
     { 0, }
 };
 
-const SEC_ASN1Template nsslowkey_RSAPrivateKeyTemplate[] = {
+const SEC_ASN1Template lg_nsslowkey_RSAPrivateKeyTemplate[] = {
     { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) },
     { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.version) },
     { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.modulus) },
@@ -98,18 +98,14 @@ const SEC_ASN1Template nsslowkey_RSAPrivateKeyTemplate[] = {
 };                                                                            
 
 
-const SEC_ASN1Template nsslowkey_DSAPrivateKeyTemplate[] = {
+const SEC_ASN1Template lg_nsslowkey_DSAPrivateKeyTemplate[] = {
     { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) },
     { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dsa.publicValue) },
     { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dsa.privateValue) },
     { 0, }
 };
 
-const SEC_ASN1Template nsslowkey_DSAPrivateKeyExportTemplate[] = {
-    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dsa.privateValue) },
-};
-
-const SEC_ASN1Template nsslowkey_DHPrivateKeyTemplate[] = {
+const SEC_ASN1Template lg_nsslowkey_DHPrivateKeyTemplate[] = {
     { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) },
     { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dh.publicValue) },
     { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dh.privateValue) },
@@ -124,9 +120,9 @@ const SEC_ASN1Template nsslowkey_DHPrivateKeyTemplate[] = {
  * generic curves and need full-blown support for parsing EC
  * parameters. For now, we only support named curves in which
  * EC params are simply encoded as an object ID and we don't
- * use nsslowkey_ECParamsTemplate.
+ * use lg_nsslowkey_ECParamsTemplate.
  */
-const SEC_ASN1Template nsslowkey_ECParamsTemplate[] = {
+const SEC_ASN1Template lg_nsslowkey_ECParamsTemplate[] = {
     { SEC_ASN1_CHOICE, offsetof(ECParams,type), NULL, sizeof(ECParams) },
     { SEC_ASN1_OBJECT_ID, offsetof(ECParams,curveOID), NULL, ec_params_named },
     { 0, }
@@ -138,7 +134,7 @@ const SEC_ASN1Template nsslowkey_ECParamsTemplate[] = {
  * in the PrivateKeyAlgorithmIdentifier field of the PrivateKeyInfo
  * instead.
  */
-const SEC_ASN1Template nsslowkey_ECPrivateKeyTemplate[] = {
+const SEC_ASN1Template lg_nsslowkey_ECPrivateKeyTemplate[] = {
     { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) },
     { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.ec.version) },
     { SEC_ASN1_OCTET_STRING, 
@@ -146,7 +142,7 @@ const SEC_ASN1Template nsslowkey_ECPrivateKeyTemplate[] = {
     /* XXX The following template works for now since we only
      * support named curves for which the parameters are
      * encoded as an object ID. When we support generic curves,
-     * we'll need to define nsslowkey_ECParamsTemplate
+     * we'll need to define lg_nsslowkey_ECParamsTemplate
      */
 #if 1
     { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED |
@@ -157,7 +153,7 @@ const SEC_ASN1Template nsslowkey_ECPrivateKeyTemplate[] = {
     { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED |
       SEC_ASN1_EXPLICIT | SEC_ASN1_CONTEXT_SPECIFIC | 0, 
       offsetof(NSSLOWKEYPrivateKey,u.ec.ecParams), 
-      nsslowkey_ECParamsTemplate }, 
+      lg_nsslowkey_ECParamsTemplate }, 
 #endif
     { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED |
       SEC_ASN1_EXPLICIT | SEC_ASN1_CONTEXT_SPECIFIC |
@@ -246,7 +242,7 @@ loser:
  */
 
 void
-prepare_low_rsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
+lg_prepare_low_rsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
 {
     key->u.rsa.modulus.type = siUnsignedInteger;
     key->u.rsa.publicExponent.type = siUnsignedInteger;
@@ -259,7 +255,7 @@ prepare_low_rsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
 }
 
 void
-prepare_low_pqg_params_for_asn1(PQGParams *params)
+lg_prepare_low_pqg_params_for_asn1(PQGParams *params)
 {
     params->prime.type = siUnsignedInteger;
     params->subPrime.type = siUnsignedInteger;
@@ -267,7 +263,7 @@ prepare_low_pqg_params_for_asn1(PQGParams *params)
 }
 
 void
-prepare_low_dsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
+lg_prepare_low_dsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
 {
     key->u.dsa.publicValue.type = siUnsignedInteger;
     key->u.dsa.privateValue.type = siUnsignedInteger;
@@ -277,13 +273,7 @@ prepare_low_dsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
 }
 
 void
-prepare_low_dsa_priv_key_export_for_asn1(NSSLOWKEYPrivateKey *key)
-{
-    key->u.dsa.privateValue.type = siUnsignedInteger;
-}
-
-void
-prepare_low_dh_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
+lg_prepare_low_dh_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
 {
     key->u.dh.prime.type = siUnsignedInteger;
     key->u.dh.base.type = siUnsignedInteger;
@@ -293,14 +283,14 @@ prepare_low_dh_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
 
 #ifdef NSS_ENABLE_ECC
 void
-prepare_low_ecparams_for_asn1(ECParams *params)
+lg_prepare_low_ecparams_for_asn1(ECParams *params)
 {
     params->DEREncoding.type = siUnsignedInteger;
     params->curveOID.type = siUnsignedInteger;
 }
 
 void
-prepare_low_ec_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
+lg_prepare_low_ec_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
 {
     key->u.ec.version.type = siUnsignedInteger;
     key->u.ec.ecParams.DEREncoding.type = siUnsignedInteger;
@@ -311,7 +301,7 @@ prepare_low_ec_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
 #endif /* NSS_ENABLE_ECC */
 
 void
-nsslowkey_DestroyPrivateKey(NSSLOWKEYPrivateKey *privk)
+lg_nsslowkey_DestroyPrivateKey(NSSLOWKEYPrivateKey *privk)
 {
     if (privk && privk->arena) {
 	PORT_FreeArena(privk->arena, PR_TRUE);
@@ -319,48 +309,15 @@ nsslowkey_DestroyPrivateKey(NSSLOWKEYPrivateKey *privk)
 }
 
 void
-nsslowkey_DestroyPublicKey(NSSLOWKEYPublicKey *pubk)
+lg_nsslowkey_DestroyPublicKey(NSSLOWKEYPublicKey *pubk)
 {
     if (pubk && pubk->arena) {
 	PORT_FreeArena(pubk->arena, PR_FALSE);
     }
 }
-unsigned
-nsslowkey_PublicModulusLen(NSSLOWKEYPublicKey *pubk)
-{
-    unsigned char b0;
-
-    /* interpret modulus length as key strength... in
-     * fortezza that's the public key length */
-
-    switch (pubk->keyType) {
-    case NSSLOWKEYRSAKey:
-    	b0 = pubk->u.rsa.modulus.data[0];
-    	return b0 ? pubk->u.rsa.modulus.len : pubk->u.rsa.modulus.len - 1;
-    default:
-	break;
-    }
-    return 0;
-}
-
-unsigned
-nsslowkey_PrivateModulusLen(NSSLOWKEYPrivateKey *privk)
-{
-
-    unsigned char b0;
-
-    switch (privk->keyType) {
-    case NSSLOWKEYRSAKey:
-	b0 = privk->u.rsa.modulus.data[0];
-	return b0 ? privk->u.rsa.modulus.len : privk->u.rsa.modulus.len - 1;
-    default:
-	break;
-    }
-    return 0;
-}
 
 NSSLOWKEYPublicKey *
-nsslowkey_ConvertToPublicKey(NSSLOWKEYPrivateKey *privk)
+lg_nsslowkey_ConvertToPublicKey(NSSLOWKEYPrivateKey *privk)
 {
     NSSLOWKEYPublicKey *pubk;
     PLArenaPool *arena;
diff --git a/security/nss/lib/softoken/legacydb/lowkeyi.h b/security/nss/lib/softoken/legacydb/lowkeyi.h
index a40ff95153f1..3c162714c205 100644
--- a/security/nss/lib/softoken/legacydb/lowkeyi.h
+++ b/security/nss/lib/softoken/legacydb/lowkeyi.h
@@ -34,7 +34,7 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: lowkeyi.h,v 1.2 2007/06/13 00:24:57 rrelyea%redhat.com Exp $ */
+/* $Id: lowkeyi.h,v 1.4 2010/10/11 19:30:10 wtc%google.com Exp $ */
 
 #ifndef _LOWKEYI_H_
 #define _LOWKEYI_H_
@@ -56,14 +56,13 @@ SEC_BEGIN_PROTOS
  * source or destination (encoding or decoding, respectively) type as
  * siUnsignedInteger.
  */
-extern void prepare_low_rsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
-extern void prepare_low_pqg_params_for_asn1(PQGParams *params);
-extern void prepare_low_dsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
-extern void prepare_low_dsa_priv_key_export_for_asn1(NSSLOWKEYPrivateKey *key);
-extern void prepare_low_dh_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
+extern void lg_prepare_low_rsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
+extern void lg_prepare_low_pqg_params_for_asn1(PQGParams *params);
+extern void lg_prepare_low_dsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
+extern void lg_prepare_low_dh_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
 #ifdef NSS_ENABLE_ECC
-extern void prepare_low_ec_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
-extern void prepare_low_ecparams_for_asn1(ECParams *params);
+extern void lg_prepare_low_ec_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
+extern void lg_prepare_low_ecparams_for_asn1(ECParams *params);
 #endif /* NSS_ENABLE_ECC */
 
 typedef char * (* NSSLOWKEYDBNameFunc)(void *arg, int dbVersion);
@@ -96,7 +95,7 @@ extern SECStatus nsslowkey_DeleteKey(NSSLOWKEYDBHandle *handle,
 /*
 ** Store a key in the database, indexed by its public key modulus.
 **	"pk" is the private key to store
-**	"f" is a the callback function for getting the password
+**	"f" is the callback function for getting the password
 **	"arg" is the argument for the callback
 */
 extern SECStatus nsslowkey_StoreKeyByPublicKey(NSSLOWKEYDBHandle *handle, 
@@ -116,32 +115,21 @@ extern PRBool nsslowkey_KeyForIDExists(NSSLOWKEYDBHandle *handle, SECItem *id);
 **	"key" the object
 **	"freeit" if PR_TRUE then free the object as well as its sub-objects
 */
-extern void nsslowkey_DestroyPrivateKey(NSSLOWKEYPrivateKey *key);
+extern void lg_nsslowkey_DestroyPrivateKey(NSSLOWKEYPrivateKey *key);
 
 /*
 ** Destroy a public key object.
 **	"key" the object
 **	"freeit" if PR_TRUE then free the object as well as its sub-objects
 */
-extern void nsslowkey_DestroyPublicKey(NSSLOWKEYPublicKey *key);
-
-/*
-** Return the modulus length of "pubKey".
-*/
-extern unsigned int nsslowkey_PublicModulusLen(NSSLOWKEYPublicKey *pubKey);
-
-
-/*
-** Return the modulus length of "privKey".
-*/
-extern unsigned int nsslowkey_PrivateModulusLen(NSSLOWKEYPrivateKey *privKey);
+extern void lg_nsslowkey_DestroyPublicKey(NSSLOWKEYPublicKey *key);
 
 
 /*
 ** Convert a low private key "privateKey" into a public low key
 */
 extern NSSLOWKEYPublicKey 
-		*nsslowkey_ConvertToPublicKey(NSSLOWKEYPrivateKey *privateKey);
+	*lg_nsslowkey_ConvertToPublicKey(NSSLOWKEYPrivateKey *privateKey);
 
 
 SECStatus
diff --git a/security/nss/lib/softoken/legacydb/lowkeyti.h b/security/nss/lib/softoken/legacydb/lowkeyti.h
index 7fa74da725cc..2e2cdf0c967f 100644
--- a/security/nss/lib/softoken/legacydb/lowkeyti.h
+++ b/security/nss/lib/softoken/legacydb/lowkeyti.h
@@ -70,19 +70,18 @@ typedef struct NSSLOWKEYDBHandleStr NSSLOWKEYDBHandle;
 /*
 ** Typedef for callback to get a password "key".
 */
-extern const SEC_ASN1Template nsslowkey_PQGParamsTemplate[];
-extern const SEC_ASN1Template nsslowkey_RSAPrivateKeyTemplate[];
-extern const SEC_ASN1Template nsslowkey_DSAPrivateKeyTemplate[];
-extern const SEC_ASN1Template nsslowkey_DSAPrivateKeyExportTemplate[];
-extern const SEC_ASN1Template nsslowkey_DHPrivateKeyTemplate[];
-extern const SEC_ASN1Template nsslowkey_DHPrivateKeyExportTemplate[];
+extern const SEC_ASN1Template lg_nsslowkey_PQGParamsTemplate[];
+extern const SEC_ASN1Template lg_nsslowkey_RSAPrivateKeyTemplate[];
+extern const SEC_ASN1Template lg_nsslowkey_DSAPrivateKeyTemplate[];
+extern const SEC_ASN1Template lg_nsslowkey_DHPrivateKeyTemplate[];
+extern const SEC_ASN1Template lg_nsslowkey_DHPrivateKeyExportTemplate[];
 #ifdef NSS_ENABLE_ECC
 #define NSSLOWKEY_EC_PRIVATE_KEY_VERSION   1  /* as per SECG 1 C.4 */
-extern const SEC_ASN1Template nsslowkey_ECParamsTemplate[];
-extern const SEC_ASN1Template nsslowkey_ECPrivateKeyTemplate[];
+extern const SEC_ASN1Template lg_nsslowkey_ECParamsTemplate[];
+extern const SEC_ASN1Template lg_nsslowkey_ECPrivateKeyTemplate[];
 #endif /* NSS_ENABLE_ECC */
 
-extern const SEC_ASN1Template nsslowkey_PrivateKeyInfoTemplate[];
+extern const SEC_ASN1Template lg_nsslowkey_PrivateKeyInfoTemplate[];
 extern const SEC_ASN1Template nsslowkey_EncryptedPrivateKeyInfoTemplate[];
 
 /*
diff --git a/security/nss/lib/softoken/legacydb/manifest.mn b/security/nss/lib/softoken/legacydb/manifest.mn
index a761c922460e..b751c3719c93 100644
--- a/security/nss/lib/softoken/legacydb/manifest.mn
+++ b/security/nss/lib/softoken/legacydb/manifest.mn
@@ -44,7 +44,7 @@ LIBRARY_NAME = nssdbm
 LIBRARY_VERSION = 3
 MAPFILE = $(OBJDIR)/nssdbm.def
 
-DEFINES += -DSHLIB_SUFFIX=\"$(DLL_SUFFIX)\" -DSHLIB_PREFIX=\"$(DLL_PREFIX)\" -DSOFTOKEN_LIB_NAME=\"$(notdir $(SHARED_LIBRARY))\"
+DEFINES += -DSHLIB_SUFFIX=\"$(DLL_SUFFIX)\" -DSHLIB_PREFIX=\"$(DLL_PREFIX)\"
 
 CSRCS = \
 	dbmshim.c \
diff --git a/security/nss/lib/softoken/legacydb/pcertdb.c b/security/nss/lib/softoken/legacydb/pcertdb.c
index 74c8f9d71771..4898819d7e1e 100644
--- a/security/nss/lib/softoken/legacydb/pcertdb.c
+++ b/security/nss/lib/softoken/legacydb/pcertdb.c
@@ -37,7 +37,7 @@
 /*
  * Permanent Certificate database handling code 
  *
- * $Id: pcertdb.c,v 1.11 2009/04/13 17:23:15 nelson%bolyard.com Exp $
+ * $Id: pcertdb.c,v 1.12 2010/07/20 01:26:04 wtc%google.com Exp $
  */
 #include "lowkeyti.h"
 #include "pcert.h"
@@ -1032,9 +1032,8 @@ DeleteDBCertEntry(NSSLOWCERTCertDBHandle *handle, SECItem *certKey)
 	goto loser;
     }
 
-    if (dbkey.data) {
-	PORT_Free(dbkey.data);
-    }
+    PORT_Free(dbkey.data);
+
     return(SECSuccess);
 
 loser:
diff --git a/security/nss/lib/softoken/legacydb/pcertt.h b/security/nss/lib/softoken/legacydb/pcertt.h
index 6862d36d6e43..37314750b7c1 100644
--- a/security/nss/lib/softoken/legacydb/pcertt.h
+++ b/security/nss/lib/softoken/legacydb/pcertt.h
@@ -36,7 +36,7 @@
 /*
  * certt.h - public data structures for the certificate library
  *
- * $Id: pcertt.h,v 1.3 2009/04/12 01:31:46 nelson%bolyard.com Exp $
+ * $Id: pcertt.h,v 1.4 2011/04/13 00:10:27 rrelyea%redhat.com Exp $
  */
 #ifndef _PCERTT_H_
 #define _PCERTT_H_
@@ -431,7 +431,7 @@ typedef union {
 #define DB_CERT_ENTRY_HEADER_LEN	10
 
 /* common flags for all types of certificates */
-#define CERTDB_VALID_PEER	(1<<0)
+#define CERTDB_TERMINAL_RECORD	(1<<0)
 #define CERTDB_TRUSTED		(1<<1)
 #define CERTDB_SEND_WARN	(1<<2)
 #define CERTDB_VALID_CA		(1<<3)
@@ -441,11 +441,11 @@ typedef union {
 #define CERTDB_TRUSTED_CLIENT_CA (1<<7) /* trusted for issuing client certs */
 #define CERTDB_INVISIBLE_CA	(1<<8) /* don't show in UI */
 #define CERTDB_GOVT_APPROVED_CA	(1<<9) /* can do strong crypto in export ver */
-#define CERTDB_NOT_TRUSTED	(1<<10) /* explicitly don't trust this cert */
+#define CERTDB_MUST_VERIFY	(1<<10) /* explicitly don't trust this cert */
 #define CERTDB_TRUSTED_UNKNOWN	(1<<11) /* accept trust from another source */
 
 /* bits not affected by the CKO_NETSCAPE_TRUST object */
-#define CERTDB_PRESERVE_TRUST_BITS (CERTDB_USER | CERTDB_VALID_PEER | \
+#define CERTDB_PRESERVE_TRUST_BITS (CERTDB_USER | \
         CERTDB_NS_TRUSTED_CA | CERTDB_VALID_CA | CERTDB_INVISIBLE_CA | \
                                         CERTDB_GOVT_APPROVED_CA)
 
diff --git a/security/nss/lib/softoken/legacydb/pk11db.c b/security/nss/lib/softoken/legacydb/pk11db.c
index f85a0a6c34a9..45e599495d3b 100644
--- a/security/nss/lib/softoken/legacydb/pk11db.c
+++ b/security/nss/lib/softoken/legacydb/pk11db.c
@@ -211,7 +211,7 @@ secmod_EncodeData(DBT *data, char * module)
     SECMOD_PUTLONG(&encoded->ssl[4],ssl[1]);
     if (ciphers) PORT_Free(ciphers);
 
-    offset = (unsigned short) &(((secmodData *)0)->names[0]);
+    offset = (unsigned short) offsetof(secmodData, names);
     SECMOD_PUTSHORT(encoded->nameStart,offset);
     offset = offset + len + len2 + len3 + 3*sizeof(unsigned short);
     SECMOD_PUTSHORT(encoded->slotOffset,offset);
diff --git a/security/nss/lib/softoken/lowpbe.c b/security/nss/lib/softoken/lowpbe.c
index f918398363bd..d499820837f9 100644
--- a/security/nss/lib/softoken/lowpbe.c
+++ b/security/nss/lib/softoken/lowpbe.c
@@ -81,7 +81,7 @@ static const SEC_ASN1Template NSSPKCS5PKCS12V2PBEParameterTemplate[] =
 
 struct nsspkcs5V2PBEParameterStr {
     SECAlgorithmID keyParams;  /* parameters of the key generation */
-    SECAlgorithmID algParams;  /* paramters for the encryption or mac op */
+    SECAlgorithmID algParams;  /* parameters for the encryption or mac op */
 };
 
 typedef struct nsspkcs5V2PBEParameterStr nsspkcs5V2PBEParameter;
diff --git a/security/nss/lib/softoken/manifest.mn b/security/nss/lib/softoken/manifest.mn
index d70470d8702f..8f5c3f6d82c4 100644
--- a/security/nss/lib/softoken/manifest.mn
+++ b/security/nss/lib/softoken/manifest.mn
@@ -39,8 +39,6 @@ CORE_DEPTH = ../../..
 MODULE = nss
 DIRS = legacydb
 
-REQUIRES = dbm
-
 LIBRARY_NAME = softokn
 LIBRARY_VERSION = 3
 MAPFILE = $(OBJDIR)/softokn.def
diff --git a/security/nss/lib/softoken/pk11pars.h b/security/nss/lib/softoken/pk11pars.h
index dea16e753177..2d311b74e9d4 100644
--- a/security/nss/lib/softoken/pk11pars.h
+++ b/security/nss/lib/softoken/pk11pars.h
@@ -89,6 +89,7 @@ static struct secmodargSlotFlagTable secmod_argSlotFlagTable[] = {
 	SECMOD_ARG_ENTRY(SEED,SECMOD_SEED_FLAG),
 	SECMOD_ARG_ENTRY(PublicCerts,SECMOD_FRIENDLY_FLAG),
 	SECMOD_ARG_ENTRY(RANDOM,SECMOD_RANDOM_FLAG),
+	SECMOD_ARG_ENTRY(Disable, PK11_DISABLE_FLAG),
 };
 
 #define SECMOD_HANDLE_STRING_ARG(param,target,value,command) \
diff --git a/security/nss/lib/softoken/pkcs11.c b/security/nss/lib/softoken/pkcs11.c
index 7a2425c9a9d7..361d536ee4fd 100644
--- a/security/nss/lib/softoken/pkcs11.c
+++ b/security/nss/lib/softoken/pkcs11.c
@@ -296,6 +296,8 @@ static const struct mechanismList mechanisms[] = {
 				 CKF_GENERATE_KEY_PAIR},PR_TRUE},
      {CKM_RSA_PKCS,             {RSA_MIN_MODULUS_BITS,CK_MAX,
 				 CKF_DUZ_IT_ALL},       PR_TRUE},
+     {CKM_RSA_PKCS_PSS,         {RSA_MIN_MODULUS_BITS,CK_MAX,
+				 CKF_SN_VR},            PR_TRUE},
 #ifdef SFTK_RSA9796_SUPPORTED
      {CKM_RSA_9796,		{RSA_MIN_MODULUS_BITS,CK_MAX,
 				 CKF_DUZ_IT_ALL},       PR_TRUE},
@@ -309,6 +311,8 @@ static const struct mechanismList mechanisms[] = {
 				 CKF_SN_VR}, 	PR_TRUE},
      {CKM_SHA1_RSA_PKCS,	{RSA_MIN_MODULUS_BITS,CK_MAX,
 				 CKF_SN_VR}, 	PR_TRUE},
+     {CKM_SHA224_RSA_PKCS,	{RSA_MIN_MODULUS_BITS,CK_MAX,
+				 CKF_SN_VR}, 	PR_TRUE},
      {CKM_SHA256_RSA_PKCS,	{RSA_MIN_MODULUS_BITS,CK_MAX,
 				 CKF_SN_VR}, 	PR_TRUE},
      {CKM_SHA384_RSA_PKCS,	{RSA_MIN_MODULUS_BITS,CK_MAX,
@@ -397,6 +401,9 @@ static const struct mechanismList mechanisms[] = {
      {CKM_SHA_1,		{0,   0, CKF_DIGEST},		PR_FALSE},
      {CKM_SHA_1_HMAC,		{1, 128, CKF_SN_VR},		PR_TRUE},
      {CKM_SHA_1_HMAC_GENERAL,	{1, 128, CKF_SN_VR},		PR_TRUE},
+     {CKM_SHA224,		{0,   0, CKF_DIGEST},		PR_FALSE},
+     {CKM_SHA224_HMAC,		{1, 128, CKF_SN_VR},		PR_TRUE},
+     {CKM_SHA224_HMAC_GENERAL,	{1, 128, CKF_SN_VR},		PR_TRUE},
      {CKM_SHA256,		{0,   0, CKF_DIGEST},		PR_FALSE},
      {CKM_SHA256_HMAC,		{1, 128, CKF_SN_VR},		PR_TRUE},
      {CKM_SHA256_HMAC_GENERAL,	{1, 128, CKF_SN_VR},		PR_TRUE},
@@ -2495,7 +2502,7 @@ CK_RV sftk_CloseAllSessions(SFTKSlot *slot, PRBool logout)
 		--slot->sessionCount;
 		SKIP_AFTER_FORK(PZ_Unlock(slot->slotLock));
 		if (session->info.flags & CKF_RW_SESSION) {
-		    PR_AtomicDecrement(&slot->rwSessionCount);
+		    PR_ATOMIC_DECREMENT(&slot->rwSessionCount);
 		}
 	    } else {
 		SKIP_AFTER_FORK(PZ_Unlock(lock));
@@ -3571,13 +3578,13 @@ CK_RV NSC_OpenSession(CK_SLOT_ID slotID, CK_FLAGS flags,
     ++slot->sessionCount;
     PZ_Unlock(slot->slotLock);
     if (session->info.flags & CKF_RW_SESSION) {
-	PR_AtomicIncrement(&slot->rwSessionCount);
+	PR_ATOMIC_INCREMENT(&slot->rwSessionCount);
     }
 
     do {
         PZLock *lock;
         do {
-            sessionID = (PR_AtomicIncrement(&slot->sessionIDCount) & 0xffffff)
+            sessionID = (PR_ATOMIC_INCREMENT(&slot->sessionIDCount) & 0xffffff)
                         | (slot->index << 24);
         } while (sessionID == CK_INVALID_HANDLE);
         lock = SFTK_SESSION_LOCK(slot,sessionID);
@@ -3639,7 +3646,7 @@ CK_RV NSC_CloseSession(CK_SESSION_HANDLE hSession)
 	    sftk_freeDB(handle);
 	}
 	if (session->info.flags & CKF_RW_SESSION) {
-	    PR_AtomicDecrement(&slot->rwSessionCount);
+	    PR_ATOMIC_DECREMENT(&slot->rwSessionCount);
 	}
     }
 
@@ -3653,7 +3660,7 @@ CK_RV NSC_CloseAllSessions (CK_SLOT_ID slotID)
 {
     SFTKSlot *slot;
 
-#ifndef NO_CHECK_FORK
+#ifndef NO_FORK_CHECK
     /* skip fork check if we are being called from C_Initialize or C_Finalize */
     if (!parentForkedAfterC_Initialize) {
         CHECK_FORK();
diff --git a/security/nss/lib/softoken/pkcs11c.c b/security/nss/lib/softoken/pkcs11c.c
index 8847c2f797fa..ba947c286969 100644
--- a/security/nss/lib/softoken/pkcs11c.c
+++ b/security/nss/lib/softoken/pkcs11c.c
@@ -388,6 +388,17 @@ sftk_GetContext(CK_SESSION_HANDLE handle,SFTKSessionContext **contextPtr,
     return CKR_OK;
 }
 
+/** Terminate operation (in the PKCS#11 spec sense).
+ *  Intuitive name for FreeContext/SetNullContext pair.
+ */
+static void
+sftk_TerminateOp( SFTKSession *session, SFTKContextType ctype,
+        SFTKSessionContext *context )
+{
+    sftk_FreeContext( context );
+    sftk_SetContextByType( session, ctype, NULL );
+}
+
 /*
  ************** Crypto Functions:     Encrypt ************************
  */
@@ -460,15 +471,16 @@ sftk_InitGeneric(SFTKSession *session,SFTKSessionContext **contextPtr,
     return CKR_OK;
 }
 
-/* NSC_CryptInit initializes an encryption/Decryption operation. */
-/* This function is used by NSC_EncryptInit, NSC_DecryptInit, 
- *                          NSC_WrapKey, NSC_UnwrapKey, 
- *                          NSC_SignInit, NSC_VerifyInit (via sftk_InitCBCMac),
- * The only difference in their uses is the value of etype.
+/** NSC_CryptInit initializes an encryption/Decryption operation.
+ *
+ * Always called by NSC_EncryptInit, NSC_DecryptInit, NSC_WrapKey,NSC_UnwrapKey.
+ * Called by NSC_SignInit, NSC_VerifyInit (via sftk_InitCBCMac) only for block
+ *  ciphers MAC'ing.
  */
 static CK_RV
 sftk_CryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
-		 CK_OBJECT_HANDLE hKey, CK_ATTRIBUTE_TYPE etype,
+     CK_OBJECT_HANDLE hKey,
+     CK_ATTRIBUTE_TYPE mechUsage, CK_ATTRIBUTE_TYPE keyUsage,
 		 SFTKContextType contextType, PRBool isEncrypt)
 {
     SFTKSession *session;
@@ -487,7 +499,7 @@ sftk_CryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
     PRBool useNewKey=PR_FALSE;
     int t;
 
-    crv = sftk_MechAllowsOperation(pMechanism->mechanism, etype);
+    crv = sftk_MechAllowsOperation(pMechanism->mechanism, mechUsage );
     if (crv != CKR_OK) 
     	return crv;
 
@@ -495,7 +507,7 @@ sftk_CryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
     if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
 
     crv = sftk_InitGeneric(session,&context,contextType,&key,hKey,&key_type,
-    			isEncrypt ?CKO_PUBLIC_KEY:CKO_PRIVATE_KEY, etype);
+    			isEncrypt ?CKO_PUBLIC_KEY:CKO_PRIVATE_KEY, keyUsage);
 						
     if (crv != CKR_OK) {
 	sftk_FreeSession(session);
@@ -845,7 +857,7 @@ CK_RV NSC_EncryptInit(CK_SESSION_HANDLE hSession,
 		 CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey)
 {
     CHECK_FORK();
-    return sftk_CryptInit(hSession, pMechanism, hKey, CKA_ENCRYPT, 
+    return sftk_CryptInit(hSession, pMechanism, hKey, CKA_ENCRYPT, CKA_ENCRYPT,
 						SFTK_ENCRYPT, PR_TRUE);
 }
 
@@ -972,10 +984,8 @@ CK_RV NSC_EncryptFinal(CK_SESSION_HANDLE hSession,
     }
 
 finish:
-    if (contextFinished) {
-	sftk_SetContextByType(session, SFTK_ENCRYPT, NULL);
-	sftk_FreeContext(context);
-    }
+    if (contextFinished)
+        sftk_TerminateOp( session, SFTK_ENCRYPT, context );
     sftk_FreeSession(session);
     return (rv == SECSuccess) ? CKR_OK : sftk_MapCryptError(PORT_GetError());
 }
@@ -1055,8 +1065,7 @@ CK_RV NSC_Encrypt (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
     if (pText.data != pData)
     	PORT_ZFree(pText.data, pText.len);
 fail:
-    sftk_SetContextByType(session, SFTK_ENCRYPT, NULL);
-    sftk_FreeContext(context);
+    sftk_TerminateOp( session, SFTK_ENCRYPT, context );
 finish:
     sftk_FreeSession(session);
 
@@ -1073,8 +1082,7 @@ CK_RV NSC_DecryptInit( CK_SESSION_HANDLE hSession,
 			 CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey)
 {
     CHECK_FORK();
-
-    return sftk_CryptInit(hSession, pMechanism, hKey, CKA_DECRYPT,
+    return sftk_CryptInit(hSession, pMechanism, hKey, CKA_DECRYPT, CKA_DECRYPT,
 						SFTK_DECRYPT, PR_FALSE);
 }
 
@@ -1195,8 +1203,7 @@ CK_RV NSC_DecryptFinal(CK_SESSION_HANDLE hSession,
 	}
     }
 
-    sftk_SetContextByType(session, SFTK_DECRYPT, NULL);
-    sftk_FreeContext(context);
+    sftk_TerminateOp( session, SFTK_DECRYPT, context );
 finish:
     sftk_FreeSession(session);
     return (rv == SECSuccess) ? CKR_OK : sftk_MapDecryptError(PORT_GetError());
@@ -1256,8 +1263,7 @@ CK_RV NSC_Decrypt(CK_SESSION_HANDLE hSession,
 	    outlen -= padding;
     }
     *pulDataLen = (CK_ULONG) outlen;
-    sftk_SetContextByType(session, SFTK_DECRYPT, NULL);
-    sftk_FreeContext(context);
+    sftk_TerminateOp( session, SFTK_DECRYPT, context );
 finish:
     sftk_FreeSession(session);
     return crv;
@@ -1310,6 +1316,7 @@ CK_RV NSC_DigestInit(CK_SESSION_HANDLE hSession,
     INIT_MECH(CKM_MD2,    MD2)
     INIT_MECH(CKM_MD5,    MD5)
     INIT_MECH(CKM_SHA_1,  SHA1)
+    INIT_MECH(CKM_SHA224, SHA224)
     INIT_MECH(CKM_SHA256, SHA256)
     INIT_MECH(CKM_SHA384, SHA384)
     INIT_MECH(CKM_SHA512, SHA512)
@@ -1358,8 +1365,7 @@ CK_RV NSC_Digest(CK_SESSION_HANDLE hSession,
     (*context->end)(context->cipherInfo, pDigest, &digestLen,maxout);
     *pulDigestLen = digestLen;
 
-    sftk_SetContextByType(session, SFTK_HASH, NULL);
-    sftk_FreeContext(context);
+    sftk_TerminateOp( session, SFTK_HASH, context );
 finish:
     sftk_FreeSession(session);
     return CKR_OK;
@@ -1403,8 +1409,7 @@ CK_RV NSC_DigestFinal(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pDigest,
     if (pDigest != NULL) {
         (*context->end)(context->cipherInfo, pDigest, &digestLen, maxout);
         *pulDigestLen = digestLen;
-	sftk_SetContextByType(session, SFTK_HASH, NULL);
-	sftk_FreeContext(context);
+        sftk_TerminateOp( session, SFTK_HASH, context );
     } else {
 	*pulDigestLen = context->maxLen;
     }
@@ -1435,6 +1440,7 @@ sftk_doSub ## mmm(SFTKSessionContext *context) { \
 DOSUB(MD2)
 DOSUB(MD5)
 DOSUB(SHA1)
+DOSUB(SHA224)
 DOSUB(SHA256)
 DOSUB(SHA384)
 DOSUB(SHA512)
@@ -1636,8 +1642,10 @@ sftk_doSSLMACInit(SFTKSessionContext *context,SECOidTag oid,
  ************** Crypto Functions:     Sign  ************************
  */
 
-/*
+/** 
  * Check if We're using CBCMacing and initialize the session context if we are.
+ *  @param contextType SFTK_SIGN or SFTK_VERIFY
+ *  @param keyUsage    check whether key allows this usage
  */
 static CK_RV
 sftk_InitCBCMac(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
@@ -1655,7 +1663,7 @@ sftk_InitCBCMac(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
     unsigned char ivBlock[SFTK_MAX_BLOCK_SIZE];
     SFTKSessionContext *context;
     CK_RV crv;
-    int blockSize;
+    unsigned int blockSize;
 
     switch (pMechanism->mechanism) {
     case CKM_RC2_MAC_GENERAL:
@@ -1685,7 +1693,8 @@ sftk_InitCBCMac(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
 	rc5_params.ulWordsize = rc5_mac->ulWordsize;
 	rc5_params.ulRounds = rc5_mac->ulRounds;
 	rc5_params.pIv = ivBlock;
-	blockSize = rc5_mac->ulWordsize*2;
+	if( (blockSize = rc5_mac->ulWordsize*2) > SFTK_MAX_BLOCK_SIZE )
+            return CKR_MECHANISM_PARAM_INVALID;
 	rc5_params.ulIvLen = blockSize;
 	PORT_Memset(ivBlock,0,blockSize);
 	cbc_mechanism.mechanism = CKM_RC5_CBC;
@@ -1758,8 +1767,18 @@ sftk_InitCBCMac(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
 	return CKR_FUNCTION_NOT_SUPPORTED;
     }
 
-    crv = sftk_CryptInit(hSession, &cbc_mechanism, hKey, keyUsage,
-							contextType, PR_TRUE);
+    /* if MAC size is externally supplied, it should be checked.
+     */
+    if (mac_bytes == SFTK_INVALID_MAC_SIZE)
+        mac_bytes = blockSize >> 1;
+    else {
+        if( mac_bytes > blockSize )
+            return CKR_MECHANISM_PARAM_INVALID;
+    }
+
+    crv = sftk_CryptInit(hSession, &cbc_mechanism, hKey,
+            CKA_ENCRYPT, /* CBC mech is able to ENCRYPT, not SIGN/VERIFY */
+            keyUsage, contextType, PR_TRUE );
     if (crv != CKR_OK) return crv;
     crv = sftk_GetContext(hSession,&context,contextType,PR_TRUE,NULL);
 
@@ -1767,7 +1786,6 @@ sftk_InitCBCMac(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
     PORT_Assert(crv == CKR_OK);
     if (crv != CKR_OK) return crv;
     context->blockSize = blockSize;
-    if (mac_bytes == SFTK_INVALID_MAC_SIZE) mac_bytes = blockSize/2;
     context->macSize = mac_bytes;
     return CKR_OK;
 }
@@ -1849,6 +1867,14 @@ RSA_HashSign(SECOidTag hashOid, NSSLOWKEYPrivateKey *key,
     return rv;
 }
 
+static SECStatus
+sftk_SignPSS(SFTKHashSignInfo *info,unsigned char *sig,unsigned int *sigLen,
+		unsigned int maxLen,unsigned char *hash, unsigned int hashLen)
+{
+    return RSA_SignPSS(info->params,info->key,sig,sigLen,maxLen,
+							hash,hashLen);
+}
+
 static SECStatus
 nsc_DSA_Verify_Stub(void *ctx, void *sigBuf, unsigned int sigLen,
                                void *dataBuf, unsigned int dataLen)
@@ -1987,6 +2013,7 @@ CK_RV NSC_SignInit(CK_SESSION_HANDLE hSession,
     INIT_RSA_SIGN_MECH(MD5)
     INIT_RSA_SIGN_MECH(MD2)
     INIT_RSA_SIGN_MECH(SHA1)
+    INIT_RSA_SIGN_MECH(SHA224)
     INIT_RSA_SIGN_MECH(SHA256)
     INIT_RSA_SIGN_MECH(SHA384)
     INIT_RSA_SIGN_MECH(SHA512)
@@ -1998,13 +2025,12 @@ CK_RV NSC_SignInit(CK_SESSION_HANDLE hSession,
 	context->update = (SFTKCipher)  RSA_SignRaw;
 finish_rsa:
 	if (key_type != CKK_RSA) {
-	    if (info) PORT_Free(info);
 	    crv = CKR_KEY_TYPE_INCONSISTENT;
 	    break;
 	}
 	privKey = sftk_GetPrivKey(key,CKK_RSA,&crv);
 	if (privKey == NULL) {
-	    if (info) PORT_Free(info);
+	    crv = CKR_KEY_TYPE_INCONSISTENT;
 	    break;
 	}
 	/* OK, info is allocated only if we're doing hash and sign mechanism.
@@ -2021,6 +2047,31 @@ finish_rsa:
 	}
 	context->maxLen = nsslowkey_PrivateModulusLen(privKey);
 	break;
+    case CKM_RSA_PKCS_PSS:
+	if (key_type != CKK_RSA) {
+	    crv = CKR_KEY_TYPE_INCONSISTENT;
+	    break;
+	} 
+	if (pMechanism->ulParameterLen != sizeof(CK_RSA_PKCS_PSS_PARAMS)) {
+	    crv = CKR_MECHANISM_PARAM_INVALID;
+	    break;
+	}
+	info = PORT_New(SFTKHashSignInfo);
+	if (info == NULL) {
+	    crv = CKR_HOST_MEMORY;
+	    break;
+	}
+	info->params = pMechanism->pParameter;
+	info->key = sftk_GetPrivKey(key,CKK_RSA,&crv);
+	if (info->key == NULL) {
+	    PORT_Free(info);
+	    break;
+	}
+	context->cipherInfo = info;
+	context->destroy = (SFTKDestroy) sftk_Space;
+	context->update = (SFTKCipher) sftk_SignPSS;
+	context->maxLen = nsslowkey_PrivateModulusLen(info->key);
+	break;	
 
     case CKM_DSA_SHA1:
         context->multi = PR_TRUE;
@@ -2080,6 +2131,7 @@ finish_rsa:
 
     INIT_HMAC_MECH(MD2)
     INIT_HMAC_MECH(MD5)
+    INIT_HMAC_MECH(SHA224)
     INIT_HMAC_MECH(SHA256)
     INIT_HMAC_MECH(SHA384)
     INIT_HMAC_MECH(SHA512)
@@ -2109,92 +2161,118 @@ finish_rsa:
     }
 
     if (crv != CKR_OK) {
+	if (info) PORT_Free(info);
         sftk_FreeContext(context);
-	sftk_FreeSession(session);
-	return crv;
+        sftk_FreeSession(session);
+        return crv;
     }
     sftk_SetContextByType(session, SFTK_SIGN, context);
     sftk_FreeSession(session);
     return CKR_OK;
 }
 
+/** MAC one block of data by block cipher
+ */
+static CK_RV
+sftk_MACBlock( SFTKSessionContext *ctx, void *blk )
+{
+    unsigned int outlen;
+    return ( SECSuccess == (ctx->update)( ctx->cipherInfo, ctx->macBuf, &outlen,
+                SFTK_MAX_BLOCK_SIZE, blk, ctx->blockSize ))
+            ? CKR_OK : sftk_MapCryptError(PORT_GetError());
+}
 
-/* MACUpdate is the common implementation for SignUpdate and VerifyUpdate.
- * (sign and verify only very in their setup and final operations) */
-static CK_RV 
+/** MAC last (incomplete) block of data by block cipher
+ *
+ *  Call once, then terminate MACing operation.
+ */
+static CK_RV
+sftk_MACFinal( SFTKSessionContext *ctx )
+{
+    unsigned int padLen = ctx->padDataLength;
+    /* pad and proceed the residual */
+    if( padLen ) {
+        /* shd clr ctx->padLen to make sftk_MACFinal idempotent */
+        PORT_Memset( ctx->padBuf + padLen, 0, ctx->blockSize - padLen );
+        return sftk_MACBlock( ctx, ctx->padBuf );
+    } else
+        return CKR_OK;
+}
+
+/** The common implementation for {Sign,Verify}Update. (S/V only vary in their
+ * setup and final operations).
+ * 
+ * A call which results in an error terminates the operation [PKCS#11,v2.11]
+ */
+static CK_RV
 sftk_MACUpdate(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pPart,
     					CK_ULONG ulPartLen,SFTKContextType type)
 {
-    unsigned int outlen;
+    SFTKSession *session;
     SFTKSessionContext *context;
     CK_RV crv;
-    SECStatus rv;
 
     /* make sure we're legal */
-    crv = sftk_GetContext(hSession,&context,type,PR_TRUE,NULL);
+    crv = sftk_GetContext(hSession,&context,type, PR_TRUE, &session );
     if (crv != CKR_OK) return crv;
 
     if (context->hashInfo) {
 	(*context->hashUpdate)(context->hashInfo, pPart, ulPartLen);
-	return CKR_OK;
-    }
+    } else {   
+    	/* must be block cipher MACing */
 
-    /* must be block cipher macing */
+        unsigned int  blkSize   = context->blockSize;
+        unsigned char *residual = /* free room in context->padBuf */
+                                context->padBuf + context->padDataLength;
+        unsigned int  minInput  = /* min input for MACing at least one block */
+                                blkSize - context->padDataLength;
 
-    /* deal with previous buffered data */
-    if (context->padDataLength != 0) {
-	int i;
-	/* fill in the padded to a full block size */
-	for (i=context->padDataLength; (ulPartLen != 0) && 
-					i < (int)context->blockSize; i++) {
-	    context->padBuf[i] = *pPart++;
-	    ulPartLen--;
-	    context->padDataLength++;
-	}
+        /* not enough data even for one block */
+        if( ulPartLen < minInput ) {
+            PORT_Memcpy( residual, pPart, ulPartLen );
+            context->padDataLength += ulPartLen;
+            goto cleanup;
+        }
+        /* MACing residual */
+        if( context->padDataLength ) {
+            PORT_Memcpy( residual, pPart, minInput );
+            ulPartLen -= minInput;
+            pPart     += minInput;
+            if( CKR_OK != (crv = sftk_MACBlock( context, context->padBuf )) )
+                goto terminate;
+        }
+        /* MACing full blocks */
+        while( ulPartLen >= blkSize )
+        {
+            if( CKR_OK != (crv = sftk_MACBlock( context, pPart )) )
+                goto terminate;
+            ulPartLen -= blkSize;
+            pPart     += blkSize;
+        }
+        /* save the residual */
+        if( (context->padDataLength = ulPartLen) )
+            PORT_Memcpy( context->padBuf, pPart, ulPartLen );
+    } /* blk cipher MACing */
 
-	/* not enough data to encrypt yet? then return */
-	if (context->padDataLength != context->blockSize)  return CKR_OK;
-	/* encrypt the current padded data */
-    	rv = (*context->update)(context->cipherInfo,context->macBuf,&outlen,
-			SFTK_MAX_BLOCK_SIZE,context->padBuf,context->blockSize);
-    	if (rv != SECSuccess) return sftk_MapCryptError(PORT_GetError());
-    }
+    goto  cleanup;
 
-    /* save the residual */
-    context->padDataLength = ulPartLen % context->blockSize;
-    if (context->padDataLength) {
-	PORT_Memcpy(context->padBuf,
-		    &pPart[ulPartLen-context->padDataLength],
-		    context->padDataLength);
-	ulPartLen -= context->padDataLength;
-    }
-
-    /* if we've exhausted our new buffer, we're done */
-    if (ulPartLen == 0) { return CKR_OK; }
-
-    /* run the data through out encrypter */	
-    while (ulPartLen) {
-    	rv = (*context->update)(context->cipherInfo, context->padBuf, &outlen, 
-			SFTK_MAX_BLOCK_SIZE, pPart, context->blockSize);
-	if (rv != SECSuccess) return sftk_MapCryptError(PORT_GetError());
-	/* paranoia.. make sure we exit the loop */
-	PORT_Assert(ulPartLen >= context->blockSize);
-	if (ulPartLen < context->blockSize) break;
-	ulPartLen -= context->blockSize;
-    }
-
-    return CKR_OK;
-	
+terminate:
+    sftk_TerminateOp( session, type, context );
+cleanup:
+    sftk_FreeSession(session);
+    return crv;
 }
 
 /* NSC_SignUpdate continues a multiple-part signature operation,
  * where the signature is (will be) an appendix to the data, 
- * and plaintext cannot be recovered from the signature */
+ * and plaintext cannot be recovered from the signature 
+ *
+ * A call which results in an error terminates the operation [PKCS#11,v2.11]
+ */
 CK_RV NSC_SignUpdate(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pPart,
     							CK_ULONG ulPartLen)
 {
     CHECK_FORK();
-
     return sftk_MACUpdate(hSession, pPart, ulPartLen, SFTK_SIGN);
 }
 
@@ -2207,51 +2285,47 @@ CK_RV NSC_SignFinal(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pSignature,
     SFTKSession *session;
     SFTKSessionContext *context;
     unsigned int outlen;
-    unsigned int digestLen;
     unsigned int maxoutlen = *pulSignatureLen;
-    unsigned char tmpbuf[SFTK_MAX_MAC_LENGTH];
     CK_RV crv;
-    SECStatus rv = SECSuccess;
 
     CHECK_FORK();
 
     /* make sure we're legal */
-    *pulSignatureLen = 0;
     crv = sftk_GetContext(hSession,&context,SFTK_SIGN,PR_TRUE,&session);
     if (crv != CKR_OK) return crv;
 
-    if (!pSignature) {
-	*pulSignatureLen = context->maxLen;
-	goto finish;
-    } else if (context->hashInfo) {
+    if (context->hashInfo) {
+        unsigned int digestLen;
+        unsigned char tmpbuf[SFTK_MAX_MAC_LENGTH];
+
+        if( !pSignature ) {
+            outlen = context->maxLen; goto finish;
+        }
         (*context->end)(context->hashInfo, tmpbuf, &digestLen, sizeof(tmpbuf));
-	rv = (*context->update)(context->cipherInfo, pSignature,
-					&outlen, maxoutlen, tmpbuf, digestLen);
-        *pulSignatureLen = (CK_ULONG) outlen;
+        if( SECSuccess != (context->update)(context->cipherInfo, pSignature,
+                    &outlen, maxoutlen, tmpbuf, digestLen))
+            crv = sftk_MapCryptError(PORT_GetError());
+        /* CKR_BUFFER_TOO_SMALL here isn't continuable, let operation terminate.
+         * Keeping "too small" CK_RV intact is a standard violation, but allows
+         * application read EXACT signature length */
     } else {
-	/* deal with the last block if any residual */
-	if (context->padDataLength) {
-	    /* fill out rest of pad buffer with pad magic*/
-	    int i;
-	    for (i=context->padDataLength; i < (int)context->blockSize; i++) {
-		context->padBuf[i] = 0;
-	    }
-	    rv = (*context->update)(context->cipherInfo,context->macBuf,
-		&outlen,SFTK_MAX_BLOCK_SIZE,context->padBuf,context->blockSize);
-	}
-	if (rv == SECSuccess) {
-	    PORT_Memcpy(pSignature,context->macBuf,context->macSize);
-	    *pulSignatureLen = context->macSize;
-	}
+        /* must be block cipher MACing */
+        outlen = context->macSize;
+        /* null or "too small" buf doesn't terminate operation [PKCS#11,v2.11]*/
+        if( !pSignature  ||  maxoutlen < outlen ) {
+            if( pSignature ) crv = CKR_BUFFER_TOO_SMALL;
+            goto finish;
+        }
+        if( CKR_OK == (crv = sftk_MACFinal( context )) )
+	    PORT_Memcpy(pSignature, context->macBuf, outlen );
     }
 
-    sftk_FreeContext(context);
-    sftk_SetContextByType(session, SFTK_SIGN, NULL);
-
+terminate:
+    sftk_TerminateOp( session, SFTK_SIGN, context );
 finish:
+    *pulSignatureLen = outlen;
     sftk_FreeSession(session);
-
-    return (rv == SECSuccess) ? CKR_OK : sftk_MapCryptError(PORT_GetError());
+    return crv;
 }
 
 /* NSC_Sign signs (encrypts with private key) data in a single part,
@@ -2263,10 +2337,7 @@ CK_RV NSC_Sign(CK_SESSION_HANDLE hSession,
 {
     SFTKSession *session;
     SFTKSessionContext *context;
-    unsigned int outlen;
-    unsigned int maxoutlen = *pulSignatureLen;
-    CK_RV crv,crv2;
-    SECStatus rv = SECSuccess;
+    CK_RV crv;
 
     CHECK_FORK();
 
@@ -2275,30 +2346,35 @@ CK_RV NSC_Sign(CK_SESSION_HANDLE hSession,
     if (crv != CKR_OK) return crv;
 
     if (!pSignature) {
-	*pulSignatureLen = context->maxLen;
+        /* see also how C_SignUpdate implements this */
+	*pulSignatureLen = (!context->multi || context->hashInfo)
+            ? context->maxLen
+            : context->macSize; /* must be block cipher MACing */
 	goto finish;
     }
 
     /* multi part Signing are completely implemented by SignUpdate and
      * sign Final */
     if (context->multi) {
-        sftk_FreeSession(session);
-	crv = NSC_SignUpdate(hSession,pData,ulDataLen);
-	if (crv != CKR_OK) *pulSignatureLen = 0;
-	crv2 = NSC_SignFinal(hSession, pSignature, pulSignatureLen);
-	return crv == CKR_OK ? crv2 :crv;
-    }
-
-    rv = (*context->update)(context->cipherInfo, pSignature,
-					&outlen, maxoutlen, pData, ulDataLen);
-    *pulSignatureLen = (CK_ULONG) outlen;
-    sftk_FreeContext(context);
-    sftk_SetContextByType(session, SFTK_SIGN, NULL);
+        /* SignFinal can't follow failed SignUpdate */
+	if( CKR_OK == (crv = NSC_SignUpdate(hSession,pData,ulDataLen) ))
+            crv = NSC_SignFinal(hSession, pSignature, pulSignatureLen);
+    } else {   
+    	/* single-part PKC signature (e.g. CKM_ECDSA) */
+        unsigned int outlen;
+        unsigned int maxoutlen = *pulSignatureLen;
+        if( SECSuccess != (*context->update)(context->cipherInfo, pSignature,
+                    &outlen, maxoutlen, pData, ulDataLen))
+            crv = sftk_MapCryptError(PORT_GetError());
+        *pulSignatureLen = (CK_ULONG) outlen;
+        /*  "too small" here is certainly continuable */
+        if( crv != CKR_BUFFER_TOO_SMALL )
+            sftk_TerminateOp(session, SFTK_SIGN, context);
+    } /* single-part */
 
 finish:
     sftk_FreeSession(session);
-
-    return (rv == SECSuccess) ? CKR_OK : sftk_MapCryptError(PORT_GetError());
+    return crv;
 }
 
 
@@ -2400,6 +2476,14 @@ RSA_HashCheckSign(SECOidTag hashOid, NSSLOWKEYPublicKey *key,
     return rv;
 }
 
+static SECStatus
+sftk_CheckSignPSS(SFTKHashVerifyInfo *info, unsigned char *sig,
+	unsigned int sigLen, unsigned char *digest, unsigned int digestLen)
+{
+    return RSA_CheckSignPSS(info->params, info->key, sig, sigLen,
+						digest, digestLen);
+}
+
 /* NSC_VerifyInit initializes a verification operation, 
  * where the signature is an appendix to the data, 
  * and plaintext cannot be recovered from the signature (e.g. DSA) */
@@ -2446,6 +2530,7 @@ CK_RV NSC_VerifyInit(CK_SESSION_HANDLE hSession,
     INIT_RSA_VFY_MECH(MD5) 
     INIT_RSA_VFY_MECH(MD2) 
     INIT_RSA_VFY_MECH(SHA1) 
+    INIT_RSA_VFY_MECH(SHA224)
     INIT_RSA_VFY_MECH(SHA256) 
     INIT_RSA_VFY_MECH(SHA384) 
     INIT_RSA_VFY_MECH(SHA512) 
@@ -2457,11 +2542,14 @@ CK_RV NSC_VerifyInit(CK_SESSION_HANDLE hSession,
 	context->verify = (SFTKVerify) RSA_CheckSignRaw;
 finish_rsa:
 	if (key_type != CKK_RSA) {
+	    if (info) PORT_Free(info);
 	    crv = CKR_KEY_TYPE_INCONSISTENT;
 	    break;
 	}
 	pubKey = sftk_GetPubKey(key,CKK_RSA,&crv);
 	if (pubKey == NULL) {
+	    if (info) PORT_Free(info);
+	    crv = CKR_KEY_TYPE_INCONSISTENT;
 	    break;
 	}
 	if (info) {
@@ -2473,6 +2561,30 @@ finish_rsa:
 	    context->destroy = sftk_Null;
 	}
 	break;
+    case CKM_RSA_PKCS_PSS:
+	if (key_type != CKK_RSA) {
+	    crv = CKR_KEY_TYPE_INCONSISTENT;
+	    break;
+	} 
+	if (pMechanism->ulParameterLen != sizeof(CK_RSA_PKCS_PSS_PARAMS)) {
+	    crv = CKR_MECHANISM_PARAM_INVALID;
+	    break;
+	}
+	info = PORT_New(SFTKHashVerifyInfo);
+	if (info == NULL) {
+	    crv = CKR_HOST_MEMORY;
+	    break;
+	}
+	info->params = pMechanism->pParameter;
+	info->key = sftk_GetPubKey(key,CKK_RSA,&crv);
+	if (info->key == NULL) {
+	    PORT_Free(info);
+	    break;
+	}
+	context->cipherInfo = info;
+	context->destroy = (SFTKDestroy) sftk_Space;
+	context->verify = (SFTKVerify) sftk_CheckSignPSS;
+	break;
     case CKM_DSA_SHA1:
         context->multi = PR_TRUE;
 	crv = sftk_doSubSHA1(context);
@@ -2515,6 +2627,7 @@ finish_rsa:
 
     INIT_HMAC_MECH(MD2)
     INIT_HMAC_MECH(MD5)
+    INIT_HMAC_MECH(SHA224)
     INIT_HMAC_MECH(SHA256)
     INIT_HMAC_MECH(SHA384)
     INIT_HMAC_MECH(SHA512)
@@ -2546,7 +2659,7 @@ finish_rsa:
 
     if (crv != CKR_OK) {
 	if (info) PORT_Free(info);
-        PORT_Free(context);
+        sftk_FreeContext(context);
 	sftk_FreeSession(session);
 	return crv;
     }
@@ -2563,8 +2676,7 @@ CK_RV NSC_Verify(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
 {
     SFTKSession *session;
     SFTKSessionContext *context;
-    CK_RV crv, crv2;
-    SECStatus rv;
+    CK_RV crv;
 
     CHECK_FORK();
 
@@ -2575,31 +2687,31 @@ CK_RV NSC_Verify(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
     /* multi part Verifying are completely implemented by VerifyUpdate and
      * VerifyFinal */
     if (context->multi) {
-	sftk_FreeSession(session);
-	crv = NSC_VerifyUpdate(hSession, pData, ulDataLen);
-	crv2 = NSC_VerifyFinal(hSession, pSignature, ulSignatureLen);
-	return crv == CKR_OK ? crv2 :crv;
+        /* VerifyFinal can't follow failed VerifyUpdate */
+	if( CKR_OK == (crv = NSC_VerifyUpdate(hSession, pData, ulDataLen)))
+            crv = NSC_VerifyFinal(hSession, pSignature, ulSignatureLen);
+    } else {
+        if (SECSuccess != (*context->verify)(context->cipherInfo,pSignature,
+                                             ulSignatureLen, pData, ulDataLen))
+            crv = sftk_MapCryptError(PORT_GetError());
+
+        sftk_TerminateOp( session, SFTK_VERIFY, context );
     }
-
-    rv = (*context->verify)(context->cipherInfo,pSignature, ulSignatureLen,
-							 pData, ulDataLen);
-    sftk_FreeContext(context);
-    sftk_SetContextByType(session, SFTK_VERIFY, NULL);
     sftk_FreeSession(session);
-
-    return (rv == SECSuccess) ? CKR_OK : sftk_MapVerifyError(PORT_GetError());
-
+    return crv;
 }
 
 
 /* NSC_VerifyUpdate continues a multiple-part verification operation, 
  * where the signature is an appendix to the data, 
- * and plaintext cannot be recovered from the signature */
+ * and plaintext cannot be recovered from the signature
+ *
+ * A call which results in an error terminates the operation [PKCS#11,v2.11]
+ */
 CK_RV NSC_VerifyUpdate( CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
 						CK_ULONG ulPartLen)
 {
     CHECK_FORK();
-
     return sftk_MACUpdate(hSession, pPart, ulPartLen, SFTK_VERIFY);
 }
 
@@ -2611,42 +2723,38 @@ CK_RV NSC_VerifyFinal(CK_SESSION_HANDLE hSession,
 {
     SFTKSession *session;
     SFTKSessionContext *context;
-    unsigned int outlen;
-    unsigned int digestLen;
-    unsigned char tmpbuf[SFTK_MAX_MAC_LENGTH];
     CK_RV crv;
-    SECStatus rv = SECSuccess;
 
     CHECK_FORK();
 
+    if (!pSignature) 
+    	return CKR_ARGUMENTS_BAD;
+
     /* make sure we're legal */
     crv = sftk_GetContext(hSession,&context,SFTK_VERIFY,PR_TRUE,&session);
-    if (crv != CKR_OK) return crv;
-
+    if (crv != CKR_OK) 
+    	return crv;
+    
     if (context->hashInfo) {
+        unsigned int digestLen;
+        unsigned char tmpbuf[SFTK_MAX_MAC_LENGTH];
+        
         (*context->end)(context->hashInfo, tmpbuf, &digestLen, sizeof(tmpbuf));
-	rv = (*context->verify)(context->cipherInfo, pSignature, 
-					ulSignatureLen, tmpbuf, digestLen);
-    } else {
-	if (context->padDataLength) {
-	    /* fill out rest of pad buffer with pad magic*/
-	    int i;
-	    for (i=context->padDataLength; i < (int)context->blockSize; i++) {
-		context->padBuf[i] = 0;
-	    }
-	    rv = (*context->update)(context->cipherInfo,context->macBuf, 
-		&outlen,SFTK_MAX_BLOCK_SIZE,context->padBuf,context->blockSize);
-	}
-	if (rv == SECSuccess) {
-	    rv =(PORT_Memcmp(pSignature,context->macBuf,context->macSize) == 0)
-				 ? SECSuccess : SECFailure;
-	}
+        if( SECSuccess != (context->verify)(context->cipherInfo, pSignature,
+                                            ulSignatureLen, tmpbuf, digestLen))
+            crv = sftk_MapCryptError(PORT_GetError());
+    } else if (ulSignatureLen != context->macSize) {
+	/* must be block cipher MACing */
+	crv = CKR_SIGNATURE_LEN_RANGE;
+    } else if (CKR_OK == (crv = sftk_MACFinal(context))) {
+	if (PORT_Memcmp(pSignature, context->macBuf, ulSignatureLen))
+	    crv = CKR_SIGNATURE_INVALID;
     }
 
-    sftk_FreeContext(context);
-    sftk_SetContextByType(session, SFTK_VERIFY, NULL);
+terminate:
+    sftk_TerminateOp( session, SFTK_VERIFY, context );
     sftk_FreeSession(session);
-    return (rv == SECSuccess) ? CKR_OK : sftk_MapVerifyError(PORT_GetError());
+    return crv;
 
 }
 
@@ -2745,8 +2853,7 @@ CK_RV NSC_VerifyRecover(CK_SESSION_HANDLE hSession,
 						pSignature, ulSignatureLen);
     *pulDataLen = (CK_ULONG) outlen;
 
-    sftk_FreeContext(context);
-    sftk_SetContextByType(session, SFTK_VERIFY_RECOVER, NULL);
+    sftk_TerminateOp(session, SFTK_VERIFY_RECOVER, context);
 finish:
     sftk_FreeSession(session);
     return (rv == SECSuccess)  ? CKR_OK : sftk_MapVerifyError(PORT_GetError());
@@ -2899,9 +3006,8 @@ nsc_parameter_gen(CK_KEY_TYPE key_type, SFTKObject *key)
     if (crv != CKR_OK) goto loser;
 
 loser:
-    if (params) {
-	PQG_DestroyParams(params);
-    }
+    PQG_DestroyParams(params);
+
     if (vfy) {
 	PQG_DestroyVerify(vfy);
     }
@@ -3835,7 +3941,7 @@ kpg_done:
 	sftk_DeleteAttributeType(privateKey,CKA_BASE);
 	key_type = CKK_DSA;
 
-	/* extract the necessary paramters and copy them to the private key */
+	/* extract the necessary parameters and copy them to the private key */
 	crv=sftk_Attribute2SSecItem(NULL,&pqgParam.prime,publicKey,CKA_PRIME);
 	if (crv != CKR_OK) break;
 	crv=sftk_Attribute2SSecItem(NULL,&pqgParam.subPrime,publicKey,
@@ -4376,7 +4482,7 @@ CK_RV NSC_WrapKey(CK_SESSION_HANDLE hSession,
 		break;
 	    }
 	    crv = sftk_CryptInit(hSession, pMechanism, hWrappingKey, 
-					CKA_WRAP, SFTK_ENCRYPT, PR_TRUE);
+				CKA_WRAP, CKA_WRAP, SFTK_ENCRYPT, PR_TRUE);
 	    if (crv != CKR_OK) {
 		sftk_FreeAttribute(attribute);
 		break;
@@ -4439,7 +4545,7 @@ CK_RV NSC_WrapKey(CK_SESSION_HANDLE hSession,
 		}
 
 		crv = sftk_CryptInit(hSession, pMechanism, hWrappingKey,
-					CKA_WRAP, SFTK_ENCRYPT, PR_TRUE);
+				CKA_WRAP, CKA_WRAP, SFTK_ENCRYPT, PR_TRUE);
 		if(crv != CKR_OK) {
 		    SECITEM_ZfreeItem(bpki, PR_TRUE);
 		    crv = CKR_KEY_TYPE_INCONSISTENT;
@@ -4755,7 +4861,7 @@ CK_RV NSC_UnwrapKey(CK_SESSION_HANDLE hSession,
     }
 
     crv = sftk_CryptInit(hSession,pMechanism,hUnwrappingKey,CKA_UNWRAP,
-							SFTK_DECRYPT, PR_FALSE);
+					CKA_UNWRAP, SFTK_DECRYPT, PR_FALSE);
     if (crv != CKR_OK) {
 	sftk_FreeObject(key);
 	return sftk_mapWrap(crv);
diff --git a/security/nss/lib/softoken/pkcs11i.h b/security/nss/lib/softoken/pkcs11i.h
index aead2456f6fe..e19c7d1531f1 100644
--- a/security/nss/lib/softoken/pkcs11i.h
+++ b/security/nss/lib/softoken/pkcs11i.h
@@ -266,19 +266,29 @@ typedef enum {
     SFTK_VERIFY_RECOVER
 } SFTKContextType;
 
-
+/** max block size of supported block ciphers */
 #define SFTK_MAX_BLOCK_SIZE 16
-/* currently SHA512 is the biggest hash length */
+/** currently SHA512 is the biggest hash length */
 #define SFTK_MAX_MAC_LENGTH 64
 #define SFTK_INVALID_MAC_SIZE 0xffffffff
 
+/** Particular ongoing operation in session (sign/verify/digest/encrypt/...)
+ *
+ *  Understanding sign/verify context:
+ *      multi=1 hashInfo=0   block (symmetric) cipher MACing
+ *      multi=1 hashInfo=X   PKC S/V with prior hashing
+ *      multi=0 hashInfo=0   PKC S/V one shot (w/o hashing)
+ *      multi=0 hashInfo=X   *** shouldn't happen ***
+ */
 struct SFTKSessionContextStr {
     SFTKContextType	type;
     PRBool		multi; 		/* is multipart */
     PRBool		doPad; 		/* use PKCS padding for block ciphers */
     unsigned int	blockSize; 	/* blocksize for padding */
     unsigned int	padDataLength; 	/* length of the valid data in padbuf */
+    /** latest incomplete block of data for block cipher */
     unsigned char	padBuf[SFTK_MAX_BLOCK_SIZE];
+    /** result of MAC'ing of latest full block of data with block cipher */
     unsigned char	macBuf[SFTK_MAX_BLOCK_SIZE];
     CK_ULONG		macSize;	/* size of a general block cipher mac*/
     void		*cipherInfo;
@@ -385,11 +395,13 @@ struct SFTKSlotStr {
  */
 struct SFTKHashVerifyInfoStr {
     SECOidTag   	hashOid;
+    void		*params;
     NSSLOWKEYPublicKey	*key;
 };
 
 struct SFTKHashSignInfoStr {
     SECOidTag   	hashOid;
+    void		*params;
     NSSLOWKEYPrivateKey	*key;
 };
 
@@ -565,18 +577,11 @@ typedef struct sftk_parametersStr {
 } sftk_parameters;
 
 
-/* machine dependent path stuff used by dbinit.c and pk11db.c */
-#ifdef macintosh
-#define PATH_SEPARATOR ":"
-#define SECMOD_DB "Security Modules"
-#define CERT_DB_FMT "%sCertificates%s"
-#define KEY_DB_FMT "%sKey Database%s"
-#else
+/* path stuff (was machine dependent) used by dbinit.c and pk11db.c */
 #define PATH_SEPARATOR "/"
 #define SECMOD_DB "secmod.db"
 #define CERT_DB_FMT "%scert%s.db"
 #define KEY_DB_FMT "%skey%s.db"
-#endif
 
 SEC_BEGIN_PROTOS
 
diff --git a/security/nss/lib/softoken/rsawrapr.c b/security/nss/lib/softoken/rsawrapr.c
index a40c265dcbff..dcfb2b2a2945 100644
--- a/security/nss/lib/softoken/rsawrapr.c
+++ b/security/nss/lib/softoken/rsawrapr.c
@@ -37,7 +37,7 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: rsawrapr.c,v 1.11.70.1 2011/04/07 22:54:48 wtc%google.com Exp $ */
+/* $Id: rsawrapr.c,v 1.17 2010/08/07 18:10:35 wtc%google.com Exp $ */
 
 #include "blapi.h"
 #include "softoken.h"
@@ -58,6 +58,9 @@
 
 #define FLAT_BUFSIZE 512	/* bytes to hold flattened SHA1Context. */
 
+/* Needed for RSA-PSS functions */
+static const unsigned char eightZeros[] = { 0, 0, 0, 0, 0, 0, 0, 0 };
+
 static SHA1Context *
 SHA1_CloneContext(SHA1Context *original)
 {
@@ -940,3 +943,295 @@ RSA_DecryptRaw(NSSLOWKEYPrivateKey *key,
 failure:
     return SECFailure;
 }
+
+/*
+ * Encode a RSA-PSS signature.
+ * Described in RFC 3447, section 9.1.1.
+ * We use mHash instead of M as input.
+ * emBits from the RFC is just modBits - 1, see section 8.1.1.
+ * We only support MGF1 as the MGF.
+ *
+ * NOTE: this code assumes modBits is a multiple of 8.
+ */
+static SECStatus
+emsa_pss_encode(unsigned char *em, unsigned int emLen,
+                const unsigned char *mHash, HASH_HashType hashAlg,
+                HASH_HashType maskHashAlg, unsigned int sLen)
+{
+    const SECHashObject *hash;
+    void *hash_context;
+    unsigned char *dbMask;
+    unsigned int dbMaskLen, i;
+    SECStatus rv;
+
+    hash = HASH_GetRawHashObject(hashAlg);
+    dbMaskLen = emLen - hash->length - 1;
+
+    /* Step 3 */
+    if (emLen < hash->length + sLen + 2) {
+	PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+	return SECFailure;
+    }
+
+    /* Step 4 */
+    rv = RNG_GenerateGlobalRandomBytes(&em[dbMaskLen - sLen], sLen);
+    if (rv != SECSuccess) {
+	return rv;
+    }
+
+    /* Step 5 + 6 */
+    /* Compute H and store it at its final location &em[dbMaskLen]. */
+    hash_context = (*hash->create)();
+    if (hash_context == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return SECFailure;
+    }
+    (*hash->begin)(hash_context);
+    (*hash->update)(hash_context, eightZeros, 8);
+    (*hash->update)(hash_context, mHash, hash->length);
+    (*hash->update)(hash_context, &em[dbMaskLen - sLen], sLen);
+    (*hash->end)(hash_context, &em[dbMaskLen], &i, hash->length);
+    (*hash->destroy)(hash_context, PR_TRUE);
+
+    /* Step 7 + 8 */
+    memset(em, 0, dbMaskLen - sLen - 1);
+    em[dbMaskLen - sLen - 1] = 0x01;
+
+    /* Step 9 */
+    dbMask = (unsigned char *)PORT_Alloc(dbMaskLen);
+    if (dbMask == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return SECFailure;
+    }
+    MGF1(maskHashAlg, dbMask, dbMaskLen, &em[dbMaskLen], hash->length);
+
+    /* Step 10 */
+    for (i = 0; i < dbMaskLen; i++)
+	em[i] ^= dbMask[i];
+    PORT_Free(dbMask);
+
+    /* Step 11 */
+    em[0] &= 0x7f;
+
+    /* Step 12 */
+    em[emLen - 1] = 0xbc;
+
+    return SECSuccess;
+}
+
+/*
+ * Verify a RSA-PSS signature.
+ * Described in RFC 3447, section 9.1.2.
+ * We use mHash instead of M as input.
+ * emBits from the RFC is just modBits - 1, see section 8.1.2.
+ * We only support MGF1 as the MGF.
+ *
+ * NOTE: this code assumes modBits is a multiple of 8.
+ */
+static SECStatus
+emsa_pss_verify(const unsigned char *mHash,
+                const unsigned char *em, unsigned int emLen,
+                HASH_HashType hashAlg, HASH_HashType maskHashAlg,
+                unsigned int sLen)
+{
+    const SECHashObject *hash;
+    void *hash_context;
+    unsigned char *db;
+    unsigned char *H_;  /* H' from the RFC */
+    unsigned int i, dbMaskLen;
+    SECStatus rv;
+
+    hash = HASH_GetRawHashObject(hashAlg);
+    dbMaskLen = emLen - hash->length - 1;
+
+    /* Step 3 + 4 + 6 */
+    if ((emLen < (hash->length + sLen + 2)) ||
+	(em[emLen - 1] != 0xbc) ||
+	((em[0] & 0x80) != 0)) {
+	PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+	return SECFailure;
+    }
+
+    /* Step 7 */
+    db = (unsigned char *)PORT_Alloc(dbMaskLen);
+    if (db == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return SECFailure;
+    }
+    /* &em[dbMaskLen] points to H, used as mgfSeed */
+    MGF1(maskHashAlg, db, dbMaskLen, &em[dbMaskLen], hash->length);
+
+    /* Step 8 */
+    for (i = 0; i < dbMaskLen; i++) {
+	db[i] ^= em[i];
+    }
+
+    /* Step 9 */
+    db[0] &= 0x7f;
+
+    /* Step 10 */
+    for (i = 0; i < (dbMaskLen - sLen - 1); i++) {
+	if (db[i] != 0) {
+	    PORT_Free(db);
+	    PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+	    return SECFailure;
+	}
+    }
+    if (db[dbMaskLen - sLen - 1] != 0x01) {
+	PORT_Free(db);
+	PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+	return SECFailure;
+    }
+
+    /* Step 12 + 13 */
+    H_ = (unsigned char *)PORT_Alloc(hash->length);
+    if (H_ == NULL) {
+	PORT_Free(db);
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return SECFailure;
+    }
+    hash_context = (*hash->create)();
+    if (hash_context == NULL) {
+	PORT_Free(db);
+	PORT_Free(H_);
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return SECFailure;
+    }
+    (*hash->begin)(hash_context);
+    (*hash->update)(hash_context, eightZeros, 8);
+    (*hash->update)(hash_context, mHash, hash->length);
+    (*hash->update)(hash_context, &db[dbMaskLen - sLen], sLen);
+    (*hash->end)(hash_context, H_, &i, hash->length);
+    (*hash->destroy)(hash_context, PR_TRUE);
+
+    PORT_Free(db);
+
+    /* Step 14 */
+    if (PORT_Memcmp(H_, &em[dbMaskLen], hash->length) != 0) {
+	PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+	rv = SECFailure;
+    } else {
+	rv = SECSuccess;
+    }
+
+    PORT_Free(H_);
+    return rv;
+}
+
+static HASH_HashType
+GetHashTypeFromMechanism(CK_MECHANISM_TYPE mech)
+{
+    /* TODO(wtc): add SHA-224. */
+    switch (mech) {
+        case CKM_SHA_1:
+        case CKG_MGF1_SHA1:
+	    return HASH_AlgSHA1;
+        case CKM_SHA256:
+        case CKG_MGF1_SHA256:
+	    return HASH_AlgSHA256;
+        case CKM_SHA384:
+        case CKG_MGF1_SHA384:
+	    return HASH_AlgSHA384;
+        case CKM_SHA512:
+        case CKG_MGF1_SHA512:
+	    return HASH_AlgSHA512;
+        default:
+	    return HASH_AlgNULL;
+    }
+}
+
+/* MGF1 is the only supported MGF. */
+SECStatus
+RSA_CheckSignPSS(CK_RSA_PKCS_PSS_PARAMS *pss_params,
+		 NSSLOWKEYPublicKey *key,
+		 const unsigned char *sign, unsigned int sign_len,
+		 const unsigned char *hash, unsigned int hash_len)
+{
+    HASH_HashType hashAlg;
+    HASH_HashType maskHashAlg;
+    SECStatus rv;
+    unsigned int modulus_len = nsslowkey_PublicModulusLen(key);
+    unsigned char *buffer;
+
+    if (sign_len != modulus_len) {
+	PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+	return SECFailure;
+    }
+
+    hashAlg = GetHashTypeFromMechanism(pss_params->hashAlg);
+    maskHashAlg = GetHashTypeFromMechanism(pss_params->mgf);
+    if ((hashAlg == HASH_AlgNULL) || (maskHashAlg == HASH_AlgNULL)) {
+	PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+	return SECFailure;
+    }
+
+    buffer = (unsigned char *)PORT_Alloc(modulus_len);
+    if (!buffer) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return SECFailure;
+    }
+
+    rv = RSA_PublicKeyOp(&key->u.rsa, buffer, sign);
+    if (rv != SECSuccess) {
+	PORT_Free(buffer);
+	PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+	return SECFailure;
+    }
+
+    rv = emsa_pss_verify(hash, buffer, modulus_len, hashAlg,
+			 maskHashAlg, pss_params->sLen);
+    PORT_Free(buffer);
+
+    return rv;
+}
+
+/* MGF1 is the only supported MGF. */
+SECStatus
+RSA_SignPSS(CK_RSA_PKCS_PSS_PARAMS *pss_params, NSSLOWKEYPrivateKey *key,
+	    unsigned char *output, unsigned int *output_len,
+	    unsigned int max_output_len,
+	    const unsigned char *input, unsigned int input_len)
+{
+    SECStatus rv = SECSuccess;
+    unsigned int modulus_len = nsslowkey_PrivateModulusLen(key);
+    unsigned char *pss_encoded = NULL;
+    HASH_HashType hashAlg;
+    HASH_HashType maskHashAlg;
+
+    if (max_output_len < modulus_len) {
+	PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+	return SECFailure;
+    }
+    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+    if (key->keyType != NSSLOWKEYRSAKey) {
+	PORT_SetError(SEC_ERROR_INVALID_KEY);
+	return SECFailure;
+    }
+
+    hashAlg = GetHashTypeFromMechanism(pss_params->hashAlg);
+    maskHashAlg = GetHashTypeFromMechanism(pss_params->mgf);
+    if ((hashAlg == HASH_AlgNULL) || (maskHashAlg == HASH_AlgNULL)) {
+	PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+	return SECFailure;
+    }
+
+    pss_encoded = (unsigned char *)PORT_Alloc(modulus_len);
+    if (pss_encoded == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return SECFailure;
+    }
+    rv = emsa_pss_encode(pss_encoded, modulus_len, input, hashAlg,
+			 maskHashAlg, pss_params->sLen);
+    if (rv != SECSuccess) 
+	goto done;
+
+    rv = RSA_PrivateKeyOpDoubleChecked(&key->u.rsa, output, pss_encoded);
+    if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+	sftk_fatalError = PR_TRUE;
+    }
+    *output_len = modulus_len;
+
+done:
+    PORT_Free(pss_encoded);
+    return rv;
+}
diff --git a/security/nss/lib/softoken/sftkdb.c b/security/nss/lib/softoken/sftkdb.c
index c68ec4ce5ac0..c650d06f14bf 100644
--- a/security/nss/lib/softoken/sftkdb.c
+++ b/security/nss/lib/softoken/sftkdb.c
@@ -1914,17 +1914,15 @@ sftkdb_reconcileTrustEntry(PRArenaPool *arena, CK_ATTRIBUTE *target,
      * trust attribute should be, and neither agree exactly. 
      * At this point, we prefer 'hard' attributes over 'soft' ones. 
      * 'hard' ones are CKT_NSS_TRUSTED, CKT_NSS_TRUSTED_DELEGATOR, and
-     * CKT_NSS_UNTRUTED. Soft ones are ones which don't change the
-     * actual trust of the cert (CKT_MUST_VERIFY, CKT_NSS_VALID,
+     * CKT_NSS_NOT_TRUTED. Soft ones are ones which don't change the
+     * actual trust of the cert (CKT_MUST_VERIFY_TRUST, 
      * CKT_NSS_VALID_DELEGATOR).
      */
-    if ((sourceTrust == CKT_NSS_MUST_VERIFY) 
-	|| (sourceTrust == CKT_NSS_VALID)
+    if ((sourceTrust == CKT_NSS_MUST_VERIFY_TRUST) 
 	|| (sourceTrust == CKT_NSS_VALID_DELEGATOR)) {
 	return SFTKDB_DROP_ATTRIBUTE;
     }
-    if ((targetTrust == CKT_NSS_MUST_VERIFY) 
-	|| (targetTrust == CKT_NSS_VALID)
+    if ((targetTrust == CKT_NSS_MUST_VERIFY_TRUST) 
 	|| (targetTrust == CKT_NSS_VALID_DELEGATOR)) {
 	/* again, overwriting the target in this case is OK */
 	return SFTKDB_MODIFY_OBJECT;
@@ -2424,7 +2422,7 @@ sftk_freeDB(SFTKDBHandle *handle)
     PRInt32 ref;
 
     if (!handle) return;
-    ref = PR_AtomicDecrement(&handle->ref);
+    ref = PR_ATOMIC_DECREMENT(&handle->ref);
     if (ref == 0) {
 	sftkdb_CloseDB(handle);
     }
@@ -2444,7 +2442,7 @@ sftk_getCertDB(SFTKSlot *slot)
     PZ_Lock(slot->slotLock);
     dbHandle = slot->certDB;
     if (dbHandle) {
-        PR_AtomicIncrement(&dbHandle->ref);
+        PR_ATOMIC_INCREMENT(&dbHandle->ref);
     }
     PZ_Unlock(slot->slotLock);
     return dbHandle;
@@ -2462,7 +2460,7 @@ sftk_getKeyDB(SFTKSlot *slot)
     SKIP_AFTER_FORK(PZ_Lock(slot->slotLock));
     dbHandle = slot->keyDB;
     if (dbHandle) {
-        PR_AtomicIncrement(&dbHandle->ref);
+        PR_ATOMIC_INCREMENT(&dbHandle->ref);
     }
     SKIP_AFTER_FORK(PZ_Unlock(slot->slotLock));
     return dbHandle;
@@ -2480,7 +2478,7 @@ sftk_getDBForTokenObject(SFTKSlot *slot, CK_OBJECT_HANDLE objectID)
     PZ_Lock(slot->slotLock);
     dbHandle = objectID & SFTK_KEYDB_TYPE ? slot->keyDB : slot->certDB;
     if (dbHandle) {
-        PR_AtomicIncrement(&dbHandle->ref);
+        PR_ATOMIC_INCREMENT(&dbHandle->ref);
     }
     PZ_Unlock(slot->slotLock);
     return dbHandle;
diff --git a/security/nss/lib/softoken/sftkmod.c b/security/nss/lib/softoken/sftkmod.c
index c89b7daaed79..e5427d9d7393 100644
--- a/security/nss/lib/softoken/sftkmod.c
+++ b/security/nss/lib/softoken/sftkmod.c
@@ -254,7 +254,7 @@ sftkdb_ReadSecmodDB(SDBType dbType, const char *appName,
     if (fd == NULL) goto done;
 
     /*
-     * the following loop takes line separated config lines and colapses
+     * the following loop takes line separated config lines and collapses
      * the lines to a single string, escaping and quoting as necessary.
      */
     /* loop state variables */
@@ -579,7 +579,7 @@ sftkdb_DeleteSecmodDB(SDBType dbType, const char *appName,
 
 
     /*
-     * the following loop takes line separated config files and colapses
+     * the following loop takes line separated config files and collapses
      * the lines to a single string, escaping and quoting as necessary.
      */
     /* loop state variables */
@@ -638,6 +638,7 @@ sftkdb_DeleteSecmodDB(SDBType dbType, const char *appName,
     PORT_Free(dbname2);
     PORT_Free(lib);
     PORT_Free(name);
+    PORT_Free(block);
     return SECSuccess;
 
 loser:
diff --git a/security/nss/lib/softoken/sftkpwd.c b/security/nss/lib/softoken/sftkpwd.c
index 9d56f1b11927..4da2d1df5e6f 100644
--- a/security/nss/lib/softoken/sftkpwd.c
+++ b/security/nss/lib/softoken/sftkpwd.c
@@ -482,7 +482,7 @@ sftkdb_SignAttribute(PLArenaPool *arena, SECItem *passKey,
     signValue.value.len = hmacLength;
     RNG_GenerateGlobalRandomBytes(saltData,prfLength);
 
-    /* initialize our pkcs5 paramter */
+    /* initialize our pkcs5 parameter */
     param = nsspkcs5_NewParam(signValue.alg, &signValue.salt, 1);
     if (param == NULL) {
 	rv = SECFailure;
diff --git a/security/nss/lib/softoken/softkver.h b/security/nss/lib/softoken/softkver.h
index 071bdabd7fa0..4082b86d4fe0 100644
--- a/security/nss/lib/softoken/softkver.h
+++ b/security/nss/lib/softoken/softkver.h
@@ -57,11 +57,11 @@
  * The format of the version string should be
  *     ".[.[.]][ ][ ]"
  */
-#define SOFTOKEN_VERSION  "3.12.11.0" SOFTOKEN_ECC_STRING
+#define SOFTOKEN_VERSION  "3.13.0.0" SOFTOKEN_ECC_STRING " Beta"
 #define SOFTOKEN_VMAJOR   3
-#define SOFTOKEN_VMINOR   12
-#define SOFTOKEN_VPATCH   11
+#define SOFTOKEN_VMINOR   13
+#define SOFTOKEN_VPATCH   0
 #define SOFTOKEN_VBUILD   0
-#define SOFTOKEN_BETA     PR_FALSE
+#define SOFTOKEN_BETA     PR_TRUE
 
 #endif /* _SOFTKVER_H_ */
diff --git a/security/nss/lib/softoken/softoken.h b/security/nss/lib/softoken/softoken.h
index 6375f9a30609..7968cf295431 100644
--- a/security/nss/lib/softoken/softoken.h
+++ b/security/nss/lib/softoken/softoken.h
@@ -36,7 +36,7 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: softoken.h,v 1.23 2009/02/26 06:57:15 nelson%bolyard.com Exp $ */
+/* $Id: softoken.h,v 1.27 2010/08/05 00:19:26 wtc%google.com Exp $ */
 
 #ifndef _SOFTOKEN_H_
 #define _SOFTOKEN_H_
@@ -94,6 +94,12 @@ SECStatus RSA_HashSign(SECOidTag hashOid,
 			unsigned int *sigLen, unsigned int maxLen,
 			unsigned char *hash, unsigned int hashLen);
 extern
+SECStatus RSA_SignPSS(CK_RSA_PKCS_PSS_PARAMS *pss_params,
+		      NSSLOWKEYPrivateKey *key, 
+		      unsigned char *output, unsigned int *output_len, 
+		      unsigned int max_output_len, const unsigned char *input,
+		      unsigned int input_len);
+extern
 SECStatus RSA_CheckSign(NSSLOWKEYPublicKey *key, unsigned char *sign,
 			    unsigned int signLength, unsigned char *hash,
 			    unsigned int hashLength);
@@ -103,6 +109,11 @@ SECStatus RSA_HashCheckSign(SECOidTag hashOid,
 			    unsigned int sigLen, unsigned char *digest,
 			    unsigned int digestLen);
 extern
+SECStatus RSA_CheckSignPSS(CK_RSA_PKCS_PSS_PARAMS *pss_params,
+			   NSSLOWKEYPublicKey *key,
+			   const unsigned char *sign, unsigned int sign_len,
+			   const unsigned char *hash, unsigned int hash_len);
+extern
 SECStatus RSA_CheckSignRecover(NSSLOWKEYPublicKey *key, unsigned char *data,
     			    unsigned int *data_len,unsigned int max_output_len, 
 			    unsigned char *sign, unsigned int sign_len);
@@ -265,7 +276,7 @@ extern PRBool sftk_fatalError;
 /*
 ** macros to check for forked child process after C_Initialize
 */
-#if defined(XP_UNIX) && !defined(NO_CHECK_FORK)
+#if defined(XP_UNIX) && !defined(NO_FORK_CHECK)
 
 #ifdef DEBUG
 
diff --git a/security/nss/cmd/lib/SSLerrs.h b/security/nss/lib/ssl/SSLerrs.h
similarity index 100%
rename from security/nss/cmd/lib/SSLerrs.h
rename to security/nss/lib/ssl/SSLerrs.h
diff --git a/security/nss/lib/ssl/derive.c b/security/nss/lib/ssl/derive.c
index 8088296a6110..d4a1d14d9997 100644
--- a/security/nss/lib/ssl/derive.c
+++ b/security/nss/lib/ssl/derive.c
@@ -36,7 +36,7 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: derive.c,v 1.12.40.1 2011/03/24 01:39:01 alexei.volkov.bugs%sun.com Exp $ */
+/* $Id: derive.c,v 1.13 2011/03/22 22:15:22 alexei.volkov.bugs%sun.com Exp $ */
 
 #include "ssl.h" 	/* prereq to sslimpl.h */
 #include "certt.h"	/* prereq to sslimpl.h */
@@ -742,9 +742,6 @@ SSL_CanBypass(CERTCertificate *cert, SECKEYPrivateKey *srvPrivkey,
 	if (enc_pms.data != NULL) {
 	    SECITEM_FreeItem(&enc_pms, PR_FALSE);
         }
-	if (pms) {
-	    PK11_FreeSymKey(pms);
-        }
 #ifdef NSS_ENABLE_ECC
 	for (; (privKeytype == ecKey && ( testecdh || testecdhe)) ||
 	       (privKeytype == rsaKey && testecdhe); ) {
diff --git a/security/nss/lib/ssl/manifest.mn b/security/nss/lib/ssl/manifest.mn
index 84512296dbfd..2a2e543fd5fc 100644
--- a/security/nss/lib/ssl/manifest.mn
+++ b/security/nss/lib/ssl/manifest.mn
@@ -46,6 +46,11 @@ EXPORTS = \
 	preenc.h \
 	$(NULL)
 
+PRIVATE_EXPORTS = \
+	sslerrstrs.h \
+	SSLerrs.h \
+ 	$(NULL)
+
 MODULE = nss
 MAPFILE = $(OBJDIR)/ssl.def
 
@@ -59,6 +64,8 @@ CSRCS = \
 	ssldef.c \
 	sslenum.c \
 	sslerr.c \
+	sslerrstrs.c \
+	sslinit.c \
 	ssl3ext.c \
 	sslgathr.c \
 	sslmutex.c \
diff --git a/security/nss/lib/ssl/notes.txt b/security/nss/lib/ssl/notes.txt
index 772da4d589cb..44731bc514ba 100644
--- a/security/nss/lib/ssl/notes.txt
+++ b/security/nss/lib/ssl/notes.txt
@@ -91,8 +91,8 @@ user dialog to finish).  It is not the same as EWOULDBLOCK.
 
 Rank (order) of locks
 
-[ReadLock ->]\ [firstHandshake ->] [ssl3Handshake ->] recvbuf \ -> "spec"
-[WriteLock->]/                                        xmitbuf /
+recvLock ->\ firstHandshake -> recvbuf -> ssl3Handshake -> xmitbuf -> "spec"
+sendLock ->/
 
 crypto and hash Data that must be protected while turning plaintext into
 ciphertext:
diff --git a/security/nss/lib/ssl/ssl.def b/security/nss/lib/ssl/ssl.def
index e2b9005d9652..70638eadc9cc 100644
--- a/security/nss/lib/ssl/ssl.def
+++ b/security/nss/lib/ssl/ssl.def
@@ -158,3 +158,9 @@ SSL_ConfigSecureServerWithCertChain;
 ;+    local:
 ;+*;
 ;+};
+;+NSS_3.13 {    # NSS 3.13 release
+;+    global:
+NSSSSL_GetVersion;
+;+    local:
+;+       *;
+;+};
diff --git a/security/nss/lib/ssl/ssl.h b/security/nss/lib/ssl/ssl.h
index 1dcb4a0c9c8e..edb8e6fd131f 100644
--- a/security/nss/lib/ssl/ssl.h
+++ b/security/nss/lib/ssl/ssl.h
@@ -36,7 +36,7 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: ssl.h,v 1.38.2.4 2011/04/08 05:44:32 wtc%google.com Exp $ */
+/* $Id: ssl.h,v 1.42 2011/08/01 07:08:09 kaie%kuix.de Exp $ */
 
 #ifndef __ssl_h_
 #define __ssl_h_
@@ -639,6 +639,23 @@ SSL_IMPORT SECStatus SSL_HandshakeNegotiatedExtension(PRFileDesc * socket,
                                                       SSLExtensionType extId,
                                                       PRBool *yes);
 
+/*
+ * Return a boolean that indicates whether the underlying library
+ * will perform as the caller expects.
+ *
+ * The only argument is a string, which should be the version
+ * identifier of the NSS library. That string will be compared
+ * against a string that represents the actual build version of
+ * the SSL library.  It also invokes the version checking functions
+ * of the dependent libraries such as NSPR.
+ */
+extern PRBool NSSSSL_VersionCheck(const char *importedVersion);
+
+/*
+ * Returns a const string of the SSL library version.
+ */
+extern const char *NSSSSL_GetVersion(void);
+
 SEC_END_PROTOS
 
 #endif /* __ssl_h_ */
diff --git a/security/nss/lib/ssl/ssl3con.c b/security/nss/lib/ssl/ssl3con.c
index 850a54ceeba6..e044cf4a2d90 100644
--- a/security/nss/lib/ssl/ssl3con.c
+++ b/security/nss/lib/ssl/ssl3con.c
@@ -39,7 +39,7 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: ssl3con.c,v 1.142.2.5 2011/01/25 01:49:22 wtc%google.com Exp $ */
+/* $Id: ssl3con.c,v 1.151 2011/07/26 02:13:37 wtc%google.com Exp $ */
 
 #include "cert.h"
 #include "ssl.h"
@@ -86,7 +86,8 @@ static SECStatus ssl3_SendServerHello(       sslSocket *ss);
 static SECStatus ssl3_SendServerHelloDone(   sslSocket *ss);
 static SECStatus ssl3_SendServerKeyExchange( sslSocket *ss);
 static SECStatus ssl3_NewHandshakeHashes(    sslSocket *ss);
-static SECStatus ssl3_UpdateHandshakeHashes( sslSocket *ss, unsigned char *b, 
+static SECStatus ssl3_UpdateHandshakeHashes( sslSocket *ss,
+                                             const unsigned char *b,
                                              unsigned int l);
 
 static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen,
@@ -928,8 +929,7 @@ ssl3_VerifySignedHashes(SSL3Hashes *hash, CERTCertificate *cert,
 
     key = CERT_ExtractPublicKey(cert);
     if (key == NULL) {
-	/* CERT_ExtractPublicKey doesn't set error code */
-	PORT_SetError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
+	ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
     	return SECFailure;
     }
 
@@ -3178,7 +3178,8 @@ loser:
 ** Caller must hold the ssl3Handshake lock.
 */
 static SECStatus
-ssl3_UpdateHandshakeHashes(sslSocket *ss, unsigned char *b, unsigned int l)
+ssl3_UpdateHandshakeHashes(sslSocket *ss, const unsigned char *b,
+			   unsigned int l)
 {
     SECStatus  rv = SECSuccess;
 
@@ -4741,7 +4742,7 @@ ssl3_SendClientKeyExchange(sslSocket *ss)
     if (ss->sec.peerKey == NULL) {
 	serverKey = CERT_ExtractPublicKey(ss->sec.peerCert);
 	if (serverKey == NULL) {
-	    PORT_SetError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
+	    ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
 	    return SECFailure;
 	}
     } else {
@@ -5671,14 +5672,21 @@ ssl3_RestartHandshakeAfterCertReq(sslSocket *         ss,
 
 PRBool
 ssl3_CanFalseStart(sslSocket *ss) {
-    return ss->opt.enableFalseStart &&
-	   !ss->sec.isServer &&
-	   !ss->ssl3.hs.isResuming &&
-	   ss->ssl3.cwSpec &&
-	   ss->ssl3.cwSpec->cipher_def->secret_key_size >= 10 &&
-	   (ss->ssl3.hs.kea_def->exchKeyType == ssl_kea_rsa ||
-	    ss->ssl3.hs.kea_def->exchKeyType == ssl_kea_dh  ||
-	    ss->ssl3.hs.kea_def->exchKeyType == ssl_kea_ecdh);
+    PRBool rv;
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+
+    ssl_GetSpecReadLock(ss);
+    rv = ss->opt.enableFalseStart &&
+	 !ss->sec.isServer &&
+	 !ss->ssl3.hs.isResuming &&
+	 ss->ssl3.cwSpec &&
+	 ss->ssl3.cwSpec->cipher_def->secret_key_size >= 10 &&
+	(ss->ssl3.hs.kea_def->exchKeyType == ssl_kea_rsa ||
+	 ss->ssl3.hs.kea_def->exchKeyType == ssl_kea_dh  ||
+	 ss->ssl3.hs.kea_def->exchKeyType == ssl_kea_ecdh);
+    ssl_ReleaseSpecReadLock(ss);
+    return rv;
 }
 
 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
@@ -7760,6 +7768,7 @@ static SECStatus
 ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
 {
     ssl3CertNode *   c;
+    ssl3CertNode *   lastCert 	= NULL;
     ssl3CertNode *   certs 	= NULL;
     PRArenaPool *    arena 	= NULL;
     CERTCertificate *cert;
@@ -7887,8 +7896,13 @@ ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
 	if (c->cert->trust)
 	    trusted = PR_TRUE;
 
-	c->next = certs;
-	certs = c;
+	c->next = NULL;
+	if (lastCert) {
+	    lastCert->next = c;
+	} else {
+	    certs = c;
+	}
+	lastCert = c;
     }
 
     if (remaining != 0)
diff --git a/security/nss/lib/ssl/ssl3ext.c b/security/nss/lib/ssl/ssl3ext.c
index 3a92fa0281a1..9c3dca6256d7 100644
--- a/security/nss/lib/ssl/ssl3ext.c
+++ b/security/nss/lib/ssl/ssl3ext.c
@@ -41,7 +41,7 @@
  * ***** END LICENSE BLOCK ***** */
 
 /* TLS extension code moved here from ssl3ecc.c */
-/* $Id: ssl3ext.c,v 1.14.2.2 2011/03/24 16:30:57 alexei.volkov.bugs%sun.com Exp $ */
+/* $Id: ssl3ext.c,v 1.16 2011/03/24 01:40:14 alexei.volkov.bugs%sun.com Exp $ */
 
 #include "nssrenam.h"
 #include "nss.h"
diff --git a/security/nss/lib/ssl/ssl3gthr.c b/security/nss/lib/ssl/ssl3gthr.c
index 65d96f8a7006..172b3459276b 100644
--- a/security/nss/lib/ssl/ssl3gthr.c
+++ b/security/nss/lib/ssl/ssl3gthr.c
@@ -36,7 +36,7 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: ssl3gthr.c,v 1.9.20.1 2010/07/31 04:33:52 wtc%google.com Exp $ */
+/* $Id: ssl3gthr.c,v 1.10 2010/07/30 03:00:17 wtc%google.com Exp $ */
 
 #include "cert.h"
 #include "ssl.h"
diff --git a/security/nss/lib/ssl/sslauth.c b/security/nss/lib/ssl/sslauth.c
index 6d1eab0f53bc..93c11cdfa7c4 100644
--- a/security/nss/lib/ssl/sslauth.c
+++ b/security/nss/lib/ssl/sslauth.c
@@ -33,7 +33,7 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: sslauth.c,v 1.16.66.1 2010/08/03 18:52:13 wtc%google.com Exp $ */
+/* $Id: sslauth.c,v 1.17 2010/08/03 18:48:45 wtc%google.com Exp $ */
 #include "cert.h"
 #include "secitem.h"
 #include "ssl.h"
diff --git a/security/nss/lib/ssl/sslcon.c b/security/nss/lib/ssl/sslcon.c
index 8f3bc06a8343..4191c89e30ea 100644
--- a/security/nss/lib/ssl/sslcon.c
+++ b/security/nss/lib/ssl/sslcon.c
@@ -37,7 +37,7 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: sslcon.c,v 1.40.2.1 2011/03/30 17:38:42 wtc%google.com Exp $ */
+/* $Id: sslcon.c,v 1.42 2011/08/01 07:08:09 kaie%kuix.de Exp $ */
 
 #include "nssrenam.h"
 #include "cert.h"
@@ -3852,3 +3852,9 @@ NSSSSL_VersionCheck(const char *importedVersion)
     c = __nss_ssl_rcsid[0] + __nss_ssl_sccsid[0]; 
     return NSS_VersionCheck(importedVersion);
 }
+
+const char *
+NSSSSL_GetVersion(void)
+{
+    return NSS_VERSION;
+}
diff --git a/security/nss/lib/ssl/sslerr.h b/security/nss/lib/ssl/sslerr.h
index a2f6524bf7fb..1422e2de7b71 100644
--- a/security/nss/lib/ssl/sslerr.h
+++ b/security/nss/lib/ssl/sslerr.h
@@ -36,7 +36,7 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: sslerr.h,v 1.11.2.2 2010/09/01 19:47:11 wtc%google.com Exp $ */
+/* $Id: sslerr.h,v 1.13 2010/09/01 19:43:48 wtc%google.com Exp $ */
 #ifndef __SSL_ERR_H_
 #define __SSL_ERR_H_
 
diff --git a/security/nss/lib/ssl/sslerrstrs.c b/security/nss/lib/ssl/sslerrstrs.c
new file mode 100644
index 000000000000..182a2bfd6f58
--- /dev/null
+++ b/security/nss/lib/ssl/sslerrstrs.c
@@ -0,0 +1,66 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Red Hat, Inc
+ * Portions created by the Initial Developer are Copyright (C) 2009
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#include "prerror.h"
+#include "sslerr.h"
+#include "prinit.h"
+#include "nssutil.h"
+#include "ssl.h"
+#include "sslerrstrs.h"
+
+#define ER3(name, value, str) {#name, str},
+
+static const struct PRErrorMessage ssltext[] = {
+#include "SSLerrs.h"
+    {0,0}
+};
+
+static const struct PRErrorTable ssl_et = {
+    ssltext, "sslerr", SSL_ERROR_BASE,
+        (sizeof ssltext)/(sizeof ssltext[0])
+};
+
+static PRStatus
+ssl_InitializePRErrorTableOnce(void) {
+    return PR_ErrorInstallTable(&ssl_et);
+}
+
+static PRCallOnceType once;
+
+PRStatus
+ssl_InitializePRErrorTable(void)
+{
+    return PR_CallOnce(&once, ssl_InitializePRErrorTableOnce);
+}
diff --git a/modules/libreg/src/mmapio.h b/security/nss/lib/ssl/sslerrstrs.h
similarity index 73%
rename from modules/libreg/src/mmapio.h
rename to security/nss/lib/ssl/sslerrstrs.h
index 5c305dcdddfe..69dbd8230e3e 100644
--- a/modules/libreg/src/mmapio.h
+++ b/security/nss/lib/ssl/sslerrstrs.h
@@ -1,4 +1,7 @@
-/* ***** BEGIN LICENSE BLOCK *****
+/*
+ * This file contains prototypes for the public SSL functions.
+ *
+ * ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
  *
  * The contents of this file are subject to the Mozilla Public License Version
@@ -11,15 +14,14 @@
  * for the specific language governing rights and limitations under the
  * License.
  *
- * The Original Code is Mozilla Communicator.
+ * The Original Code is the Netscape security libraries.
  *
  * The Initial Developer of the Original Code is
- * James L. Nance.
- * Portions created by the Initial Developer are Copyright (C) 1999
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
  * the Initial Developer. All Rights Reserved.
  *
  * Contributor(s):
- *   James L. Nance 
  *
  * Alternatively, the contents of this file may be used under the terms of
  * either the GNU General Public License Version 2 or later (the "GPL"), or
@@ -34,14 +36,18 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
+/* $Id: sslerrstrs.h,v 1.1 2011/08/17 14:41:02 emaldona%redhat.com Exp $ */
 
-#include "prio.h"
+#ifndef __sslerrstrs_h_
+#define __sslerrstrs_h_
 
-typedef struct MmioFileStruct MmioFile;
+#include "prtypes.h"
 
-PRStatus mmio_FileSeek(MmioFile *file, PRInt32 offset, PRSeekWhence whence);
-PRInt32  mmio_FileRead(MmioFile *file, char *dest, PRInt32 count);
-PRInt32  mmio_FileWrite(MmioFile *file, const char *src, PRInt32 count);
-PRInt32  mmio_FileTell(MmioFile *file);
-PRStatus mmio_FileClose(MmioFile *file);
-MmioFile *mmio_FileOpen(char *path, PRIntn flags, PRIntn mode);
+SEC_BEGIN_PROTOS
+
+extern PRStatus 
+ssl_InitializePRErrorTable(void);
+
+SEC_END_PROTOS
+
+#endif /* __sslerrstrs_h_ */
diff --git a/security/nss/lib/ssl/sslimpl.h b/security/nss/lib/ssl/sslimpl.h
index 91070d35c07f..782afadfe6f7 100644
--- a/security/nss/lib/ssl/sslimpl.h
+++ b/security/nss/lib/ssl/sslimpl.h
@@ -39,7 +39,7 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: sslimpl.h,v 1.77.2.2 2011/03/16 18:55:38 alexei.volkov.bugs%sun.com Exp $ */
+/* $Id: sslimpl.h,v 1.82 2011/03/10 04:29:04 alexei.volkov.bugs%sun.com Exp $ */
 
 #ifndef __sslimpl_h_
 #define __sslimpl_h_
@@ -1258,15 +1258,24 @@ extern PRBool    ssl3_CanFalseStart(sslSocket *ss);
 #define SSL_LOCK_WRITER(ss)		if (ss->sendLock) PZ_Lock(ss->sendLock)
 #define SSL_UNLOCK_WRITER(ss)		if (ss->sendLock) PZ_Unlock(ss->sendLock)
 
+/* firstHandshakeLock -> recvBufLock */
 #define ssl_Get1stHandshakeLock(ss)     \
-    { if (!ss->opt.noLocks) PZ_EnterMonitor((ss)->firstHandshakeLock); }
+    { if (!ss->opt.noLocks) { \
+	  PORT_Assert(PZ_InMonitor((ss)->firstHandshakeLock) || \
+		      !ssl_HaveRecvBufLock(ss)); \
+	  PZ_EnterMonitor((ss)->firstHandshakeLock); \
+      } }
 #define ssl_Release1stHandshakeLock(ss) \
     { if (!ss->opt.noLocks) PZ_ExitMonitor((ss)->firstHandshakeLock); }
 #define ssl_Have1stHandshakeLock(ss)    \
     (PZ_InMonitor((ss)->firstHandshakeLock))
 
+/* ssl3HandshakeLock -> xmitBufLock */
 #define ssl_GetSSL3HandshakeLock(ss)	\
-    { if (!ss->opt.noLocks) PZ_EnterMonitor((ss)->ssl3HandshakeLock); }
+    { if (!ss->opt.noLocks) { \
+	  PORT_Assert(!ssl_HaveXmitBufLock(ss)); \
+	  PZ_EnterMonitor((ss)->ssl3HandshakeLock); \
+      } }
 #define ssl_ReleaseSSL3HandshakeLock(ss) \
     { if (!ss->opt.noLocks) PZ_ExitMonitor((ss)->ssl3HandshakeLock); }
 #define ssl_HaveSSL3HandshakeLock(ss)	\
@@ -1276,6 +1285,8 @@ extern PRBool    ssl3_CanFalseStart(sslSocket *ss);
     { if (!ss->opt.noLocks) NSSRWLock_LockRead((ss)->specLock); }
 #define ssl_ReleaseSpecReadLock(ss)	\
     { if (!ss->opt.noLocks) NSSRWLock_UnlockRead((ss)->specLock); }
+/* NSSRWLock_HaveReadLock is not exported so there's no
+ * ssl_HaveSpecReadLock macro. */
 
 #define ssl_GetSpecWriteLock(ss)	\
     { if (!ss->opt.noLocks) NSSRWLock_LockWrite((ss)->specLock); }
@@ -1284,13 +1295,19 @@ extern PRBool    ssl3_CanFalseStart(sslSocket *ss);
 #define ssl_HaveSpecWriteLock(ss)	\
     (NSSRWLock_HaveWriteLock((ss)->specLock))
 
+/* recvBufLock -> ssl3HandshakeLock -> xmitBufLock */
 #define ssl_GetRecvBufLock(ss)		\
-    { if (!ss->opt.noLocks) PZ_EnterMonitor((ss)->recvBufLock); }
+    { if (!ss->opt.noLocks) { \
+	  PORT_Assert(!ssl_HaveSSL3HandshakeLock(ss)); \
+	  PORT_Assert(!ssl_HaveXmitBufLock(ss)); \
+	  PZ_EnterMonitor((ss)->recvBufLock); \
+      } }
 #define ssl_ReleaseRecvBufLock(ss)	\
     { if (!ss->opt.noLocks) PZ_ExitMonitor( (ss)->recvBufLock); }
 #define ssl_HaveRecvBufLock(ss)		\
     (PZ_InMonitor((ss)->recvBufLock))
 
+/* xmitBufLock -> specLock */
 #define ssl_GetXmitBufLock(ss)		\
     { if (!ss->opt.noLocks) PZ_EnterMonitor((ss)->xmitBufLock); }
 #define ssl_ReleaseXmitBufLock(ss)	\
diff --git a/security/nss/lib/ssl/sslinfo.c b/security/nss/lib/ssl/sslinfo.c
index 96377b0d1e81..4253962dfc8b 100644
--- a/security/nss/lib/ssl/sslinfo.c
+++ b/security/nss/lib/ssl/sslinfo.c
@@ -34,7 +34,7 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: sslinfo.c,v 1.23.2.1 2010/09/02 01:13:46 wtc%google.com Exp $ */
+/* $Id: sslinfo.c,v 1.24 2010/09/02 01:12:57 wtc%google.com Exp $ */
 #include "ssl.h"
 #include "sslimpl.h"
 #include "sslproto.h"
diff --git a/security/nss/lib/ssl/sslinit.c b/security/nss/lib/ssl/sslinit.c
new file mode 100644
index 000000000000..4ba8e84dc104
--- /dev/null
+++ b/security/nss/lib/ssl/sslinit.c
@@ -0,0 +1,60 @@
+/*
+ * NSS utility functions
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Red Hat Inc.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id: sslinit.c,v 1.1 2011/08/17 14:41:05 emaldona%redhat.com Exp $ */
+
+#include "prtypes.h"
+#include "prinit.h"
+#include "seccomon.h"
+#include "secerr.h"
+#include "ssl.h"
+#include "sslerrstrs.h"
+
+static int ssl_inited = 0;
+
+SECStatus
+ssl_Init(void)
+{
+    if (!ssl_inited) {
+	if (ssl_InitializePRErrorTable() == PR_FAILURE) {
+	   return (SEC_ERROR_NO_MEMORY);
+	}
+	ssl_inited = 1;
+    }
+    return SECSuccess;
+}
diff --git a/security/nss/lib/ssl/sslnonce.c b/security/nss/lib/ssl/sslnonce.c
index 024651073fcc..ca089aaf8f68 100644
--- a/security/nss/lib/ssl/sslnonce.c
+++ b/security/nss/lib/ssl/sslnonce.c
@@ -36,7 +36,7 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: sslnonce.c,v 1.25.54.1 2011/03/24 16:30:57 alexei.volkov.bugs%sun.com Exp $ */
+/* $Id: sslnonce.c,v 1.26 2011/03/24 01:40:14 alexei.volkov.bugs%sun.com Exp $ */
 
 #include "cert.h"
 #include "pk11pub.h"
diff --git a/security/nss/lib/ssl/sslreveal.c b/security/nss/lib/ssl/sslreveal.c
index 94b2c2fd1d3e..b66be3db268c 100644
--- a/security/nss/lib/ssl/sslreveal.c
+++ b/security/nss/lib/ssl/sslreveal.c
@@ -36,7 +36,7 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: sslreveal.c,v 1.7.2.1 2010/08/03 18:52:13 wtc%google.com Exp $ */
+/* $Id: sslreveal.c,v 1.8 2010/08/03 18:48:45 wtc%google.com Exp $ */
 
 #include "cert.h"
 #include "ssl.h"
diff --git a/security/nss/lib/ssl/sslsecur.c b/security/nss/lib/ssl/sslsecur.c
index a40dd4fc3195..70b665b3a24c 100644
--- a/security/nss/lib/ssl/sslsecur.c
+++ b/security/nss/lib/ssl/sslsecur.c
@@ -37,7 +37,7 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: sslsecur.c,v 1.43.2.4 2011/04/08 05:25:21 wtc%google.com Exp $ */
+/* $Id: sslsecur.c,v 1.49 2011/04/08 05:37:44 wtc%google.com Exp $ */
 #include "cert.h"
 #include "secitem.h"
 #include "keyhi.h"
@@ -84,7 +84,8 @@
  *
  * 3.   SECWouldBlock was returned by one of the callback functions, via
  *	one of these paths:
- * -	ssl2_HandleMessage() -> ssl2_HandleRequestCertificate() -> ss->getClientAuthData()
+ * -	ssl2_HandleMessage() -> ssl2_HandleRequestCertificate() ->
+ *	ss->getClientAuthData()
  *
  * -	ssl2_HandleServerHelloMessage() -> ss->handleBadCert()
  *
@@ -117,6 +118,7 @@ ssl_Do1stHandshake(sslSocket *ss)
 	PORT_Assert(ss->opt.noLocks ||  ssl_Have1stHandshakeLock(ss) );
 	PORT_Assert(ss->opt.noLocks || !ssl_HaveRecvBufLock(ss));
 	PORT_Assert(ss->opt.noLocks || !ssl_HaveXmitBufLock(ss));
+	PORT_Assert(ss->opt.noLocks || !ssl_HaveSSL3HandshakeLock(ss));
 
 	if (ss->handshake == 0) {
 	    /* Previous handshake finished. Switch to next one */
@@ -157,6 +159,7 @@ ssl_Do1stHandshake(sslSocket *ss)
 
     PORT_Assert(ss->opt.noLocks || !ssl_HaveRecvBufLock(ss));
     PORT_Assert(ss->opt.noLocks || !ssl_HaveXmitBufLock(ss));
+    PORT_Assert(ss->opt.noLocks || !ssl_HaveSSL3HandshakeLock(ss));
 
     if (rv == SECWouldBlock) {
 	PORT_SetError(PR_WOULD_BLOCK_ERROR);
@@ -235,7 +238,6 @@ SSL_ResetHandshake(PRFileDesc *s, PRBool asServer)
 
     /* Reset handshake state */
     ssl_Get1stHandshakeLock(ss);
-    ssl_GetSSL3HandshakeLock(ss);
 
     ss->firstHsDone = PR_FALSE;
     if ( asServer ) {
@@ -252,6 +254,8 @@ SSL_ResetHandshake(PRFileDesc *s, PRBool asServer)
     status = ssl_InitGather(&ss->gs);
     ssl_ReleaseRecvBufLock(ss);
 
+    ssl_GetSSL3HandshakeLock(ss);
+
     /*
     ** Blow away old security state and get a fresh setup.
     */
@@ -1210,12 +1214,15 @@ ssl_SecureSend(sslSocket *ss, const unsigned char *buf, int len, int flags)
     if (!ss->firstHsDone) {
 	PRBool canFalseStart = PR_FALSE;
 	ssl_Get1stHandshakeLock(ss);
-	if (ss->version >= SSL_LIBRARY_VERSION_3_0 &&
-	    (ss->ssl3.hs.ws == wait_change_cipher ||
-	     ss->ssl3.hs.ws == wait_finished ||
-	     ss->ssl3.hs.ws == wait_new_session_ticket) &&
-	    ssl3_CanFalseStart(ss)) {
-	    canFalseStart = PR_TRUE;
+	if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
+	    ssl_GetSSL3HandshakeLock(ss);
+	    if ((ss->ssl3.hs.ws == wait_change_cipher ||
+		ss->ssl3.hs.ws == wait_finished ||
+		ss->ssl3.hs.ws == wait_new_session_ticket) &&
+		ssl3_CanFalseStart(ss)) {
+		canFalseStart = PR_TRUE;
+	    }
+	    ssl_ReleaseSSL3HandshakeLock(ss);
 	}
 	if (!canFalseStart &&
 	    (ss->handshake || ss->nextHandshake || ss->securityHandshake)) {
diff --git a/security/nss/lib/ssl/sslsnce.c b/security/nss/lib/ssl/sslsnce.c
index cd318df29da8..ee736b282e46 100644
--- a/security/nss/lib/ssl/sslsnce.c
+++ b/security/nss/lib/ssl/sslsnce.c
@@ -36,7 +36,7 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: sslsnce.c,v 1.54.2.1 2011/03/16 18:49:45 alexei.volkov.bugs%sun.com Exp $ */
+/* $Id: sslsnce.c,v 1.56 2011/08/17 14:41:10 emaldona%redhat.com Exp $ */
 
 /* Note: ssl_FreeSID() in sslnonce.c gets used for both client and server 
  * cache sids!
@@ -83,6 +83,7 @@
 #include "ssl.h"
 #include "sslimpl.h"
 #include "sslproto.h"
+#include "sslutil.h"
 #include "pk11func.h"
 #include "base64.h"
 #include "keyhi.h"
@@ -1331,6 +1332,11 @@ ssl_ConfigServerSessionIDCacheInstanceWithOpt(cacheDesc *cache,
     PORT_Assert(sizeof(certCacheEntry) == 4096);
     PORT_Assert(sizeof(srvNameCacheEntry) == 1072);
 
+    rv = ssl_Init();
+    if (rv != SECSuccess) {
+	return rv;
+    }
+
     myPid = SSL_GETPID();
     if (!directory) {
 	directory = DEFAULT_CACHE_DIRECTORY;
@@ -1511,6 +1517,11 @@ SSL_InheritMPServerSIDCacheInstance(cacheDesc *cache, const char * envString)
     int           locks_initialized = 0;
     int           locks_to_initialize = 0;
 #endif
+    SECStatus     status = ssl_Init();
+
+    if (status != SECSuccess) {
+	return status;
+    }
 
     myPid = SSL_GETPID();
 
diff --git a/security/nss/lib/ssl/sslsock.c b/security/nss/lib/ssl/sslsock.c
index 568b500c8cac..b598688b110f 100644
--- a/security/nss/lib/ssl/sslsock.c
+++ b/security/nss/lib/ssl/sslsock.c
@@ -40,13 +40,14 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: sslsock.c,v 1.67.2.3 2011/07/26 14:42:57 wtc%google.com Exp $ */
+/* $Id: sslsock.c,v 1.72 2011/08/17 14:41:16 emaldona%redhat.com Exp $ */
 #include "seccomon.h"
 #include "cert.h"
 #include "keyhi.h"
 #include "ssl.h"
 #include "sslimpl.h"
 #include "sslproto.h"
+#include "sslutil.h"
 #include "nspr.h"
 #include "private/pprio.h"
 #include "blapi.h"
@@ -871,6 +872,12 @@ SSL_EnableDefault(int which, PRBool on)
 SECStatus
 SSL_OptionSetDefault(PRInt32 which, PRBool on)
 {
+    SECStatus status = ssl_Init();
+
+    if (status != SECSuccess) {
+	return status;
+    }
+
     ssl_SetDefaultsFromEnvironment();
 
     switch (which) {
@@ -1043,7 +1050,11 @@ SSL_SetPolicy(long which, int policy)
 SECStatus
 SSL_CipherPolicySet(PRInt32 which, PRInt32 policy)
 {
-    SECStatus rv;
+    SECStatus rv = ssl_Init();
+
+    if (rv != SECSuccess) {
+	return rv;
+    }
 
     if (ssl_IsRemovedCipherSuite(which)) {
     	rv = SECSuccess;
@@ -1098,7 +1109,11 @@ SSL_EnableCipher(long which, PRBool enabled)
 SECStatus
 SSL_CipherPrefSetDefault(PRInt32 which, PRBool enabled)
 {
-    SECStatus rv;
+    SECStatus rv = ssl_Init();
+
+    if (rv != SECSuccess) {
+	return rv;
+    }
 
     if (ssl_IsRemovedCipherSuite(which))
     	return SECSuccess;
@@ -1239,6 +1254,11 @@ SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd)
     sslSocket * ns = NULL;
     PRStatus    rv;
     PRNetAddr   addr;
+    SECStatus	status = ssl_Init();
+
+    if (status != SECSuccess) {
+	return NULL;
+    }
 
     if (model == NULL) {
 	/* Just create a default socket if we're given NULL for the model */
@@ -2179,7 +2199,9 @@ ssl_PushIOLayer(sslSocket *ns, PRFileDesc *stack, PRDescIdentity id)
     PRStatus    status;
 
     if (!ssl_inited) {
-	PR_CallOnce(&initIoLayerOnce, &ssl_InitIOLayer);
+	status = PR_CallOnce(&initIoLayerOnce, &ssl_InitIOLayer);
+	if (status != PR_SUCCESS)
+	    goto loser;
     }
 
     if (ns == NULL)
diff --git a/security/nss/lib/ssl/sslutil.h b/security/nss/lib/ssl/sslutil.h
new file mode 100644
index 000000000000..26603280881a
--- /dev/null
+++ b/security/nss/lib/ssl/sslutil.h
@@ -0,0 +1,53 @@
+/*
+ * This file contains prototypes for the public SSL functions.
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* $Id: sslutil.h,v 1.1 2011/08/17 14:41:20 emaldona%redhat.com Exp $ */
+
+#ifndef __sslutil_h_
+#define __sslutil_h_
+
+#include "prtypes.h"
+
+SEC_BEGIN_PROTOS
+
+extern PRStatus SSL_InitializePRErrorTable(void);
+extern SECStatus ssl_Init(void);
+
+SEC_END_PROTOS
+
+#endif /* __sslutil_h_ */
diff --git a/security/nss/cmd/lib/SECerrs.h b/security/nss/lib/util/SECerrs.h
similarity index 100%
rename from security/nss/cmd/lib/SECerrs.h
rename to security/nss/lib/util/SECerrs.h
diff --git a/security/nss/lib/util/errstrs.c b/security/nss/lib/util/errstrs.c
new file mode 100644
index 000000000000..689aadb36274
--- /dev/null
+++ b/security/nss/lib/util/errstrs.c
@@ -0,0 +1,183 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Red Hat, Inc
+ * Portions created by the Initial Developer are Copyright (C) 2009
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#include "prerror.h"
+#include "secerr.h"
+#include "secport.h"
+#include "prinit.h"
+#include "prprf.h"
+#include "prtypes.h"
+#include "prlog.h"
+#include "plstr.h"
+#include "nssutil.h"
+#include 
+
+#define ER3(name, value, str) {#name, str},
+
+static const struct PRErrorMessage sectext[] = {
+#include "SECerrs.h"
+    {0,0}
+};
+
+static const struct PRErrorTable sec_et = {
+    sectext, "secerrstrings", SEC_ERROR_BASE, 
+        (sizeof sectext)/(sizeof sectext[0]) 
+};
+
+static PRStatus 
+nss_InitializePRErrorTableOnce(void) {
+    return PR_ErrorInstallTable(&sec_et);
+}
+
+static PRCallOnceType once;
+
+PRStatus
+NSS_InitializePRErrorTable(void)
+{
+    return PR_CallOnce(&once, nss_InitializePRErrorTableOnce);
+}
+
+/* Returns a UTF-8 encoded constant error string for "errNum".
+ * Returns NULL if either initialization of the error tables
+ * or formatting fails due to insufficient memory. 
+ *
+ * This is the simpler common function that the others call.
+ * It is thread safe and does not preappend anything to the
+ * mapped error string.
+ */
+static char *
+nss_Strerror(PRErrorCode errNum)
+{
+    static int initDone;
+
+    if (!initDone) {
+    /* nspr_InitializePRErrorTable(); done by PR_Init */
+    PRStatus rv = NSS_InitializePRErrorTable();
+    /* If this calls fails for insufficient memory, just return NULL */
+    if (rv != PR_SUCCESS) return NULL;
+	initDone = 1;
+    }
+
+    return (char *) PR_ErrorToString(errNum, PR_LANGUAGE_I_DEFAULT);
+}
+
+/* Hope this size is sufficient even with localization */
+#define EBUFF_SIZE 512
+static char ebuf[EBUFF_SIZE];
+
+/* Returns a UTF-8 encoded constant error string for "errNum".
+ * Returns NULL if either initialization of the error tables
+ * or formatting fails due to insufficient memory.
+ *
+ * The format argument indicates whether extra error information
+ * is desired. This is useful when localizations are not yet
+ * available and the mapping would return nothing for a locale. 
+ *
+ * Specify formatSimple to get just the error string as mapped.
+ * Specify formatIncludeErrorCode to format the error code 
+ * numeric value plus a bracketed stringized error name
+ * preappended to the mapped error string. 
+ * 
+ * Additional formatting options may be added in teh future
+ *
+ * This string must not be modified by the application, but may be modified by
+ * a subsequent call to NSS_Perror() or NSS_Strerror().
+ */
+char *
+NSS_Strerror(PRErrorCode errNum, ReportFormatType format)
+{
+    PRUint32 count;
+    char *errname = (char *) PR_ErrorToName(errNum);
+    char *errstr = nss_Strerror(errNum);
+
+    if (!errstr) return NULL;
+
+    if (format == formatSimple) return errstr;
+
+    count = PR_snprintf(ebuf, EBUFF_SIZE, "[%d %s] %s",
+	errNum, errname, errstr);
+
+    PR_ASSERT(count != -1);
+
+    return ebuf;
+}
+
+/* NSS_StrerrorTS is a thread safe version of NSS_Strerror.
+ * It formats output into a buffer allocated at run time.
+ * The buffer is allocated with PR_smprintf thus the string
+ * returned should be freed with PR_smprintf_free.
+ */
+char *
+NSS_StrerrorTS(PRErrorCode errNum, ReportFormatType format)
+{
+    char *errstr = NSS_Strerror(errNum, format);
+
+    return PR_smprintf("[%d %s] %s",
+	errNum, PR_ErrorToName(errNum), errstr ? errstr : "");
+}
+
+/* Prints an error message on the standard error output, describing the last
+ * error encountered during a call to an NSS library function.
+ *
+ * A language-dependent error message is written and formatted to
+ * the standard error stream as follows:
+ *
+ *  If s is not a NULL or empty, prints the string pointed to by s followed
+ *  by a colon and a space and then the error message string followed by a
+ *  newline.
+ *
+ * NSS_Perror is partially modeled after the posix function perror.
+ */
+void
+NSS_Perror(const char *s, ReportFormatType format)
+{
+    PRErrorCode err;
+    char *errString;
+
+    if (!s || PORT_Strlen(s) == 0) {
+	return;
+    }
+
+    err = PORT_GetError();
+    errString = NSS_Strerror(err, format);
+
+    fprintf(stderr, "%s: ", s);
+
+    if (errString != NULL && PORT_Strlen(errString) > 0) {
+	fprintf(stderr, "%s\n", errString);
+    } else {
+	fprintf(stderr, "Unknown error: %d\n", (int)err);
+    }
+}
diff --git a/security/nss/lib/util/errstrs.h b/security/nss/lib/util/errstrs.h
new file mode 100644
index 000000000000..2e71eed7d36a
--- /dev/null
+++ b/security/nss/lib/util/errstrs.h
@@ -0,0 +1,56 @@
+/*
+ * NSS utility functions
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is Network Security Services.
+ *
+ * The Initial Developer of the Original Code is
+ * Red Hat Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2009
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef __errstrs_h_
+#define __errstrs_h_
+
+#include "prerror.h"
+
+#ifndef RC_INVOKED
+#include "seccomon.h"
+#endif
+
+SEC_BEGIN_PROTOS
+
+extern PRStatus
+nss_InitializePRErrorTable(void);
+
+SEC_END_PROTOS
+
+#endif /* __errstrs_h_ */
diff --git a/security/nss/lib/util/manifest.mn b/security/nss/lib/util/manifest.mn
index 74ddd9244e5a..aeafda9fc8a1 100644
--- a/security/nss/lib/util/manifest.mn
+++ b/security/nss/lib/util/manifest.mn
@@ -70,6 +70,7 @@ EXPORTS = \
 	$(NULL)
 
 PRIVATE_EXPORTS = \
+	errstrs.h \
 	templates.c \
 	$(NULL)
 
@@ -80,6 +81,7 @@ CSRCS = \
 	derenc.c \
 	dersubr.c \
 	dertime.c \
+	errstrs.c \
 	nssb64d.c \
 	nssb64e.c \
 	nssrwlk.c \
diff --git a/security/nss/lib/util/nssb64d.c b/security/nss/lib/util/nssb64d.c
index 6358fbe51f04..c97a55f96091 100644
--- a/security/nss/lib/util/nssb64d.c
+++ b/security/nss/lib/util/nssb64d.c
@@ -37,7 +37,7 @@
 /*
  * Base64 decoding (ascii to binary).
  *
- * $Id: nssb64d.c,v 1.7.32.1 2011/05/07 18:20:53 kaie%kuix.de Exp $
+ * $Id: nssb64d.c,v 1.8 2011/05/07 18:20:45 kaie%kuix.de Exp $
  */
 
 #include "nssb64.h"
diff --git a/security/nss/lib/util/nssutil.def b/security/nss/lib/util/nssutil.def
index aa965053f692..bc255f359786 100644
--- a/security/nss/lib/util/nssutil.def
+++ b/security/nss/lib/util/nssutil.def
@@ -254,3 +254,13 @@ PORT_RegExpSearch;
 ;+    local:
 ;+       *;
 ;+};
+;+NSS_3.13 {    # NSS 3.13 release
+;+    global:
+NSSUTIL_GetVersion;
+NSS_InitializePRErrorTable;
+NSS_Strerror;
+NSS_StrerrorTS;
+NSS_Perror;
+;+    local:
+;+       *;
+;+};
diff --git a/security/nss/lib/util/nssutil.h b/security/nss/lib/util/nssutil.h
index 26b474be5ea6..afae7e895b8f 100644
--- a/security/nss/lib/util/nssutil.h
+++ b/security/nss/lib/util/nssutil.h
@@ -41,6 +41,7 @@
 #define __nssutil_h_
 
 #ifndef RC_INVOKED
+#include "prerror.h"
 #include "seccomon.h"
 #endif
 
@@ -51,11 +52,71 @@
  * The format of the version string should be
  *     ".[.[.]][ ]"
  */
-#define NSSUTIL_VERSION  "3.12.11.0"
+#define NSSUTIL_VERSION  "3.13.0.0 Beta"
 #define NSSUTIL_VMAJOR   3
-#define NSSUTIL_VMINOR   12
-#define NSSUTIL_VPATCH   11
+#define NSSUTIL_VMINOR   13
+#define NSSUTIL_VPATCH   0
 #define NSSUTIL_VBUILD   0
-#define NSSUTIL_BETA     PR_FALSE
+#define NSSUTIL_BETA     PR_TRUE
+
+typedef enum {
+    formatSimple = 0,
+    formatIncludeErrorCode
+} ReportFormatType;
+    
+
+SEC_BEGIN_PROTOS
+
+/*
+ * Returns a const string of the UTIL library version.
+ */
+extern const char *NSSUTIL_GetVersion(void);
+
+extern PRStatus
+NSS_InitializePRErrorTable(void);
+
+/* Returns a UTF-8 encoded constant error string for "errNum".
+ * Returns NULL if either initialization of the error tables
+ * or formatting fails due to insufficient memory.
+ *
+ * The format argument indicates whether extra error information
+ * is desired. This is useful when localizations are not yet
+ * available and the mapping would return nothing for a locale. 
+ *
+ * Specify formatSimple to get just the error string as mapped.
+ * Specify formatIncludeErrorCode to format the error code 
+ * numeric value plus a bracketed stringized error name
+ * preappended to the mapped error string. 
+ * 
+ * Additional formatting options may be added in teh future
+ *
+ * This string must not be modified by the application, but may be modified by
+ * a subsequent call to NSS_Perror() or NSS_Strerror().
+ */
+extern char *
+NSS_Strerror(PRErrorCode errNum, ReportFormatType format);
+
+/* NSS_StrerrorTS is a thread safe version of NSS_Strerror.
+ * It formats output into a buffer allocated at run time.
+ * The buffer is allocated with PR_smprintf thus the string
+ * returned should be freed with PR_smprintf_free.
+ */
+extern char *
+NSS_StrerrorTS(PRErrorCode errNum, ReportFormatType format);
+
+/* Prints an error message on the standard error output, describing the last
+ * error encountered during a call to an NSS library function.
+ *
+ * A language-dependent error message is written and formatted to the standard
+ * error stream as follows:
+ *
+ *  If s is not a null pointer or empty, it prints the string pointed to
+ *  by s followed by a colon and a space and then the error message string
+ *  followed by a newline.
+ */
+extern void
+NSS_Perror(const char *s, ReportFormatType format);
+
+SEC_END_PROTOS
 
 #endif /* __nssutil_h_ */
diff --git a/security/nss/lib/util/pkcs11n.h b/security/nss/lib/util/pkcs11n.h
index 833e7008b44b..0db95a004e63 100644
--- a/security/nss/lib/util/pkcs11n.h
+++ b/security/nss/lib/util/pkcs11n.h
@@ -39,7 +39,7 @@
 #define _PKCS11N_H_
 
 #ifdef DEBUG
-static const char CKT_CVS_ID[] = "@(#) $RCSfile: pkcs11n.h,v $ $Revision: 1.19.22.2 $ $Date: 2010/12/04 19:10:46 $";
+static const char CKT_CVS_ID[] = "@(#) $RCSfile: pkcs11n.h,v $ $Revision: 1.22 $ $Date: 2011/04/13 00:10:27 $";
 #endif /* DEBUG */
 
 /*
@@ -330,17 +330,72 @@ typedef CK_ULONG          CK_TRUST;
 /* If trust goes standard, these'll probably drop out of vendor space. */
 #define CKT_NSS_TRUSTED            (CKT_NSS + 1)
 #define CKT_NSS_TRUSTED_DELEGATOR  (CKT_NSS + 2)
-#define CKT_NSS_UNTRUSTED          (CKT_NSS + 3)
-#define CKT_NSS_MUST_VERIFY        (CKT_NSS + 4)
+#define CKT_NSS_MUST_VERIFY_TRUST  (CKT_NSS + 3)
+#define CKT_NSS_NOT_TRUSTED        (CKT_NSS + 10)
 #define CKT_NSS_TRUST_UNKNOWN      (CKT_NSS + 5) /* default */
 
 /* 
  * These may well remain NSS-specific; I'm only using them
  * to cache resolution data.
  */
-#define CKT_NSS_VALID              (CKT_NSS + 10)
 #define CKT_NSS_VALID_DELEGATOR    (CKT_NSS + 11)
 
+
+/*
+ * old definitions. They still exist, but the plain meaning of the
+ * labels have never been accurate to was was really implemented.
+ * The new labels correctly reflect what the values effectively mean.
+ */
+#if __GNUC__ > 3
+/* make GCC warn when we use these #defines */
+/*
+ *  This is really painful because GCC doesn't allow us to mark random
+ *  #defines as deprecated. We can only mark the following:
+ *      functions, variables, and types.
+ *  const variables will create extra storage for everyone including this
+ *       header file, so it's undesirable.
+ *  functions could be inlined to prevent storage creation, but will fail
+ *       when constant values are expected (like switch statements).
+ *  enum types do not seem to pay attention to the deprecated attribute.
+ *
+ *  That leaves typedefs. We declare new types that we then deprecate, then
+ *  cast the resulting value to the deprecated type in the #define, thus
+ *  producting the warning when the #define is used.
+ */
+#if (__GNUC__  == 4) && (__GNUC_MINOR < 5)
+/* The mac doesn't like the friendlier deprecate messages. I'm assuming this
+ * is a gcc version issue rather than mac or ppc specific */
+typedef CK_TRUST __CKT_NSS_UNTRUSTED __attribute__((deprecated));
+typedef CK_TRUST __CKT_NSS_VALID __attribute__ ((deprecated));
+typedef CK_TRUST __CKT_NSS_MUST_VERIFY __attribute__((deprecated));
+#else
+/* when possible, get a full deprecation warning. This works on gcc 4.5
+ * it may work on earlier versions of gcc */
+typedef CK_TRUST __CKT_NSS_UNTRUSTED __attribute__((deprecated
+    ("CKT_NSS_UNTRUSTED really means CKT_NSS_MUST_VERIFY_TRUST")));
+typedef CK_TRUST __CKT_NSS_VALID __attribute__ ((deprecated
+    ("CKT_NSS_VALID really means CKT_NSS_NOT_TRUSTED")));
+typedef CK_TRUST __CKT_NSS_MUST_VERIFY __attribute__((deprecated
+    ("CKT_NSS_MUST_VERIFY really functions as CKT_NSS_TRUST_UNKNOWN")));
+#endif
+#define CKT_NSS_UNTRUSTED ((__CKT_NSS_UNTRUSTED)CKT_NSS_MUST_VERIFY_TRUST)
+#define CKT_NSS_VALID     ((__CKT_NSS_VALID) CKT_NSS_NOT_TRUSTED)
+/* keep the old value for compatibility reasons*/
+#define CKT_NSS_MUST_VERIFY ((__CKT_NSS_MUST_VERIFY)(CKT_NSS +4))
+#else
+#ifdef _WIN32
+/* This magic gets the windows compiler to give us a deprecation
+ * warning */
+#pragma deprecated(CKT_NSS_UNTRUSTED, CKT_NSS_MUST_VERIFY, CKT_NSS_VALID)
+#endif
+/* CKT_NSS_UNTRUSTED really means CKT_NSS_MUST_VERIFY_TRUST */
+#define CKT_NSS_UNTRUSTED          CKT_NSS_MUST_VERIFY_TRUST
+/* CKT_NSS_VALID really means CKT_NSS_NOT_TRUSTED */
+#define CKT_NSS_VALID              CKT_NSS_NOT_TRUSTED
+/* CKT_NSS_MUST_VERIFY was always treated as CKT_NSS_TRUST_UNKNOWN */
+#define CKT_NSS_MUST_VERIFY        (CKT_NSS + 4)  /*really means trust unknown*/
+#endif
+
 /* don't leave old programs in a lurch just yet, give them the old NETSCAPE
  * synonym */
 #define CKO_NETSCAPE_CRL                CKO_NSS_CRL
@@ -367,6 +422,7 @@ typedef CK_ULONG          CK_TRUST;
 #define CKM_NETSCAPE_AES_KEY_WRAP_PAD	CKM_NSS_AES_KEY_WRAP_PAD
 #define CKR_NETSCAPE_CERTDB_FAILED      CKR_NSS_CERTDB_FAILED
 #define CKR_NETSCAPE_KEYDB_FAILED       CKR_NSS_KEYDB_FAILED
+
 #define CKT_NETSCAPE_TRUSTED            CKT_NSS_TRUSTED
 #define CKT_NETSCAPE_TRUSTED_DELEGATOR  CKT_NSS_TRUSTED_DELEGATOR
 #define CKT_NETSCAPE_UNTRUSTED          CKT_NSS_UNTRUSTED
diff --git a/security/nss/lib/util/quickder.c b/security/nss/lib/util/quickder.c
index 29a5821476f4..3f4f20ccf84b 100644
--- a/security/nss/lib/util/quickder.c
+++ b/security/nss/lib/util/quickder.c
@@ -102,7 +102,7 @@ static unsigned char* definite_length_decoder(const unsigned char *buf,
 
 static SECStatus GetItem(SECItem* src, SECItem* dest, PRBool includeTag)
 {
-    if ( (!src) || (!dest) || (!src->data) )
+    if ( (!src) || (!dest) || (!src->data && src->len) )
     {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
@@ -136,13 +136,13 @@ static SECStatus MatchComponentType(const SEC_ASN1Template* templateEntry,
     unsigned long kind = 0;
     unsigned char tag = 0;
 
-    if ( (!item) || (!templateEntry) || (!match) )
+    if ( (!item) || (!item->data && item->len) || (!templateEntry) || (!match) )
     {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
 
-    if (!item->len || !item->data)
+    if (!item->len)
     {
         *match = PR_FALSE;
         return SECSuccess;
diff --git a/security/nss/lib/util/secasn1e.c b/security/nss/lib/util/secasn1e.c
index 4f058e2b4ed3..d0331e31df93 100644
--- a/security/nss/lib/util/secasn1e.c
+++ b/security/nss/lib/util/secasn1e.c
@@ -38,7 +38,7 @@
  * Support for ENcoding ASN.1 data based on BER/DER (Basic/Distinguished
  * Encoding Rules).
  *
- * $Id: secasn1e.c,v 1.21.66.1 2011/01/13 00:26:57 wtc%google.com Exp $
+ * $Id: secasn1e.c,v 1.22 2011/01/13 00:23:33 wtc%google.com Exp $
  */
 
 #include "secasn1.h"
diff --git a/security/nss/lib/util/secdig.c b/security/nss/lib/util/secdig.c
index 85f5dacb7325..aca029a656f5 100644
--- a/security/nss/lib/util/secdig.c
+++ b/security/nss/lib/util/secdig.c
@@ -33,7 +33,7 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: secdig.c,v 1.9 2007/11/07 02:37:22 julien.pierre.boogz%sun.com Exp $ */
+/* $Id: secdig.c,v 1.10 2010/08/18 05:56:55 emaldona%redhat.com Exp $ */
 #include "secdig.h"
 
 #include "secoid.h"
@@ -74,6 +74,7 @@ SGN_CreateDigestInfo(SECOidTag algorithm, unsigned char *sig, unsigned len)
       case SEC_OID_MD2:
       case SEC_OID_MD5:
       case SEC_OID_SHA1:
+      case SEC_OID_SHA224:
       case SEC_OID_SHA256:
       case SEC_OID_SHA384:
       case SEC_OID_SHA512:
diff --git a/security/nss/lib/util/secitem.c b/security/nss/lib/util/secitem.c
index 382f3c377f86..cbb6f868d6af 100644
--- a/security/nss/lib/util/secitem.c
+++ b/security/nss/lib/util/secitem.c
@@ -37,7 +37,7 @@
 /*
  * Support routines for SECItem data structure.
  *
- * $Id: secitem.c,v 1.15 2008/11/19 16:04:38 nelson%bolyard.com Exp $
+ * $Id: secitem.c,v 1.16 2011/07/22 21:22:40 wtc%google.com Exp $
  */
 
 #include "seccomon.h"
@@ -251,6 +251,10 @@ SECITEM_CopyItem(PRArenaPool *arena, SECItem *to, const SECItem *from)
 	PORT_Memcpy(to->data, from->data, from->len);
 	to->len = from->len;
     } else {
+	/*
+	 * If from->data is NULL but from->len is nonzero, this function
+	 * will succeed.  Is this right?
+	 */
 	to->data = 0;
 	to->len = 0;
     }
diff --git a/security/nss/lib/util/secoid.c b/security/nss/lib/util/secoid.c
index aabfc8eb378d..c72289723cc6 100644
--- a/security/nss/lib/util/secoid.c
+++ b/security/nss/lib/util/secoid.c
@@ -178,6 +178,7 @@ const char __nss_util_sccsid[] = "@(#)NSS " NSSUTIL_VERSION _DEBUG_STRING
 /* Microsoft Object ID space */
 /* { 1.3.6.1.4.1.311 } */
 #define MICROSOFT_OID 0x2b, 0x6, 0x1, 0x4, 0x1, 0x82, 0x37
+#define EV_NAME_ATTRIBUTE 	MICROSOFT_OID, 60, 2, 1
 
 #define CERTICOM_OID            0x2b, 0x81, 0x04
 #define SECG_OID                CERTICOM_OID, 0x00
@@ -295,6 +296,7 @@ CONST_OID x520StreetAddress[]                   = { X520_ATTRIBUTE_TYPE, 9 };
 CONST_OID x520OrgName[]                         = { X520_ATTRIBUTE_TYPE, 10 };
 CONST_OID x520OrgUnitName[]                     = { X520_ATTRIBUTE_TYPE, 11 };
 CONST_OID x520Title[]                           = { X520_ATTRIBUTE_TYPE, 12 };
+CONST_OID x520BusinessCategory[]                = { X520_ATTRIBUTE_TYPE, 15 };
 CONST_OID x520PostalAddress[]                   = { X520_ATTRIBUTE_TYPE, 16 };
 CONST_OID x520PostalCode[]                      = { X520_ATTRIBUTE_TYPE, 17 };
 CONST_OID x520PostOfficeBox[]                   = { X520_ATTRIBUTE_TYPE, 18 };
@@ -521,6 +523,7 @@ CONST_OID camellia256_KEY_WRAP[]		= { CAMELLIA_WRAP_OID, 4};
 CONST_OID sha256[]                              = { SHAXXX, 1 };
 CONST_OID sha384[]                              = { SHAXXX, 2 };
 CONST_OID sha512[]                              = { SHAXXX, 3 };
+CONST_OID sha224[]                              = { SHAXXX, 4 };
 
 CONST_OID ansix962ECPublicKey[]             = { ANSI_X962_OID, 0x02, 0x01 };
 CONST_OID ansix962SignaturewithSHA1Digest[] = { ANSI_X962_SIGNATURE_OID, 0x01 };
@@ -602,6 +605,10 @@ CONST_OID secgECsect571r1[] = {SECG_OID, 0x27 };
 
 CONST_OID seed_CBC[]				= { SEED_OID, 4 };
 
+CONST_OID evIncorporationLocality[]     = { EV_NAME_ATTRIBUTE, 1 };
+CONST_OID evIncorporationState[]        = { EV_NAME_ATTRIBUTE, 2 };
+CONST_OID evIncorporationCountry[]      = { EV_NAME_ATTRIBUTE, 3 };
+
 #define OI(x) { siDEROID, (unsigned char *)x, sizeof x }
 #ifndef SECOID_NO_STRINGS
 #define OD(oid,tag,desc,mech,ext) { OI(oid), tag, desc, mech, ext }
@@ -1636,6 +1643,22 @@ const static SECOidData oids[SEC_OID_TOTAL] = {
     OD( pkcs1SHA224WithRSAEncryption, SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION,
 	"PKCS #1 SHA-224 With RSA Encryption", CKM_SHA224_RSA_PKCS,
 	INVALID_CERT_EXTENSION ),
+
+    OD( sha224, SEC_OID_SHA224, "SHA-224", CKM_SHA224, INVALID_CERT_EXTENSION),
+
+    OD( evIncorporationLocality, SEC_OID_EV_INCORPORATION_LOCALITY,
+        "Jurisdiction of Incorporation Locality Name",
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( evIncorporationState,    SEC_OID_EV_INCORPORATION_STATE,
+        "Jurisdiction of Incorporation State Name",
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( evIncorporationCountry,  SEC_OID_EV_INCORPORATION_COUNTRY,
+        "Jurisdiction of Incorporation Country Name",
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( x520BusinessCategory,    SEC_OID_BUSINESS_CATEGORY,
+        "Business Category",
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+
 };
 
 /* PRIVATE EXTENDED SECOID Table
@@ -2174,4 +2197,8 @@ void UTIL_SetForkState(PRBool forked)
     parentForkedAfterC_Initialize = forked;
 }
 
-
+const char *
+NSSUTIL_GetVersion(void)
+{
+    return NSSUTIL_VERSION;
+}
diff --git a/security/nss/lib/util/secoidt.h b/security/nss/lib/util/secoidt.h
index ad31803061e8..24c854728b8f 100644
--- a/security/nss/lib/util/secoidt.h
+++ b/security/nss/lib/util/secoidt.h
@@ -43,7 +43,7 @@
 /*
  * secoidt.h - public data structures for ASN.1 OID functions
  *
- * $Id: secoidt.h,v 1.31 2010/05/28 01:26:07 wtc%google.com Exp $
+ * $Id: secoidt.h,v 1.34 2010/09/18 21:17:53 nelson%bolyard.com Exp $
  */
 
 #include "secitem.h"
@@ -274,6 +274,9 @@ typedef enum {
     SEC_OID_X942_DIFFIE_HELMAN_KEY = 174,
 
     /* Netscape other name types */
+    /* SEC_OID_NETSCAPE_NICKNAME is an otherName field of type IA5String
+     * in the subjectAltName certificate extension.  NSS dropped support
+     * for SEC_OID_NETSCAPE_NICKNAME in NSS 3.13. */
     SEC_OID_NETSCAPE_NICKNAME = 175,
 
     /* Cert Server OIDS */
@@ -456,6 +459,13 @@ typedef enum {
     SEC_OID_PKCS1_RSA_PSS_SIGNATURE         = 307,
     SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION = 308,
 
+    SEC_OID_SHA224                          = 309,
+
+    SEC_OID_EV_INCORPORATION_LOCALITY       = 310,
+    SEC_OID_EV_INCORPORATION_STATE          = 311,
+    SEC_OID_EV_INCORPORATION_COUNTRY        = 312,
+    SEC_OID_BUSINESS_CATEGORY               = 313,
+
     SEC_OID_TOTAL
 } SECOidTag;
 
diff --git a/security/nss/lib/zlib/Makefile b/security/nss/lib/zlib/Makefile
index 52596b760fdf..2627d9d8cf6d 100644
--- a/security/nss/lib/zlib/Makefile
+++ b/security/nss/lib/zlib/Makefile
@@ -79,10 +79,9 @@ export:: private_export
 
 test: $(PROGRAMS)
 	@cd $(OBJDIR); \
-	echo hello world | ./minigzip | ./minigzip -d || \
-	  echo '		*** minigzip test FAILED ***' ; \
-	if ./example; then \
+	if echo hello world | ./minigzip | ./minigzip -d && ./example; then \
 	  echo '		*** zlib test OK ***'; \
 	else \
-	  echo '		*** zlib test FAILED ***'; \
+	  echo '		*** zlib test FAILED ***'; false; \
 	fi
+	-@rm -f foo.gz
diff --git a/security/nss/lib/zlib/README b/security/nss/lib/zlib/README
index 92639fcea000..d4219bf889f5 100644
--- a/security/nss/lib/zlib/README
+++ b/security/nss/lib/zlib/README
@@ -1,56 +1,52 @@
 ZLIB DATA COMPRESSION LIBRARY
 
-zlib 1.2.3 is a general purpose data compression library.  All the code is
+zlib 1.2.5 is a general purpose data compression library.  All the code is
 thread safe.  The data format used by the zlib library is described by RFCs
 (Request for Comments) 1950 to 1952 in the files
 http://www.ietf.org/rfc/rfc1950.txt (zlib format), rfc1951.txt (deflate format)
-and rfc1952.txt (gzip format). These documents are also available in other
-formats from ftp://ftp.uu.net/graphics/png/documents/zlib/zdoc-index.html
+and rfc1952.txt (gzip format).
 
 All functions of the compression library are documented in the file zlib.h
-(volunteer to write man pages welcome, contact zlib@gzip.org). A usage example
+(volunteer to write man pages welcome, contact zlib@gzip.org).  A usage example
 of the library is given in the file example.c which also tests that the library
-is working correctly. Another example is given in the file minigzip.c. The
+is working correctly.  Another example is given in the file minigzip.c.  The
 compression library itself is composed of all source files except example.c and
 minigzip.c.
 
 To compile all files and run the test program, follow the instructions given at
-the top of Makefile. In short "make test; make install" should work for most
-machines. For Unix: "./configure; make test; make install". For MSDOS, use one
-of the special makefiles such as Makefile.msc. 
+the top of Makefile.in.  In short "./configure; make test", and if that goes
+well, "make install" should work for most flavors of Unix.  For Windows, use one
+of the special makefiles in win32/ or contrib/vstudio/ .  For VMS, use
+make_vms.com.
 
 Questions about zlib should be sent to , or to Gilles Vollant
- for the Windows DLL version. The zlib home page is
-http://www.zlib.org or http://www.gzip.org/zlib/ Before reporting a problem,
-please check this site to verify that you have the latest version of zlib;
-otherwise get the latest version and check whether the problem still exists or
-not.
+ for the Windows DLL version.  The zlib home page is
+http://zlib.net/ .  Before reporting a problem, please check this site to
+verify that you have the latest version of zlib; otherwise get the latest
+version and check whether the problem still exists or not.
 
-PLEASE read the zlib FAQ http://www.gzip.org/zlib/zlib_faq.html before asking
-for help.
+PLEASE read the zlib FAQ http://zlib.net/zlib_faq.html before asking for help.
 
-Mark Nelson  wrote an article about zlib for the Jan. 1997
-issue of  Dr. Dobb's Journal; a copy of the article is available in
-http://dogma.net/markn/articles/zlibtool/zlibtool.htm
+Mark Nelson  wrote an article about zlib for the Jan.  1997
+issue of Dr.  Dobb's Journal; a copy of the article is available at
+http://marknelson.us/1997/01/01/zlib-engine/ .
 
-The changes made in version 1.2.3 are documented in the file ChangeLog.
+The changes made in version 1.2.5 are documented in the file ChangeLog.
 
-Unsupported third party contributions are provided in directory "contrib".
+Unsupported third party contributions are provided in directory contrib/ .
 
-A Java implementation of zlib is available in the Java Development Kit
-http://java.sun.com/j2se/1.4.2/docs/api/java/util/zip/package-summary.html
-See the zlib home page http://www.zlib.org for details.
+zlib is available in Java using the java.util.zip package, documented at
+http://java.sun.com/developer/technicalArticles/Programming/compression/ .
 
-A Perl interface to zlib written by Paul Marquess  is in the
-CPAN (Comprehensive Perl Archive Network) sites
-http://www.cpan.org/modules/by-module/Compress/
+A Perl interface to zlib written by Paul Marquess  is available
+at CPAN (Comprehensive Perl Archive Network) sites, including
+http://search.cpan.org/~pmqs/IO-Compress-Zlib/ .
 
 A Python interface to zlib written by A.M. Kuchling  is
 available in Python 1.5 and later versions, see
-http://www.python.org/doc/lib/module-zlib.html
+http://www.python.org/doc/lib/module-zlib.html .
 
-A zlib binding for TCL written by Andreas Kupries  is
-availlable at http://www.oche.de/~akupries/soft/trf/trf_zip.html
+zlib is built into tcl: http://wiki.tcl.tk/4610 .
 
 An experimental package to read and write files in .zip format, written on top
 of zlib by Gilles Vollant , is available in the
@@ -74,25 +70,21 @@ Notes for some targets:
 - zlib doesn't work on HP-UX 9.05 with some versions of /bin/cc. It works with
   other compilers. Use "make test" to check your compiler.
 
-- gzdopen is not supported on RISCOS, BEOS and by some Mac compilers.
+- gzdopen is not supported on RISCOS or BEOS.
 
 - For PalmOs, see http://palmzlib.sourceforge.net/
 
-- When building a shared, i.e. dynamic library on Mac OS X, the library must be
-  installed before testing (do "make install" before "make test"), since the
-  library location is specified in the library.
-
 
 Acknowledgments:
 
-  The deflate format used by zlib was defined by Phil Katz. The deflate
-  and zlib specifications were written by L. Peter Deutsch. Thanks to all the
-  people who reported problems and suggested various improvements in zlib;
-  they are too numerous to cite here.
+  The deflate format used by zlib was defined by Phil Katz.  The deflate and
+  zlib specifications were written by L.  Peter Deutsch.  Thanks to all the
+  people who reported problems and suggested various improvements in zlib; they
+  are too numerous to cite here.
 
 Copyright notice:
 
- (C) 1995-2004 Jean-loup Gailly and Mark Adler
+ (C) 1995-2010 Jean-loup Gailly and Mark Adler
 
   This software is provided 'as-is', without any express or implied
   warranty.  In no event will the authors be held liable for any damages
@@ -113,13 +105,11 @@ Copyright notice:
   Jean-loup Gailly        Mark Adler
   jloup@gzip.org          madler@alumni.caltech.edu
 
-If you use the zlib library in a product, we would appreciate *not*
-receiving lengthy legal documents to sign. The sources are provided
-for free but without warranty of any kind.  The library has been
-entirely written by Jean-loup Gailly and Mark Adler; it does not
-include third-party code.
+If you use the zlib library in a product, we would appreciate *not* receiving
+lengthy legal documents to sign.  The sources are provided for free but without
+warranty of any kind.  The library has been entirely written by Jean-loup
+Gailly and Mark Adler; it does not include third-party code.
 
-If you redistribute modified sources, we would appreciate that you include
-in the file ChangeLog history information documenting your changes. Please
-read the FAQ for more information on the distribution of modified source
-versions.
+If you redistribute modified sources, we would appreciate that you include in
+the file ChangeLog history information documenting your changes.  Please read
+the FAQ for more information on the distribution of modified source versions.
diff --git a/security/nss/lib/zlib/README.nss b/security/nss/lib/zlib/README.nss
new file mode 100644
index 000000000000..58ad213a0abd
--- /dev/null
+++ b/security/nss/lib/zlib/README.nss
@@ -0,0 +1,18 @@
+zlib data compression library
+
+URL: http://zlib.net/
+Version: 1.2.5
+License: zlib License
+License File: http://zlib.net/zlib_license.html
+
+Description:
+
+NSS uses zlib in libSSL (for the DEFLATE compression method), modutil, and
+signtool.
+
+Local Modifications:
+
+- patches/prune-zlib.sh: run this shell script to remove unneeded files
+  from the zlib distribution.
+- patches/msvc-vsnprintf.patch: define HAVE_VSNPRINTF for Visual C++ 2008
+  (9.0) and later.
diff --git a/security/nss/lib/zlib/adler32.c b/security/nss/lib/zlib/adler32.c
index b5c0433a4d67..2d78e988c1ea 100644
--- a/security/nss/lib/zlib/adler32.c
+++ b/security/nss/lib/zlib/adler32.c
@@ -1,12 +1,15 @@
 /* adler32.c -- compute the Adler-32 checksum of a data stream
- * Copyright (C) 1995-2004 Mark Adler
+ * Copyright (C) 1995-2007 Mark Adler
  * For conditions of distribution and use, see copyright notice in zlib.h
  */
 
-/* @(#) $Id: adler32.c,v 1.5 2009/11/07 01:13:10 wtchang%redhat.com Exp $ */
+/* @(#) $Id: adler32.c,v 1.6 2010/08/22 01:07:02 wtc%google.com Exp $ */
 
-#define ZLIB_INTERNAL
-#include "zlib.h"
+#include "zutil.h"
+
+#define local static
+
+local uLong adler32_combine_(uLong adler1, uLong adler2, z_off64_t len2);
 
 #define BASE 65521UL    /* largest prime smaller than 65536 */
 #define NMAX 5552
@@ -125,10 +128,10 @@ uLong ZEXPORT adler32(adler, buf, len)
 }
 
 /* ========================================================================= */
-uLong ZEXPORT adler32_combine(adler1, adler2, len2)
+local uLong adler32_combine_(adler1, adler2, len2)
     uLong adler1;
     uLong adler2;
-    z_off_t len2;
+    z_off64_t len2;
 {
     unsigned long sum1;
     unsigned long sum2;
@@ -141,9 +144,26 @@ uLong ZEXPORT adler32_combine(adler1, adler2, len2)
     MOD(sum2);
     sum1 += (adler2 & 0xffff) + BASE - 1;
     sum2 += ((adler1 >> 16) & 0xffff) + ((adler2 >> 16) & 0xffff) + BASE - rem;
-    if (sum1 > BASE) sum1 -= BASE;
-    if (sum1 > BASE) sum1 -= BASE;
-    if (sum2 > (BASE << 1)) sum2 -= (BASE << 1);
-    if (sum2 > BASE) sum2 -= BASE;
+    if (sum1 >= BASE) sum1 -= BASE;
+    if (sum1 >= BASE) sum1 -= BASE;
+    if (sum2 >= (BASE << 1)) sum2 -= (BASE << 1);
+    if (sum2 >= BASE) sum2 -= BASE;
     return sum1 | (sum2 << 16);
 }
+
+/* ========================================================================= */
+uLong ZEXPORT adler32_combine(adler1, adler2, len2)
+    uLong adler1;
+    uLong adler2;
+    z_off_t len2;
+{
+    return adler32_combine_(adler1, adler2, len2);
+}
+
+uLong ZEXPORT adler32_combine64(adler1, adler2, len2)
+    uLong adler1;
+    uLong adler2;
+    z_off64_t len2;
+{
+    return adler32_combine_(adler1, adler2, len2);
+}
diff --git a/security/nss/lib/zlib/compress.c b/security/nss/lib/zlib/compress.c
index 61827842809f..9c3368194878 100644
--- a/security/nss/lib/zlib/compress.c
+++ b/security/nss/lib/zlib/compress.c
@@ -1,9 +1,9 @@
 /* compress.c -- compress a memory buffer
- * Copyright (C) 1995-2003 Jean-loup Gailly.
+ * Copyright (C) 1995-2005 Jean-loup Gailly.
  * For conditions of distribution and use, see copyright notice in zlib.h
  */
 
-/* @(#) $Id: compress.c,v 1.5 2009/11/07 01:13:10 wtchang%redhat.com Exp $ */
+/* @(#) $Id: compress.c,v 1.6 2010/08/22 01:07:02 wtc%google.com Exp $ */
 
 #define ZLIB_INTERNAL
 #include "zlib.h"
@@ -75,5 +75,6 @@ int ZEXPORT compress (dest, destLen, source, sourceLen)
 uLong ZEXPORT compressBound (sourceLen)
     uLong sourceLen;
 {
-    return sourceLen + (sourceLen >> 12) + (sourceLen >> 14) + 11;
+    return sourceLen + (sourceLen >> 12) + (sourceLen >> 14) +
+           (sourceLen >> 25) + 13;
 }
diff --git a/security/nss/lib/zlib/crc32.c b/security/nss/lib/zlib/crc32.c
index 3126c689ed02..70663a13707c 100644
--- a/security/nss/lib/zlib/crc32.c
+++ b/security/nss/lib/zlib/crc32.c
@@ -1,5 +1,5 @@
 /* crc32.c -- compute the CRC-32 of a data stream
- * Copyright (C) 1995-2005 Mark Adler
+ * Copyright (C) 1995-2006, 2010 Mark Adler
  * For conditions of distribution and use, see copyright notice in zlib.h
  *
  * Thanks to Rodney Brown  for his contribution of faster
@@ -9,7 +9,7 @@
  * factor of two increase in speed on a Power PC G4 (PPC7455) using gcc -O3.
  */
 
-/* @(#) $Id: crc32.c,v 1.5 2009/11/07 01:13:10 wtchang%redhat.com Exp $ */
+/* @(#) $Id: crc32.c,v 1.6 2010/08/22 01:07:03 wtc%google.com Exp $ */
 
 /*
   Note on the use of DYNAMIC_CRC_TABLE: there is no mutex or semaphore
@@ -53,7 +53,7 @@
 
 /* Definitions for doing the crc four data bytes at a time. */
 #ifdef BYFOUR
-#  define REV(w) (((w)>>24)+(((w)>>8)&0xff00)+ \
+#  define REV(w) ((((w)>>24)&0xff)+(((w)>>8)&0xff00)+ \
                 (((w)&0xff00)<<8)+(((w)&0xff)<<24))
    local unsigned long crc32_little OF((unsigned long,
                         const unsigned char FAR *, unsigned));
@@ -68,6 +68,8 @@
 local unsigned long gf2_matrix_times OF((unsigned long *mat,
                                          unsigned long vec));
 local void gf2_matrix_square OF((unsigned long *square, unsigned long *mat));
+local uLong crc32_combine_(uLong crc1, uLong crc2, z_off64_t len2);
+
 
 #ifdef DYNAMIC_CRC_TABLE
 
@@ -219,7 +221,7 @@ const unsigned long FAR * ZEXPORT get_crc_table()
 unsigned long ZEXPORT crc32(crc, buf, len)
     unsigned long crc;
     const unsigned char FAR *buf;
-    unsigned len;
+    uInt len;
 {
     if (buf == Z_NULL) return 0UL;
 
@@ -367,22 +369,22 @@ local void gf2_matrix_square(square, mat)
 }
 
 /* ========================================================================= */
-uLong ZEXPORT crc32_combine(crc1, crc2, len2)
+local uLong crc32_combine_(crc1, crc2, len2)
     uLong crc1;
     uLong crc2;
-    z_off_t len2;
+    z_off64_t len2;
 {
     int n;
     unsigned long row;
     unsigned long even[GF2_DIM];    /* even-power-of-two zeros operator */
     unsigned long odd[GF2_DIM];     /* odd-power-of-two zeros operator */
 
-    /* degenerate case */
-    if (len2 == 0)
+    /* degenerate case (also disallow negative lengths) */
+    if (len2 <= 0)
         return crc1;
 
     /* put operator for one zero bit in odd */
-    odd[0] = 0xedb88320L;           /* CRC-32 polynomial */
+    odd[0] = 0xedb88320UL;          /* CRC-32 polynomial */
     row = 1;
     for (n = 1; n < GF2_DIM; n++) {
         odd[n] = row;
@@ -421,3 +423,20 @@ uLong ZEXPORT crc32_combine(crc1, crc2, len2)
     crc1 ^= crc2;
     return crc1;
 }
+
+/* ========================================================================= */
+uLong ZEXPORT crc32_combine(crc1, crc2, len2)
+    uLong crc1;
+    uLong crc2;
+    z_off_t len2;
+{
+    return crc32_combine_(crc1, crc2, len2);
+}
+
+uLong ZEXPORT crc32_combine64(crc1, crc2, len2)
+    uLong crc1;
+    uLong crc2;
+    z_off64_t len2;
+{
+    return crc32_combine_(crc1, crc2, len2);
+}
diff --git a/security/nss/lib/zlib/deflate.c b/security/nss/lib/zlib/deflate.c
index 663eb0d4383d..6b41b51db158 100644
--- a/security/nss/lib/zlib/deflate.c
+++ b/security/nss/lib/zlib/deflate.c
@@ -1,5 +1,5 @@
 /* deflate.c -- compress data using the deflation algorithm
- * Copyright (C) 1995-2005 Jean-loup Gailly.
+ * Copyright (C) 1995-2010 Jean-loup Gailly and Mark Adler
  * For conditions of distribution and use, see copyright notice in zlib.h
  */
 
@@ -47,12 +47,12 @@
  *
  */
 
-/* @(#) $Id: deflate.c,v 1.5 2009/11/07 01:13:10 wtchang%redhat.com Exp $ */
+/* @(#) $Id: deflate.c,v 1.6 2010/08/22 01:07:03 wtc%google.com Exp $ */
 
 #include "deflate.h"
 
 const char deflate_copyright[] =
-   " deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly ";
+   " deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler ";
 /*
   If you use the zlib library in a product, an acknowledgment is welcome
   in the documentation of your product. If for some reason you cannot
@@ -79,19 +79,18 @@ local block_state deflate_fast   OF((deflate_state *s, int flush));
 #ifndef FASTEST
 local block_state deflate_slow   OF((deflate_state *s, int flush));
 #endif
+local block_state deflate_rle    OF((deflate_state *s, int flush));
+local block_state deflate_huff   OF((deflate_state *s, int flush));
 local void lm_init        OF((deflate_state *s));
 local void putShortMSB    OF((deflate_state *s, uInt b));
 local void flush_pending  OF((z_streamp strm));
 local int read_buf        OF((z_streamp strm, Bytef *buf, unsigned size));
-#ifndef FASTEST
 #ifdef ASMV
       void match_init OF((void)); /* asm code initialization */
       uInt longest_match  OF((deflate_state *s, IPos cur_match));
 #else
 local uInt longest_match  OF((deflate_state *s, IPos cur_match));
 #endif
-#endif
-local uInt longest_match_fast OF((deflate_state *s, IPos cur_match));
 
 #ifdef DEBUG
 local  void check_match OF((deflate_state *s, IPos start, IPos match,
@@ -110,11 +109,6 @@ local  void check_match OF((deflate_state *s, IPos start, IPos match,
 #endif
 /* Matches of length 3 are discarded if their distance exceeds TOO_FAR */
 
-#define MIN_LOOKAHEAD (MAX_MATCH+MIN_MATCH+1)
-/* Minimum amount of lookahead, except at the end of the input file.
- * See deflate.c for comments about the MIN_MATCH+1.
- */
-
 /* Values for max_lazy_match, good_match and max_chain_length, depending on
  * the desired pack level (0..9). The values given below have been tuned to
  * exclude worst case performance for pathological files. Better values may be
@@ -288,6 +282,8 @@ int ZEXPORT deflateInit2_(strm, level, method, windowBits, memLevel, strategy,
     s->prev   = (Posf *)  ZALLOC(strm, s->w_size, sizeof(Pos));
     s->head   = (Posf *)  ZALLOC(strm, s->hash_size, sizeof(Pos));
 
+    s->high_water = 0;      /* nothing written to s->window yet */
+
     s->lit_bufsize = 1 << (memLevel + 6); /* 16K elements by default */
 
     overlay = (ushf *) ZALLOC(strm, s->lit_bufsize, sizeof(ush)+2);
@@ -332,8 +328,8 @@ int ZEXPORT deflateSetDictionary (strm, dictionary, dictLength)
         strm->adler = adler32(strm->adler, dictionary, dictLength);
 
     if (length < MIN_MATCH) return Z_OK;
-    if (length > MAX_DIST(s)) {
-        length = MAX_DIST(s);
+    if (length > s->w_size) {
+        length = s->w_size;
         dictionary += dictLength - length; /* use the tail of the dictionary */
     }
     zmemcpy(s->window, dictionary, length);
@@ -435,9 +431,10 @@ int ZEXPORT deflateParams(strm, level, strategy)
     }
     func = configuration_table[s->level].func;
 
-    if (func != configuration_table[level].func && strm->total_in != 0) {
+    if ((strategy != s->strategy || func != configuration_table[level].func) &&
+        strm->total_in != 0) {
         /* Flush the last buffer: */
-        err = deflate(strm, Z_PARTIAL_FLUSH);
+        err = deflate(strm, Z_BLOCK);
     }
     if (s->level != level) {
         s->level = level;
@@ -481,33 +478,66 @@ int ZEXPORT deflateTune(strm, good_length, max_lazy, nice_length, max_chain)
  * resulting from using fixed blocks instead of stored blocks, which deflate
  * can emit on compressed data for some combinations of the parameters.
  *
- * This function could be more sophisticated to provide closer upper bounds
- * for every combination of windowBits and memLevel, as well as wrap.
- * But even the conservative upper bound of about 14% expansion does not
- * seem onerous for output buffer allocation.
+ * This function could be more sophisticated to provide closer upper bounds for
+ * every combination of windowBits and memLevel.  But even the conservative
+ * upper bound of about 14% expansion does not seem onerous for output buffer
+ * allocation.
  */
 uLong ZEXPORT deflateBound(strm, sourceLen)
     z_streamp strm;
     uLong sourceLen;
 {
     deflate_state *s;
-    uLong destLen;
+    uLong complen, wraplen;
+    Bytef *str;
 
-    /* conservative upper bound */
-    destLen = sourceLen +
-              ((sourceLen + 7) >> 3) + ((sourceLen + 63) >> 6) + 11;
+    /* conservative upper bound for compressed data */
+    complen = sourceLen +
+              ((sourceLen + 7) >> 3) + ((sourceLen + 63) >> 6) + 5;
 
-    /* if can't get parameters, return conservative bound */
+    /* if can't get parameters, return conservative bound plus zlib wrapper */
     if (strm == Z_NULL || strm->state == Z_NULL)
-        return destLen;
+        return complen + 6;
+
+    /* compute wrapper length */
+    s = strm->state;
+    switch (s->wrap) {
+    case 0:                                 /* raw deflate */
+        wraplen = 0;
+        break;
+    case 1:                                 /* zlib wrapper */
+        wraplen = 6 + (s->strstart ? 4 : 0);
+        break;
+    case 2:                                 /* gzip wrapper */
+        wraplen = 18;
+        if (s->gzhead != Z_NULL) {          /* user-supplied gzip header */
+            if (s->gzhead->extra != Z_NULL)
+                wraplen += 2 + s->gzhead->extra_len;
+            str = s->gzhead->name;
+            if (str != Z_NULL)
+                do {
+                    wraplen++;
+                } while (*str++);
+            str = s->gzhead->comment;
+            if (str != Z_NULL)
+                do {
+                    wraplen++;
+                } while (*str++);
+            if (s->gzhead->hcrc)
+                wraplen += 2;
+        }
+        break;
+    default:                                /* for compiler happiness */
+        wraplen = 6;
+    }
 
     /* if not default parameters, return conservative bound */
-    s = strm->state;
     if (s->w_bits != 15 || s->hash_bits != 8 + 7)
-        return destLen;
+        return complen + wraplen;
 
     /* default settings: return tight bound for that case */
-    return compressBound(sourceLen);
+    return sourceLen + (sourceLen >> 12) + (sourceLen >> 14) +
+           (sourceLen >> 25) + 13 - 6 + wraplen;
 }
 
 /* =========================================================================
@@ -557,7 +587,7 @@ int ZEXPORT deflate (strm, flush)
     deflate_state *s;
 
     if (strm == Z_NULL || strm->state == Z_NULL ||
-        flush > Z_FINISH || flush < 0) {
+        flush > Z_BLOCK || flush < 0) {
         return Z_STREAM_ERROR;
     }
     s = strm->state;
@@ -581,7 +611,7 @@ int ZEXPORT deflate (strm, flush)
             put_byte(s, 31);
             put_byte(s, 139);
             put_byte(s, 8);
-            if (s->gzhead == NULL) {
+            if (s->gzhead == Z_NULL) {
                 put_byte(s, 0);
                 put_byte(s, 0);
                 put_byte(s, 0);
@@ -608,7 +638,7 @@ int ZEXPORT deflate (strm, flush)
                             (s->strategy >= Z_HUFFMAN_ONLY || s->level < 2 ?
                              4 : 0));
                 put_byte(s, s->gzhead->os & 0xff);
-                if (s->gzhead->extra != NULL) {
+                if (s->gzhead->extra != Z_NULL) {
                     put_byte(s, s->gzhead->extra_len & 0xff);
                     put_byte(s, (s->gzhead->extra_len >> 8) & 0xff);
                 }
@@ -650,7 +680,7 @@ int ZEXPORT deflate (strm, flush)
     }
 #ifdef GZIP
     if (s->status == EXTRA_STATE) {
-        if (s->gzhead->extra != NULL) {
+        if (s->gzhead->extra != Z_NULL) {
             uInt beg = s->pending;  /* start of bytes to update crc */
 
             while (s->gzindex < (s->gzhead->extra_len & 0xffff)) {
@@ -678,7 +708,7 @@ int ZEXPORT deflate (strm, flush)
             s->status = NAME_STATE;
     }
     if (s->status == NAME_STATE) {
-        if (s->gzhead->name != NULL) {
+        if (s->gzhead->name != Z_NULL) {
             uInt beg = s->pending;  /* start of bytes to update crc */
             int val;
 
@@ -709,7 +739,7 @@ int ZEXPORT deflate (strm, flush)
             s->status = COMMENT_STATE;
     }
     if (s->status == COMMENT_STATE) {
-        if (s->gzhead->comment != NULL) {
+        if (s->gzhead->comment != Z_NULL) {
             uInt beg = s->pending;  /* start of bytes to update crc */
             int val;
 
@@ -787,7 +817,9 @@ int ZEXPORT deflate (strm, flush)
         (flush != Z_NO_FLUSH && s->status != FINISH_STATE)) {
         block_state bstate;
 
-        bstate = (*(configuration_table[s->level].func))(s, flush);
+        bstate = s->strategy == Z_HUFFMAN_ONLY ? deflate_huff(s, flush) :
+                    (s->strategy == Z_RLE ? deflate_rle(s, flush) :
+                        (*(configuration_table[s->level].func))(s, flush));
 
         if (bstate == finish_started || bstate == finish_done) {
             s->status = FINISH_STATE;
@@ -808,13 +840,17 @@ int ZEXPORT deflate (strm, flush)
         if (bstate == block_done) {
             if (flush == Z_PARTIAL_FLUSH) {
                 _tr_align(s);
-            } else { /* FULL_FLUSH or SYNC_FLUSH */
+            } else if (flush != Z_BLOCK) { /* FULL_FLUSH or SYNC_FLUSH */
                 _tr_stored_block(s, (char*)0, 0L, 0);
                 /* For a full flush, this empty block will be recognized
                  * as a special marker by inflate_sync().
                  */
                 if (flush == Z_FULL_FLUSH) {
                     CLEAR_HASH(s);             /* forget history */
+                    if (s->lookahead == 0) {
+                        s->strstart = 0;
+                        s->block_start = 0L;
+                    }
                 }
             }
             flush_pending(strm);
@@ -1167,12 +1203,13 @@ local uInt longest_match(s, cur_match)
     return s->lookahead;
 }
 #endif /* ASMV */
-#endif /* FASTEST */
+
+#else /* FASTEST */
 
 /* ---------------------------------------------------------------------------
- * Optimized version for level == 1 or strategy == Z_RLE only
+ * Optimized version for FASTEST only
  */
-local uInt longest_match_fast(s, cur_match)
+local uInt longest_match(s, cur_match)
     deflate_state *s;
     IPos cur_match;                             /* current match */
 {
@@ -1225,6 +1262,8 @@ local uInt longest_match_fast(s, cur_match)
     return (uInt)len <= s->lookahead ? (uInt)len : s->lookahead;
 }
 
+#endif /* FASTEST */
+
 #ifdef DEBUG
 /* ===========================================================================
  * Check that the match at match_start is indeed a match.
@@ -1303,7 +1342,6 @@ local void fill_window(s)
                later. (Using level 0 permanently is not an optimal usage of
                zlib, so we don't care about this pathological case.)
              */
-            /* %%% avoid this when Z_RLE */
             n = s->hash_size;
             p = &s->head[n];
             do {
@@ -1355,27 +1393,61 @@ local void fill_window(s)
          */
 
     } while (s->lookahead < MIN_LOOKAHEAD && s->strm->avail_in != 0);
+
+    /* If the WIN_INIT bytes after the end of the current data have never been
+     * written, then zero those bytes in order to avoid memory check reports of
+     * the use of uninitialized (or uninitialised as Julian writes) bytes by
+     * the longest match routines.  Update the high water mark for the next
+     * time through here.  WIN_INIT is set to MAX_MATCH since the longest match
+     * routines allow scanning to strstart + MAX_MATCH, ignoring lookahead.
+     */
+    if (s->high_water < s->window_size) {
+        ulg curr = s->strstart + (ulg)(s->lookahead);
+        ulg init;
+
+        if (s->high_water < curr) {
+            /* Previous high water mark below current data -- zero WIN_INIT
+             * bytes or up to end of window, whichever is less.
+             */
+            init = s->window_size - curr;
+            if (init > WIN_INIT)
+                init = WIN_INIT;
+            zmemzero(s->window + curr, (unsigned)init);
+            s->high_water = curr + init;
+        }
+        else if (s->high_water < (ulg)curr + WIN_INIT) {
+            /* High water mark at or above current data, but below current data
+             * plus WIN_INIT -- zero out to current data plus WIN_INIT, or up
+             * to end of window, whichever is less.
+             */
+            init = (ulg)curr + WIN_INIT - s->high_water;
+            if (init > s->window_size - s->high_water)
+                init = s->window_size - s->high_water;
+            zmemzero(s->window + s->high_water, (unsigned)init);
+            s->high_water += init;
+        }
+    }
 }
 
 /* ===========================================================================
  * Flush the current block, with given end-of-file flag.
  * IN assertion: strstart is set to the end of the current match.
  */
-#define FLUSH_BLOCK_ONLY(s, eof) { \
+#define FLUSH_BLOCK_ONLY(s, last) { \
    _tr_flush_block(s, (s->block_start >= 0L ? \
                    (charf *)&s->window[(unsigned)s->block_start] : \
                    (charf *)Z_NULL), \
                 (ulg)((long)s->strstart - s->block_start), \
-                (eof)); \
+                (last)); \
    s->block_start = s->strstart; \
    flush_pending(s->strm); \
    Tracev((stderr,"[FLUSH]")); \
 }
 
 /* Same but force premature exit if necessary. */
-#define FLUSH_BLOCK(s, eof) { \
-   FLUSH_BLOCK_ONLY(s, eof); \
-   if (s->strm->avail_out == 0) return (eof) ? finish_started : need_more; \
+#define FLUSH_BLOCK(s, last) { \
+   FLUSH_BLOCK_ONLY(s, last); \
+   if (s->strm->avail_out == 0) return (last) ? finish_started : need_more; \
 }
 
 /* ===========================================================================
@@ -1449,7 +1521,7 @@ local block_state deflate_fast(s, flush)
     deflate_state *s;
     int flush;
 {
-    IPos hash_head = NIL; /* head of the hash chain */
+    IPos hash_head;       /* head of the hash chain */
     int bflush;           /* set if current block must be flushed */
 
     for (;;) {
@@ -1469,6 +1541,7 @@ local block_state deflate_fast(s, flush)
         /* Insert the string window[strstart .. strstart+2] in the
          * dictionary, and set hash_head to the head of the hash chain:
          */
+        hash_head = NIL;
         if (s->lookahead >= MIN_MATCH) {
             INSERT_STRING(s, s->strstart, hash_head);
         }
@@ -1481,19 +1554,8 @@ local block_state deflate_fast(s, flush)
              * of window index 0 (in particular we have to avoid a match
              * of the string with itself at the start of the input file).
              */
-#ifdef FASTEST
-            if ((s->strategy != Z_HUFFMAN_ONLY && s->strategy != Z_RLE) ||
-                (s->strategy == Z_RLE && s->strstart - hash_head == 1)) {
-                s->match_length = longest_match_fast (s, hash_head);
-            }
-#else
-            if (s->strategy != Z_HUFFMAN_ONLY && s->strategy != Z_RLE) {
-                s->match_length = longest_match (s, hash_head);
-            } else if (s->strategy == Z_RLE && s->strstart - hash_head == 1) {
-                s->match_length = longest_match_fast (s, hash_head);
-            }
-#endif
-            /* longest_match() or longest_match_fast() sets match_start */
+            s->match_length = longest_match (s, hash_head);
+            /* longest_match() sets match_start */
         }
         if (s->match_length >= MIN_MATCH) {
             check_match(s, s->strstart, s->match_start, s->match_length);
@@ -1555,7 +1617,7 @@ local block_state deflate_slow(s, flush)
     deflate_state *s;
     int flush;
 {
-    IPos hash_head = NIL;    /* head of hash chain */
+    IPos hash_head;          /* head of hash chain */
     int bflush;              /* set if current block must be flushed */
 
     /* Process the input block. */
@@ -1576,6 +1638,7 @@ local block_state deflate_slow(s, flush)
         /* Insert the string window[strstart .. strstart+2] in the
          * dictionary, and set hash_head to the head of the hash chain:
          */
+        hash_head = NIL;
         if (s->lookahead >= MIN_MATCH) {
             INSERT_STRING(s, s->strstart, hash_head);
         }
@@ -1591,12 +1654,8 @@ local block_state deflate_slow(s, flush)
              * of window index 0 (in particular we have to avoid a match
              * of the string with itself at the start of the input file).
              */
-            if (s->strategy != Z_HUFFMAN_ONLY && s->strategy != Z_RLE) {
-                s->match_length = longest_match (s, hash_head);
-            } else if (s->strategy == Z_RLE && s->strstart - hash_head == 1) {
-                s->match_length = longest_match_fast (s, hash_head);
-            }
-            /* longest_match() or longest_match_fast() sets match_start */
+            s->match_length = longest_match (s, hash_head);
+            /* longest_match() sets match_start */
 
             if (s->match_length <= 5 && (s->strategy == Z_FILTERED
 #if TOO_FAR <= 32767
@@ -1674,7 +1733,6 @@ local block_state deflate_slow(s, flush)
 }
 #endif /* FASTEST */
 
-#if 0
 /* ===========================================================================
  * For Z_RLE, simply look for runs of bytes, generate matches only of distance
  * one.  Do not maintain a hash table.  (It will be regenerated if this run of
@@ -1684,11 +1742,9 @@ local block_state deflate_rle(s, flush)
     deflate_state *s;
     int flush;
 {
-    int bflush;         /* set if current block must be flushed */
-    uInt run;           /* length of run */
-    uInt max;           /* maximum length of run */
-    uInt prev;          /* byte at distance one to match */
-    Bytef *scan;        /* scan for end of run */
+    int bflush;             /* set if current block must be flushed */
+    uInt prev;              /* byte at distance one to match */
+    Bytef *scan, *strend;   /* scan goes up to strend for length of run */
 
     for (;;) {
         /* Make sure that we always have enough lookahead, except
@@ -1704,23 +1760,33 @@ local block_state deflate_rle(s, flush)
         }
 
         /* See how many times the previous byte repeats */
-        run = 0;
-        if (s->strstart > 0) {      /* if there is a previous byte, that is */
-            max = s->lookahead < MAX_MATCH ? s->lookahead : MAX_MATCH;
+        s->match_length = 0;
+        if (s->lookahead >= MIN_MATCH && s->strstart > 0) {
             scan = s->window + s->strstart - 1;
-            prev = *scan++;
-            do {
-                if (*scan++ != prev)
-                    break;
-            } while (++run < max);
+            prev = *scan;
+            if (prev == *++scan && prev == *++scan && prev == *++scan) {
+                strend = s->window + s->strstart + MAX_MATCH;
+                do {
+                } while (prev == *++scan && prev == *++scan &&
+                         prev == *++scan && prev == *++scan &&
+                         prev == *++scan && prev == *++scan &&
+                         prev == *++scan && prev == *++scan &&
+                         scan < strend);
+                s->match_length = MAX_MATCH - (int)(strend - scan);
+                if (s->match_length > s->lookahead)
+                    s->match_length = s->lookahead;
+            }
         }
 
         /* Emit match if have run of MIN_MATCH or longer, else emit literal */
-        if (run >= MIN_MATCH) {
-            check_match(s, s->strstart, s->strstart - 1, run);
-            _tr_tally_dist(s, 1, run - MIN_MATCH, bflush);
-            s->lookahead -= run;
-            s->strstart += run;
+        if (s->match_length >= MIN_MATCH) {
+            check_match(s, s->strstart, s->strstart - 1, s->match_length);
+
+            _tr_tally_dist(s, 1, s->match_length - MIN_MATCH, bflush);
+
+            s->lookahead -= s->match_length;
+            s->strstart += s->match_length;
+            s->match_length = 0;
         } else {
             /* No match, output a literal byte */
             Tracevv((stderr,"%c", s->window[s->strstart]));
@@ -1733,4 +1799,36 @@ local block_state deflate_rle(s, flush)
     FLUSH_BLOCK(s, flush == Z_FINISH);
     return flush == Z_FINISH ? finish_done : block_done;
 }
-#endif
+
+/* ===========================================================================
+ * For Z_HUFFMAN_ONLY, do not look for matches.  Do not maintain a hash table.
+ * (It will be regenerated if this run of deflate switches away from Huffman.)
+ */
+local block_state deflate_huff(s, flush)
+    deflate_state *s;
+    int flush;
+{
+    int bflush;             /* set if current block must be flushed */
+
+    for (;;) {
+        /* Make sure that we have a literal to write. */
+        if (s->lookahead == 0) {
+            fill_window(s);
+            if (s->lookahead == 0) {
+                if (flush == Z_NO_FLUSH)
+                    return need_more;
+                break;      /* flush the current block */
+            }
+        }
+
+        /* Output a literal byte */
+        s->match_length = 0;
+        Tracevv((stderr,"%c", s->window[s->strstart]));
+        _tr_tally_lit (s, s->window[s->strstart], bflush);
+        s->lookahead--;
+        s->strstart++;
+        if (bflush) FLUSH_BLOCK(s, 0);
+    }
+    FLUSH_BLOCK(s, flush == Z_FINISH);
+    return flush == Z_FINISH ? finish_done : block_done;
+}
diff --git a/security/nss/lib/zlib/deflate.h b/security/nss/lib/zlib/deflate.h
index 349bbbac5386..969bbb91135b 100644
--- a/security/nss/lib/zlib/deflate.h
+++ b/security/nss/lib/zlib/deflate.h
@@ -1,5 +1,5 @@
 /* deflate.h -- internal compression state
- * Copyright (C) 1995-2004 Jean-loup Gailly
+ * Copyright (C) 1995-2010 Jean-loup Gailly
  * For conditions of distribution and use, see copyright notice in zlib.h
  */
 
@@ -8,7 +8,7 @@
    subject to change. Applications should only use zlib.h.
  */
 
-/* @(#) $Id: deflate.h,v 1.6 2010/04/25 23:37:31 nelson%bolyard.com Exp $ */
+/* @(#) $Id: deflate.h,v 1.7 2010/08/22 01:07:03 wtc%google.com Exp $ */
 
 #ifndef DEFLATE_H
 #define DEFLATE_H
@@ -188,7 +188,7 @@ typedef struct internal_state {
     int nice_match; /* Stop searching when current match exceeds this */
 
                 /* used by trees.c: */
-    /* Didn't use ct_data typedef below to suppress compiler warning */
+    /* Didn't use ct_data typedef below to supress compiler warning */
     struct ct_data_s dyn_ltree[HEAP_SIZE];   /* literal and length tree */
     struct ct_data_s dyn_dtree[2*D_CODES+1]; /* distance tree */
     struct ct_data_s bl_tree[2*BL_CODES+1];  /* Huffman tree for bit lengths */
@@ -260,6 +260,13 @@ typedef struct internal_state {
      * are always zero.
      */
 
+    ulg high_water;
+    /* High water mark offset in window for initialized bytes -- bytes above
+     * this are set to zero in order to avoid memory check warnings when
+     * longest match routines access bytes past the input.  This is then
+     * updated to the new high water mark.
+     */
+
 } FAR deflate_state;
 
 /* Output a byte on the stream.
@@ -278,14 +285,18 @@ typedef struct internal_state {
  * distances are limited to MAX_DIST instead of WSIZE.
  */
 
+#define WIN_INIT MAX_MATCH
+/* Number of bytes after end of data in window to initialize in order to avoid
+   memory checker errors from longest match routines */
+
         /* in trees.c */
-void _tr_init         OF((deflate_state *s));
-int  _tr_tally        OF((deflate_state *s, unsigned dist, unsigned lc));
-void _tr_flush_block  OF((deflate_state *s, charf *buf, ulg stored_len,
-                          int eof));
-void _tr_align        OF((deflate_state *s));
-void _tr_stored_block OF((deflate_state *s, charf *buf, ulg stored_len,
-                          int eof));
+void ZLIB_INTERNAL _tr_init OF((deflate_state *s));
+int ZLIB_INTERNAL _tr_tally OF((deflate_state *s, unsigned dist, unsigned lc));
+void ZLIB_INTERNAL _tr_flush_block OF((deflate_state *s, charf *buf,
+                        ulg stored_len, int last));
+void ZLIB_INTERNAL _tr_align OF((deflate_state *s));
+void ZLIB_INTERNAL _tr_stored_block OF((deflate_state *s, charf *buf,
+                        ulg stored_len, int last));
 
 #define d_code(dist) \
    ((dist) < 256 ? _dist_code[dist] : _dist_code[256+((dist)>>7)])
@@ -298,11 +309,11 @@ void _tr_stored_block OF((deflate_state *s, charf *buf, ulg stored_len,
 /* Inline versions of _tr_tally for speed: */
 
 #if defined(GEN_TREES_H) || !defined(STDC)
-  extern uch _length_code[];
-  extern uch _dist_code[];
+  extern uch ZLIB_INTERNAL _length_code[];
+  extern uch ZLIB_INTERNAL _dist_code[];
 #else
-  extern const uch _length_code[];
-  extern const uch _dist_code[];
+  extern const uch ZLIB_INTERNAL _length_code[];
+  extern const uch ZLIB_INTERNAL _dist_code[];
 #endif
 
 # define _tr_tally_lit(s, c, flush) \
diff --git a/security/nss/lib/zlib/example.c b/security/nss/lib/zlib/example.c
index c126d6ebd215..b6857cc972cc 100644
--- a/security/nss/lib/zlib/example.c
+++ b/security/nss/lib/zlib/example.c
@@ -1,19 +1,19 @@
 /* example.c -- usage example of the zlib compression library
- * Copyright (C) 1995-2004 Jean-loup Gailly.
+ * Copyright (C) 1995-2006 Jean-loup Gailly.
  * For conditions of distribution and use, see copyright notice in zlib.h
  */
 
-/* @(#) $Id: example.c,v 1.6 2009/11/07 01:13:10 nelson%bolyard.com Exp $ */
+/* @(#) $Id: example.c,v 1.7 2010/08/22 01:07:03 wtc%google.com Exp $ */
 
-#include 
 #include "zlib.h"
+#include 
 
 #ifdef STDC
 #  include 
 #  include 
 #endif
 
-#if defined(RISCOS)
+#if defined(VMS) || defined(RISCOS)
 #  define TESTFILE "foo-gz"
 #else
 #  define TESTFILE "foo.gz"
diff --git a/security/nss/lib/zlib/gzclose.c b/security/nss/lib/zlib/gzclose.c
new file mode 100644
index 000000000000..caeb99a3177f
--- /dev/null
+++ b/security/nss/lib/zlib/gzclose.c
@@ -0,0 +1,25 @@
+/* gzclose.c -- zlib gzclose() function
+ * Copyright (C) 2004, 2010 Mark Adler
+ * For conditions of distribution and use, see copyright notice in zlib.h
+ */
+
+#include "gzguts.h"
+
+/* gzclose() is in a separate file so that it is linked in only if it is used.
+   That way the other gzclose functions can be used instead to avoid linking in
+   unneeded compression or decompression routines. */
+int ZEXPORT gzclose(file)
+    gzFile file;
+{
+#ifndef NO_GZCOMPRESS
+    gz_statep state;
+
+    if (file == NULL)
+        return Z_STREAM_ERROR;
+    state = (gz_statep)file;
+
+    return state->mode == GZ_READ ? gzclose_r(file) : gzclose_w(file);
+#else
+    return gzclose_r(file);
+#endif
+}
diff --git a/security/nss/lib/zlib/gzguts.h b/security/nss/lib/zlib/gzguts.h
new file mode 100644
index 000000000000..0f8fb79f87d4
--- /dev/null
+++ b/security/nss/lib/zlib/gzguts.h
@@ -0,0 +1,132 @@
+/* gzguts.h -- zlib internal header definitions for gz* operations
+ * Copyright (C) 2004, 2005, 2010 Mark Adler
+ * For conditions of distribution and use, see copyright notice in zlib.h
+ */
+
+#ifdef _LARGEFILE64_SOURCE
+#  ifndef _LARGEFILE_SOURCE
+#    define _LARGEFILE_SOURCE 1
+#  endif
+#  ifdef _FILE_OFFSET_BITS
+#    undef _FILE_OFFSET_BITS
+#  endif
+#endif
+
+#if ((__GNUC__-0) * 10 + __GNUC_MINOR__-0 >= 33) && !defined(NO_VIZ)
+#  define ZLIB_INTERNAL __attribute__((visibility ("hidden")))
+#else
+#  define ZLIB_INTERNAL
+#endif
+
+#include 
+#include "zlib.h"
+#ifdef STDC
+#  include 
+#  include 
+#  include 
+#endif
+#include 
+
+#ifdef NO_DEFLATE       /* for compatibility with old definition */
+#  define NO_GZCOMPRESS
+#endif
+
+#ifdef _MSC_VER
+#  include 
+#  define vsnprintf _vsnprintf
+#endif
+
+#ifndef local
+#  define local static
+#endif
+/* compile with -Dlocal if your debugger can't find static symbols */
+
+/* gz* functions always use library allocation functions */
+#ifndef STDC
+  extern voidp  malloc OF((uInt size));
+  extern void   free   OF((voidpf ptr));
+#endif
+
+/* get errno and strerror definition */
+#if defined UNDER_CE
+#  include 
+#  define zstrerror() gz_strwinerror((DWORD)GetLastError())
+#else
+#  ifdef STDC
+#    include 
+#    define zstrerror() strerror(errno)
+#  else
+#    define zstrerror() "stdio error (consult errno)"
+#  endif
+#endif
+
+/* provide prototypes for these when building zlib without LFS */
+#if !defined(_LARGEFILE64_SOURCE) || _LFS64_LARGEFILE-0 == 0
+    ZEXTERN gzFile ZEXPORT gzopen64 OF((const char *, const char *));
+    ZEXTERN z_off64_t ZEXPORT gzseek64 OF((gzFile, z_off64_t, int));
+    ZEXTERN z_off64_t ZEXPORT gztell64 OF((gzFile));
+    ZEXTERN z_off64_t ZEXPORT gzoffset64 OF((gzFile));
+#endif
+
+/* default i/o buffer size -- double this for output when reading */
+#define GZBUFSIZE 8192
+
+/* gzip modes, also provide a little integrity check on the passed structure */
+#define GZ_NONE 0
+#define GZ_READ 7247
+#define GZ_WRITE 31153
+#define GZ_APPEND 1     /* mode set to GZ_WRITE after the file is opened */
+
+/* values for gz_state how */
+#define LOOK 0      /* look for a gzip header */
+#define COPY 1      /* copy input directly */
+#define GZIP 2      /* decompress a gzip stream */
+
+/* internal gzip file state data structure */
+typedef struct {
+        /* used for both reading and writing */
+    int mode;               /* see gzip modes above */
+    int fd;                 /* file descriptor */
+    char *path;             /* path or fd for error messages */
+    z_off64_t pos;          /* current position in uncompressed data */
+    unsigned size;          /* buffer size, zero if not allocated yet */
+    unsigned want;          /* requested buffer size, default is GZBUFSIZE */
+    unsigned char *in;      /* input buffer */
+    unsigned char *out;     /* output buffer (double-sized when reading) */
+    unsigned char *next;    /* next output data to deliver or write */
+        /* just for reading */
+    unsigned have;          /* amount of output data unused at next */
+    int eof;                /* true if end of input file reached */
+    z_off64_t start;        /* where the gzip data started, for rewinding */
+    z_off64_t raw;          /* where the raw data started, for seeking */
+    int how;                /* 0: get header, 1: copy, 2: decompress */
+    int direct;             /* true if last read direct, false if gzip */
+        /* just for writing */
+    int level;              /* compression level */
+    int strategy;           /* compression strategy */
+        /* seek request */
+    z_off64_t skip;         /* amount to skip (already rewound if backwards) */
+    int seek;               /* true if seek request pending */
+        /* error information */
+    int err;                /* error code */
+    char *msg;              /* error message */
+        /* zlib inflate or deflate stream */
+    z_stream strm;          /* stream structure in-place (not a pointer) */
+} gz_state;
+typedef gz_state FAR *gz_statep;
+
+/* shared functions */
+void ZLIB_INTERNAL gz_error OF((gz_statep, int, const char *));
+#if defined UNDER_CE
+char ZLIB_INTERNAL *gz_strwinerror OF((DWORD error));
+#endif
+
+/* GT_OFF(x), where x is an unsigned value, is true if x > maximum z_off64_t
+   value -- needed when comparing unsigned to z_off64_t, which is signed
+   (possible z_off64_t types off_t, off64_t, and long are all signed) */
+#ifdef INT_MAX
+#  define GT_OFF(x) (sizeof(int) == sizeof(z_off64_t) && (x) > INT_MAX)
+#else
+unsigned ZLIB_INTERNAL gz_intmax OF((void));
+#  define GT_OFF(x) (sizeof(int) == sizeof(z_off64_t) && (x) > gz_intmax())
+#endif
diff --git a/security/nss/lib/zlib/gzio.c b/security/nss/lib/zlib/gzio.c
deleted file mode 100644
index 846f957d2985..000000000000
--- a/security/nss/lib/zlib/gzio.c
+++ /dev/null
@@ -1,1026 +0,0 @@
-/* gzio.c -- IO on .gz files
- * Copyright (C) 1995-2005 Jean-loup Gailly.
- * For conditions of distribution and use, see copyright notice in zlib.h
- *
- * Compile this file with -DNO_GZCOMPRESS to avoid the compression code.
- */
-
-/* @(#) $Id: gzio.c,v 1.5 2009/11/07 01:13:10 wtchang%redhat.com Exp $ */
-
-#include 
-
-#include "zutil.h"
-
-#ifdef NO_DEFLATE       /* for compatibility with old definition */
-#  define NO_GZCOMPRESS
-#endif
-
-#ifndef NO_DUMMY_DECL
-struct internal_state {int dummy;}; /* for buggy compilers */
-#endif
-
-#ifndef Z_BUFSIZE
-#  ifdef MAXSEG_64K
-#    define Z_BUFSIZE 4096 /* minimize memory usage for 16-bit DOS */
-#  else
-#    define Z_BUFSIZE 16384
-#  endif
-#endif
-#ifndef Z_PRINTF_BUFSIZE
-#  define Z_PRINTF_BUFSIZE 4096
-#endif
-
-#ifdef __MVS__
-#  pragma map (fdopen , "\174\174FDOPEN")
-   FILE *fdopen(int, const char *);
-#endif
-
-#ifndef STDC
-extern voidp  malloc OF((uInt size));
-extern void   free   OF((voidpf ptr));
-#endif
-
-#define ALLOC(size) malloc(size)
-#define TRYFREE(p) {if (p) free(p);}
-
-static int const gz_magic[2] = {0x1f, 0x8b}; /* gzip magic header */
-
-/* gzip flag byte */
-#define ASCII_FLAG   0x01 /* bit 0 set: file probably ascii text */
-#define HEAD_CRC     0x02 /* bit 1 set: header CRC present */
-#define EXTRA_FIELD  0x04 /* bit 2 set: extra field present */
-#define ORIG_NAME    0x08 /* bit 3 set: original file name present */
-#define COMMENT      0x10 /* bit 4 set: file comment present */
-#define RESERVED     0xE0 /* bits 5..7: reserved */
-
-typedef struct gz_stream {
-    z_stream stream;
-    int      z_err;   /* error code for last stream operation */
-    int      z_eof;   /* set if end of input file */
-    FILE     *file;   /* .gz file */
-    Byte     *inbuf;  /* input buffer */
-    Byte     *outbuf; /* output buffer */
-    uLong    crc;     /* crc32 of uncompressed data */
-    char     *msg;    /* error message */
-    char     *path;   /* path name for debugging only */
-    int      transparent; /* 1 if input file is not a .gz file */
-    char     mode;    /* 'w' or 'r' */
-    z_off_t  start;   /* start of compressed data in file (header skipped) */
-    z_off_t  in;      /* bytes into deflate or inflate */
-    z_off_t  out;     /* bytes out of deflate or inflate */
-    int      back;    /* one character push-back */
-    int      last;    /* true if push-back is last character */
-} gz_stream;
-
-
-local gzFile gz_open      OF((const char *path, const char *mode, int  fd));
-local int do_flush        OF((gzFile file, int flush));
-local int    get_byte     OF((gz_stream *s));
-local void   check_header OF((gz_stream *s));
-local int    destroy      OF((gz_stream *s));
-local void   putLong      OF((FILE *file, uLong x));
-local uLong  getLong      OF((gz_stream *s));
-
-/* ===========================================================================
-     Opens a gzip (.gz) file for reading or writing. The mode parameter
-   is as in fopen ("rb" or "wb"). The file is given either by file descriptor
-   or path name (if fd == -1).
-     gz_open returns NULL if the file could not be opened or if there was
-   insufficient memory to allocate the (de)compression state; errno
-   can be checked to distinguish the two cases (if errno is zero, the
-   zlib error is Z_MEM_ERROR).
-*/
-local gzFile gz_open (path, mode, fd)
-    const char *path;
-    const char *mode;
-    int  fd;
-{
-    int err;
-    int level = Z_DEFAULT_COMPRESSION; /* compression level */
-    int strategy = Z_DEFAULT_STRATEGY; /* compression strategy */
-    char *p = (char*)mode;
-    gz_stream *s;
-    char fmode[80]; /* copy of mode, without the compression level */
-    char *m = fmode;
-
-    if (!path || !mode) return Z_NULL;
-
-    s = (gz_stream *)ALLOC(sizeof(gz_stream));
-    if (!s) return Z_NULL;
-
-    s->stream.zalloc = (alloc_func)0;
-    s->stream.zfree = (free_func)0;
-    s->stream.opaque = (voidpf)0;
-    s->stream.next_in = s->inbuf = Z_NULL;
-    s->stream.next_out = s->outbuf = Z_NULL;
-    s->stream.avail_in = s->stream.avail_out = 0;
-    s->file = NULL;
-    s->z_err = Z_OK;
-    s->z_eof = 0;
-    s->in = 0;
-    s->out = 0;
-    s->back = EOF;
-    s->crc = crc32(0L, Z_NULL, 0);
-    s->msg = NULL;
-    s->transparent = 0;
-
-    s->path = (char*)ALLOC(strlen(path)+1);
-    if (s->path == NULL) {
-        return destroy(s), (gzFile)Z_NULL;
-    }
-    strcpy(s->path, path); /* do this early for debugging */
-
-    s->mode = '\0';
-    do {
-        if (*p == 'r') s->mode = 'r';
-        if (*p == 'w' || *p == 'a') s->mode = 'w';
-        if (*p >= '0' && *p <= '9') {
-            level = *p - '0';
-        } else if (*p == 'f') {
-          strategy = Z_FILTERED;
-        } else if (*p == 'h') {
-          strategy = Z_HUFFMAN_ONLY;
-        } else if (*p == 'R') {
-          strategy = Z_RLE;
-        } else {
-            *m++ = *p; /* copy the mode */
-        }
-    } while (*p++ && m != fmode + sizeof(fmode));
-    if (s->mode == '\0') return destroy(s), (gzFile)Z_NULL;
-
-    if (s->mode == 'w') {
-#ifdef NO_GZCOMPRESS
-        err = Z_STREAM_ERROR;
-#else
-        err = deflateInit2(&(s->stream), level,
-                           Z_DEFLATED, -MAX_WBITS, DEF_MEM_LEVEL, strategy);
-        /* windowBits is passed < 0 to suppress zlib header */
-
-        s->stream.next_out = s->outbuf = (Byte*)ALLOC(Z_BUFSIZE);
-#endif
-        if (err != Z_OK || s->outbuf == Z_NULL) {
-            return destroy(s), (gzFile)Z_NULL;
-        }
-    } else {
-        s->stream.next_in  = s->inbuf = (Byte*)ALLOC(Z_BUFSIZE);
-
-        err = inflateInit2(&(s->stream), -MAX_WBITS);
-        /* windowBits is passed < 0 to tell that there is no zlib header.
-         * Note that in this case inflate *requires* an extra "dummy" byte
-         * after the compressed stream in order to complete decompression and
-         * return Z_STREAM_END. Here the gzip CRC32 ensures that 4 bytes are
-         * present after the compressed stream.
-         */
-        if (err != Z_OK || s->inbuf == Z_NULL) {
-            return destroy(s), (gzFile)Z_NULL;
-        }
-    }
-    s->stream.avail_out = Z_BUFSIZE;
-
-    errno = 0;
-    s->file = fd < 0 ? F_OPEN(path, fmode) : (FILE*)fdopen(fd, fmode);
-
-    if (s->file == NULL) {
-        return destroy(s), (gzFile)Z_NULL;
-    }
-    if (s->mode == 'w') {
-        /* Write a very simple .gz header:
-         */
-        fprintf(s->file, "%c%c%c%c%c%c%c%c%c%c", gz_magic[0], gz_magic[1],
-             Z_DEFLATED, 0 /*flags*/, 0,0,0,0 /*time*/, 0 /*xflags*/, OS_CODE);
-        s->start = 10L;
-        /* We use 10L instead of ftell(s->file) to because ftell causes an
-         * fflush on some systems. This version of the library doesn't use
-         * start anyway in write mode, so this initialization is not
-         * necessary.
-         */
-    } else {
-        check_header(s); /* skip the .gz header */
-        s->start = ftell(s->file) - s->stream.avail_in;
-    }
-
-    return (gzFile)s;
-}
-
-/* ===========================================================================
-     Opens a gzip (.gz) file for reading or writing.
-*/
-gzFile ZEXPORT gzopen (path, mode)
-    const char *path;
-    const char *mode;
-{
-    return gz_open (path, mode, -1);
-}
-
-/* ===========================================================================
-     Associate a gzFile with the file descriptor fd. fd is not dup'ed here
-   to mimic the behavio(u)r of fdopen.
-*/
-gzFile ZEXPORT gzdopen (fd, mode)
-    int fd;
-    const char *mode;
-{
-    char name[46];      /* allow for up to 128-bit integers */
-
-    if (fd < 0) return (gzFile)Z_NULL;
-    sprintf(name, "", fd); /* for debugging */
-
-    return gz_open (name, mode, fd);
-}
-
-/* ===========================================================================
- * Update the compression level and strategy
- */
-int ZEXPORT gzsetparams (file, level, strategy)
-    gzFile file;
-    int level;
-    int strategy;
-{
-    gz_stream *s = (gz_stream*)file;
-
-    if (s == NULL || s->mode != 'w') return Z_STREAM_ERROR;
-
-    /* Make room to allow flushing */
-    if (s->stream.avail_out == 0) {
-
-        s->stream.next_out = s->outbuf;
-        if (fwrite(s->outbuf, 1, Z_BUFSIZE, s->file) != Z_BUFSIZE) {
-            s->z_err = Z_ERRNO;
-        }
-        s->stream.avail_out = Z_BUFSIZE;
-    }
-
-    return deflateParams (&(s->stream), level, strategy);
-}
-
-/* ===========================================================================
-     Read a byte from a gz_stream; update next_in and avail_in. Return EOF
-   for end of file.
-   IN assertion: the stream s has been sucessfully opened for reading.
-*/
-local int get_byte(s)
-    gz_stream *s;
-{
-    if (s->z_eof) return EOF;
-    if (s->stream.avail_in == 0) {
-        errno = 0;
-        s->stream.avail_in = (uInt)fread(s->inbuf, 1, Z_BUFSIZE, s->file);
-        if (s->stream.avail_in == 0) {
-            s->z_eof = 1;
-            if (ferror(s->file)) s->z_err = Z_ERRNO;
-            return EOF;
-        }
-        s->stream.next_in = s->inbuf;
-    }
-    s->stream.avail_in--;
-    return *(s->stream.next_in)++;
-}
-
-/* ===========================================================================
-      Check the gzip header of a gz_stream opened for reading. Set the stream
-    mode to transparent if the gzip magic header is not present; set s->err
-    to Z_DATA_ERROR if the magic header is present but the rest of the header
-    is incorrect.
-    IN assertion: the stream s has already been created sucessfully;
-       s->stream.avail_in is zero for the first time, but may be non-zero
-       for concatenated .gz files.
-*/
-local void check_header(s)
-    gz_stream *s;
-{
-    int method; /* method byte */
-    int flags;  /* flags byte */
-    uInt len;
-    int c;
-
-    /* Assure two bytes in the buffer so we can peek ahead -- handle case
-       where first byte of header is at the end of the buffer after the last
-       gzip segment */
-    len = s->stream.avail_in;
-    if (len < 2) {
-        if (len) s->inbuf[0] = s->stream.next_in[0];
-        errno = 0;
-        len = (uInt)fread(s->inbuf + len, 1, Z_BUFSIZE >> len, s->file);
-        if (len == 0 && ferror(s->file)) s->z_err = Z_ERRNO;
-        s->stream.avail_in += len;
-        s->stream.next_in = s->inbuf;
-        if (s->stream.avail_in < 2) {
-            s->transparent = s->stream.avail_in;
-            return;
-        }
-    }
-
-    /* Peek ahead to check the gzip magic header */
-    if (s->stream.next_in[0] != gz_magic[0] ||
-        s->stream.next_in[1] != gz_magic[1]) {
-        s->transparent = 1;
-        return;
-    }
-    s->stream.avail_in -= 2;
-    s->stream.next_in += 2;
-
-    /* Check the rest of the gzip header */
-    method = get_byte(s);
-    flags = get_byte(s);
-    if (method != Z_DEFLATED || (flags & RESERVED) != 0) {
-        s->z_err = Z_DATA_ERROR;
-        return;
-    }
-
-    /* Discard time, xflags and OS code: */
-    for (len = 0; len < 6; len++) (void)get_byte(s);
-
-    if ((flags & EXTRA_FIELD) != 0) { /* skip the extra field */
-        len  =  (uInt)get_byte(s);
-        len += ((uInt)get_byte(s))<<8;
-        /* len is garbage if EOF but the loop below will quit anyway */
-        while (len-- != 0 && get_byte(s) != EOF) ;
-    }
-    if ((flags & ORIG_NAME) != 0) { /* skip the original file name */
-        while ((c = get_byte(s)) != 0 && c != EOF) ;
-    }
-    if ((flags & COMMENT) != 0) {   /* skip the .gz file comment */
-        while ((c = get_byte(s)) != 0 && c != EOF) ;
-    }
-    if ((flags & HEAD_CRC) != 0) {  /* skip the header crc */
-        for (len = 0; len < 2; len++) (void)get_byte(s);
-    }
-    s->z_err = s->z_eof ? Z_DATA_ERROR : Z_OK;
-}
-
- /* ===========================================================================
- * Cleanup then free the given gz_stream. Return a zlib error code.
-   Try freeing in the reverse order of allocations.
- */
-local int destroy (s)
-    gz_stream *s;
-{
-    int err = Z_OK;
-
-    if (!s) return Z_STREAM_ERROR;
-
-    TRYFREE(s->msg);
-
-    if (s->stream.state != NULL) {
-        if (s->mode == 'w') {
-#ifdef NO_GZCOMPRESS
-            err = Z_STREAM_ERROR;
-#else
-            err = deflateEnd(&(s->stream));
-#endif
-        } else if (s->mode == 'r') {
-            err = inflateEnd(&(s->stream));
-        }
-    }
-    if (s->file != NULL && fclose(s->file)) {
-#ifdef ESPIPE
-        if (errno != ESPIPE) /* fclose is broken for pipes in HP/UX */
-#endif
-            err = Z_ERRNO;
-    }
-    if (s->z_err < 0) err = s->z_err;
-
-    TRYFREE(s->inbuf);
-    TRYFREE(s->outbuf);
-    TRYFREE(s->path);
-    TRYFREE(s);
-    return err;
-}
-
-/* ===========================================================================
-     Reads the given number of uncompressed bytes from the compressed file.
-   gzread returns the number of bytes actually read (0 for end of file).
-*/
-int ZEXPORT gzread (file, buf, len)
-    gzFile file;
-    voidp buf;
-    unsigned len;
-{
-    gz_stream *s = (gz_stream*)file;
-    Bytef *start = (Bytef*)buf; /* starting point for crc computation */
-    Byte  *next_out; /* == stream.next_out but not forced far (for MSDOS) */
-
-    if (s == NULL || s->mode != 'r') return Z_STREAM_ERROR;
-
-    if (s->z_err == Z_DATA_ERROR || s->z_err == Z_ERRNO) return -1;
-    if (s->z_err == Z_STREAM_END) return 0;  /* EOF */
-
-    next_out = (Byte*)buf;
-    s->stream.next_out = (Bytef*)buf;
-    s->stream.avail_out = len;
-
-    if (s->stream.avail_out && s->back != EOF) {
-        *next_out++ = s->back;
-        s->stream.next_out++;
-        s->stream.avail_out--;
-        s->back = EOF;
-        s->out++;
-        start++;
-        if (s->last) {
-            s->z_err = Z_STREAM_END;
-            return 1;
-        }
-    }
-
-    while (s->stream.avail_out != 0) {
-
-        if (s->transparent) {
-            /* Copy first the lookahead bytes: */
-            uInt n = s->stream.avail_in;
-            if (n > s->stream.avail_out) n = s->stream.avail_out;
-            if (n > 0) {
-                zmemcpy(s->stream.next_out, s->stream.next_in, n);
-                next_out += n;
-                s->stream.next_out = next_out;
-                s->stream.next_in   += n;
-                s->stream.avail_out -= n;
-                s->stream.avail_in  -= n;
-            }
-            if (s->stream.avail_out > 0) {
-                s->stream.avail_out -=
-                    (uInt)fread(next_out, 1, s->stream.avail_out, s->file);
-            }
-            len -= s->stream.avail_out;
-            s->in  += len;
-            s->out += len;
-            if (len == 0) s->z_eof = 1;
-            return (int)len;
-        }
-        if (s->stream.avail_in == 0 && !s->z_eof) {
-
-            errno = 0;
-            s->stream.avail_in = (uInt)fread(s->inbuf, 1, Z_BUFSIZE, s->file);
-            if (s->stream.avail_in == 0) {
-                s->z_eof = 1;
-                if (ferror(s->file)) {
-                    s->z_err = Z_ERRNO;
-                    break;
-                }
-            }
-            s->stream.next_in = s->inbuf;
-        }
-        s->in += s->stream.avail_in;
-        s->out += s->stream.avail_out;
-        s->z_err = inflate(&(s->stream), Z_NO_FLUSH);
-        s->in -= s->stream.avail_in;
-        s->out -= s->stream.avail_out;
-
-        if (s->z_err == Z_STREAM_END) {
-            /* Check CRC and original size */
-            s->crc = crc32(s->crc, start, (uInt)(s->stream.next_out - start));
-            start = s->stream.next_out;
-
-            if (getLong(s) != s->crc) {
-                s->z_err = Z_DATA_ERROR;
-            } else {
-                (void)getLong(s);
-                /* The uncompressed length returned by above getlong() may be
-                 * different from s->out in case of concatenated .gz files.
-                 * Check for such files:
-                 */
-                check_header(s);
-                if (s->z_err == Z_OK) {
-                    inflateReset(&(s->stream));
-                    s->crc = crc32(0L, Z_NULL, 0);
-                }
-            }
-        }
-        if (s->z_err != Z_OK || s->z_eof) break;
-    }
-    s->crc = crc32(s->crc, start, (uInt)(s->stream.next_out - start));
-
-    if (len == s->stream.avail_out &&
-        (s->z_err == Z_DATA_ERROR || s->z_err == Z_ERRNO))
-        return -1;
-    return (int)(len - s->stream.avail_out);
-}
-
-
-/* ===========================================================================
-      Reads one byte from the compressed file. gzgetc returns this byte
-   or -1 in case of end of file or error.
-*/
-int ZEXPORT gzgetc(file)
-    gzFile file;
-{
-    unsigned char c;
-
-    return gzread(file, &c, 1) == 1 ? c : -1;
-}
-
-
-/* ===========================================================================
-      Push one byte back onto the stream.
-*/
-int ZEXPORT gzungetc(c, file)
-    int c;
-    gzFile file;
-{
-    gz_stream *s = (gz_stream*)file;
-
-    if (s == NULL || s->mode != 'r' || c == EOF || s->back != EOF) return EOF;
-    s->back = c;
-    s->out--;
-    s->last = (s->z_err == Z_STREAM_END);
-    if (s->last) s->z_err = Z_OK;
-    s->z_eof = 0;
-    return c;
-}
-
-
-/* ===========================================================================
-      Reads bytes from the compressed file until len-1 characters are
-   read, or a newline character is read and transferred to buf, or an
-   end-of-file condition is encountered.  The string is then terminated
-   with a null character.
-      gzgets returns buf, or Z_NULL in case of error.
-
-      The current implementation is not optimized at all.
-*/
-char * ZEXPORT gzgets(file, buf, len)
-    gzFile file;
-    char *buf;
-    int len;
-{
-    char *b = buf;
-    if (buf == Z_NULL || len <= 0) return Z_NULL;
-
-    while (--len > 0 && gzread(file, buf, 1) == 1 && *buf++ != '\n') ;
-    *buf = '\0';
-    return b == buf && len > 0 ? Z_NULL : b;
-}
-
-
-#ifndef NO_GZCOMPRESS
-/* ===========================================================================
-     Writes the given number of uncompressed bytes into the compressed file.
-   gzwrite returns the number of bytes actually written (0 in case of error).
-*/
-int ZEXPORT gzwrite (file, buf, len)
-    gzFile file;
-    voidpc buf;
-    unsigned len;
-{
-    gz_stream *s = (gz_stream*)file;
-
-    if (s == NULL || s->mode != 'w') return Z_STREAM_ERROR;
-
-    s->stream.next_in = (Bytef*)buf;
-    s->stream.avail_in = len;
-
-    while (s->stream.avail_in != 0) {
-
-        if (s->stream.avail_out == 0) {
-
-            s->stream.next_out = s->outbuf;
-            if (fwrite(s->outbuf, 1, Z_BUFSIZE, s->file) != Z_BUFSIZE) {
-                s->z_err = Z_ERRNO;
-                break;
-            }
-            s->stream.avail_out = Z_BUFSIZE;
-        }
-        s->in += s->stream.avail_in;
-        s->out += s->stream.avail_out;
-        s->z_err = deflate(&(s->stream), Z_NO_FLUSH);
-        s->in -= s->stream.avail_in;
-        s->out -= s->stream.avail_out;
-        if (s->z_err != Z_OK) break;
-    }
-    s->crc = crc32(s->crc, (const Bytef *)buf, len);
-
-    return (int)(len - s->stream.avail_in);
-}
-
-
-/* ===========================================================================
-     Converts, formats, and writes the args to the compressed file under
-   control of the format string, as in fprintf. gzprintf returns the number of
-   uncompressed bytes actually written (0 in case of error).
-*/
-#ifdef STDC
-#include 
-
-int ZEXPORTVA gzprintf (gzFile file, const char *format, /* args */ ...)
-{
-    char buf[Z_PRINTF_BUFSIZE];
-    va_list va;
-    int len;
-
-    buf[sizeof(buf) - 1] = 0;
-    va_start(va, format);
-#ifdef NO_vsnprintf
-#  ifdef HAS_vsprintf_void
-    (void)vsprintf(buf, format, va);
-    va_end(va);
-    for (len = 0; len < sizeof(buf); len++)
-        if (buf[len] == 0) break;
-#  else
-    len = vsprintf(buf, format, va);
-    va_end(va);
-#  endif
-#else
-#  ifdef HAS_vsnprintf_void
-    (void)vsnprintf(buf, sizeof(buf), format, va);
-    va_end(va);
-    len = strlen(buf);
-#  else
-    len = vsnprintf(buf, sizeof(buf), format, va);
-    va_end(va);
-#  endif
-#endif
-    if (len <= 0 || len >= (int)sizeof(buf) || buf[sizeof(buf) - 1] != 0)
-        return 0;
-    return gzwrite(file, buf, (unsigned)len);
-}
-#else /* not ANSI C */
-
-int ZEXPORTVA gzprintf (file, format, a1, a2, a3, a4, a5, a6, a7, a8, a9, a10,
-                       a11, a12, a13, a14, a15, a16, a17, a18, a19, a20)
-    gzFile file;
-    const char *format;
-    int a1, a2, a3, a4, a5, a6, a7, a8, a9, a10,
-        a11, a12, a13, a14, a15, a16, a17, a18, a19, a20;
-{
-    char buf[Z_PRINTF_BUFSIZE];
-    int len;
-
-    buf[sizeof(buf) - 1] = 0;
-#ifdef NO_snprintf
-#  ifdef HAS_sprintf_void
-    sprintf(buf, format, a1, a2, a3, a4, a5, a6, a7, a8,
-            a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20);
-    for (len = 0; len < sizeof(buf); len++)
-        if (buf[len] == 0) break;
-#  else
-    len = sprintf(buf, format, a1, a2, a3, a4, a5, a6, a7, a8,
-                a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20);
-#  endif
-#else
-#  ifdef HAS_snprintf_void
-    snprintf(buf, sizeof(buf), format, a1, a2, a3, a4, a5, a6, a7, a8,
-             a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20);
-    len = strlen(buf);
-#  else
-    len = snprintf(buf, sizeof(buf), format, a1, a2, a3, a4, a5, a6, a7, a8,
-                 a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20);
-#  endif
-#endif
-    if (len <= 0 || len >= sizeof(buf) || buf[sizeof(buf) - 1] != 0)
-        return 0;
-    return gzwrite(file, buf, len);
-}
-#endif
-
-/* ===========================================================================
-      Writes c, converted to an unsigned char, into the compressed file.
-   gzputc returns the value that was written, or -1 in case of error.
-*/
-int ZEXPORT gzputc(file, c)
-    gzFile file;
-    int c;
-{
-    unsigned char cc = (unsigned char) c; /* required for big endian systems */
-
-    return gzwrite(file, &cc, 1) == 1 ? (int)cc : -1;
-}
-
-
-/* ===========================================================================
-      Writes the given null-terminated string to the compressed file, excluding
-   the terminating null character.
-      gzputs returns the number of characters written, or -1 in case of error.
-*/
-int ZEXPORT gzputs(file, s)
-    gzFile file;
-    const char *s;
-{
-    return gzwrite(file, (char*)s, (unsigned)strlen(s));
-}
-
-
-/* ===========================================================================
-     Flushes all pending output into the compressed file. The parameter
-   flush is as in the deflate() function.
-*/
-local int do_flush (file, flush)
-    gzFile file;
-    int flush;
-{
-    uInt len;
-    int done = 0;
-    gz_stream *s = (gz_stream*)file;
-
-    if (s == NULL || s->mode != 'w') return Z_STREAM_ERROR;
-
-    s->stream.avail_in = 0; /* should be zero already anyway */
-
-    for (;;) {
-        len = Z_BUFSIZE - s->stream.avail_out;
-
-        if (len != 0) {
-            if ((uInt)fwrite(s->outbuf, 1, len, s->file) != len) {
-                s->z_err = Z_ERRNO;
-                return Z_ERRNO;
-            }
-            s->stream.next_out = s->outbuf;
-            s->stream.avail_out = Z_BUFSIZE;
-        }
-        if (done) break;
-        s->out += s->stream.avail_out;
-        s->z_err = deflate(&(s->stream), flush);
-        s->out -= s->stream.avail_out;
-
-        /* Ignore the second of two consecutive flushes: */
-        if (len == 0 && s->z_err == Z_BUF_ERROR) s->z_err = Z_OK;
-
-        /* deflate has finished flushing only when it hasn't used up
-         * all the available space in the output buffer:
-         */
-        done = (s->stream.avail_out != 0 || s->z_err == Z_STREAM_END);
-
-        if (s->z_err != Z_OK && s->z_err != Z_STREAM_END) break;
-    }
-    return  s->z_err == Z_STREAM_END ? Z_OK : s->z_err;
-}
-
-int ZEXPORT gzflush (file, flush)
-     gzFile file;
-     int flush;
-{
-    gz_stream *s = (gz_stream*)file;
-    int err = do_flush (file, flush);
-
-    if (err) return err;
-    fflush(s->file);
-    return  s->z_err == Z_STREAM_END ? Z_OK : s->z_err;
-}
-#endif /* NO_GZCOMPRESS */
-
-/* ===========================================================================
-      Sets the starting position for the next gzread or gzwrite on the given
-   compressed file. The offset represents a number of bytes in the
-      gzseek returns the resulting offset location as measured in bytes from
-   the beginning of the uncompressed stream, or -1 in case of error.
-      SEEK_END is not implemented, returns error.
-      In this version of the library, gzseek can be extremely slow.
-*/
-z_off_t ZEXPORT gzseek (file, offset, whence)
-    gzFile file;
-    z_off_t offset;
-    int whence;
-{
-    gz_stream *s = (gz_stream*)file;
-
-    if (s == NULL || whence == SEEK_END ||
-        s->z_err == Z_ERRNO || s->z_err == Z_DATA_ERROR) {
-        return -1L;
-    }
-
-    if (s->mode == 'w') {
-#ifdef NO_GZCOMPRESS
-        return -1L;
-#else
-        if (whence == SEEK_SET) {
-            offset -= s->in;
-        }
-        if (offset < 0) return -1L;
-
-        /* At this point, offset is the number of zero bytes to write. */
-        if (s->inbuf == Z_NULL) {
-            s->inbuf = (Byte*)ALLOC(Z_BUFSIZE); /* for seeking */
-            if (s->inbuf == Z_NULL) return -1L;
-            zmemzero(s->inbuf, Z_BUFSIZE);
-        }
-        while (offset > 0)  {
-            uInt size = Z_BUFSIZE;
-            if (offset < Z_BUFSIZE) size = (uInt)offset;
-
-            size = gzwrite(file, s->inbuf, size);
-            if (size == 0) return -1L;
-
-            offset -= size;
-        }
-        return s->in;
-#endif
-    }
-    /* Rest of function is for reading only */
-
-    /* compute absolute position */
-    if (whence == SEEK_CUR) {
-        offset += s->out;
-    }
-    if (offset < 0) return -1L;
-
-    if (s->transparent) {
-        /* map to fseek */
-        s->back = EOF;
-        s->stream.avail_in = 0;
-        s->stream.next_in = s->inbuf;
-        if (fseek(s->file, offset, SEEK_SET) < 0) return -1L;
-
-        s->in = s->out = offset;
-        return offset;
-    }
-
-    /* For a negative seek, rewind and use positive seek */
-    if (offset >= s->out) {
-        offset -= s->out;
-    } else if (gzrewind(file) < 0) {
-        return -1L;
-    }
-    /* offset is now the number of bytes to skip. */
-
-    if (offset != 0 && s->outbuf == Z_NULL) {
-        s->outbuf = (Byte*)ALLOC(Z_BUFSIZE);
-        if (s->outbuf == Z_NULL) return -1L;
-    }
-    if (offset && s->back != EOF) {
-        s->back = EOF;
-        s->out++;
-        offset--;
-        if (s->last) s->z_err = Z_STREAM_END;
-    }
-    while (offset > 0)  {
-        int size = Z_BUFSIZE;
-        if (offset < Z_BUFSIZE) size = (int)offset;
-
-        size = gzread(file, s->outbuf, (uInt)size);
-        if (size <= 0) return -1L;
-        offset -= size;
-    }
-    return s->out;
-}
-
-/* ===========================================================================
-     Rewinds input file.
-*/
-int ZEXPORT gzrewind (file)
-    gzFile file;
-{
-    gz_stream *s = (gz_stream*)file;
-
-    if (s == NULL || s->mode != 'r') return -1;
-
-    s->z_err = Z_OK;
-    s->z_eof = 0;
-    s->back = EOF;
-    s->stream.avail_in = 0;
-    s->stream.next_in = s->inbuf;
-    s->crc = crc32(0L, Z_NULL, 0);
-    if (!s->transparent) (void)inflateReset(&s->stream);
-    s->in = 0;
-    s->out = 0;
-    return fseek(s->file, s->start, SEEK_SET);
-}
-
-/* ===========================================================================
-     Returns the starting position for the next gzread or gzwrite on the
-   given compressed file. This position represents a number of bytes in the
-   uncompressed data stream.
-*/
-z_off_t ZEXPORT gztell (file)
-    gzFile file;
-{
-    return gzseek(file, 0L, SEEK_CUR);
-}
-
-/* ===========================================================================
-     Returns 1 when EOF has previously been detected reading the given
-   input stream, otherwise zero.
-*/
-int ZEXPORT gzeof (file)
-    gzFile file;
-{
-    gz_stream *s = (gz_stream*)file;
-
-    /* With concatenated compressed files that can have embedded
-     * crc trailers, z_eof is no longer the only/best indicator of EOF
-     * on a gz_stream. Handle end-of-stream error explicitly here.
-     */
-    if (s == NULL || s->mode != 'r') return 0;
-    if (s->z_eof) return 1;
-    return s->z_err == Z_STREAM_END;
-}
-
-/* ===========================================================================
-     Returns 1 if reading and doing so transparently, otherwise zero.
-*/
-int ZEXPORT gzdirect (file)
-    gzFile file;
-{
-    gz_stream *s = (gz_stream*)file;
-
-    if (s == NULL || s->mode != 'r') return 0;
-    return s->transparent;
-}
-
-/* ===========================================================================
-   Outputs a long in LSB order to the given file
-*/
-local void putLong (file, x)
-    FILE *file;
-    uLong x;
-{
-    int n;
-    for (n = 0; n < 4; n++) {
-        fputc((int)(x & 0xff), file);
-        x >>= 8;
-    }
-}
-
-/* ===========================================================================
-   Reads a long in LSB order from the given gz_stream. Sets z_err in case
-   of error.
-*/
-local uLong getLong (s)
-    gz_stream *s;
-{
-    uLong x = (uLong)get_byte(s);
-    int c;
-
-    x += ((uLong)get_byte(s))<<8;
-    x += ((uLong)get_byte(s))<<16;
-    c = get_byte(s);
-    if (c == EOF) s->z_err = Z_DATA_ERROR;
-    x += ((uLong)c)<<24;
-    return x;
-}
-
-/* ===========================================================================
-     Flushes all pending output if necessary, closes the compressed file
-   and deallocates all the (de)compression state.
-*/
-int ZEXPORT gzclose (file)
-    gzFile file;
-{
-    gz_stream *s = (gz_stream*)file;
-
-    if (s == NULL) return Z_STREAM_ERROR;
-
-    if (s->mode == 'w') {
-#ifdef NO_GZCOMPRESS
-        return Z_STREAM_ERROR;
-#else
-        if (do_flush (file, Z_FINISH) != Z_OK)
-            return destroy((gz_stream*)file);
-
-        putLong (s->file, s->crc);
-        putLong (s->file, (uLong)(s->in & 0xffffffff));
-#endif
-    }
-    return destroy((gz_stream*)file);
-}
-
-#ifdef STDC
-#  define zstrerror(errnum) strerror(errnum)
-#else
-#  define zstrerror(errnum) ""
-#endif
-
-/* ===========================================================================
-     Returns the error message for the last error which occurred on the
-   given compressed file. errnum is set to zlib error number. If an
-   error occurred in the file system and not in the compression library,
-   errnum is set to Z_ERRNO and the application may consult errno
-   to get the exact error code.
-*/
-const char * ZEXPORT gzerror (file, errnum)
-    gzFile file;
-    int *errnum;
-{
-    char *m;
-    gz_stream *s = (gz_stream*)file;
-
-    if (s == NULL) {
-        *errnum = Z_STREAM_ERROR;
-        return (const char*)ERR_MSG(Z_STREAM_ERROR);
-    }
-    *errnum = s->z_err;
-    if (*errnum == Z_OK) return (const char*)"";
-
-    m = (char*)(*errnum == Z_ERRNO ? zstrerror(errno) : s->stream.msg);
-
-    if (m == NULL || *m == '\0') m = (char*)ERR_MSG(s->z_err);
-
-    TRYFREE(s->msg);
-    s->msg = (char*)ALLOC(strlen(s->path) + strlen(m) + 3);
-    if (s->msg == Z_NULL) return (const char*)ERR_MSG(Z_MEM_ERROR);
-    strcpy(s->msg, s->path);
-    strcat(s->msg, ": ");
-    strcat(s->msg, m);
-    return (const char*)s->msg;
-}
-
-/* ===========================================================================
-     Clear the error and end-of-file flags, and do the same for the real file.
-*/
-void ZEXPORT gzclearerr (file)
-    gzFile file;
-{
-    gz_stream *s = (gz_stream*)file;
-
-    if (s == NULL) return;
-    if (s->z_err != Z_STREAM_END) s->z_err = Z_OK;
-    s->z_eof = 0;
-    clearerr(s->file);
-}
diff --git a/security/nss/lib/zlib/gzlib.c b/security/nss/lib/zlib/gzlib.c
new file mode 100644
index 000000000000..603e60ed5444
--- /dev/null
+++ b/security/nss/lib/zlib/gzlib.c
@@ -0,0 +1,537 @@
+/* gzlib.c -- zlib functions common to reading and writing gzip files
+ * Copyright (C) 2004, 2010 Mark Adler
+ * For conditions of distribution and use, see copyright notice in zlib.h
+ */
+
+#include "gzguts.h"
+
+#if defined(_LARGEFILE64_SOURCE) && _LFS64_LARGEFILE-0
+#  define LSEEK lseek64
+#else
+#  define LSEEK lseek
+#endif
+
+/* Local functions */
+local void gz_reset OF((gz_statep));
+local gzFile gz_open OF((const char *, int, const char *));
+
+#if defined UNDER_CE
+
+/* Map the Windows error number in ERROR to a locale-dependent error message
+   string and return a pointer to it.  Typically, the values for ERROR come
+   from GetLastError.
+
+   The string pointed to shall not be modified by the application, but may be
+   overwritten by a subsequent call to gz_strwinerror
+
+   The gz_strwinerror function does not change the current setting of
+   GetLastError. */
+char ZLIB_INTERNAL *gz_strwinerror (error)
+     DWORD error;
+{
+    static char buf[1024];
+
+    wchar_t *msgbuf;
+    DWORD lasterr = GetLastError();
+    DWORD chars = FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM
+        | FORMAT_MESSAGE_ALLOCATE_BUFFER,
+        NULL,
+        error,
+        0, /* Default language */
+        (LPVOID)&msgbuf,
+        0,
+        NULL);
+    if (chars != 0) {
+        /* If there is an \r\n appended, zap it.  */
+        if (chars >= 2
+            && msgbuf[chars - 2] == '\r' && msgbuf[chars - 1] == '\n') {
+            chars -= 2;
+            msgbuf[chars] = 0;
+        }
+
+        if (chars > sizeof (buf) - 1) {
+            chars = sizeof (buf) - 1;
+            msgbuf[chars] = 0;
+        }
+
+        wcstombs(buf, msgbuf, chars + 1);
+        LocalFree(msgbuf);
+    }
+    else {
+        sprintf(buf, "unknown win32 error (%ld)", error);
+    }
+
+    SetLastError(lasterr);
+    return buf;
+}
+
+#endif /* UNDER_CE */
+
+/* Reset gzip file state */
+local void gz_reset(state)
+    gz_statep state;
+{
+    if (state->mode == GZ_READ) {   /* for reading ... */
+        state->have = 0;            /* no output data available */
+        state->eof = 0;             /* not at end of file */
+        state->how = LOOK;          /* look for gzip header */
+        state->direct = 1;          /* default for empty file */
+    }
+    state->seek = 0;                /* no seek request pending */
+    gz_error(state, Z_OK, NULL);    /* clear error */
+    state->pos = 0;                 /* no uncompressed data yet */
+    state->strm.avail_in = 0;       /* no input data yet */
+}
+
+/* Open a gzip file either by name or file descriptor. */
+local gzFile gz_open(path, fd, mode)
+    const char *path;
+    int fd;
+    const char *mode;
+{
+    gz_statep state;
+
+    /* allocate gzFile structure to return */
+    state = malloc(sizeof(gz_state));
+    if (state == NULL)
+        return NULL;
+    state->size = 0;            /* no buffers allocated yet */
+    state->want = GZBUFSIZE;    /* requested buffer size */
+    state->msg = NULL;          /* no error message yet */
+
+    /* interpret mode */
+    state->mode = GZ_NONE;
+    state->level = Z_DEFAULT_COMPRESSION;
+    state->strategy = Z_DEFAULT_STRATEGY;
+    while (*mode) {
+        if (*mode >= '0' && *mode <= '9')
+            state->level = *mode - '0';
+        else
+            switch (*mode) {
+            case 'r':
+                state->mode = GZ_READ;
+                break;
+#ifndef NO_GZCOMPRESS
+            case 'w':
+                state->mode = GZ_WRITE;
+                break;
+            case 'a':
+                state->mode = GZ_APPEND;
+                break;
+#endif
+            case '+':       /* can't read and write at the same time */
+                free(state);
+                return NULL;
+            case 'b':       /* ignore -- will request binary anyway */
+                break;
+            case 'f':
+                state->strategy = Z_FILTERED;
+                break;
+            case 'h':
+                state->strategy = Z_HUFFMAN_ONLY;
+                break;
+            case 'R':
+                state->strategy = Z_RLE;
+                break;
+            case 'F':
+                state->strategy = Z_FIXED;
+            default:        /* could consider as an error, but just ignore */
+                ;
+            }
+        mode++;
+    }
+
+    /* must provide an "r", "w", or "a" */
+    if (state->mode == GZ_NONE) {
+        free(state);
+        return NULL;
+    }
+
+    /* save the path name for error messages */
+    state->path = malloc(strlen(path) + 1);
+    if (state->path == NULL) {
+        free(state);
+        return NULL;
+    }
+    strcpy(state->path, path);
+
+    /* open the file with the appropriate mode (or just use fd) */
+    state->fd = fd != -1 ? fd :
+        open(path,
+#ifdef O_LARGEFILE
+            O_LARGEFILE |
+#endif
+#ifdef O_BINARY
+            O_BINARY |
+#endif
+            (state->mode == GZ_READ ?
+                O_RDONLY :
+                (O_WRONLY | O_CREAT | (
+                    state->mode == GZ_WRITE ?
+                        O_TRUNC :
+                        O_APPEND))),
+            0666);
+    if (state->fd == -1) {
+        free(state->path);
+        free(state);
+        return NULL;
+    }
+    if (state->mode == GZ_APPEND)
+        state->mode = GZ_WRITE;         /* simplify later checks */
+
+    /* save the current position for rewinding (only if reading) */
+    if (state->mode == GZ_READ) {
+        state->start = LSEEK(state->fd, 0, SEEK_CUR);
+        if (state->start == -1) state->start = 0;
+    }
+
+    /* initialize stream */
+    gz_reset(state);
+
+    /* return stream */
+    return (gzFile)state;
+}
+
+/* -- see zlib.h -- */
+gzFile ZEXPORT gzopen(path, mode)
+    const char *path;
+    const char *mode;
+{
+    return gz_open(path, -1, mode);
+}
+
+/* -- see zlib.h -- */
+gzFile ZEXPORT gzopen64(path, mode)
+    const char *path;
+    const char *mode;
+{
+    return gz_open(path, -1, mode);
+}
+
+/* -- see zlib.h -- */
+gzFile ZEXPORT gzdopen(fd, mode)
+    int fd;
+    const char *mode;
+{
+    char *path;         /* identifier for error messages */
+    gzFile gz;
+
+    if (fd == -1 || (path = malloc(7 + 3 * sizeof(int))) == NULL)
+        return NULL;
+    sprintf(path, "", fd);   /* for debugging */
+    gz = gz_open(path, fd, mode);
+    free(path);
+    return gz;
+}
+
+/* -- see zlib.h -- */
+int ZEXPORT gzbuffer(file, size)
+    gzFile file;
+    unsigned size;
+{
+    gz_statep state;
+
+    /* get internal structure and check integrity */
+    if (file == NULL)
+        return -1;
+    state = (gz_statep)file;
+    if (state->mode != GZ_READ && state->mode != GZ_WRITE)
+        return -1;
+
+    /* make sure we haven't already allocated memory */
+    if (state->size != 0)
+        return -1;
+
+    /* check and set requested size */
+    if (size == 0)
+        return -1;
+    state->want = size;
+    return 0;
+}
+
+/* -- see zlib.h -- */
+int ZEXPORT gzrewind(file)
+    gzFile file;
+{
+    gz_statep state;
+
+    /* get internal structure */
+    if (file == NULL)
+        return -1;
+    state = (gz_statep)file;
+
+    /* check that we're reading and that there's no error */
+    if (state->mode != GZ_READ || state->err != Z_OK)
+        return -1;
+
+    /* back up and start over */
+    if (LSEEK(state->fd, state->start, SEEK_SET) == -1)
+        return -1;
+    gz_reset(state);
+    return 0;
+}
+
+/* -- see zlib.h -- */
+z_off64_t ZEXPORT gzseek64(file, offset, whence)
+    gzFile file;
+    z_off64_t offset;
+    int whence;
+{
+    unsigned n;
+    z_off64_t ret;
+    gz_statep state;
+
+    /* get internal structure and check integrity */
+    if (file == NULL)
+        return -1;
+    state = (gz_statep)file;
+    if (state->mode != GZ_READ && state->mode != GZ_WRITE)
+        return -1;
+
+    /* check that there's no error */
+    if (state->err != Z_OK)
+        return -1;
+
+    /* can only seek from start or relative to current position */
+    if (whence != SEEK_SET && whence != SEEK_CUR)
+        return -1;
+
+    /* normalize offset to a SEEK_CUR specification */
+    if (whence == SEEK_SET)
+        offset -= state->pos;
+    else if (state->seek)
+        offset += state->skip;
+    state->seek = 0;
+
+    /* if within raw area while reading, just go there */
+    if (state->mode == GZ_READ && state->how == COPY &&
+        state->pos + offset >= state->raw) {
+        ret = LSEEK(state->fd, offset - state->have, SEEK_CUR);
+        if (ret == -1)
+            return -1;
+        state->have = 0;
+        state->eof = 0;
+        state->seek = 0;
+        gz_error(state, Z_OK, NULL);
+        state->strm.avail_in = 0;
+        state->pos += offset;
+        return state->pos;
+    }
+
+    /* calculate skip amount, rewinding if needed for back seek when reading */
+    if (offset < 0) {
+        if (state->mode != GZ_READ)         /* writing -- can't go backwards */
+            return -1;
+        offset += state->pos;
+        if (offset < 0)                     /* before start of file! */
+            return -1;
+        if (gzrewind(file) == -1)           /* rewind, then skip to offset */
+            return -1;
+    }
+
+    /* if reading, skip what's in output buffer (one less gzgetc() check) */
+    if (state->mode == GZ_READ) {
+        n = GT_OFF(state->have) || (z_off64_t)state->have > offset ?
+            (unsigned)offset : state->have;
+        state->have -= n;
+        state->next += n;
+        state->pos += n;
+        offset -= n;
+    }
+
+    /* request skip (if not zero) */
+    if (offset) {
+        state->seek = 1;
+        state->skip = offset;
+    }
+    return state->pos + offset;
+}
+
+/* -- see zlib.h -- */
+z_off_t ZEXPORT gzseek(file, offset, whence)
+    gzFile file;
+    z_off_t offset;
+    int whence;
+{
+    z_off64_t ret;
+
+    ret = gzseek64(file, (z_off64_t)offset, whence);
+    return ret == (z_off_t)ret ? (z_off_t)ret : -1;
+}
+
+/* -- see zlib.h -- */
+z_off64_t ZEXPORT gztell64(file)
+    gzFile file;
+{
+    gz_statep state;
+
+    /* get internal structure and check integrity */
+    if (file == NULL)
+        return -1;
+    state = (gz_statep)file;
+    if (state->mode != GZ_READ && state->mode != GZ_WRITE)
+        return -1;
+
+    /* return position */
+    return state->pos + (state->seek ? state->skip : 0);
+}
+
+/* -- see zlib.h -- */
+z_off_t ZEXPORT gztell(file)
+    gzFile file;
+{
+    z_off64_t ret;
+
+    ret = gztell64(file);
+    return ret == (z_off_t)ret ? (z_off_t)ret : -1;
+}
+
+/* -- see zlib.h -- */
+z_off64_t ZEXPORT gzoffset64(file)
+    gzFile file;
+{
+    z_off64_t offset;
+    gz_statep state;
+
+    /* get internal structure and check integrity */
+    if (file == NULL)
+        return -1;
+    state = (gz_statep)file;
+    if (state->mode != GZ_READ && state->mode != GZ_WRITE)
+        return -1;
+
+    /* compute and return effective offset in file */
+    offset = LSEEK(state->fd, 0, SEEK_CUR);
+    if (offset == -1)
+        return -1;
+    if (state->mode == GZ_READ)             /* reading */
+        offset -= state->strm.avail_in;     /* don't count buffered input */
+    return offset;
+}
+
+/* -- see zlib.h -- */
+z_off_t ZEXPORT gzoffset(file)
+    gzFile file;
+{
+    z_off64_t ret;
+
+    ret = gzoffset64(file);
+    return ret == (z_off_t)ret ? (z_off_t)ret : -1;
+}
+
+/* -- see zlib.h -- */
+int ZEXPORT gzeof(file)
+    gzFile file;
+{
+    gz_statep state;
+
+    /* get internal structure and check integrity */
+    if (file == NULL)
+        return 0;
+    state = (gz_statep)file;
+    if (state->mode != GZ_READ && state->mode != GZ_WRITE)
+        return 0;
+
+    /* return end-of-file state */
+    return state->mode == GZ_READ ?
+        (state->eof && state->strm.avail_in == 0 && state->have == 0) : 0;
+}
+
+/* -- see zlib.h -- */
+const char * ZEXPORT gzerror(file, errnum)
+    gzFile file;
+    int *errnum;
+{
+    gz_statep state;
+
+    /* get internal structure and check integrity */
+    if (file == NULL)
+        return NULL;
+    state = (gz_statep)file;
+    if (state->mode != GZ_READ && state->mode != GZ_WRITE)
+        return NULL;
+
+    /* return error information */
+    if (errnum != NULL)
+        *errnum = state->err;
+    return state->msg == NULL ? "" : state->msg;
+}
+
+/* -- see zlib.h -- */
+void ZEXPORT gzclearerr(file)
+    gzFile file;
+{
+    gz_statep state;
+
+    /* get internal structure and check integrity */
+    if (file == NULL)
+        return;
+    state = (gz_statep)file;
+    if (state->mode != GZ_READ && state->mode != GZ_WRITE)
+        return;
+
+    /* clear error and end-of-file */
+    if (state->mode == GZ_READ)
+        state->eof = 0;
+    gz_error(state, Z_OK, NULL);
+}
+
+/* Create an error message in allocated memory and set state->err and
+   state->msg accordingly.  Free any previous error message already there.  Do
+   not try to free or allocate space if the error is Z_MEM_ERROR (out of
+   memory).  Simply save the error message as a static string.  If there is an
+   allocation failure constructing the error message, then convert the error to
+   out of memory. */
+void ZLIB_INTERNAL gz_error(state, err, msg)
+    gz_statep state;
+    int err;
+    const char *msg;
+{
+    /* free previously allocated message and clear */
+    if (state->msg != NULL) {
+        if (state->err != Z_MEM_ERROR)
+            free(state->msg);
+        state->msg = NULL;
+    }
+
+    /* set error code, and if no message, then done */
+    state->err = err;
+    if (msg == NULL)
+        return;
+
+    /* for an out of memory error, save as static string */
+    if (err == Z_MEM_ERROR) {
+        state->msg = (char *)msg;
+        return;
+    }
+
+    /* construct error message with path */
+    if ((state->msg = malloc(strlen(state->path) + strlen(msg) + 3)) == NULL) {
+        state->err = Z_MEM_ERROR;
+        state->msg = (char *)"out of memory";
+        return;
+    }
+    strcpy(state->msg, state->path);
+    strcat(state->msg, ": ");
+    strcat(state->msg, msg);
+    return;
+}
+
+#ifndef INT_MAX
+/* portably return maximum value for an int (when limits.h presumed not
+   available) -- we need to do this to cover cases where 2's complement not
+   used, since C standard permits 1's complement and sign-bit representations,
+   otherwise we could just use ((unsigned)-1) >> 1 */
+unsigned ZLIB_INTERNAL gz_intmax()
+{
+    unsigned p, q;
+
+    p = 1;
+    do {
+        q = p;
+        p <<= 1;
+        p++;
+    } while (p > q);
+    return q >> 1;
+}
+#endif
diff --git a/security/nss/lib/zlib/gzread.c b/security/nss/lib/zlib/gzread.c
new file mode 100644
index 000000000000..548201ab0099
--- /dev/null
+++ b/security/nss/lib/zlib/gzread.c
@@ -0,0 +1,653 @@
+/* gzread.c -- zlib functions for reading gzip files
+ * Copyright (C) 2004, 2005, 2010 Mark Adler
+ * For conditions of distribution and use, see copyright notice in zlib.h
+ */
+
+#include "gzguts.h"
+
+/* Local functions */
+local int gz_load OF((gz_statep, unsigned char *, unsigned, unsigned *));
+local int gz_avail OF((gz_statep));
+local int gz_next4 OF((gz_statep, unsigned long *));
+local int gz_head OF((gz_statep));
+local int gz_decomp OF((gz_statep));
+local int gz_make OF((gz_statep));
+local int gz_skip OF((gz_statep, z_off64_t));
+
+/* Use read() to load a buffer -- return -1 on error, otherwise 0.  Read from
+   state->fd, and update state->eof, state->err, and state->msg as appropriate.
+   This function needs to loop on read(), since read() is not guaranteed to
+   read the number of bytes requested, depending on the type of descriptor. */
+local int gz_load(state, buf, len, have)
+    gz_statep state;
+    unsigned char *buf;
+    unsigned len;
+    unsigned *have;
+{
+    int ret;
+
+    *have = 0;
+    do {
+        ret = read(state->fd, buf + *have, len - *have);
+        if (ret <= 0)
+            break;
+        *have += ret;
+    } while (*have < len);
+    if (ret < 0) {
+        gz_error(state, Z_ERRNO, zstrerror());
+        return -1;
+    }
+    if (ret == 0)
+        state->eof = 1;
+    return 0;
+}
+
+/* Load up input buffer and set eof flag if last data loaded -- return -1 on
+   error, 0 otherwise.  Note that the eof flag is set when the end of the input
+   file is reached, even though there may be unused data in the buffer.  Once
+   that data has been used, no more attempts will be made to read the file.
+   gz_avail() assumes that strm->avail_in == 0. */
+local int gz_avail(state)
+    gz_statep state;
+{
+    z_streamp strm = &(state->strm);
+
+    if (state->err != Z_OK)
+        return -1;
+    if (state->eof == 0) {
+        if (gz_load(state, state->in, state->size,
+                (unsigned *)&(strm->avail_in)) == -1)
+            return -1;
+        strm->next_in = state->in;
+    }
+    return 0;
+}
+
+/* Get next byte from input, or -1 if end or error. */
+#define NEXT() ((strm->avail_in == 0 && gz_avail(state) == -1) ? -1 : \
+                (strm->avail_in == 0 ? -1 : \
+                 (strm->avail_in--, *(strm->next_in)++)))
+
+/* Get a four-byte little-endian integer and return 0 on success and the value
+   in *ret.  Otherwise -1 is returned and *ret is not modified. */
+local int gz_next4(state, ret)
+    gz_statep state;
+    unsigned long *ret;
+{
+    int ch;
+    unsigned long val;
+    z_streamp strm = &(state->strm);
+
+    val = NEXT();
+    val += (unsigned)NEXT() << 8;
+    val += (unsigned long)NEXT() << 16;
+    ch = NEXT();
+    if (ch == -1)
+        return -1;
+    val += (unsigned long)ch << 24;
+    *ret = val;
+    return 0;
+}
+
+/* Look for gzip header, set up for inflate or copy.  state->have must be zero.
+   If this is the first time in, allocate required memory.  state->how will be
+   left unchanged if there is no more input data available, will be set to COPY
+   if there is no gzip header and direct copying will be performed, or it will
+   be set to GZIP for decompression, and the gzip header will be skipped so
+   that the next available input data is the raw deflate stream.  If direct
+   copying, then leftover input data from the input buffer will be copied to
+   the output buffer.  In that case, all further file reads will be directly to
+   either the output buffer or a user buffer.  If decompressing, the inflate
+   state and the check value will be initialized.  gz_head() will return 0 on
+   success or -1 on failure.  Failures may include read errors or gzip header
+   errors.  */
+local int gz_head(state)
+    gz_statep state;
+{
+    z_streamp strm = &(state->strm);
+    int flags;
+    unsigned len;
+
+    /* allocate read buffers and inflate memory */
+    if (state->size == 0) {
+        /* allocate buffers */
+        state->in = malloc(state->want);
+        state->out = malloc(state->want << 1);
+        if (state->in == NULL || state->out == NULL) {
+            if (state->out != NULL)
+                free(state->out);
+            if (state->in != NULL)
+                free(state->in);
+            gz_error(state, Z_MEM_ERROR, "out of memory");
+            return -1;
+        }
+        state->size = state->want;
+
+        /* allocate inflate memory */
+        state->strm.zalloc = Z_NULL;
+        state->strm.zfree = Z_NULL;
+        state->strm.opaque = Z_NULL;
+        state->strm.avail_in = 0;
+        state->strm.next_in = Z_NULL;
+        if (inflateInit2(&(state->strm), -15) != Z_OK) {    /* raw inflate */
+            free(state->out);
+            free(state->in);
+            state->size = 0;
+            gz_error(state, Z_MEM_ERROR, "out of memory");
+            return -1;
+        }
+    }
+
+    /* get some data in the input buffer */
+    if (strm->avail_in == 0) {
+        if (gz_avail(state) == -1)
+            return -1;
+        if (strm->avail_in == 0)
+            return 0;
+    }
+
+    /* look for the gzip magic header bytes 31 and 139 */
+    if (strm->next_in[0] == 31) {
+        strm->avail_in--;
+        strm->next_in++;
+        if (strm->avail_in == 0 && gz_avail(state) == -1)
+            return -1;
+        if (strm->avail_in && strm->next_in[0] == 139) {
+            /* we have a gzip header, woo hoo! */
+            strm->avail_in--;
+            strm->next_in++;
+
+            /* skip rest of header */
+            if (NEXT() != 8) {      /* compression method */
+                gz_error(state, Z_DATA_ERROR, "unknown compression method");
+                return -1;
+            }
+            flags = NEXT();
+            if (flags & 0xe0) {     /* reserved flag bits */
+                gz_error(state, Z_DATA_ERROR, "unknown header flags set");
+                return -1;
+            }
+            NEXT();                 /* modification time */
+            NEXT();
+            NEXT();
+            NEXT();
+            NEXT();                 /* extra flags */
+            NEXT();                 /* operating system */
+            if (flags & 4) {        /* extra field */
+                len = (unsigned)NEXT();
+                len += (unsigned)NEXT() << 8;
+                while (len--)
+                    if (NEXT() < 0)
+                        break;
+            }
+            if (flags & 8)          /* file name */
+                while (NEXT() > 0)
+                    ;
+            if (flags & 16)         /* comment */
+                while (NEXT() > 0)
+                    ;
+            if (flags & 2) {        /* header crc */
+                NEXT();
+                NEXT();
+            }
+            /* an unexpected end of file is not checked for here -- it will be
+               noticed on the first request for uncompressed data */
+
+            /* set up for decompression */
+            inflateReset(strm);
+            strm->adler = crc32(0L, Z_NULL, 0);
+            state->how = GZIP;
+            state->direct = 0;
+            return 0;
+        }
+        else {
+            /* not a gzip file -- save first byte (31) and fall to raw i/o */
+            state->out[0] = 31;
+            state->have = 1;
+        }
+    }
+
+    /* doing raw i/o, save start of raw data for seeking, copy any leftover
+       input to output -- this assumes that the output buffer is larger than
+       the input buffer, which also assures space for gzungetc() */
+    state->raw = state->pos;
+    state->next = state->out;
+    if (strm->avail_in) {
+        memcpy(state->next + state->have, strm->next_in, strm->avail_in);
+        state->have += strm->avail_in;
+        strm->avail_in = 0;
+    }
+    state->how = COPY;
+    state->direct = 1;
+    return 0;
+}
+
+/* Decompress from input to the provided next_out and avail_out in the state.
+   If the end of the compressed data is reached, then verify the gzip trailer
+   check value and length (modulo 2^32).  state->have and state->next are set
+   to point to the just decompressed data, and the crc is updated.  If the
+   trailer is verified, state->how is reset to LOOK to look for the next gzip
+   stream or raw data, once state->have is depleted.  Returns 0 on success, -1
+   on failure.  Failures may include invalid compressed data or a failed gzip
+   trailer verification. */
+local int gz_decomp(state)
+    gz_statep state;
+{
+    int ret;
+    unsigned had;
+    unsigned long crc, len;
+    z_streamp strm = &(state->strm);
+
+    /* fill output buffer up to end of deflate stream */
+    had = strm->avail_out;
+    do {
+        /* get more input for inflate() */
+        if (strm->avail_in == 0 && gz_avail(state) == -1)
+            return -1;
+        if (strm->avail_in == 0) {
+            gz_error(state, Z_DATA_ERROR, "unexpected end of file");
+            return -1;
+        }
+
+        /* decompress and handle errors */
+        ret = inflate(strm, Z_NO_FLUSH);
+        if (ret == Z_STREAM_ERROR || ret == Z_NEED_DICT) {
+            gz_error(state, Z_STREAM_ERROR,
+                      "internal error: inflate stream corrupt");
+            return -1;
+        }
+        if (ret == Z_MEM_ERROR) {
+            gz_error(state, Z_MEM_ERROR, "out of memory");
+            return -1;
+        }
+        if (ret == Z_DATA_ERROR) {              /* deflate stream invalid */
+            gz_error(state, Z_DATA_ERROR,
+                      strm->msg == NULL ? "compressed data error" : strm->msg);
+            return -1;
+        }
+    } while (strm->avail_out && ret != Z_STREAM_END);
+
+    /* update available output and crc check value */
+    state->have = had - strm->avail_out;
+    state->next = strm->next_out - state->have;
+    strm->adler = crc32(strm->adler, state->next, state->have);
+
+    /* check gzip trailer if at end of deflate stream */
+    if (ret == Z_STREAM_END) {
+        if (gz_next4(state, &crc) == -1 || gz_next4(state, &len) == -1) {
+            gz_error(state, Z_DATA_ERROR, "unexpected end of file");
+            return -1;
+        }
+        if (crc != strm->adler) {
+            gz_error(state, Z_DATA_ERROR, "incorrect data check");
+            return -1;
+        }
+        if (len != (strm->total_out & 0xffffffffL)) {
+            gz_error(state, Z_DATA_ERROR, "incorrect length check");
+            return -1;
+        }
+        state->how = LOOK;      /* ready for next stream, once have is 0 (leave
+                                   state->direct unchanged to remember how) */
+    }
+
+    /* good decompression */
+    return 0;
+}
+
+/* Make data and put in the output buffer.  Assumes that state->have == 0.
+   Data is either copied from the input file or decompressed from the input
+   file depending on state->how.  If state->how is LOOK, then a gzip header is
+   looked for (and skipped if found) to determine wither to copy or decompress.
+   Returns -1 on error, otherwise 0.  gz_make() will leave state->have as COPY
+   or GZIP unless the end of the input file has been reached and all data has
+   been processed.  */
+local int gz_make(state)
+    gz_statep state;
+{
+    z_streamp strm = &(state->strm);
+
+    if (state->how == LOOK) {           /* look for gzip header */
+        if (gz_head(state) == -1)
+            return -1;
+        if (state->have)                /* got some data from gz_head() */
+            return 0;
+    }
+    if (state->how == COPY) {           /* straight copy */
+        if (gz_load(state, state->out, state->size << 1, &(state->have)) == -1)
+            return -1;
+        state->next = state->out;
+    }
+    else if (state->how == GZIP) {      /* decompress */
+        strm->avail_out = state->size << 1;
+        strm->next_out = state->out;
+        if (gz_decomp(state) == -1)
+            return -1;
+    }
+    return 0;
+}
+
+/* Skip len uncompressed bytes of output.  Return -1 on error, 0 on success. */
+local int gz_skip(state, len)
+    gz_statep state;
+    z_off64_t len;
+{
+    unsigned n;
+
+    /* skip over len bytes or reach end-of-file, whichever comes first */
+    while (len)
+        /* skip over whatever is in output buffer */
+        if (state->have) {
+            n = GT_OFF(state->have) || (z_off64_t)state->have > len ?
+                (unsigned)len : state->have;
+            state->have -= n;
+            state->next += n;
+            state->pos += n;
+            len -= n;
+        }
+
+        /* output buffer empty -- return if we're at the end of the input */
+        else if (state->eof && state->strm.avail_in == 0)
+            break;
+
+        /* need more data to skip -- load up output buffer */
+        else {
+            /* get more output, looking for header if required */
+            if (gz_make(state) == -1)
+                return -1;
+        }
+    return 0;
+}
+
+/* -- see zlib.h -- */
+int ZEXPORT gzread(file, buf, len)
+    gzFile file;
+    voidp buf;
+    unsigned len;
+{
+    unsigned got, n;
+    gz_statep state;
+    z_streamp strm;
+
+    /* get internal structure */
+    if (file == NULL)
+        return -1;
+    state = (gz_statep)file;
+    strm = &(state->strm);
+
+    /* check that we're reading and that there's no error */
+    if (state->mode != GZ_READ || state->err != Z_OK)
+        return -1;
+
+    /* since an int is returned, make sure len fits in one, otherwise return
+       with an error (this avoids the flaw in the interface) */
+    if ((int)len < 0) {
+        gz_error(state, Z_BUF_ERROR, "requested length does not fit in int");
+        return -1;
+    }
+
+    /* if len is zero, avoid unnecessary operations */
+    if (len == 0)
+        return 0;
+
+    /* process a skip request */
+    if (state->seek) {
+        state->seek = 0;
+        if (gz_skip(state, state->skip) == -1)
+            return -1;
+    }
+
+    /* get len bytes to buf, or less than len if at the end */
+    got = 0;
+    do {
+        /* first just try copying data from the output buffer */
+        if (state->have) {
+            n = state->have > len ? len : state->have;
+            memcpy(buf, state->next, n);
+            state->next += n;
+            state->have -= n;
+        }
+
+        /* output buffer empty -- return if we're at the end of the input */
+        else if (state->eof && strm->avail_in == 0)
+            break;
+
+        /* need output data -- for small len or new stream load up our output
+           buffer */
+        else if (state->how == LOOK || len < (state->size << 1)) {
+            /* get more output, looking for header if required */
+            if (gz_make(state) == -1)
+                return -1;
+            continue;       /* no progress yet -- go back to memcpy() above */
+            /* the copy above assures that we will leave with space in the
+               output buffer, allowing at least one gzungetc() to succeed */
+        }
+
+        /* large len -- read directly into user buffer */
+        else if (state->how == COPY) {      /* read directly */
+            if (gz_load(state, buf, len, &n) == -1)
+                return -1;
+        }
+
+        /* large len -- decompress directly into user buffer */
+        else {  /* state->how == GZIP */
+            strm->avail_out = len;
+            strm->next_out = buf;
+            if (gz_decomp(state) == -1)
+                return -1;
+            n = state->have;
+            state->have = 0;
+        }
+
+        /* update progress */
+        len -= n;
+        buf = (char *)buf + n;
+        got += n;
+        state->pos += n;
+    } while (len);
+
+    /* return number of bytes read into user buffer (will fit in int) */
+    return (int)got;
+}
+
+/* -- see zlib.h -- */
+int ZEXPORT gzgetc(file)
+    gzFile file;
+{
+    int ret;
+    unsigned char buf[1];
+    gz_statep state;
+
+    /* get internal structure */
+    if (file == NULL)
+        return -1;
+    state = (gz_statep)file;
+
+    /* check that we're reading and that there's no error */
+    if (state->mode != GZ_READ || state->err != Z_OK)
+        return -1;
+
+    /* try output buffer (no need to check for skip request) */
+    if (state->have) {
+        state->have--;
+        state->pos++;
+        return *(state->next)++;
+    }
+
+    /* nothing there -- try gzread() */
+    ret = gzread(file, buf, 1);
+    return ret < 1 ? -1 : buf[0];
+}
+
+/* -- see zlib.h -- */
+int ZEXPORT gzungetc(c, file)
+    int c;
+    gzFile file;
+{
+    gz_statep state;
+
+    /* get internal structure */
+    if (file == NULL)
+        return -1;
+    state = (gz_statep)file;
+
+    /* check that we're reading and that there's no error */
+    if (state->mode != GZ_READ || state->err != Z_OK)
+        return -1;
+
+    /* process a skip request */
+    if (state->seek) {
+        state->seek = 0;
+        if (gz_skip(state, state->skip) == -1)
+            return -1;
+    }
+
+    /* can't push EOF */
+    if (c < 0)
+        return -1;
+
+    /* if output buffer empty, put byte at end (allows more pushing) */
+    if (state->have == 0) {
+        state->have = 1;
+        state->next = state->out + (state->size << 1) - 1;
+        state->next[0] = c;
+        state->pos--;
+        return c;
+    }
+
+    /* if no room, give up (must have already done a gzungetc()) */
+    if (state->have == (state->size << 1)) {
+        gz_error(state, Z_BUF_ERROR, "out of room to push characters");
+        return -1;
+    }
+
+    /* slide output data if needed and insert byte before existing data */
+    if (state->next == state->out) {
+        unsigned char *src = state->out + state->have;
+        unsigned char *dest = state->out + (state->size << 1);
+        while (src > state->out)
+            *--dest = *--src;
+        state->next = dest;
+    }
+    state->have++;
+    state->next--;
+    state->next[0] = c;
+    state->pos--;
+    return c;
+}
+
+/* -- see zlib.h -- */
+char * ZEXPORT gzgets(file, buf, len)
+    gzFile file;
+    char *buf;
+    int len;
+{
+    unsigned left, n;
+    char *str;
+    unsigned char *eol;
+    gz_statep state;
+
+    /* check parameters and get internal structure */
+    if (file == NULL || buf == NULL || len < 1)
+        return NULL;
+    state = (gz_statep)file;
+
+    /* check that we're reading and that there's no error */
+    if (state->mode != GZ_READ || state->err != Z_OK)
+        return NULL;
+
+    /* process a skip request */
+    if (state->seek) {
+        state->seek = 0;
+        if (gz_skip(state, state->skip) == -1)
+            return NULL;
+    }
+
+    /* copy output bytes up to new line or len - 1, whichever comes first --
+       append a terminating zero to the string (we don't check for a zero in
+       the contents, let the user worry about that) */
+    str = buf;
+    left = (unsigned)len - 1;
+    if (left) do {
+        /* assure that something is in the output buffer */
+        if (state->have == 0) {
+            if (gz_make(state) == -1)
+                return NULL;            /* error */
+            if (state->have == 0) {     /* end of file */
+                if (buf == str)         /* got bupkus */
+                    return NULL;
+                break;                  /* got something -- return it */
+            }
+        }
+
+        /* look for end-of-line in current output buffer */
+        n = state->have > left ? left : state->have;
+        eol = memchr(state->next, '\n', n);
+        if (eol != NULL)
+            n = (unsigned)(eol - state->next) + 1;
+
+        /* copy through end-of-line, or remainder if not found */
+        memcpy(buf, state->next, n);
+        state->have -= n;
+        state->next += n;
+        state->pos += n;
+        left -= n;
+        buf += n;
+    } while (left && eol == NULL);
+
+    /* found end-of-line or out of space -- terminate string and return it */
+    buf[0] = 0;
+    return str;
+}
+
+/* -- see zlib.h -- */
+int ZEXPORT gzdirect(file)
+    gzFile file;
+{
+    gz_statep state;
+
+    /* get internal structure */
+    if (file == NULL)
+        return 0;
+    state = (gz_statep)file;
+
+    /* check that we're reading */
+    if (state->mode != GZ_READ)
+        return 0;
+
+    /* if the state is not known, but we can find out, then do so (this is
+       mainly for right after a gzopen() or gzdopen()) */
+    if (state->how == LOOK && state->have == 0)
+        (void)gz_head(state);
+
+    /* return 1 if reading direct, 0 if decompressing a gzip stream */
+    return state->direct;
+}
+
+/* -- see zlib.h -- */
+int ZEXPORT gzclose_r(file)
+    gzFile file;
+{
+    int ret;
+    gz_statep state;
+
+    /* get internal structure */
+    if (file == NULL)
+        return Z_STREAM_ERROR;
+    state = (gz_statep)file;
+
+    /* check that we're reading */
+    if (state->mode != GZ_READ)
+        return Z_STREAM_ERROR;
+
+    /* free memory and close file */
+    if (state->size) {
+        inflateEnd(&(state->strm));
+        free(state->out);
+        free(state->in);
+    }
+    gz_error(state, Z_OK, NULL);
+    free(state->path);
+    ret = close(state->fd);
+    free(state);
+    return ret ? Z_ERRNO : Z_OK;
+}
diff --git a/security/nss/lib/zlib/gzwrite.c b/security/nss/lib/zlib/gzwrite.c
new file mode 100644
index 000000000000..e8defc6887a1
--- /dev/null
+++ b/security/nss/lib/zlib/gzwrite.c
@@ -0,0 +1,531 @@
+/* gzwrite.c -- zlib functions for writing gzip files
+ * Copyright (C) 2004, 2005, 2010 Mark Adler
+ * For conditions of distribution and use, see copyright notice in zlib.h
+ */
+
+#include "gzguts.h"
+
+/* Local functions */
+local int gz_init OF((gz_statep));
+local int gz_comp OF((gz_statep, int));
+local int gz_zero OF((gz_statep, z_off64_t));
+
+/* Initialize state for writing a gzip file.  Mark initialization by setting
+   state->size to non-zero.  Return -1 on failure or 0 on success. */
+local int gz_init(state)
+    gz_statep state;
+{
+    int ret;
+    z_streamp strm = &(state->strm);
+
+    /* allocate input and output buffers */
+    state->in = malloc(state->want);
+    state->out = malloc(state->want);
+    if (state->in == NULL || state->out == NULL) {
+        if (state->out != NULL)
+            free(state->out);
+        if (state->in != NULL)
+            free(state->in);
+        gz_error(state, Z_MEM_ERROR, "out of memory");
+        return -1;
+    }
+
+    /* allocate deflate memory, set up for gzip compression */
+    strm->zalloc = Z_NULL;
+    strm->zfree = Z_NULL;
+    strm->opaque = Z_NULL;
+    ret = deflateInit2(strm, state->level, Z_DEFLATED,
+                       15 + 16, 8, state->strategy);
+    if (ret != Z_OK) {
+        free(state->in);
+        gz_error(state, Z_MEM_ERROR, "out of memory");
+        return -1;
+    }
+
+    /* mark state as initialized */
+    state->size = state->want;
+
+    /* initialize write buffer */
+    strm->avail_out = state->size;
+    strm->next_out = state->out;
+    state->next = strm->next_out;
+    return 0;
+}
+
+/* Compress whatever is at avail_in and next_in and write to the output file.
+   Return -1 if there is an error writing to the output file, otherwise 0.
+   flush is assumed to be a valid deflate() flush value.  If flush is Z_FINISH,
+   then the deflate() state is reset to start a new gzip stream. */
+local int gz_comp(state, flush)
+    gz_statep state;
+    int flush;
+{
+    int ret, got;
+    unsigned have;
+    z_streamp strm = &(state->strm);
+
+    /* allocate memory if this is the first time through */
+    if (state->size == 0 && gz_init(state) == -1)
+        return -1;
+
+    /* run deflate() on provided input until it produces no more output */
+    ret = Z_OK;
+    do {
+        /* write out current buffer contents if full, or if flushing, but if
+           doing Z_FINISH then don't write until we get to Z_STREAM_END */
+        if (strm->avail_out == 0 || (flush != Z_NO_FLUSH &&
+            (flush != Z_FINISH || ret == Z_STREAM_END))) {
+            have = (unsigned)(strm->next_out - state->next);
+            if (have && ((got = write(state->fd, state->next, have)) < 0 ||
+                         (unsigned)got != have)) {
+                gz_error(state, Z_ERRNO, zstrerror());
+                return -1;
+            }
+            if (strm->avail_out == 0) {
+                strm->avail_out = state->size;
+                strm->next_out = state->out;
+            }
+            state->next = strm->next_out;
+        }
+
+        /* compress */
+        have = strm->avail_out;
+        ret = deflate(strm, flush);
+        if (ret == Z_STREAM_ERROR) {
+            gz_error(state, Z_STREAM_ERROR,
+                      "internal error: deflate stream corrupt");
+            return -1;
+        }
+        have -= strm->avail_out;
+    } while (have);
+
+    /* if that completed a deflate stream, allow another to start */
+    if (flush == Z_FINISH)
+        deflateReset(strm);
+
+    /* all done, no errors */
+    return 0;
+}
+
+/* Compress len zeros to output.  Return -1 on error, 0 on success. */
+local int gz_zero(state, len)
+    gz_statep state;
+    z_off64_t len;
+{
+    int first;
+    unsigned n;
+    z_streamp strm = &(state->strm);
+
+    /* consume whatever's left in the input buffer */
+    if (strm->avail_in && gz_comp(state, Z_NO_FLUSH) == -1)
+        return -1;
+
+    /* compress len zeros (len guaranteed > 0) */
+    first = 1;
+    while (len) {
+        n = GT_OFF(state->size) || (z_off64_t)state->size > len ?
+            (unsigned)len : state->size;
+        if (first) {
+            memset(state->in, 0, n);
+            first = 0;
+        }
+        strm->avail_in = n;
+        strm->next_in = state->in;
+        state->pos += n;
+        if (gz_comp(state, Z_NO_FLUSH) == -1)
+            return -1;
+        len -= n;
+    }
+    return 0;
+}
+
+/* -- see zlib.h -- */
+int ZEXPORT gzwrite(file, buf, len)
+    gzFile file;
+    voidpc buf;
+    unsigned len;
+{
+    unsigned put = len;
+    unsigned n;
+    gz_statep state;
+    z_streamp strm;
+
+    /* get internal structure */
+    if (file == NULL)
+        return 0;
+    state = (gz_statep)file;
+    strm = &(state->strm);
+
+    /* check that we're writing and that there's no error */
+    if (state->mode != GZ_WRITE || state->err != Z_OK)
+        return 0;
+
+    /* since an int is returned, make sure len fits in one, otherwise return
+       with an error (this avoids the flaw in the interface) */
+    if ((int)len < 0) {
+        gz_error(state, Z_BUF_ERROR, "requested length does not fit in int");
+        return 0;
+    }
+
+    /* if len is zero, avoid unnecessary operations */
+    if (len == 0)
+        return 0;
+
+    /* allocate memory if this is the first time through */
+    if (state->size == 0 && gz_init(state) == -1)
+        return 0;
+
+    /* check for seek request */
+    if (state->seek) {
+        state->seek = 0;
+        if (gz_zero(state, state->skip) == -1)
+            return 0;
+    }
+
+    /* for small len, copy to input buffer, otherwise compress directly */
+    if (len < state->size) {
+        /* copy to input buffer, compress when full */
+        do {
+            if (strm->avail_in == 0)
+                strm->next_in = state->in;
+            n = state->size - strm->avail_in;
+            if (n > len)
+                n = len;
+            memcpy(strm->next_in + strm->avail_in, buf, n);
+            strm->avail_in += n;
+            state->pos += n;
+            buf = (char *)buf + n;
+            len -= n;
+            if (len && gz_comp(state, Z_NO_FLUSH) == -1)
+                return 0;
+        } while (len);
+    }
+    else {
+        /* consume whatever's left in the input buffer */
+        if (strm->avail_in && gz_comp(state, Z_NO_FLUSH) == -1)
+            return 0;
+
+        /* directly compress user buffer to file */
+        strm->avail_in = len;
+        strm->next_in = (voidp)buf;
+        state->pos += len;
+        if (gz_comp(state, Z_NO_FLUSH) == -1)
+            return 0;
+    }
+
+    /* input was all buffered or compressed (put will fit in int) */
+    return (int)put;
+}
+
+/* -- see zlib.h -- */
+int ZEXPORT gzputc(file, c)
+    gzFile file;
+    int c;
+{
+    unsigned char buf[1];
+    gz_statep state;
+    z_streamp strm;
+
+    /* get internal structure */
+    if (file == NULL)
+        return -1;
+    state = (gz_statep)file;
+    strm = &(state->strm);
+
+    /* check that we're writing and that there's no error */
+    if (state->mode != GZ_WRITE || state->err != Z_OK)
+        return -1;
+
+    /* check for seek request */
+    if (state->seek) {
+        state->seek = 0;
+        if (gz_zero(state, state->skip) == -1)
+            return -1;
+    }
+
+    /* try writing to input buffer for speed (state->size == 0 if buffer not
+       initialized) */
+    if (strm->avail_in < state->size) {
+        if (strm->avail_in == 0)
+            strm->next_in = state->in;
+        strm->next_in[strm->avail_in++] = c;
+        state->pos++;
+        return c;
+    }
+
+    /* no room in buffer or not initialized, use gz_write() */
+    buf[0] = c;
+    if (gzwrite(file, buf, 1) != 1)
+        return -1;
+    return c;
+}
+
+/* -- see zlib.h -- */
+int ZEXPORT gzputs(file, str)
+    gzFile file;
+    const char *str;
+{
+    int ret;
+    unsigned len;
+
+    /* write string */
+    len = (unsigned)strlen(str);
+    ret = gzwrite(file, str, len);
+    return ret == 0 && len != 0 ? -1 : ret;
+}
+
+#ifdef STDC
+#include 
+
+/* -- see zlib.h -- */
+int ZEXPORTVA gzprintf (gzFile file, const char *format, ...)
+{
+    int size, len;
+    gz_statep state;
+    z_streamp strm;
+    va_list va;
+
+    /* get internal structure */
+    if (file == NULL)
+        return -1;
+    state = (gz_statep)file;
+    strm = &(state->strm);
+
+    /* check that we're writing and that there's no error */
+    if (state->mode != GZ_WRITE || state->err != Z_OK)
+        return 0;
+
+    /* make sure we have some buffer space */
+    if (state->size == 0 && gz_init(state) == -1)
+        return 0;
+
+    /* check for seek request */
+    if (state->seek) {
+        state->seek = 0;
+        if (gz_zero(state, state->skip) == -1)
+            return 0;
+    }
+
+    /* consume whatever's left in the input buffer */
+    if (strm->avail_in && gz_comp(state, Z_NO_FLUSH) == -1)
+        return 0;
+
+    /* do the printf() into the input buffer, put length in len */
+    size = (int)(state->size);
+    state->in[size - 1] = 0;
+    va_start(va, format);
+#ifdef NO_vsnprintf
+#  ifdef HAS_vsprintf_void
+    (void)vsprintf(state->in, format, va);
+    va_end(va);
+    for (len = 0; len < size; len++)
+        if (state->in[len] == 0) break;
+#  else
+    len = vsprintf(state->in, format, va);
+    va_end(va);
+#  endif
+#else
+#  ifdef HAS_vsnprintf_void
+    (void)vsnprintf(state->in, size, format, va);
+    va_end(va);
+    len = strlen(state->in);
+#  else
+    len = vsnprintf((char *)(state->in), size, format, va);
+    va_end(va);
+#  endif
+#endif
+
+    /* check that printf() results fit in buffer */
+    if (len <= 0 || len >= (int)size || state->in[size - 1] != 0)
+        return 0;
+
+    /* update buffer and position, defer compression until needed */
+    strm->avail_in = (unsigned)len;
+    strm->next_in = state->in;
+    state->pos += len;
+    return len;
+}
+
+#else /* !STDC */
+
+/* -- see zlib.h -- */
+int ZEXPORTVA gzprintf (file, format, a1, a2, a3, a4, a5, a6, a7, a8, a9, a10,
+                       a11, a12, a13, a14, a15, a16, a17, a18, a19, a20)
+    gzFile file;
+    const char *format;
+    int a1, a2, a3, a4, a5, a6, a7, a8, a9, a10,
+        a11, a12, a13, a14, a15, a16, a17, a18, a19, a20;
+{
+    int size, len;
+    gz_statep state;
+    z_streamp strm;
+
+    /* get internal structure */
+    if (file == NULL)
+        return -1;
+    state = (gz_statep)file;
+    strm = &(state->strm);
+
+    /* check that we're writing and that there's no error */
+    if (state->mode != GZ_WRITE || state->err != Z_OK)
+        return 0;
+
+    /* make sure we have some buffer space */
+    if (state->size == 0 && gz_init(state) == -1)
+        return 0;
+
+    /* check for seek request */
+    if (state->seek) {
+        state->seek = 0;
+        if (gz_zero(state, state->skip) == -1)
+            return 0;
+    }
+
+    /* consume whatever's left in the input buffer */
+    if (strm->avail_in && gz_comp(state, Z_NO_FLUSH) == -1)
+        return 0;
+
+    /* do the printf() into the input buffer, put length in len */
+    size = (int)(state->size);
+    state->in[size - 1] = 0;
+#ifdef NO_snprintf
+#  ifdef HAS_sprintf_void
+    sprintf(state->in, format, a1, a2, a3, a4, a5, a6, a7, a8,
+            a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20);
+    for (len = 0; len < size; len++)
+        if (state->in[len] == 0) break;
+#  else
+    len = sprintf(state->in, format, a1, a2, a3, a4, a5, a6, a7, a8,
+                a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20);
+#  endif
+#else
+#  ifdef HAS_snprintf_void
+    snprintf(state->in, size, format, a1, a2, a3, a4, a5, a6, a7, a8,
+             a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20);
+    len = strlen(state->in);
+#  else
+    len = snprintf(state->in, size, format, a1, a2, a3, a4, a5, a6, a7, a8,
+                 a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20);
+#  endif
+#endif
+
+    /* check that printf() results fit in buffer */
+    if (len <= 0 || len >= (int)size || state->in[size - 1] != 0)
+        return 0;
+
+    /* update buffer and position, defer compression until needed */
+    strm->avail_in = (unsigned)len;
+    strm->next_in = state->in;
+    state->pos += len;
+    return len;
+}
+
+#endif
+
+/* -- see zlib.h -- */
+int ZEXPORT gzflush(file, flush)
+    gzFile file;
+    int flush;
+{
+    gz_statep state;
+
+    /* get internal structure */
+    if (file == NULL)
+        return -1;
+    state = (gz_statep)file;
+
+    /* check that we're writing and that there's no error */
+    if (state->mode != GZ_WRITE || state->err != Z_OK)
+        return Z_STREAM_ERROR;
+
+    /* check flush parameter */
+    if (flush < 0 || flush > Z_FINISH)
+        return Z_STREAM_ERROR;
+
+    /* check for seek request */
+    if (state->seek) {
+        state->seek = 0;
+        if (gz_zero(state, state->skip) == -1)
+            return -1;
+    }
+
+    /* compress remaining data with requested flush */
+    gz_comp(state, flush);
+    return state->err;
+}
+
+/* -- see zlib.h -- */
+int ZEXPORT gzsetparams(file, level, strategy)
+    gzFile file;
+    int level;
+    int strategy;
+{
+    gz_statep state;
+    z_streamp strm;
+
+    /* get internal structure */
+    if (file == NULL)
+        return Z_STREAM_ERROR;
+    state = (gz_statep)file;
+    strm = &(state->strm);
+
+    /* check that we're writing and that there's no error */
+    if (state->mode != GZ_WRITE || state->err != Z_OK)
+        return Z_STREAM_ERROR;
+
+    /* if no change is requested, then do nothing */
+    if (level == state->level && strategy == state->strategy)
+        return Z_OK;
+
+    /* check for seek request */
+    if (state->seek) {
+        state->seek = 0;
+        if (gz_zero(state, state->skip) == -1)
+            return -1;
+    }
+
+    /* change compression parameters for subsequent input */
+    if (state->size) {
+        /* flush previous input with previous parameters before changing */
+        if (strm->avail_in && gz_comp(state, Z_PARTIAL_FLUSH) == -1)
+            return state->err;
+        deflateParams(strm, level, strategy);
+    }
+    state->level = level;
+    state->strategy = strategy;
+    return Z_OK;
+}
+
+/* -- see zlib.h -- */
+int ZEXPORT gzclose_w(file)
+    gzFile file;
+{
+    int ret = 0;
+    gz_statep state;
+
+    /* get internal structure */
+    if (file == NULL)
+        return Z_STREAM_ERROR;
+    state = (gz_statep)file;
+
+    /* check that we're writing */
+    if (state->mode != GZ_WRITE)
+        return Z_STREAM_ERROR;
+
+    /* check for seek request */
+    if (state->seek) {
+        state->seek = 0;
+        ret += gz_zero(state, state->skip);
+    }
+
+    /* flush, free memory, and close file */
+    ret += gz_comp(state, Z_FINISH);
+    (void)deflateEnd(&(state->strm));
+    free(state->out);
+    free(state->in);
+    gz_error(state, Z_OK, NULL);
+    free(state->path);
+    ret += close(state->fd);
+    free(state);
+    return ret ? Z_ERRNO : Z_OK;
+}
diff --git a/security/nss/lib/zlib/infback.c b/security/nss/lib/zlib/infback.c
index 455dbc9ee843..af3a8c965d50 100644
--- a/security/nss/lib/zlib/infback.c
+++ b/security/nss/lib/zlib/infback.c
@@ -1,5 +1,5 @@
 /* infback.c -- inflate using a call-back interface
- * Copyright (C) 1995-2005 Mark Adler
+ * Copyright (C) 1995-2009 Mark Adler
  * For conditions of distribution and use, see copyright notice in zlib.h
  */
 
@@ -55,7 +55,7 @@ int stream_size;
     state->wbits = windowBits;
     state->wsize = 1U << windowBits;
     state->window = window;
-    state->write = 0;
+    state->wnext = 0;
     state->whave = 0;
     return Z_OK;
 }
@@ -253,7 +253,7 @@ void FAR *out_desc;
     unsigned bits;              /* bits in bit buffer */
     unsigned copy;              /* number of stored or match bytes to copy */
     unsigned char FAR *from;    /* where to copy match bytes from */
-    code this;                  /* current decoding table entry */
+    code here;                  /* current decoding table entry */
     code last;                  /* parent table entry */
     unsigned len;               /* length to copy for repeats, bits to drop */
     int ret;                    /* return code */
@@ -389,19 +389,19 @@ void FAR *out_desc;
             state->have = 0;
             while (state->have < state->nlen + state->ndist) {
                 for (;;) {
-                    this = state->lencode[BITS(state->lenbits)];
-                    if ((unsigned)(this.bits) <= bits) break;
+                    here = state->lencode[BITS(state->lenbits)];
+                    if ((unsigned)(here.bits) <= bits) break;
                     PULLBYTE();
                 }
-                if (this.val < 16) {
-                    NEEDBITS(this.bits);
-                    DROPBITS(this.bits);
-                    state->lens[state->have++] = this.val;
+                if (here.val < 16) {
+                    NEEDBITS(here.bits);
+                    DROPBITS(here.bits);
+                    state->lens[state->have++] = here.val;
                 }
                 else {
-                    if (this.val == 16) {
-                        NEEDBITS(this.bits + 2);
-                        DROPBITS(this.bits);
+                    if (here.val == 16) {
+                        NEEDBITS(here.bits + 2);
+                        DROPBITS(here.bits);
                         if (state->have == 0) {
                             strm->msg = (char *)"invalid bit length repeat";
                             state->mode = BAD;
@@ -411,16 +411,16 @@ void FAR *out_desc;
                         copy = 3 + BITS(2);
                         DROPBITS(2);
                     }
-                    else if (this.val == 17) {
-                        NEEDBITS(this.bits + 3);
-                        DROPBITS(this.bits);
+                    else if (here.val == 17) {
+                        NEEDBITS(here.bits + 3);
+                        DROPBITS(here.bits);
                         len = 0;
                         copy = 3 + BITS(3);
                         DROPBITS(3);
                     }
                     else {
-                        NEEDBITS(this.bits + 7);
-                        DROPBITS(this.bits);
+                        NEEDBITS(here.bits + 7);
+                        DROPBITS(here.bits);
                         len = 0;
                         copy = 11 + BITS(7);
                         DROPBITS(7);
@@ -438,7 +438,16 @@ void FAR *out_desc;
             /* handle error breaks in while */
             if (state->mode == BAD) break;
 
-            /* build code tables */
+            /* check for end-of-block code (better have one) */
+            if (state->lens[256] == 0) {
+                strm->msg = (char *)"invalid code -- missing end-of-block";
+                state->mode = BAD;
+                break;
+            }
+
+            /* build code tables -- note: do not change the lenbits or distbits
+               values here (9 and 6) without reading the comments in inftrees.h
+               concerning the ENOUGH constants, which depend on those values */
             state->next = state->codes;
             state->lencode = (code const FAR *)(state->next);
             state->lenbits = 9;
@@ -474,28 +483,28 @@ void FAR *out_desc;
 
             /* get a literal, length, or end-of-block code */
             for (;;) {
-                this = state->lencode[BITS(state->lenbits)];
-                if ((unsigned)(this.bits) <= bits) break;
+                here = state->lencode[BITS(state->lenbits)];
+                if ((unsigned)(here.bits) <= bits) break;
                 PULLBYTE();
             }
-            if (this.op && (this.op & 0xf0) == 0) {
-                last = this;
+            if (here.op && (here.op & 0xf0) == 0) {
+                last = here;
                 for (;;) {
-                    this = state->lencode[last.val +
+                    here = state->lencode[last.val +
                             (BITS(last.bits + last.op) >> last.bits)];
-                    if ((unsigned)(last.bits + this.bits) <= bits) break;
+                    if ((unsigned)(last.bits + here.bits) <= bits) break;
                     PULLBYTE();
                 }
                 DROPBITS(last.bits);
             }
-            DROPBITS(this.bits);
-            state->length = (unsigned)this.val;
+            DROPBITS(here.bits);
+            state->length = (unsigned)here.val;
 
             /* process literal */
-            if (this.op == 0) {
-                Tracevv((stderr, this.val >= 0x20 && this.val < 0x7f ?
+            if (here.op == 0) {
+                Tracevv((stderr, here.val >= 0x20 && here.val < 0x7f ?
                         "inflate:         literal '%c'\n" :
-                        "inflate:         literal 0x%02x\n", this.val));
+                        "inflate:         literal 0x%02x\n", here.val));
                 ROOM();
                 *put++ = (unsigned char)(state->length);
                 left--;
@@ -504,21 +513,21 @@ void FAR *out_desc;
             }
 
             /* process end of block */
-            if (this.op & 32) {
+            if (here.op & 32) {
                 Tracevv((stderr, "inflate:         end of block\n"));
                 state->mode = TYPE;
                 break;
             }
 
             /* invalid code */
-            if (this.op & 64) {
+            if (here.op & 64) {
                 strm->msg = (char *)"invalid literal/length code";
                 state->mode = BAD;
                 break;
             }
 
             /* length code -- get extra bits, if any */
-            state->extra = (unsigned)(this.op) & 15;
+            state->extra = (unsigned)(here.op) & 15;
             if (state->extra != 0) {
                 NEEDBITS(state->extra);
                 state->length += BITS(state->extra);
@@ -528,30 +537,30 @@ void FAR *out_desc;
 
             /* get distance code */
             for (;;) {
-                this = state->distcode[BITS(state->distbits)];
-                if ((unsigned)(this.bits) <= bits) break;
+                here = state->distcode[BITS(state->distbits)];
+                if ((unsigned)(here.bits) <= bits) break;
                 PULLBYTE();
             }
-            if ((this.op & 0xf0) == 0) {
-                last = this;
+            if ((here.op & 0xf0) == 0) {
+                last = here;
                 for (;;) {
-                    this = state->distcode[last.val +
+                    here = state->distcode[last.val +
                             (BITS(last.bits + last.op) >> last.bits)];
-                    if ((unsigned)(last.bits + this.bits) <= bits) break;
+                    if ((unsigned)(last.bits + here.bits) <= bits) break;
                     PULLBYTE();
                 }
                 DROPBITS(last.bits);
             }
-            DROPBITS(this.bits);
-            if (this.op & 64) {
+            DROPBITS(here.bits);
+            if (here.op & 64) {
                 strm->msg = (char *)"invalid distance code";
                 state->mode = BAD;
                 break;
             }
-            state->offset = (unsigned)this.val;
+            state->offset = (unsigned)here.val;
 
             /* get distance extra bits, if any */
-            state->extra = (unsigned)(this.op) & 15;
+            state->extra = (unsigned)(here.op) & 15;
             if (state->extra != 0) {
                 NEEDBITS(state->extra);
                 state->offset += BITS(state->extra);
diff --git a/security/nss/lib/zlib/inffast.c b/security/nss/lib/zlib/inffast.c
index bbee92ed1e6b..2f1d60b43b8a 100644
--- a/security/nss/lib/zlib/inffast.c
+++ b/security/nss/lib/zlib/inffast.c
@@ -1,5 +1,5 @@
 /* inffast.c -- fast decoding
- * Copyright (C) 1995-2004 Mark Adler
+ * Copyright (C) 1995-2008, 2010 Mark Adler
  * For conditions of distribution and use, see copyright notice in zlib.h
  */
 
@@ -64,7 +64,7 @@
       requires strm->avail_out >= 258 for each loop to avoid checking for
       output space.
  */
-void inflate_fast(strm, start)
+void ZLIB_INTERNAL inflate_fast(strm, start)
 z_streamp strm;
 unsigned start;         /* inflate()'s starting value for strm->avail_out */
 {
@@ -79,7 +79,7 @@ unsigned start;         /* inflate()'s starting value for strm->avail_out */
 #endif
     unsigned wsize;             /* window size or zero if not using window */
     unsigned whave;             /* valid bytes in the window */
-    unsigned write;             /* window write index */
+    unsigned wnext;             /* window write index */
     unsigned char FAR *window;  /* allocated sliding window, if wsize != 0 */
     unsigned long hold;         /* local strm->hold */
     unsigned bits;              /* local strm->bits */
@@ -87,7 +87,7 @@ unsigned start;         /* inflate()'s starting value for strm->avail_out */
     code const FAR *dcode;      /* local strm->distcode */
     unsigned lmask;             /* mask for first level of length codes */
     unsigned dmask;             /* mask for first level of distance codes */
-    code this;                  /* retrieved table entry */
+    code here;                  /* retrieved table entry */
     unsigned op;                /* code bits, operation, extra bits, or */
                                 /*  window position, window bytes to copy */
     unsigned len;               /* match length, unused bytes */
@@ -106,7 +106,7 @@ unsigned start;         /* inflate()'s starting value for strm->avail_out */
 #endif
     wsize = state->wsize;
     whave = state->whave;
-    write = state->write;
+    wnext = state->wnext;
     window = state->window;
     hold = state->hold;
     bits = state->bits;
@@ -124,20 +124,20 @@ unsigned start;         /* inflate()'s starting value for strm->avail_out */
             hold += (unsigned long)(PUP(in)) << bits;
             bits += 8;
         }
-        this = lcode[hold & lmask];
+        here = lcode[hold & lmask];
       dolen:
-        op = (unsigned)(this.bits);
+        op = (unsigned)(here.bits);
         hold >>= op;
         bits -= op;
-        op = (unsigned)(this.op);
+        op = (unsigned)(here.op);
         if (op == 0) {                          /* literal */
-            Tracevv((stderr, this.val >= 0x20 && this.val < 0x7f ?
+            Tracevv((stderr, here.val >= 0x20 && here.val < 0x7f ?
                     "inflate:         literal '%c'\n" :
-                    "inflate:         literal 0x%02x\n", this.val));
-            PUP(out) = (unsigned char)(this.val);
+                    "inflate:         literal 0x%02x\n", here.val));
+            PUP(out) = (unsigned char)(here.val);
         }
         else if (op & 16) {                     /* length base */
-            len = (unsigned)(this.val);
+            len = (unsigned)(here.val);
             op &= 15;                           /* number of extra bits */
             if (op) {
                 if (bits < op) {
@@ -155,14 +155,14 @@ unsigned start;         /* inflate()'s starting value for strm->avail_out */
                 hold += (unsigned long)(PUP(in)) << bits;
                 bits += 8;
             }
-            this = dcode[hold & dmask];
+            here = dcode[hold & dmask];
           dodist:
-            op = (unsigned)(this.bits);
+            op = (unsigned)(here.bits);
             hold >>= op;
             bits -= op;
-            op = (unsigned)(this.op);
+            op = (unsigned)(here.op);
             if (op & 16) {                      /* distance base */
-                dist = (unsigned)(this.val);
+                dist = (unsigned)(here.val);
                 op &= 15;                       /* number of extra bits */
                 if (bits < op) {
                     hold += (unsigned long)(PUP(in)) << bits;
@@ -187,12 +187,34 @@ unsigned start;         /* inflate()'s starting value for strm->avail_out */
                 if (dist > op) {                /* see if copy from window */
                     op = dist - op;             /* distance back in window */
                     if (op > whave) {
-                        strm->msg = (char *)"invalid distance too far back";
-                        state->mode = BAD;
-                        break;
+                        if (state->sane) {
+                            strm->msg =
+                                (char *)"invalid distance too far back";
+                            state->mode = BAD;
+                            break;
+                        }
+#ifdef INFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR
+                        if (len <= op - whave) {
+                            do {
+                                PUP(out) = 0;
+                            } while (--len);
+                            continue;
+                        }
+                        len -= op - whave;
+                        do {
+                            PUP(out) = 0;
+                        } while (--op > whave);
+                        if (op == 0) {
+                            from = out - dist;
+                            do {
+                                PUP(out) = PUP(from);
+                            } while (--len);
+                            continue;
+                        }
+#endif
                     }
                     from = window - OFF;
-                    if (write == 0) {           /* very common case */
+                    if (wnext == 0) {           /* very common case */
                         from += wsize - op;
                         if (op < len) {         /* some from window */
                             len -= op;
@@ -202,17 +224,17 @@ unsigned start;         /* inflate()'s starting value for strm->avail_out */
                             from = out - dist;  /* rest from output */
                         }
                     }
-                    else if (write < op) {      /* wrap around window */
-                        from += wsize + write - op;
-                        op -= write;
+                    else if (wnext < op) {      /* wrap around window */
+                        from += wsize + wnext - op;
+                        op -= wnext;
                         if (op < len) {         /* some from end of window */
                             len -= op;
                             do {
                                 PUP(out) = PUP(from);
                             } while (--op);
                             from = window - OFF;
-                            if (write < len) {  /* some from start of window */
-                                op = write;
+                            if (wnext < len) {  /* some from start of window */
+                                op = wnext;
                                 len -= op;
                                 do {
                                     PUP(out) = PUP(from);
@@ -222,7 +244,7 @@ unsigned start;         /* inflate()'s starting value for strm->avail_out */
                         }
                     }
                     else {                      /* contiguous in window */
-                        from += write - op;
+                        from += wnext - op;
                         if (op < len) {         /* some from window */
                             len -= op;
                             do {
@@ -259,7 +281,7 @@ unsigned start;         /* inflate()'s starting value for strm->avail_out */
                 }
             }
             else if ((op & 64) == 0) {          /* 2nd level distance code */
-                this = dcode[this.val + (hold & ((1U << op) - 1))];
+                here = dcode[here.val + (hold & ((1U << op) - 1))];
                 goto dodist;
             }
             else {
@@ -269,7 +291,7 @@ unsigned start;         /* inflate()'s starting value for strm->avail_out */
             }
         }
         else if ((op & 64) == 0) {              /* 2nd level length code */
-            this = lcode[this.val + (hold & ((1U << op) - 1))];
+            here = lcode[here.val + (hold & ((1U << op) - 1))];
             goto dolen;
         }
         else if (op & 32) {                     /* end-of-block */
@@ -305,7 +327,7 @@ unsigned start;         /* inflate()'s starting value for strm->avail_out */
    inflate_fast() speedups that turned out slower (on a PowerPC G3 750CXe):
    - Using bit fields for code structure
    - Different op definition to avoid & for extra bits (do & for table bits)
-   - Three separate decoding do-loops for direct, window, and write == 0
+   - Three separate decoding do-loops for direct, window, and wnext == 0
    - Special case for distance > 1 copies to do overlapped load and store copy
    - Explicit branch predictions (based on measured branch probabilities)
    - Deferring match copy and interspersed it with decoding subsequent codes
diff --git a/security/nss/lib/zlib/inffast.h b/security/nss/lib/zlib/inffast.h
index 1e88d2d97b56..e5c1aa4ca8cd 100644
--- a/security/nss/lib/zlib/inffast.h
+++ b/security/nss/lib/zlib/inffast.h
@@ -1,5 +1,5 @@
 /* inffast.h -- header to use inffast.c
- * Copyright (C) 1995-2003 Mark Adler
+ * Copyright (C) 1995-2003, 2010 Mark Adler
  * For conditions of distribution and use, see copyright notice in zlib.h
  */
 
@@ -8,4 +8,4 @@
    subject to change. Applications should only use zlib.h.
  */
 
-void inflate_fast OF((z_streamp strm, unsigned start));
+void ZLIB_INTERNAL inflate_fast OF((z_streamp strm, unsigned start));
diff --git a/security/nss/lib/zlib/inflate.c b/security/nss/lib/zlib/inflate.c
index 792fdee8e9c7..a8431abeacff 100644
--- a/security/nss/lib/zlib/inflate.c
+++ b/security/nss/lib/zlib/inflate.c
@@ -1,5 +1,5 @@
 /* inflate.c -- zlib decompression
- * Copyright (C) 1995-2005 Mark Adler
+ * Copyright (C) 1995-2010 Mark Adler
  * For conditions of distribution and use, see copyright notice in zlib.h
  */
 
@@ -45,7 +45,7 @@
  * - Rearrange window copies in inflate_fast() for speed and simplification
  * - Unroll last copy for window match in inflate_fast()
  * - Use local copies of window variables in inflate_fast() for speed
- * - Pull out common write == 0 case for speed in inflate_fast()
+ * - Pull out common wnext == 0 case for speed in inflate_fast()
  * - Make op and len in inflate_fast() unsigned for consistency
  * - Add FAR to lcode and dcode declarations in inflate_fast()
  * - Simplified bad distance check in inflate_fast()
@@ -117,28 +117,52 @@ z_streamp strm;
     state->head = Z_NULL;
     state->wsize = 0;
     state->whave = 0;
-    state->write = 0;
+    state->wnext = 0;
     state->hold = 0;
     state->bits = 0;
     state->lencode = state->distcode = state->next = state->codes;
+    state->sane = 1;
+    state->back = -1;
     Tracev((stderr, "inflate: reset\n"));
     return Z_OK;
 }
 
-int ZEXPORT inflatePrime(strm, bits, value)
+int ZEXPORT inflateReset2(strm, windowBits)
 z_streamp strm;
-int bits;
-int value;
+int windowBits;
 {
+    int wrap;
     struct inflate_state FAR *state;
 
+    /* get the state */
     if (strm == Z_NULL || strm->state == Z_NULL) return Z_STREAM_ERROR;
     state = (struct inflate_state FAR *)strm->state;
-    if (bits > 16 || state->bits + bits > 32) return Z_STREAM_ERROR;
-    value &= (1L << bits) - 1;
-    state->hold += value << state->bits;
-    state->bits += bits;
-    return Z_OK;
+
+    /* extract wrap request from windowBits parameter */
+    if (windowBits < 0) {
+        wrap = 0;
+        windowBits = -windowBits;
+    }
+    else {
+        wrap = (windowBits >> 4) + 1;
+#ifdef GUNZIP
+        if (windowBits < 48)
+            windowBits &= 15;
+#endif
+    }
+
+    /* set number of window bits, free window if different */
+    if (windowBits && (windowBits < 8 || windowBits > 15))
+        return Z_STREAM_ERROR;
+    if (state->window != Z_NULL && state->wbits != (unsigned)windowBits) {
+        ZFREE(strm, state->window);
+        state->window = Z_NULL;
+    }
+
+    /* update state and reset the rest of it */
+    state->wrap = wrap;
+    state->wbits = (unsigned)windowBits;
+    return inflateReset(strm);
 }
 
 int ZEXPORT inflateInit2_(strm, windowBits, version, stream_size)
@@ -147,6 +171,7 @@ int windowBits;
 const char *version;
 int stream_size;
 {
+    int ret;
     struct inflate_state FAR *state;
 
     if (version == Z_NULL || version[0] != ZLIB_VERSION[0] ||
@@ -164,24 +189,13 @@ int stream_size;
     if (state == Z_NULL) return Z_MEM_ERROR;
     Tracev((stderr, "inflate: allocated\n"));
     strm->state = (struct internal_state FAR *)state;
-    if (windowBits < 0) {
-        state->wrap = 0;
-        windowBits = -windowBits;
-    }
-    else {
-        state->wrap = (windowBits >> 4) + 1;
-#ifdef GUNZIP
-        if (windowBits < 48) windowBits &= 15;
-#endif
-    }
-    if (windowBits < 8 || windowBits > 15) {
+    state->window = Z_NULL;
+    ret = inflateReset2(strm, windowBits);
+    if (ret != Z_OK) {
         ZFREE(strm, state);
         strm->state = Z_NULL;
-        return Z_STREAM_ERROR;
     }
-    state->wbits = (unsigned)windowBits;
-    state->window = Z_NULL;
-    return inflateReset(strm);
+    return ret;
 }
 
 int ZEXPORT inflateInit_(strm, version, stream_size)
@@ -192,6 +206,27 @@ int stream_size;
     return inflateInit2_(strm, DEF_WBITS, version, stream_size);
 }
 
+int ZEXPORT inflatePrime(strm, bits, value)
+z_streamp strm;
+int bits;
+int value;
+{
+    struct inflate_state FAR *state;
+
+    if (strm == Z_NULL || strm->state == Z_NULL) return Z_STREAM_ERROR;
+    state = (struct inflate_state FAR *)strm->state;
+    if (bits < 0) {
+        state->hold = 0;
+        state->bits = 0;
+        return Z_OK;
+    }
+    if (bits > 16 || state->bits + bits > 32) return Z_STREAM_ERROR;
+    value &= (1L << bits) - 1;
+    state->hold += value << state->bits;
+    state->bits += bits;
+    return Z_OK;
+}
+
 /*
    Return state with length and distance decoding tables and index sizes set to
    fixed code decoding.  Normally this returns fixed tables from inffixed.h.
@@ -340,7 +375,7 @@ unsigned out;
     /* if window not in use yet, initialize */
     if (state->wsize == 0) {
         state->wsize = 1U << state->wbits;
-        state->write = 0;
+        state->wnext = 0;
         state->whave = 0;
     }
 
@@ -348,22 +383,22 @@ unsigned out;
     copy = out - strm->avail_out;
     if (copy >= state->wsize) {
         zmemcpy(state->window, strm->next_out - state->wsize, state->wsize);
-        state->write = 0;
+        state->wnext = 0;
         state->whave = state->wsize;
     }
     else {
-        dist = state->wsize - state->write;
+        dist = state->wsize - state->wnext;
         if (dist > copy) dist = copy;
-        zmemcpy(state->window + state->write, strm->next_out - copy, dist);
+        zmemcpy(state->window + state->wnext, strm->next_out - copy, dist);
         copy -= dist;
         if (copy) {
             zmemcpy(state->window, strm->next_out - copy, copy);
-            state->write = copy;
+            state->wnext = copy;
             state->whave = state->wsize;
         }
         else {
-            state->write += dist;
-            if (state->write == state->wsize) state->write = 0;
+            state->wnext += dist;
+            if (state->wnext == state->wsize) state->wnext = 0;
             if (state->whave < state->wsize) state->whave += dist;
         }
     }
@@ -564,7 +599,7 @@ int flush;
     unsigned in, out;           /* save starting available input and output */
     unsigned copy;              /* number of stored or match bytes to copy */
     unsigned char FAR *from;    /* where to copy match bytes from */
-    code this;                  /* current decoding table entry */
+    code here;                  /* current decoding table entry */
     code last;                  /* parent table entry */
     unsigned len;               /* length to copy for repeats, bits to drop */
     int ret;                    /* return code */
@@ -619,7 +654,9 @@ int flush;
             }
             DROPBITS(4);
             len = BITS(4) + 8;
-            if (len > state->wbits) {
+            if (state->wbits == 0)
+                state->wbits = len;
+            else if (len > state->wbits) {
                 strm->msg = (char *)"invalid window size";
                 state->mode = BAD;
                 break;
@@ -771,7 +808,7 @@ int flush;
             strm->adler = state->check = adler32(0L, Z_NULL, 0);
             state->mode = TYPE;
         case TYPE:
-            if (flush == Z_BLOCK) goto inf_leave;
+            if (flush == Z_BLOCK || flush == Z_TREES) goto inf_leave;
         case TYPEDO:
             if (state->last) {
                 BYTEBITS();
@@ -791,7 +828,11 @@ int flush;
                 fixedtables(state);
                 Tracev((stderr, "inflate:     fixed codes block%s\n",
                         state->last ? " (last)" : ""));
-                state->mode = LEN;              /* decode codes */
+                state->mode = LEN_;             /* decode codes */
+                if (flush == Z_TREES) {
+                    DROPBITS(2);
+                    goto inf_leave;
+                }
                 break;
             case 2:                             /* dynamic block */
                 Tracev((stderr, "inflate:     dynamic codes block%s\n",
@@ -816,6 +857,9 @@ int flush;
             Tracev((stderr, "inflate:       stored length %u\n",
                     state->length));
             INITBITS();
+            state->mode = COPY_;
+            if (flush == Z_TREES) goto inf_leave;
+        case COPY_:
             state->mode = COPY;
         case COPY:
             copy = state->length;
@@ -876,19 +920,19 @@ int flush;
         case CODELENS:
             while (state->have < state->nlen + state->ndist) {
                 for (;;) {
-                    this = state->lencode[BITS(state->lenbits)];
-                    if ((unsigned)(this.bits) <= bits) break;
+                    here = state->lencode[BITS(state->lenbits)];
+                    if ((unsigned)(here.bits) <= bits) break;
                     PULLBYTE();
                 }
-                if (this.val < 16) {
-                    NEEDBITS(this.bits);
-                    DROPBITS(this.bits);
-                    state->lens[state->have++] = this.val;
+                if (here.val < 16) {
+                    NEEDBITS(here.bits);
+                    DROPBITS(here.bits);
+                    state->lens[state->have++] = here.val;
                 }
                 else {
-                    if (this.val == 16) {
-                        NEEDBITS(this.bits + 2);
-                        DROPBITS(this.bits);
+                    if (here.val == 16) {
+                        NEEDBITS(here.bits + 2);
+                        DROPBITS(here.bits);
                         if (state->have == 0) {
                             strm->msg = (char *)"invalid bit length repeat";
                             state->mode = BAD;
@@ -898,16 +942,16 @@ int flush;
                         copy = 3 + BITS(2);
                         DROPBITS(2);
                     }
-                    else if (this.val == 17) {
-                        NEEDBITS(this.bits + 3);
-                        DROPBITS(this.bits);
+                    else if (here.val == 17) {
+                        NEEDBITS(here.bits + 3);
+                        DROPBITS(here.bits);
                         len = 0;
                         copy = 3 + BITS(3);
                         DROPBITS(3);
                     }
                     else {
-                        NEEDBITS(this.bits + 7);
-                        DROPBITS(this.bits);
+                        NEEDBITS(here.bits + 7);
+                        DROPBITS(here.bits);
                         len = 0;
                         copy = 11 + BITS(7);
                         DROPBITS(7);
@@ -925,7 +969,16 @@ int flush;
             /* handle error breaks in while */
             if (state->mode == BAD) break;
 
-            /* build code tables */
+            /* check for end-of-block code (better have one) */
+            if (state->lens[256] == 0) {
+                strm->msg = (char *)"invalid code -- missing end-of-block";
+                state->mode = BAD;
+                break;
+            }
+
+            /* build code tables -- note: do not change the lenbits or distbits
+               values here (9 and 6) without reading the comments in inftrees.h
+               concerning the ENOUGH constants, which depend on those values */
             state->next = state->codes;
             state->lencode = (code const FAR *)(state->next);
             state->lenbits = 9;
@@ -946,88 +999,102 @@ int flush;
                 break;
             }
             Tracev((stderr, "inflate:       codes ok\n"));
+            state->mode = LEN_;
+            if (flush == Z_TREES) goto inf_leave;
+        case LEN_:
             state->mode = LEN;
         case LEN:
             if (have >= 6 && left >= 258) {
                 RESTORE();
                 inflate_fast(strm, out);
                 LOAD();
+                if (state->mode == TYPE)
+                    state->back = -1;
                 break;
             }
+            state->back = 0;
             for (;;) {
-                this = state->lencode[BITS(state->lenbits)];
-                if ((unsigned)(this.bits) <= bits) break;
+                here = state->lencode[BITS(state->lenbits)];
+                if ((unsigned)(here.bits) <= bits) break;
                 PULLBYTE();
             }
-            if (this.op && (this.op & 0xf0) == 0) {
-                last = this;
+            if (here.op && (here.op & 0xf0) == 0) {
+                last = here;
                 for (;;) {
-                    this = state->lencode[last.val +
+                    here = state->lencode[last.val +
                             (BITS(last.bits + last.op) >> last.bits)];
-                    if ((unsigned)(last.bits + this.bits) <= bits) break;
+                    if ((unsigned)(last.bits + here.bits) <= bits) break;
                     PULLBYTE();
                 }
                 DROPBITS(last.bits);
+                state->back += last.bits;
             }
-            DROPBITS(this.bits);
-            state->length = (unsigned)this.val;
-            if ((int)(this.op) == 0) {
-                Tracevv((stderr, this.val >= 0x20 && this.val < 0x7f ?
+            DROPBITS(here.bits);
+            state->back += here.bits;
+            state->length = (unsigned)here.val;
+            if ((int)(here.op) == 0) {
+                Tracevv((stderr, here.val >= 0x20 && here.val < 0x7f ?
                         "inflate:         literal '%c'\n" :
-                        "inflate:         literal 0x%02x\n", this.val));
+                        "inflate:         literal 0x%02x\n", here.val));
                 state->mode = LIT;
                 break;
             }
-            if (this.op & 32) {
+            if (here.op & 32) {
                 Tracevv((stderr, "inflate:         end of block\n"));
+                state->back = -1;
                 state->mode = TYPE;
                 break;
             }
-            if (this.op & 64) {
+            if (here.op & 64) {
                 strm->msg = (char *)"invalid literal/length code";
                 state->mode = BAD;
                 break;
             }
-            state->extra = (unsigned)(this.op) & 15;
+            state->extra = (unsigned)(here.op) & 15;
             state->mode = LENEXT;
         case LENEXT:
             if (state->extra) {
                 NEEDBITS(state->extra);
                 state->length += BITS(state->extra);
                 DROPBITS(state->extra);
+                state->back += state->extra;
             }
             Tracevv((stderr, "inflate:         length %u\n", state->length));
+            state->was = state->length;
             state->mode = DIST;
         case DIST:
             for (;;) {
-                this = state->distcode[BITS(state->distbits)];
-                if ((unsigned)(this.bits) <= bits) break;
+                here = state->distcode[BITS(state->distbits)];
+                if ((unsigned)(here.bits) <= bits) break;
                 PULLBYTE();
             }
-            if ((this.op & 0xf0) == 0) {
-                last = this;
+            if ((here.op & 0xf0) == 0) {
+                last = here;
                 for (;;) {
-                    this = state->distcode[last.val +
+                    here = state->distcode[last.val +
                             (BITS(last.bits + last.op) >> last.bits)];
-                    if ((unsigned)(last.bits + this.bits) <= bits) break;
+                    if ((unsigned)(last.bits + here.bits) <= bits) break;
                     PULLBYTE();
                 }
                 DROPBITS(last.bits);
+                state->back += last.bits;
             }
-            DROPBITS(this.bits);
-            if (this.op & 64) {
+            DROPBITS(here.bits);
+            state->back += here.bits;
+            if (here.op & 64) {
                 strm->msg = (char *)"invalid distance code";
                 state->mode = BAD;
                 break;
             }
-            state->offset = (unsigned)this.val;
-            state->extra = (unsigned)(this.op) & 15;
+            state->offset = (unsigned)here.val;
+            state->extra = (unsigned)(here.op) & 15;
             state->mode = DISTEXT;
         case DISTEXT:
             if (state->extra) {
                 NEEDBITS(state->extra);
                 state->offset += BITS(state->extra);
                 DROPBITS(state->extra);
+                state->back += state->extra;
             }
 #ifdef INFLATE_STRICT
             if (state->offset > state->dmax) {
@@ -1036,11 +1103,6 @@ int flush;
                 break;
             }
 #endif
-            if (state->offset > state->whave + out - left) {
-                strm->msg = (char *)"invalid distance too far back";
-                state->mode = BAD;
-                break;
-            }
             Tracevv((stderr, "inflate:         distance %u\n", state->offset));
             state->mode = MATCH;
         case MATCH:
@@ -1048,12 +1110,32 @@ int flush;
             copy = out - left;
             if (state->offset > copy) {         /* copy from window */
                 copy = state->offset - copy;
-                if (copy > state->write) {
-                    copy -= state->write;
+                if (copy > state->whave) {
+                    if (state->sane) {
+                        strm->msg = (char *)"invalid distance too far back";
+                        state->mode = BAD;
+                        break;
+                    }
+#ifdef INFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR
+                    Trace((stderr, "inflate.c too far\n"));
+                    copy -= state->whave;
+                    if (copy > state->length) copy = state->length;
+                    if (copy > left) copy = left;
+                    left -= copy;
+                    state->length -= copy;
+                    do {
+                        *put++ = 0;
+                    } while (--copy);
+                    if (state->length == 0) state->mode = LEN;
+                    break;
+#endif
+                }
+                if (copy > state->wnext) {
+                    copy -= state->wnext;
                     from = state->window + (state->wsize - copy);
                 }
                 else
-                    from = state->window + (state->write - copy);
+                    from = state->window + (state->wnext - copy);
                 if (copy > state->length) copy = state->length;
             }
             else {                              /* copy from output */
@@ -1146,7 +1228,8 @@ int flush;
         strm->adler = state->check =
             UPDATE(state->check, strm->next_out - out, out);
     strm->data_type = state->bits + (state->last ? 64 : 0) +
-                      (state->mode == TYPE ? 128 : 0);
+                      (state->mode == TYPE ? 128 : 0) +
+                      (state->mode == LEN_ || state->mode == COPY_ ? 256 : 0);
     if (((in == 0 && out == 0) || flush == Z_FINISH) && ret == Z_OK)
         ret = Z_BUF_ERROR;
     return ret;
@@ -1366,3 +1449,32 @@ z_streamp source;
     dest->state = (struct internal_state FAR *)copy;
     return Z_OK;
 }
+
+int ZEXPORT inflateUndermine(strm, subvert)
+z_streamp strm;
+int subvert;
+{
+    struct inflate_state FAR *state;
+
+    if (strm == Z_NULL || strm->state == Z_NULL) return Z_STREAM_ERROR;
+    state = (struct inflate_state FAR *)strm->state;
+    state->sane = !subvert;
+#ifdef INFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR
+    return Z_OK;
+#else
+    state->sane = 1;
+    return Z_DATA_ERROR;
+#endif
+}
+
+long ZEXPORT inflateMark(strm)
+z_streamp strm;
+{
+    struct inflate_state FAR *state;
+
+    if (strm == Z_NULL || strm->state == Z_NULL) return -1L << 16;
+    state = (struct inflate_state FAR *)strm->state;
+    return ((long)(state->back) << 16) +
+        (state->mode == COPY ? state->length :
+            (state->mode == MATCH ? state->was - state->length : 0));
+}
diff --git a/security/nss/lib/zlib/inflate.h b/security/nss/lib/zlib/inflate.h
index 07bd3e78a7c7..95f4986d4002 100644
--- a/security/nss/lib/zlib/inflate.h
+++ b/security/nss/lib/zlib/inflate.h
@@ -1,5 +1,5 @@
 /* inflate.h -- internal inflate state definition
- * Copyright (C) 1995-2004 Mark Adler
+ * Copyright (C) 1995-2009 Mark Adler
  * For conditions of distribution and use, see copyright notice in zlib.h
  */
 
@@ -32,11 +32,13 @@ typedef enum {
         TYPE,       /* i: waiting for type bits, including last-flag bit */
         TYPEDO,     /* i: same, but skip check to exit inflate on new block */
         STORED,     /* i: waiting for stored size (length and complement) */
+        COPY_,      /* i/o: same as COPY below, but only first time in */
         COPY,       /* i/o: waiting for input or output to copy stored block */
         TABLE,      /* i: waiting for dynamic block table lengths */
         LENLENS,    /* i: waiting for code length code lengths */
         CODELENS,   /* i: waiting for length/lit and distance code lengths */
-            LEN,        /* i: waiting for length/lit code */
+            LEN_,       /* i: same as LEN below, but only first time in */
+            LEN,        /* i: waiting for length/lit/eob code */
             LENEXT,     /* i: waiting for length extra bits */
             DIST,       /* i: waiting for distance code */
             DISTEXT,    /* i: waiting for distance extra bits */
@@ -53,19 +55,21 @@ typedef enum {
 /*
     State transitions between above modes -
 
-    (most modes can go to the BAD or MEM mode -- not shown for clarity)
+    (most modes can go to BAD or MEM on error -- not shown for clarity)
 
     Process header:
-        HEAD -> (gzip) or (zlib)
-        (gzip) -> FLAGS -> TIME -> OS -> EXLEN -> EXTRA -> NAME
-        NAME -> COMMENT -> HCRC -> TYPE
+        HEAD -> (gzip) or (zlib) or (raw)
+        (gzip) -> FLAGS -> TIME -> OS -> EXLEN -> EXTRA -> NAME -> COMMENT ->
+                  HCRC -> TYPE
         (zlib) -> DICTID or TYPE
         DICTID -> DICT -> TYPE
+        (raw) -> TYPEDO
     Read deflate blocks:
-            TYPE -> STORED or TABLE or LEN or CHECK
-            STORED -> COPY -> TYPE
-            TABLE -> LENLENS -> CODELENS -> LEN
-    Read deflate codes:
+            TYPE -> TYPEDO -> STORED or TABLE or LEN_ or CHECK
+            STORED -> COPY_ -> COPY -> TYPE
+            TABLE -> LENLENS -> CODELENS -> LEN_
+            LEN_ -> LEN
+    Read deflate codes in fixed or dynamic block:
                 LEN -> LENEXT or LIT or TYPE
                 LENEXT -> DIST -> DISTEXT -> MATCH -> LEN
                 LIT -> LEN
@@ -73,7 +77,7 @@ typedef enum {
         CHECK -> LENGTH -> DONE
  */
 
-/* state maintained between inflate() calls.  Approximately 7K bytes. */
+/* state maintained between inflate() calls.  Approximately 10K bytes. */
 struct inflate_state {
     inflate_mode mode;          /* current inflate mode */
     int last;                   /* true if processing last block */
@@ -88,7 +92,7 @@ struct inflate_state {
     unsigned wbits;             /* log base 2 of requested window size */
     unsigned wsize;             /* window size or zero if not using window */
     unsigned whave;             /* valid bytes in the window */
-    unsigned write;             /* window write index */
+    unsigned wnext;             /* window write index */
     unsigned char FAR *window;  /* allocated sliding window, if needed */
         /* bit accumulator */
     unsigned long hold;         /* input bit accumulator */
@@ -112,4 +116,7 @@ struct inflate_state {
     unsigned short lens[320];   /* temporary storage for code lengths */
     unsigned short work[288];   /* work area for code table building */
     code codes[ENOUGH];         /* space for code tables */
+    int sane;                   /* if false, allow invalid distance too far */
+    int back;                   /* bits back of last unprocessed length/lit */
+    unsigned was;               /* initial length of match */
 };
diff --git a/security/nss/lib/zlib/inftrees.c b/security/nss/lib/zlib/inftrees.c
index 8a9c13ff03d8..11e9c52accbe 100644
--- a/security/nss/lib/zlib/inftrees.c
+++ b/security/nss/lib/zlib/inftrees.c
@@ -1,5 +1,5 @@
 /* inftrees.c -- generate Huffman trees for efficient decoding
- * Copyright (C) 1995-2005 Mark Adler
+ * Copyright (C) 1995-2010 Mark Adler
  * For conditions of distribution and use, see copyright notice in zlib.h
  */
 
@@ -9,7 +9,7 @@
 #define MAXBITS 15
 
 const char inflate_copyright[] =
-   " inflate 1.2.3 Copyright 1995-2005 Mark Adler ";
+   " inflate 1.2.5 Copyright 1995-2010 Mark Adler ";
 /*
   If you use the zlib library in a product, an acknowledgment is welcome
   in the documentation of your product. If for some reason you cannot
@@ -29,7 +29,7 @@ const char inflate_copyright[] =
    table index bits.  It will differ if the request is greater than the
    longest code or if it is less than the shortest code.
  */
-int inflate_table(type, lens, codes, table, bits, work)
+int ZLIB_INTERNAL inflate_table(type, lens, codes, table, bits, work)
 codetype type;
 unsigned short FAR *lens;
 unsigned codes;
@@ -50,7 +50,7 @@ unsigned short FAR *work;
     unsigned fill;              /* index for replicating entries */
     unsigned low;               /* low bits for current root entry */
     unsigned mask;              /* mask for low root bits */
-    code this;                  /* table entry for duplication */
+    code here;                  /* table entry for duplication */
     code FAR *next;             /* next available space in table */
     const unsigned short FAR *base;     /* base value table to use */
     const unsigned short FAR *extra;    /* extra bits table to use */
@@ -62,7 +62,7 @@ unsigned short FAR *work;
         35, 43, 51, 59, 67, 83, 99, 115, 131, 163, 195, 227, 258, 0, 0};
     static const unsigned short lext[31] = { /* Length codes 257..285 extra */
         16, 16, 16, 16, 16, 16, 16, 16, 17, 17, 17, 17, 18, 18, 18, 18,
-        19, 19, 19, 19, 20, 20, 20, 20, 21, 21, 21, 21, 16, 201, 196};
+        19, 19, 19, 19, 20, 20, 20, 20, 21, 21, 21, 21, 16, 73, 195};
     static const unsigned short dbase[32] = { /* Distance codes 0..29 base */
         1, 2, 3, 4, 5, 7, 9, 13, 17, 25, 33, 49, 65, 97, 129, 193,
         257, 385, 513, 769, 1025, 1537, 2049, 3073, 4097, 6145,
@@ -115,15 +115,15 @@ unsigned short FAR *work;
         if (count[max] != 0) break;
     if (root > max) root = max;
     if (max == 0) {                     /* no symbols to code at all */
-        this.op = (unsigned char)64;    /* invalid code marker */
-        this.bits = (unsigned char)1;
-        this.val = (unsigned short)0;
-        *(*table)++ = this;             /* make a table to force an error */
-        *(*table)++ = this;
+        here.op = (unsigned char)64;    /* invalid code marker */
+        here.bits = (unsigned char)1;
+        here.val = (unsigned short)0;
+        *(*table)++ = here;             /* make a table to force an error */
+        *(*table)++ = here;
         *bits = 1;
         return 0;     /* no symbols, but wait for decoding to report error */
     }
-    for (min = 1; min <= MAXBITS; min++)
+    for (min = 1; min < max; min++)
         if (count[min] != 0) break;
     if (root < min) root = min;
 
@@ -166,11 +166,10 @@ unsigned short FAR *work;
        entered in the tables.
 
        used keeps track of how many table entries have been allocated from the
-       provided *table space.  It is checked when a LENS table is being made
-       against the space in *table, ENOUGH, minus the maximum space needed by
-       the worst case distance code, MAXD.  This should never happen, but the
-       sufficiency of ENOUGH has not been proven exhaustively, hence the check.
-       This assumes that when type == LENS, bits == 9.
+       provided *table space.  It is checked for LENS and DIST tables against
+       the constants ENOUGH_LENS and ENOUGH_DISTS to guard against changes in
+       the initial root table size constants.  See the comments in inftrees.h
+       for more information.
 
        sym increments through all symbols, and the loop terminates when
        all codes of length max, i.e. all codes, have been processed.  This
@@ -209,24 +208,25 @@ unsigned short FAR *work;
     mask = used - 1;            /* mask for comparing low */
 
     /* check available table space */
-    if (type == LENS && used >= ENOUGH - MAXD)
+    if ((type == LENS && used >= ENOUGH_LENS) ||
+        (type == DISTS && used >= ENOUGH_DISTS))
         return 1;
 
     /* process all codes and make table entries */
     for (;;) {
         /* create table entry */
-        this.bits = (unsigned char)(len - drop);
+        here.bits = (unsigned char)(len - drop);
         if ((int)(work[sym]) < end) {
-            this.op = (unsigned char)0;
-            this.val = work[sym];
+            here.op = (unsigned char)0;
+            here.val = work[sym];
         }
         else if ((int)(work[sym]) > end) {
-            this.op = (unsigned char)(extra[work[sym]]);
-            this.val = base[work[sym]];
+            here.op = (unsigned char)(extra[work[sym]]);
+            here.val = base[work[sym]];
         }
         else {
-            this.op = (unsigned char)(32 + 64);         /* end of block */
-            this.val = 0;
+            here.op = (unsigned char)(32 + 64);         /* end of block */
+            here.val = 0;
         }
 
         /* replicate for those indices with low len bits equal to huff */
@@ -235,7 +235,7 @@ unsigned short FAR *work;
         min = fill;                 /* save offset to next table */
         do {
             fill -= incr;
-            next[(huff >> drop) + fill] = this;
+            next[(huff >> drop) + fill] = here;
         } while (fill != 0);
 
         /* backwards increment the len-bit code huff */
@@ -277,7 +277,8 @@ unsigned short FAR *work;
 
             /* check for enough space */
             used += 1U << curr;
-            if (type == LENS && used >= ENOUGH - MAXD)
+            if ((type == LENS && used >= ENOUGH_LENS) ||
+                (type == DISTS && used >= ENOUGH_DISTS))
                 return 1;
 
             /* point entry in root table to sub-table */
@@ -295,20 +296,20 @@ unsigned short FAR *work;
        through high index bits.  When the current sub-table is filled, the loop
        drops back to the root table to fill in any remaining entries there.
      */
-    this.op = (unsigned char)64;                /* invalid code marker */
-    this.bits = (unsigned char)(len - drop);
-    this.val = (unsigned short)0;
+    here.op = (unsigned char)64;                /* invalid code marker */
+    here.bits = (unsigned char)(len - drop);
+    here.val = (unsigned short)0;
     while (huff != 0) {
         /* when done with sub-table, drop back to root table */
         if (drop != 0 && (huff & mask) != low) {
             drop = 0;
             len = root;
             next = *table;
-            this.bits = (unsigned char)len;
+            here.bits = (unsigned char)len;
         }
 
         /* put invalid code marker in table */
-        next[huff >> drop] = this;
+        next[huff >> drop] = here;
 
         /* backwards increment the len-bit code huff */
         incr = 1U << (len - 1);
diff --git a/security/nss/lib/zlib/inftrees.h b/security/nss/lib/zlib/inftrees.h
index b1104c87e769..baa53a0b1a19 100644
--- a/security/nss/lib/zlib/inftrees.h
+++ b/security/nss/lib/zlib/inftrees.h
@@ -1,5 +1,5 @@
 /* inftrees.h -- header to use inftrees.c
- * Copyright (C) 1995-2005 Mark Adler
+ * Copyright (C) 1995-2005, 2010 Mark Adler
  * For conditions of distribution and use, see copyright notice in zlib.h
  */
 
@@ -35,21 +35,28 @@ typedef struct {
     01000000 - invalid code
  */
 
-/* Maximum size of dynamic tree.  The maximum found in a long but non-
-   exhaustive search was 1444 code structures (852 for length/literals
-   and 592 for distances, the latter actually the result of an
-   exhaustive search).  The true maximum is not known, but the value
-   below is more than safe. */
-#define ENOUGH 2048
-#define MAXD 592
+/* Maximum size of the dynamic table.  The maximum number of code structures is
+   1444, which is the sum of 852 for literal/length codes and 592 for distance
+   codes.  These values were found by exhaustive searches using the program
+   examples/enough.c found in the zlib distribtution.  The arguments to that
+   program are the number of symbols, the initial root table size, and the
+   maximum bit length of a code.  "enough 286 9 15" for literal/length codes
+   returns returns 852, and "enough 30 6 15" for distance codes returns 592.
+   The initial root table size (9 or 6) is found in the fifth argument of the
+   inflate_table() calls in inflate.c and infback.c.  If the root table size is
+   changed, then these maximum sizes would be need to be recalculated and
+   updated. */
+#define ENOUGH_LENS 852
+#define ENOUGH_DISTS 592
+#define ENOUGH (ENOUGH_LENS+ENOUGH_DISTS)
 
-/* Type of code to build for inftable() */
+/* Type of code to build for inflate_table() */
 typedef enum {
     CODES,
     LENS,
     DISTS
 } codetype;
 
-extern int inflate_table OF((codetype type, unsigned short FAR *lens,
+int ZLIB_INTERNAL inflate_table OF((codetype type, unsigned short FAR *lens,
                              unsigned codes, code FAR * FAR *table,
                              unsigned FAR *bits, unsigned short FAR *work));
diff --git a/security/nss/lib/zlib/manifest.mn b/security/nss/lib/zlib/manifest.mn
index ae4348295b45..1f4c9e4b9d48 100644
--- a/security/nss/lib/zlib/manifest.mn
+++ b/security/nss/lib/zlib/manifest.mn
@@ -44,15 +44,18 @@ PRIVATE_EXPORTS = zlib.h zconf.h
 CSRCS =	adler32.c 	\
 	compress.c 	\
 	crc32.c 	\
-	gzio.c  	\
-	uncompr.c 	\
 	deflate.c 	\
-	trees.c 	\
-	zutil.c 	\
-	inflate.c 	\
+	gzclose.c	\
+	gzlib.c		\
+	gzread.c	\
+	gzwrite.c	\
 	infback.c 	\
+	inffast.c	\
+	inflate.c 	\
 	inftrees.c 	\
-	inffast.c 	\
+	trees.c 	\
+	uncompr.c 	\
+	zutil.c 	\
 	$(NULL)
 
 LIBRARY_NAME = zlib
diff --git a/security/nss/lib/zlib/minigzip.c b/security/nss/lib/zlib/minigzip.c
index 19ec0c99cf7f..a158d52a88e7 100644
--- a/security/nss/lib/zlib/minigzip.c
+++ b/security/nss/lib/zlib/minigzip.c
@@ -1,5 +1,5 @@
 /* minigzip.c -- simulate gzip using the zlib compression library
- * Copyright (C) 1995-2005 Jean-loup Gailly.
+ * Copyright (C) 1995-2006, 2010 Jean-loup Gailly.
  * For conditions of distribution and use, see copyright notice in zlib.h
  */
 
@@ -13,10 +13,10 @@
  * or in pipe mode.
  */
 
-/* @(#) $Id: minigzip.c,v 1.6 2009/11/07 01:13:12 nelson%bolyard.com Exp $ */
+/* @(#) $Id: minigzip.c,v 1.7 2010/08/22 01:07:03 wtc%google.com Exp $ */
 
-#include 
 #include "zlib.h"
+#include 
 
 #ifdef STDC
 #  include 
@@ -32,11 +32,18 @@
 #if defined(MSDOS) || defined(OS2) || defined(WIN32) || defined(__CYGWIN__)
 #  include 
 #  include 
+#  ifdef UNDER_CE
+#    include 
+#  endif
 #  define SET_BINARY_MODE(file) setmode(fileno(file), O_BINARY)
 #else
 #  define SET_BINARY_MODE(file)
 #endif
 
+#ifdef VMS
+#  define unlink delete
+#  define GZ_SUFFIX "-gz"
+#endif
 #ifdef RISCOS
 #  define unlink remove
 #  define GZ_SUFFIX "-gz"
@@ -46,9 +53,75 @@
 #  include  /* for fileno */
 #endif
 
+#if !defined(Z_HAVE_UNISTD_H) && !defined(_LARGEFILE64_SOURCE)
 #ifndef WIN32 /* unlink already in stdio.h for WIN32 */
   extern int unlink OF((const char *));
 #endif
+#endif
+
+#if defined(UNDER_CE)
+#  include 
+#  define perror(s) pwinerror(s)
+
+/* Map the Windows error number in ERROR to a locale-dependent error
+   message string and return a pointer to it.  Typically, the values
+   for ERROR come from GetLastError.
+
+   The string pointed to shall not be modified by the application,
+   but may be overwritten by a subsequent call to strwinerror
+
+   The strwinerror function does not change the current setting
+   of GetLastError.  */
+
+static char *strwinerror (error)
+     DWORD error;
+{
+    static char buf[1024];
+
+    wchar_t *msgbuf;
+    DWORD lasterr = GetLastError();
+    DWORD chars = FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM
+        | FORMAT_MESSAGE_ALLOCATE_BUFFER,
+        NULL,
+        error,
+        0, /* Default language */
+        (LPVOID)&msgbuf,
+        0,
+        NULL);
+    if (chars != 0) {
+        /* If there is an \r\n appended, zap it.  */
+        if (chars >= 2
+            && msgbuf[chars - 2] == '\r' && msgbuf[chars - 1] == '\n') {
+            chars -= 2;
+            msgbuf[chars] = 0;
+        }
+
+        if (chars > sizeof (buf) - 1) {
+            chars = sizeof (buf) - 1;
+            msgbuf[chars] = 0;
+        }
+
+        wcstombs(buf, msgbuf, chars + 1);
+        LocalFree(msgbuf);
+    }
+    else {
+        sprintf(buf, "unknown win32 error (%ld)", error);
+    }
+
+    SetLastError(lasterr);
+    return buf;
+}
+
+static void pwinerror (s)
+    const char *s;
+{
+    if (s && *s)
+        fprintf(stderr, "%s: %s\n", s, strwinerror(GetLastError ()));
+    else
+        fprintf(stderr, "%s\n", strwinerror(GetLastError ()));
+}
+
+#endif /* UNDER_CE */
 
 #ifndef GZ_SUFFIX
 #  define GZ_SUFFIX ".gz"
@@ -194,6 +267,11 @@ void file_compress(file, mode)
     FILE  *in;
     gzFile out;
 
+    if (strlen(file) + strlen(GZ_SUFFIX) >= sizeof(outfile)) {
+        fprintf(stderr, "%s: filename too long\n", prog);
+        exit(1);
+    }
+
     strcpy(outfile, file);
     strcat(outfile, GZ_SUFFIX);
 
@@ -223,7 +301,12 @@ void file_uncompress(file)
     char *infile, *outfile;
     FILE  *out;
     gzFile in;
-    uInt len = (uInt)strlen(file);
+    size_t len = strlen(file);
+
+    if (len + strlen(GZ_SUFFIX) >= sizeof(buf)) {
+        fprintf(stderr, "%s: filename too long\n", prog);
+        exit(1);
+    }
 
     strcpy(buf, file);
 
@@ -254,7 +337,8 @@ void file_uncompress(file)
 
 
 /* ===========================================================================
- * Usage:  minigzip [-d] [-f] [-h] [-r] [-1 to -9] [files...]
+ * Usage:  minigzip [-c] [-d] [-f] [-h] [-r] [-1 to -9] [files...]
+ *   -c : write to standard output
  *   -d : decompress
  *   -f : compress with Z_FILTERED
  *   -h : compress with Z_HUFFMAN_ONLY
@@ -266,17 +350,30 @@ int main(argc, argv)
     int argc;
     char *argv[];
 {
+    int copyout = 0;
     int uncompr = 0;
     gzFile file;
-    char outmode[20];
+    char *bname, outmode[20];
 
     strcpy(outmode, "wb6 ");
 
     prog = argv[0];
+    bname = strrchr(argv[0], '/');
+    if (bname)
+      bname++;
+    else
+      bname = argv[0];
     argc--, argv++;
 
+    if (!strcmp(bname, "gunzip"))
+      uncompr = 1;
+    else if (!strcmp(bname, "zcat"))
+      copyout = uncompr = 1;
+
     while (argc > 0) {
-      if (strcmp(*argv, "-d") == 0)
+      if (strcmp(*argv, "-c") == 0)
+        copyout = 1;
+      else if (strcmp(*argv, "-d") == 0)
         uncompr = 1;
       else if (strcmp(*argv, "-f") == 0)
         outmode[3] = 'f';
@@ -306,11 +403,36 @@ int main(argc, argv)
             gz_compress(stdin, file);
         }
     } else {
+        if (copyout) {
+            SET_BINARY_MODE(stdout);
+        }
         do {
             if (uncompr) {
-                file_uncompress(*argv);
+                if (copyout) {
+                    file = gzopen(*argv, "rb");
+                    if (file == NULL)
+                        fprintf(stderr, "%s: can't gzopen %s\n", prog, *argv);
+                    else
+                        gz_uncompress(file, stdout);
+                } else {
+                    file_uncompress(*argv);
+                }
             } else {
-                file_compress(*argv, outmode);
+                if (copyout) {
+                    FILE * in = fopen(*argv, "rb");
+
+                    if (in == NULL) {
+                        perror(*argv);
+                    } else {
+                        file = gzdopen(fileno(stdout), outmode);
+                        if (file == NULL) error("can't gzdopen stdout");
+
+                        gz_compress(in, file);
+                    }
+
+                } else {
+                    file_compress(*argv, outmode);
+                }
             }
         } while (argv++, --argc);
     }
diff --git a/security/nss/lib/zlib/patches/msvc-vsnprintf.patch b/security/nss/lib/zlib/patches/msvc-vsnprintf.patch
new file mode 100644
index 000000000000..2b8d2a646c06
--- /dev/null
+++ b/security/nss/lib/zlib/patches/msvc-vsnprintf.patch
@@ -0,0 +1,22 @@
+--- zlib-1.2.5/zutil.h	2010-04-18 12:29:24 -0700
++++ zlib/zutil.h	2010-08-21 18:07:03 -0700
+@@ -172,17 +172,18 @@
+ #endif
+ 
+ #ifndef F_OPEN
+ #  define F_OPEN(name, mode) fopen((name), (mode))
+ #endif
+ 
+          /* functions */
+ 
+-#if defined(STDC99) || (defined(__TURBOC__) && __TURBOC__ >= 0x550)
++#if defined(STDC99) || (defined(__TURBOC__) && __TURBOC__ >= 0x550) || \
++   (defined(_MSC_VER) && _MSC_VER >= 1500)
+ #  ifndef HAVE_VSNPRINTF
+ #    define HAVE_VSNPRINTF
+ #  endif
+ #endif
+ #if defined(__CYGWIN__)
+ #  ifndef HAVE_VSNPRINTF
+ #    define HAVE_VSNPRINTF
+ #  endif
diff --git a/security/nss/lib/zlib/patches/prune-zlib.sh b/security/nss/lib/zlib/patches/prune-zlib.sh
new file mode 100644
index 000000000000..c4d3799d6853
--- /dev/null
+++ b/security/nss/lib/zlib/patches/prune-zlib.sh
@@ -0,0 +1,30 @@
+files_to_remove="
+CMakeLists.txt
+ChangeLog
+FAQ
+INDEX
+Makefile
+Makefile.in
+amiga
+configure
+contrib
+doc
+examples
+make_vms.com
+msdos
+nintendods
+old
+qnx
+treebuild.xml
+watcom
+win32
+zconf.h.cmakein
+zconf.h.in
+zlib.3
+zlib.3.pdf
+zlib.map
+zlib.pc.in
+zlib2ansi
+"
+
+rm -rf $files_to_remove
diff --git a/security/nss/lib/zlib/trees.c b/security/nss/lib/zlib/trees.c
index cb289e78f6b2..2813741c8c37 100644
--- a/security/nss/lib/zlib/trees.c
+++ b/security/nss/lib/zlib/trees.c
@@ -1,5 +1,6 @@
 /* trees.c -- output deflated data using Huffman coding
- * Copyright (C) 1995-2005 Jean-loup Gailly
+ * Copyright (C) 1995-2010 Jean-loup Gailly
+ * detect_data_type() function provided freely by Cosmin Truta, 2006
  * For conditions of distribution and use, see copyright notice in zlib.h
  */
 
@@ -29,7 +30,7 @@
  *          Addison-Wesley, 1983. ISBN 0-201-06672-6.
  */
 
-/* @(#) $Id: trees.c,v 1.5 2009/11/07 01:13:12 wtchang%redhat.com Exp $ */
+/* @(#) $Id: trees.c,v 1.6 2010/08/22 01:07:03 wtc%google.com Exp $ */
 
 /* #define GEN_TREES_H */
 
@@ -152,7 +153,7 @@ local void send_all_trees OF((deflate_state *s, int lcodes, int dcodes,
                               int blcodes));
 local void compress_block OF((deflate_state *s, ct_data *ltree,
                               ct_data *dtree));
-local void set_data_type  OF((deflate_state *s));
+local int  detect_data_type OF((deflate_state *s));
 local unsigned bi_reverse OF((unsigned value, int length));
 local void bi_windup      OF((deflate_state *s));
 local void bi_flush       OF((deflate_state *s));
@@ -203,12 +204,12 @@ local void send_bits(s, value, length)
      * unused bits in value.
      */
     if (s->bi_valid > (int)Buf_size - length) {
-        s->bi_buf |= (value << s->bi_valid);
+        s->bi_buf |= (ush)value << s->bi_valid;
         put_short(s, s->bi_buf);
         s->bi_buf = (ush)value >> (Buf_size - s->bi_valid);
         s->bi_valid += length - Buf_size;
     } else {
-        s->bi_buf |= value << s->bi_valid;
+        s->bi_buf |= (ush)value << s->bi_valid;
         s->bi_valid += length;
     }
 }
@@ -218,12 +219,12 @@ local void send_bits(s, value, length)
 { int len = length;\
   if (s->bi_valid > (int)Buf_size - len) {\
     int val = value;\
-    s->bi_buf |= (val << s->bi_valid);\
+    s->bi_buf |= (ush)val << s->bi_valid;\
     put_short(s, s->bi_buf);\
     s->bi_buf = (ush)val >> (Buf_size - s->bi_valid);\
     s->bi_valid += len - Buf_size;\
   } else {\
-    s->bi_buf |= (value) << s->bi_valid;\
+    s->bi_buf |= (ush)(value) << s->bi_valid;\
     s->bi_valid += len;\
   }\
 }
@@ -250,11 +251,13 @@ local void tr_static_init()
     if (static_init_done) return;
 
     /* For some embedded targets, global variables are not initialized: */
+#ifdef NO_INIT_GLOBAL_POINTERS
     static_l_desc.static_tree = static_ltree;
     static_l_desc.extra_bits = extra_lbits;
     static_d_desc.static_tree = static_dtree;
     static_d_desc.extra_bits = extra_dbits;
     static_bl_desc.extra_bits = extra_blbits;
+#endif
 
     /* Initialize the mapping length (0..255) -> length code (0..28) */
     length = 0;
@@ -348,13 +351,14 @@ void gen_trees_header()
                 static_dtree[i].Len, SEPARATOR(i, D_CODES-1, 5));
     }
 
-    fprintf(header, "const uch _dist_code[DIST_CODE_LEN] = {\n");
+    fprintf(header, "const uch ZLIB_INTERNAL _dist_code[DIST_CODE_LEN] = {\n");
     for (i = 0; i < DIST_CODE_LEN; i++) {
         fprintf(header, "%2u%s", _dist_code[i],
                 SEPARATOR(i, DIST_CODE_LEN-1, 20));
     }
 
-    fprintf(header, "const uch _length_code[MAX_MATCH-MIN_MATCH+1]= {\n");
+    fprintf(header,
+        "const uch ZLIB_INTERNAL _length_code[MAX_MATCH-MIN_MATCH+1]= {\n");
     for (i = 0; i < MAX_MATCH-MIN_MATCH+1; i++) {
         fprintf(header, "%2u%s", _length_code[i],
                 SEPARATOR(i, MAX_MATCH-MIN_MATCH, 20));
@@ -379,7 +383,7 @@ void gen_trees_header()
 /* ===========================================================================
  * Initialize the tree data structures for a new zlib stream.
  */
-void _tr_init(s)
+void ZLIB_INTERNAL _tr_init(s)
     deflate_state *s;
 {
     tr_static_init();
@@ -864,13 +868,13 @@ local void send_all_trees(s, lcodes, dcodes, blcodes)
 /* ===========================================================================
  * Send a stored block
  */
-void _tr_stored_block(s, buf, stored_len, eof)
+void ZLIB_INTERNAL _tr_stored_block(s, buf, stored_len, last)
     deflate_state *s;
     charf *buf;       /* input block */
     ulg stored_len;   /* length of input block */
-    int eof;          /* true if this is the last block for a file */
+    int last;         /* one if this is the last block for a file */
 {
-    send_bits(s, (STORED_BLOCK<<1)+eof, 3);  /* send block type */
+    send_bits(s, (STORED_BLOCK<<1)+last, 3);    /* send block type */
 #ifdef DEBUG
     s->compressed_len = (s->compressed_len + 3 + 7) & (ulg)~7L;
     s->compressed_len += (stored_len + 4) << 3;
@@ -889,7 +893,7 @@ void _tr_stored_block(s, buf, stored_len, eof)
  * To simplify the code, we assume the worst case of last real code encoded
  * on one bit only.
  */
-void _tr_align(s)
+void ZLIB_INTERNAL _tr_align(s)
     deflate_state *s;
 {
     send_bits(s, STATIC_TREES<<1, 3);
@@ -918,11 +922,11 @@ void _tr_align(s)
  * Determine the best encoding for the current block: dynamic trees, static
  * trees or store, and output the encoded block to the zip file.
  */
-void _tr_flush_block(s, buf, stored_len, eof)
+void ZLIB_INTERNAL _tr_flush_block(s, buf, stored_len, last)
     deflate_state *s;
     charf *buf;       /* input block, or NULL if too old */
     ulg stored_len;   /* length of input block */
-    int eof;          /* true if this is the last block for a file */
+    int last;         /* one if this is the last block for a file */
 {
     ulg opt_lenb, static_lenb; /* opt_len and static_len in bytes */
     int max_blindex = 0;  /* index of last bit length code of non zero freq */
@@ -931,8 +935,8 @@ void _tr_flush_block(s, buf, stored_len, eof)
     if (s->level > 0) {
 
         /* Check if the file is binary or text */
-        if (stored_len > 0 && s->strm->data_type == Z_UNKNOWN)
-            set_data_type(s);
+        if (s->strm->data_type == Z_UNKNOWN)
+            s->strm->data_type = detect_data_type(s);
 
         /* Construct the literal and distance trees */
         build_tree(s, (tree_desc *)(&(s->l_desc)));
@@ -978,20 +982,20 @@ void _tr_flush_block(s, buf, stored_len, eof)
          * successful. If LIT_BUFSIZE <= WSIZE, it is never too late to
          * transform a block into a stored block.
          */
-        _tr_stored_block(s, buf, stored_len, eof);
+        _tr_stored_block(s, buf, stored_len, last);
 
 #ifdef FORCE_STATIC
     } else if (static_lenb >= 0) { /* force static trees */
 #else
     } else if (s->strategy == Z_FIXED || static_lenb == opt_lenb) {
 #endif
-        send_bits(s, (STATIC_TREES<<1)+eof, 3);
+        send_bits(s, (STATIC_TREES<<1)+last, 3);
         compress_block(s, (ct_data *)static_ltree, (ct_data *)static_dtree);
 #ifdef DEBUG
         s->compressed_len += 3 + s->static_len;
 #endif
     } else {
-        send_bits(s, (DYN_TREES<<1)+eof, 3);
+        send_bits(s, (DYN_TREES<<1)+last, 3);
         send_all_trees(s, s->l_desc.max_code+1, s->d_desc.max_code+1,
                        max_blindex+1);
         compress_block(s, (ct_data *)s->dyn_ltree, (ct_data *)s->dyn_dtree);
@@ -1005,21 +1009,21 @@ void _tr_flush_block(s, buf, stored_len, eof)
      */
     init_block(s);
 
-    if (eof) {
+    if (last) {
         bi_windup(s);
 #ifdef DEBUG
         s->compressed_len += 7;  /* align on byte boundary */
 #endif
     }
     Tracev((stderr,"\ncomprlen %lu(%lu) ", s->compressed_len>>3,
-           s->compressed_len-7*eof));
+           s->compressed_len-7*last));
 }
 
 /* ===========================================================================
  * Save the match info and tally the frequency counts. Return true if
  * the current block must be flushed.
  */
-int _tr_tally (s, dist, lc)
+int ZLIB_INTERNAL _tr_tally (s, dist, lc)
     deflate_state *s;
     unsigned dist;  /* distance of matched string */
     unsigned lc;    /* match length-MIN_MATCH or unmatched char (if dist==0) */
@@ -1118,24 +1122,45 @@ local void compress_block(s, ltree, dtree)
 }
 
 /* ===========================================================================
- * Set the data type to BINARY or TEXT, using a crude approximation:
- * set it to Z_TEXT if all symbols are either printable characters (33 to 255)
- * or white spaces (9 to 13, or 32); or set it to Z_BINARY otherwise.
+ * Check if the data type is TEXT or BINARY, using the following algorithm:
+ * - TEXT if the two conditions below are satisfied:
+ *    a) There are no non-portable control characters belonging to the
+ *       "black list" (0..6, 14..25, 28..31).
+ *    b) There is at least one printable character belonging to the
+ *       "white list" (9 {TAB}, 10 {LF}, 13 {CR}, 32..255).
+ * - BINARY otherwise.
+ * - The following partially-portable control characters form a
+ *   "gray list" that is ignored in this detection algorithm:
+ *   (7 {BEL}, 8 {BS}, 11 {VT}, 12 {FF}, 26 {SUB}, 27 {ESC}).
  * IN assertion: the fields Freq of dyn_ltree are set.
  */
-local void set_data_type(s)
+local int detect_data_type(s)
     deflate_state *s;
 {
+    /* black_mask is the bit mask of black-listed bytes
+     * set bits 0..6, 14..25, and 28..31
+     * 0xf3ffc07f = binary 11110011111111111100000001111111
+     */
+    unsigned long black_mask = 0xf3ffc07fUL;
     int n;
 
-    for (n = 0; n < 9; n++)
+    /* Check for non-textual ("black-listed") bytes. */
+    for (n = 0; n <= 31; n++, black_mask >>= 1)
+        if ((black_mask & 1) && (s->dyn_ltree[n].Freq != 0))
+            return Z_BINARY;
+
+    /* Check for textual ("white-listed") bytes. */
+    if (s->dyn_ltree[9].Freq != 0 || s->dyn_ltree[10].Freq != 0
+            || s->dyn_ltree[13].Freq != 0)
+        return Z_TEXT;
+    for (n = 32; n < LITERALS; n++)
         if (s->dyn_ltree[n].Freq != 0)
-            break;
-    if (n == 9)
-        for (n = 14; n < 32; n++)
-            if (s->dyn_ltree[n].Freq != 0)
-                break;
-    s->strm->data_type = (n == 32) ? Z_TEXT : Z_BINARY;
+            return Z_TEXT;
+
+    /* There are no "black-listed" or "white-listed" bytes:
+     * this stream either is empty or has tolerated ("gray-listed") bytes only.
+     */
+    return Z_BINARY;
 }
 
 /* ===========================================================================
diff --git a/security/nss/lib/zlib/trees.h b/security/nss/lib/zlib/trees.h
index 72facf900f77..d35639d82a27 100644
--- a/security/nss/lib/zlib/trees.h
+++ b/security/nss/lib/zlib/trees.h
@@ -70,7 +70,7 @@ local const ct_data static_dtree[D_CODES] = {
 {{19},{ 5}}, {{11},{ 5}}, {{27},{ 5}}, {{ 7},{ 5}}, {{23},{ 5}}
 };
 
-const uch _dist_code[DIST_CODE_LEN] = {
+const uch ZLIB_INTERNAL _dist_code[DIST_CODE_LEN] = {
  0,  1,  2,  3,  4,  4,  5,  5,  6,  6,  6,  6,  7,  7,  7,  7,  8,  8,  8,  8,
  8,  8,  8,  8,  9,  9,  9,  9,  9,  9,  9,  9, 10, 10, 10, 10, 10, 10, 10, 10,
 10, 10, 10, 10, 10, 10, 10, 10, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11,
@@ -99,7 +99,7 @@ const uch _dist_code[DIST_CODE_LEN] = {
 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29
 };
 
-const uch _length_code[MAX_MATCH-MIN_MATCH+1]= {
+const uch ZLIB_INTERNAL _length_code[MAX_MATCH-MIN_MATCH+1]= {
  0,  1,  2,  3,  4,  5,  6,  7,  8,  8,  9,  9, 10, 10, 11, 11, 12, 12, 12, 12,
 13, 13, 13, 13, 14, 14, 14, 14, 15, 15, 15, 15, 16, 16, 16, 16, 16, 16, 16, 16,
 17, 17, 17, 17, 17, 17, 17, 17, 18, 18, 18, 18, 18, 18, 18, 18, 19, 19, 19, 19,
diff --git a/security/nss/lib/zlib/uncompr.c b/security/nss/lib/zlib/uncompr.c
index 398f3e0b9a00..81219d7d578e 100644
--- a/security/nss/lib/zlib/uncompr.c
+++ b/security/nss/lib/zlib/uncompr.c
@@ -1,9 +1,9 @@
 /* uncompr.c -- decompress a memory buffer
- * Copyright (C) 1995-2003 Jean-loup Gailly.
+ * Copyright (C) 1995-2003, 2010 Jean-loup Gailly.
  * For conditions of distribution and use, see copyright notice in zlib.h
  */
 
-/* @(#) $Id: uncompr.c,v 1.5 2009/11/07 01:13:12 wtchang%redhat.com Exp $ */
+/* @(#) $Id: uncompr.c,v 1.6 2010/08/22 01:07:03 wtc%google.com Exp $ */
 
 #define ZLIB_INTERNAL
 #include "zlib.h"
@@ -16,8 +16,6 @@
    been saved previously by the compressor and transmitted to the decompressor
    by some mechanism outside the scope of this compression library.)
    Upon exit, destLen is the actual size of the compressed buffer.
-     This function can be used to decompress a whole file at once if the
-   input file is mmap'ed.
 
      uncompress returns Z_OK if success, Z_MEM_ERROR if there was not
    enough memory, Z_BUF_ERROR if there was not enough room in the output
diff --git a/security/nss/lib/zlib/zconf.h b/security/nss/lib/zlib/zconf.h
index 224aaaa2ba69..17a245edc2c5 100644
--- a/security/nss/lib/zlib/zconf.h
+++ b/security/nss/lib/zlib/zconf.h
@@ -1,9 +1,9 @@
 /* zconf.h -- configuration of the zlib compression library
- * Copyright (C) 1995-2005 Jean-loup Gailly.
+ * Copyright (C) 1995-2010 Jean-loup Gailly.
  * For conditions of distribution and use, see copyright notice in zlib.h
  */
 
-/* @(#) $Id: zconf.h,v 1.7 2009/11/07 01:13:12 nelson%bolyard.com Exp $ */
+/* @(#) $Id: zconf.h,v 1.8 2010/08/22 01:07:03 wtc%google.com Exp $ */
 
 #ifndef ZCONF_H
 #define ZCONF_H
@@ -11,52 +11,124 @@
 /*
  * If you *really* need a unique prefix for all types and library functions,
  * compile with -DZ_PREFIX. The "standard" zlib should be compiled without it.
+ * Even better than compiling with -DZ_PREFIX would be to use configure to set
+ * this permanently in zconf.h using "./configure --zprefix".
  */
-#ifdef Z_PREFIX
-#  define deflateInit_          z_deflateInit_
-#  define deflate               z_deflate
-#  define deflateEnd            z_deflateEnd
-#  define inflateInit_          z_inflateInit_
-#  define inflate               z_inflate
-#  define inflateEnd            z_inflateEnd
-#  define deflateInit2_         z_deflateInit2_
-#  define deflateSetDictionary  z_deflateSetDictionary
-#  define deflateCopy           z_deflateCopy
-#  define deflateReset          z_deflateReset
-#  define deflateParams         z_deflateParams
-#  define deflateBound          z_deflateBound
-#  define deflatePrime          z_deflatePrime
-#  define inflateInit2_         z_inflateInit2_
-#  define inflateSetDictionary  z_inflateSetDictionary
-#  define inflateSync           z_inflateSync
-#  define inflateSyncPoint      z_inflateSyncPoint
-#  define inflateCopy           z_inflateCopy
-#  define inflateReset          z_inflateReset
-#  define inflateBack           z_inflateBack
-#  define inflateBackEnd        z_inflateBackEnd
+#ifdef Z_PREFIX     /* may be set to #if 1 by ./configure */
+
+/* all linked symbols */
+#  define _dist_code            z__dist_code
+#  define _length_code          z__length_code
+#  define _tr_align             z__tr_align
+#  define _tr_flush_block       z__tr_flush_block
+#  define _tr_init              z__tr_init
+#  define _tr_stored_block      z__tr_stored_block
+#  define _tr_tally             z__tr_tally
+#  define adler32               z_adler32
+#  define adler32_combine       z_adler32_combine
+#  define adler32_combine64     z_adler32_combine64
 #  define compress              z_compress
 #  define compress2             z_compress2
 #  define compressBound         z_compressBound
-#  define uncompress            z_uncompress
-#  define adler32               z_adler32
 #  define crc32                 z_crc32
+#  define crc32_combine         z_crc32_combine
+#  define crc32_combine64       z_crc32_combine64
+#  define deflate               z_deflate
+#  define deflateBound          z_deflateBound
+#  define deflateCopy           z_deflateCopy
+#  define deflateEnd            z_deflateEnd
+#  define deflateInit2_         z_deflateInit2_
+#  define deflateInit_          z_deflateInit_
+#  define deflateParams         z_deflateParams
+#  define deflatePrime          z_deflatePrime
+#  define deflateReset          z_deflateReset
+#  define deflateSetDictionary  z_deflateSetDictionary
+#  define deflateSetHeader      z_deflateSetHeader
+#  define deflateTune           z_deflateTune
+#  define deflate_copyright     z_deflate_copyright
 #  define get_crc_table         z_get_crc_table
+#  define gz_error              z_gz_error
+#  define gz_intmax             z_gz_intmax
+#  define gz_strwinerror        z_gz_strwinerror
+#  define gzbuffer              z_gzbuffer
+#  define gzclearerr            z_gzclearerr
+#  define gzclose               z_gzclose
+#  define gzclose_r             z_gzclose_r
+#  define gzclose_w             z_gzclose_w
+#  define gzdirect              z_gzdirect
+#  define gzdopen               z_gzdopen
+#  define gzeof                 z_gzeof
+#  define gzerror               z_gzerror
+#  define gzflush               z_gzflush
+#  define gzgetc                z_gzgetc
+#  define gzgets                z_gzgets
+#  define gzoffset              z_gzoffset
+#  define gzoffset64            z_gzoffset64
+#  define gzopen                z_gzopen
+#  define gzopen64              z_gzopen64
+#  define gzprintf              z_gzprintf
+#  define gzputc                z_gzputc
+#  define gzputs                z_gzputs
+#  define gzread                z_gzread
+#  define gzrewind              z_gzrewind
+#  define gzseek                z_gzseek
+#  define gzseek64              z_gzseek64
+#  define gzsetparams           z_gzsetparams
+#  define gztell                z_gztell
+#  define gztell64              z_gztell64
+#  define gzungetc              z_gzungetc
+#  define gzwrite               z_gzwrite
+#  define inflate               z_inflate
+#  define inflateBack           z_inflateBack
+#  define inflateBackEnd        z_inflateBackEnd
+#  define inflateBackInit_      z_inflateBackInit_
+#  define inflateCopy           z_inflateCopy
+#  define inflateEnd            z_inflateEnd
+#  define inflateGetHeader      z_inflateGetHeader
+#  define inflateInit2_         z_inflateInit2_
+#  define inflateInit_          z_inflateInit_
+#  define inflateMark           z_inflateMark
+#  define inflatePrime          z_inflatePrime
+#  define inflateReset          z_inflateReset
+#  define inflateReset2         z_inflateReset2
+#  define inflateSetDictionary  z_inflateSetDictionary
+#  define inflateSync           z_inflateSync
+#  define inflateSyncPoint      z_inflateSyncPoint
+#  define inflateUndermine      z_inflateUndermine
+#  define inflate_copyright     z_inflate_copyright
+#  define inflate_fast          z_inflate_fast
+#  define inflate_table         z_inflate_table
+#  define uncompress            z_uncompress
 #  define zError                z_zError
+#  define zcalloc               z_zcalloc
+#  define zcfree                z_zcfree
+#  define zlibCompileFlags      z_zlibCompileFlags
+#  define zlibVersion           z_zlibVersion
 
-#  define alloc_func            z_alloc_func
-#  define free_func             z_free_func
-#  define in_func               z_in_func
-#  define out_func              z_out_func
+/* all zlib typedefs in zlib.h and zconf.h */
 #  define Byte                  z_Byte
-#  define uInt                  z_uInt
-#  define uLong                 z_uLong
 #  define Bytef                 z_Bytef
+#  define alloc_func            z_alloc_func
 #  define charf                 z_charf
+#  define free_func             z_free_func
+#  define gzFile                z_gzFile
+#  define gz_header             z_gz_header
+#  define gz_headerp            z_gz_headerp
+#  define in_func               z_in_func
 #  define intf                  z_intf
+#  define out_func              z_out_func
+#  define uInt                  z_uInt
 #  define uIntf                 z_uIntf
+#  define uLong                 z_uLong
 #  define uLongf                z_uLongf
-#  define voidpf                z_voidpf
 #  define voidp                 z_voidp
+#  define voidpc                z_voidpc
+#  define voidpf                z_voidpf
+
+/* all zlib structs in zlib.h and zconf.h */
+#  define gz_header_s           z_gz_header_s
+#  define internal_state        z_internal_state
+
 #endif
 
 #if defined(__MSDOS__) && !defined(MSDOS)
@@ -284,41 +356,73 @@ typedef uLong FAR uLongf;
    typedef Byte       *voidp;
 #endif
 
+#ifdef HAVE_UNISTD_H    /* may be set to #if 1 by ./configure */
+#  define Z_HAVE_UNISTD_H
+#endif
+
+#ifdef STDC
+#  include     /* for off_t */
+#endif
+
+/* a little trick to accommodate both "#define _LARGEFILE64_SOURCE" and
+ * "#define _LARGEFILE64_SOURCE 1" as requesting 64-bit operations, (even
+ * though the former does not conform to the LFS document), but considering
+ * both "#undef _LARGEFILE64_SOURCE" and "#define _LARGEFILE64_SOURCE 0" as
+ * equivalently requesting no 64-bit operations
+ */
+#if -_LARGEFILE64_SOURCE - -1 == 1
+#  undef _LARGEFILE64_SOURCE
+#endif
+
+#if defined(Z_HAVE_UNISTD_H) || defined(_LARGEFILE64_SOURCE)
+#  include        /* for SEEK_* and off_t */
+#  ifdef VMS
+#    include      /* for off_t */
+#  endif
+#  ifndef z_off_t
+#    define z_off_t off_t
+#  endif
+#endif
+
 #ifndef SEEK_SET
 #  define SEEK_SET        0       /* Seek from beginning of file.  */
 #  define SEEK_CUR        1       /* Seek from current position.  */
 #  define SEEK_END        2       /* Set file pointer to EOF plus "offset" */
 #endif
+
 #ifndef z_off_t
 #  define z_off_t long
 #endif
 
+#if defined(_LARGEFILE64_SOURCE) && _LFS64_LARGEFILE-0
+#  define z_off64_t off64_t
+#else
+#  define z_off64_t z_off_t
+#endif
+
 #if defined(__OS400__)
 #  define NO_vsnprintf
 #endif
 
 #if defined(__MVS__)
 #  define NO_vsnprintf
-#  ifdef FAR
-#    undef FAR
-#  endif
 #endif
 
 /* MVS linker does not support external names larger than 8 bytes */
 #if defined(__MVS__)
-#   pragma map(deflateInit_,"DEIN")
-#   pragma map(deflateInit2_,"DEIN2")
-#   pragma map(deflateEnd,"DEEND")
-#   pragma map(deflateBound,"DEBND")
-#   pragma map(inflateInit_,"ININ")
-#   pragma map(inflateInit2_,"ININ2")
-#   pragma map(inflateEnd,"INEND")
-#   pragma map(inflateSync,"INSY")
-#   pragma map(inflateSetDictionary,"INSEDI")
-#   pragma map(compressBound,"CMBND")
-#   pragma map(inflate_table,"INTABL")
-#   pragma map(inflate_fast,"INFA")
-#   pragma map(inflate_copyright,"INCOPY")
+  #pragma map(deflateInit_,"DEIN")
+  #pragma map(deflateInit2_,"DEIN2")
+  #pragma map(deflateEnd,"DEEND")
+  #pragma map(deflateBound,"DEBND")
+  #pragma map(inflateInit_,"ININ")
+  #pragma map(inflateInit2_,"ININ2")
+  #pragma map(inflateEnd,"INEND")
+  #pragma map(inflateSync,"INSY")
+  #pragma map(inflateSetDictionary,"INSEDI")
+  #pragma map(compressBound,"CMBND")
+  #pragma map(inflate_table,"INTABL")
+  #pragma map(inflate_fast,"INFA")
+  #pragma map(inflate_copyright,"INCOPY")
 #endif
 
 #endif /* ZCONF_H */
diff --git a/security/nss/lib/zlib/zlib.h b/security/nss/lib/zlib/zlib.h
index 022817927ce3..bfbba83e8ee0 100644
--- a/security/nss/lib/zlib/zlib.h
+++ b/security/nss/lib/zlib/zlib.h
@@ -1,7 +1,7 @@
 /* zlib.h -- interface of the 'zlib' general purpose compression library
-  version 1.2.3, July 18th, 2005
+  version 1.2.5, April 19th, 2010
 
-  Copyright (C) 1995-2005 Jean-loup Gailly and Mark Adler
+  Copyright (C) 1995-2010 Jean-loup Gailly and Mark Adler
 
   This software is provided 'as-is', without any express or implied
   warranty.  In no event will the authors be held liable for any damages
@@ -37,41 +37,44 @@
 extern "C" {
 #endif
 
-#define ZLIB_VERSION "1.2.3"
-#define ZLIB_VERNUM 0x1230
+#define ZLIB_VERSION "1.2.5"
+#define ZLIB_VERNUM 0x1250
+#define ZLIB_VER_MAJOR 1
+#define ZLIB_VER_MINOR 2
+#define ZLIB_VER_REVISION 5
+#define ZLIB_VER_SUBREVISION 0
 
 /*
-     The 'zlib' compression library provides in-memory compression and
-  decompression functions, including integrity checks of the uncompressed
-  data.  This version of the library supports only one compression method
-  (deflation) but other algorithms will be added later and will have the same
-  stream interface.
+    The 'zlib' compression library provides in-memory compression and
+  decompression functions, including integrity checks of the uncompressed data.
+  This version of the library supports only one compression method (deflation)
+  but other algorithms will be added later and will have the same stream
+  interface.
 
-     Compression can be done in a single step if the buffers are large
-  enough (for example if an input file is mmap'ed), or can be done by
-  repeated calls of the compression function.  In the latter case, the
-  application must provide more input and/or consume the output
+    Compression can be done in a single step if the buffers are large enough,
+  or can be done by repeated calls of the compression function.  In the latter
+  case, the application must provide more input and/or consume the output
   (providing more output space) before each call.
 
-     The compressed data format used by default by the in-memory functions is
+    The compressed data format used by default by the in-memory functions is
   the zlib format, which is a zlib wrapper documented in RFC 1950, wrapped
   around a deflate stream, which is itself documented in RFC 1951.
 
-     The library also supports reading and writing files in gzip (.gz) format
+    The library also supports reading and writing files in gzip (.gz) format
   with an interface similar to that of stdio using the functions that start
   with "gz".  The gzip format is different from the zlib format.  gzip is a
   gzip wrapper, documented in RFC 1952, wrapped around a deflate stream.
 
-     This library can optionally read and write gzip streams in memory as well.
+    This library can optionally read and write gzip streams in memory as well.
 
-     The zlib format was designed to be compact and fast for use in memory
+    The zlib format was designed to be compact and fast for use in memory
   and on communications channels.  The gzip format was designed for single-
   file compression on file systems, has a larger header than zlib to maintain
   directory information, and uses a different, slower check method than zlib.
 
-     The library does not install any signal handler. The decoder checks
-  the consistency of the compressed data, so the library should never
-  crash even in case of corrupted input.
+    The library does not install any signal handler.  The decoder checks
+  the consistency of the compressed data, so the library should never crash
+  even in case of corrupted input.
 */
 
 typedef voidpf (*alloc_func) OF((voidpf opaque, uInt items, uInt size));
@@ -126,45 +129,45 @@ typedef struct gz_header_s {
 typedef gz_header FAR *gz_headerp;
 
 /*
-   The application must update next_in and avail_in when avail_in has
-   dropped to zero. It must update next_out and avail_out when avail_out
-   has dropped to zero. The application must initialize zalloc, zfree and
-   opaque before calling the init function. All other fields are set by the
-   compression library and must not be updated by the application.
+     The application must update next_in and avail_in when avail_in has dropped
+   to zero.  It must update next_out and avail_out when avail_out has dropped
+   to zero.  The application must initialize zalloc, zfree and opaque before
+   calling the init function.  All other fields are set by the compression
+   library and must not be updated by the application.
 
-   The opaque value provided by the application will be passed as the first
-   parameter for calls of zalloc and zfree. This can be useful for custom
-   memory management. The compression library attaches no meaning to the
+     The opaque value provided by the application will be passed as the first
+   parameter for calls of zalloc and zfree.  This can be useful for custom
+   memory management.  The compression library attaches no meaning to the
    opaque value.
 
-   zalloc must return Z_NULL if there is not enough memory for the object.
+     zalloc must return Z_NULL if there is not enough memory for the object.
    If zlib is used in a multi-threaded application, zalloc and zfree must be
    thread safe.
 
-   On 16-bit systems, the functions zalloc and zfree must be able to allocate
-   exactly 65536 bytes, but will not be required to allocate more than this
-   if the symbol MAXSEG_64K is defined (see zconf.h). WARNING: On MSDOS,
-   pointers returned by zalloc for objects of exactly 65536 bytes *must*
-   have their offset normalized to zero. The default allocation function
-   provided by this library ensures this (see zutil.c). To reduce memory
-   requirements and avoid any allocation of 64K objects, at the expense of
-   compression ratio, compile the library with -DMAX_WBITS=14 (see zconf.h).
+     On 16-bit systems, the functions zalloc and zfree must be able to allocate
+   exactly 65536 bytes, but will not be required to allocate more than this if
+   the symbol MAXSEG_64K is defined (see zconf.h).  WARNING: On MSDOS, pointers
+   returned by zalloc for objects of exactly 65536 bytes *must* have their
+   offset normalized to zero.  The default allocation function provided by this
+   library ensures this (see zutil.c).  To reduce memory requirements and avoid
+   any allocation of 64K objects, at the expense of compression ratio, compile
+   the library with -DMAX_WBITS=14 (see zconf.h).
 
-   The fields total_in and total_out can be used for statistics or
-   progress reports. After compression, total_in holds the total size of
-   the uncompressed data and may be saved for use in the decompressor
-   (particularly if the decompressor wants to decompress everything in
-   a single step).
+     The fields total_in and total_out can be used for statistics or progress
+   reports.  After compression, total_in holds the total size of the
+   uncompressed data and may be saved for use in the decompressor (particularly
+   if the decompressor wants to decompress everything in a single step).
 */
 
                         /* constants */
 
 #define Z_NO_FLUSH      0
-#define Z_PARTIAL_FLUSH 1 /* will be removed, use Z_SYNC_FLUSH instead */
+#define Z_PARTIAL_FLUSH 1
 #define Z_SYNC_FLUSH    2
 #define Z_FULL_FLUSH    3
 #define Z_FINISH        4
 #define Z_BLOCK         5
+#define Z_TREES         6
 /* Allowed flush values; see deflate() and inflate() below for details */
 
 #define Z_OK            0
@@ -176,8 +179,8 @@ typedef gz_header FAR *gz_headerp;
 #define Z_MEM_ERROR    (-4)
 #define Z_BUF_ERROR    (-5)
 #define Z_VERSION_ERROR (-6)
-/* Return codes for the compression/decompression functions. Negative
- * values are errors, positive values are used for special but normal events.
+/* Return codes for the compression/decompression functions. Negative values
+ * are errors, positive values are used for special but normal events.
  */
 
 #define Z_NO_COMPRESSION         0
@@ -207,119 +210,140 @@ typedef gz_header FAR *gz_headerp;
 #define zlib_version zlibVersion()
 /* for compatibility with versions < 1.0.2 */
 
+
                         /* basic functions */
 
 ZEXTERN const char * ZEXPORT zlibVersion OF((void));
 /* The application can compare zlibVersion and ZLIB_VERSION for consistency.
-   If the first character differs, the library code actually used is
-   not compatible with the zlib.h header file used by the application.
-   This check is automatically made by deflateInit and inflateInit.
+   If the first character differs, the library code actually used is not
+   compatible with the zlib.h header file used by the application.  This check
+   is automatically made by deflateInit and inflateInit.
  */
 
 /*
 ZEXTERN int ZEXPORT deflateInit OF((z_streamp strm, int level));
 
-     Initializes the internal stream state for compression. The fields
-   zalloc, zfree and opaque must be initialized before by the caller.
-   If zalloc and zfree are set to Z_NULL, deflateInit updates them to
-   use default allocation functions.
+     Initializes the internal stream state for compression.  The fields
+   zalloc, zfree and opaque must be initialized before by the caller.  If
+   zalloc and zfree are set to Z_NULL, deflateInit updates them to use default
+   allocation functions.
 
      The compression level must be Z_DEFAULT_COMPRESSION, or between 0 and 9:
-   1 gives best speed, 9 gives best compression, 0 gives no compression at
-   all (the input data is simply copied a block at a time).
-   Z_DEFAULT_COMPRESSION requests a default compromise between speed and
-   compression (currently equivalent to level 6).
+   1 gives best speed, 9 gives best compression, 0 gives no compression at all
+   (the input data is simply copied a block at a time).  Z_DEFAULT_COMPRESSION
+   requests a default compromise between speed and compression (currently
+   equivalent to level 6).
 
-     deflateInit returns Z_OK if success, Z_MEM_ERROR if there was not
-   enough memory, Z_STREAM_ERROR if level is not a valid compression level,
+     deflateInit returns Z_OK if success, Z_MEM_ERROR if there was not enough
+   memory, Z_STREAM_ERROR if level is not a valid compression level, or
    Z_VERSION_ERROR if the zlib library version (zlib_version) is incompatible
-   with the version assumed by the caller (ZLIB_VERSION).
-   msg is set to null if there is no error message.  deflateInit does not
-   perform any compression: this will be done by deflate().
+   with the version assumed by the caller (ZLIB_VERSION).  msg is set to null
+   if there is no error message.  deflateInit does not perform any compression:
+   this will be done by deflate().
 */
 
 
 ZEXTERN int ZEXPORT deflate OF((z_streamp strm, int flush));
 /*
     deflate compresses as much data as possible, and stops when the input
-  buffer becomes empty or the output buffer becomes full. It may introduce some
-  output latency (reading input without producing any output) except when
+  buffer becomes empty or the output buffer becomes full.  It may introduce
+  some output latency (reading input without producing any output) except when
   forced to flush.
 
-    The detailed semantics are as follows. deflate performs one or both of the
+    The detailed semantics are as follows.  deflate performs one or both of the
   following actions:
 
   - Compress more input starting at next_in and update next_in and avail_in
-    accordingly. If not all input can be processed (because there is not
+    accordingly.  If not all input can be processed (because there is not
     enough room in the output buffer), next_in and avail_in are updated and
     processing will resume at this point for the next call of deflate().
 
   - Provide more output starting at next_out and update next_out and avail_out
-    accordingly. This action is forced if the parameter flush is non zero.
+    accordingly.  This action is forced if the parameter flush is non zero.
     Forcing flush frequently degrades the compression ratio, so this parameter
-    should be set only when necessary (in interactive applications).
-    Some output may be provided even if flush is not set.
+    should be set only when necessary (in interactive applications).  Some
+    output may be provided even if flush is not set.
 
-  Before the call of deflate(), the application should ensure that at least
-  one of the actions is possible, by providing more input and/or consuming
-  more output, and updating avail_in or avail_out accordingly; avail_out
-  should never be zero before the call. The application can consume the
-  compressed output when it wants, for example when the output buffer is full
-  (avail_out == 0), or after each call of deflate(). If deflate returns Z_OK
-  and with zero avail_out, it must be called again after making room in the
-  output buffer because there might be more output pending.
+    Before the call of deflate(), the application should ensure that at least
+  one of the actions is possible, by providing more input and/or consuming more
+  output, and updating avail_in or avail_out accordingly; avail_out should
+  never be zero before the call.  The application can consume the compressed
+  output when it wants, for example when the output buffer is full (avail_out
+  == 0), or after each call of deflate().  If deflate returns Z_OK and with
+  zero avail_out, it must be called again after making room in the output
+  buffer because there might be more output pending.
 
     Normally the parameter flush is set to Z_NO_FLUSH, which allows deflate to
-  decide how much data to accumualte before producing output, in order to
+  decide how much data to accumulate before producing output, in order to
   maximize compression.
 
     If the parameter flush is set to Z_SYNC_FLUSH, all pending output is
   flushed to the output buffer and the output is aligned on a byte boundary, so
-  that the decompressor can get all input data available so far. (In particular
-  avail_in is zero after the call if enough output space has been provided
-  before the call.)  Flushing may degrade compression for some compression
-  algorithms and so it should be used only when necessary.
+  that the decompressor can get all input data available so far.  (In
+  particular avail_in is zero after the call if enough output space has been
+  provided before the call.) Flushing may degrade compression for some
+  compression algorithms and so it should be used only when necessary.  This
+  completes the current deflate block and follows it with an empty stored block
+  that is three bits plus filler bits to the next byte, followed by four bytes
+  (00 00 ff ff).
+
+    If flush is set to Z_PARTIAL_FLUSH, all pending output is flushed to the
+  output buffer, but the output is not aligned to a byte boundary.  All of the
+  input data so far will be available to the decompressor, as for Z_SYNC_FLUSH.
+  This completes the current deflate block and follows it with an empty fixed
+  codes block that is 10 bits long.  This assures that enough bytes are output
+  in order for the decompressor to finish the block before the empty fixed code
+  block.
+
+    If flush is set to Z_BLOCK, a deflate block is completed and emitted, as
+  for Z_SYNC_FLUSH, but the output is not aligned on a byte boundary, and up to
+  seven bits of the current block are held to be written as the next byte after
+  the next deflate block is completed.  In this case, the decompressor may not
+  be provided enough bits at this point in order to complete decompression of
+  the data provided so far to the compressor.  It may need to wait for the next
+  block to be emitted.  This is for advanced applications that need to control
+  the emission of deflate blocks.
 
     If flush is set to Z_FULL_FLUSH, all output is flushed as with
   Z_SYNC_FLUSH, and the compression state is reset so that decompression can
   restart from this point if previous compressed data has been damaged or if
-  random access is desired. Using Z_FULL_FLUSH too often can seriously degrade
+  random access is desired.  Using Z_FULL_FLUSH too often can seriously degrade
   compression.
 
     If deflate returns with avail_out == 0, this function must be called again
   with the same value of the flush parameter and more output space (updated
   avail_out), until the flush is complete (deflate returns with non-zero
-  avail_out). In the case of a Z_FULL_FLUSH or Z_SYNC_FLUSH, make sure that
+  avail_out).  In the case of a Z_FULL_FLUSH or Z_SYNC_FLUSH, make sure that
   avail_out is greater than six to avoid repeated flush markers due to
   avail_out == 0 on return.
 
     If the parameter flush is set to Z_FINISH, pending input is processed,
-  pending output is flushed and deflate returns with Z_STREAM_END if there
-  was enough output space; if deflate returns with Z_OK, this function must be
+  pending output is flushed and deflate returns with Z_STREAM_END if there was
+  enough output space; if deflate returns with Z_OK, this function must be
   called again with Z_FINISH and more output space (updated avail_out) but no
-  more input data, until it returns with Z_STREAM_END or an error. After
-  deflate has returned Z_STREAM_END, the only possible operations on the
-  stream are deflateReset or deflateEnd.
+  more input data, until it returns with Z_STREAM_END or an error.  After
+  deflate has returned Z_STREAM_END, the only possible operations on the stream
+  are deflateReset or deflateEnd.
 
     Z_FINISH can be used immediately after deflateInit if all the compression
-  is to be done in a single step. In this case, avail_out must be at least
-  the value returned by deflateBound (see below). If deflate does not return
+  is to be done in a single step.  In this case, avail_out must be at least the
+  value returned by deflateBound (see below).  If deflate does not return
   Z_STREAM_END, then it must be called again as described above.
 
     deflate() sets strm->adler to the adler32 checksum of all input read
   so far (that is, total_in bytes).
 
     deflate() may update strm->data_type if it can make a good guess about
-  the input data type (Z_BINARY or Z_TEXT). In doubt, the data is considered
-  binary. This field is only for information purposes and does not affect
-  the compression algorithm in any manner.
+  the input data type (Z_BINARY or Z_TEXT).  In doubt, the data is considered
+  binary.  This field is only for information purposes and does not affect the
+  compression algorithm in any manner.
 
     deflate() returns Z_OK if some progress has been made (more input
   processed or more output produced), Z_STREAM_END if all input has been
   consumed and all output has been produced (only when flush is set to
   Z_FINISH), Z_STREAM_ERROR if the stream state was inconsistent (for example
-  if next_in or next_out was NULL), Z_BUF_ERROR if no progress is possible
-  (for example avail_in or avail_out was zero). Note that Z_BUF_ERROR is not
+  if next_in or next_out was Z_NULL), Z_BUF_ERROR if no progress is possible
+  (for example avail_in or avail_out was zero).  Note that Z_BUF_ERROR is not
   fatal, and deflate() can be called again with more input and more output
   space to continue compressing.
 */
@@ -328,13 +352,13 @@ ZEXTERN int ZEXPORT deflate OF((z_streamp strm, int flush));
 ZEXTERN int ZEXPORT deflateEnd OF((z_streamp strm));
 /*
      All dynamically allocated data structures for this stream are freed.
-   This function discards any unprocessed input and does not flush any
-   pending output.
+   This function discards any unprocessed input and does not flush any pending
+   output.
 
      deflateEnd returns Z_OK if success, Z_STREAM_ERROR if the
    stream state was inconsistent, Z_DATA_ERROR if the stream was freed
-   prematurely (some input or output was discarded). In the error case,
-   msg may be set but then points to a static string (which must not be
+   prematurely (some input or output was discarded).  In the error case, msg
+   may be set but then points to a static string (which must not be
    deallocated).
 */
 
@@ -342,10 +366,10 @@ ZEXTERN int ZEXPORT deflateEnd OF((z_streamp strm));
 /*
 ZEXTERN int ZEXPORT inflateInit OF((z_streamp strm));
 
-     Initializes the internal stream state for decompression. The fields
+     Initializes the internal stream state for decompression.  The fields
    next_in, avail_in, zalloc, zfree and opaque must be initialized before by
-   the caller. If next_in is not Z_NULL and avail_in is large enough (the exact
-   value depends on the compression method), inflateInit determines the
+   the caller.  If next_in is not Z_NULL and avail_in is large enough (the
+   exact value depends on the compression method), inflateInit determines the
    compression method from the zlib header and allocates all data structures
    accordingly; otherwise the allocation will be deferred to the first call of
    inflate.  If zalloc and zfree are set to Z_NULL, inflateInit updates them to
@@ -353,95 +377,108 @@ ZEXTERN int ZEXPORT inflateInit OF((z_streamp strm));
 
      inflateInit returns Z_OK if success, Z_MEM_ERROR if there was not enough
    memory, Z_VERSION_ERROR if the zlib library version is incompatible with the
-   version assumed by the caller.  msg is set to null if there is no error
-   message. inflateInit does not perform any decompression apart from reading
-   the zlib header if present: this will be done by inflate().  (So next_in and
-   avail_in may be modified, but next_out and avail_out are unchanged.)
+   version assumed by the caller, or Z_STREAM_ERROR if the parameters are
+   invalid, such as a null pointer to the structure.  msg is set to null if
+   there is no error message.  inflateInit does not perform any decompression
+   apart from possibly reading the zlib header if present: actual decompression
+   will be done by inflate().  (So next_in and avail_in may be modified, but
+   next_out and avail_out are unused and unchanged.) The current implementation
+   of inflateInit() does not process any header information -- that is deferred
+   until inflate() is called.
 */
 
 
 ZEXTERN int ZEXPORT inflate OF((z_streamp strm, int flush));
 /*
     inflate decompresses as much data as possible, and stops when the input
-  buffer becomes empty or the output buffer becomes full. It may introduce
+  buffer becomes empty or the output buffer becomes full.  It may introduce
   some output latency (reading input without producing any output) except when
   forced to flush.
 
-  The detailed semantics are as follows. inflate performs one or both of the
+  The detailed semantics are as follows.  inflate performs one or both of the
   following actions:
 
   - Decompress more input starting at next_in and update next_in and avail_in
-    accordingly. If not all input can be processed (because there is not
-    enough room in the output buffer), next_in is updated and processing
-    will resume at this point for the next call of inflate().
+    accordingly.  If not all input can be processed (because there is not
+    enough room in the output buffer), next_in is updated and processing will
+    resume at this point for the next call of inflate().
 
   - Provide more output starting at next_out and update next_out and avail_out
-    accordingly.  inflate() provides as much output as possible, until there
-    is no more input data or no more space in the output buffer (see below
-    about the flush parameter).
+    accordingly.  inflate() provides as much output as possible, until there is
+    no more input data or no more space in the output buffer (see below about
+    the flush parameter).
 
-  Before the call of inflate(), the application should ensure that at least
-  one of the actions is possible, by providing more input and/or consuming
-  more output, and updating the next_* and avail_* values accordingly.
-  The application can consume the uncompressed output when it wants, for
-  example when the output buffer is full (avail_out == 0), or after each
-  call of inflate(). If inflate returns Z_OK and with zero avail_out, it
-  must be called again after making room in the output buffer because there
-  might be more output pending.
+    Before the call of inflate(), the application should ensure that at least
+  one of the actions is possible, by providing more input and/or consuming more
+  output, and updating the next_* and avail_* values accordingly.  The
+  application can consume the uncompressed output when it wants, for example
+  when the output buffer is full (avail_out == 0), or after each call of
+  inflate().  If inflate returns Z_OK and with zero avail_out, it must be
+  called again after making room in the output buffer because there might be
+  more output pending.
 
-    The flush parameter of inflate() can be Z_NO_FLUSH, Z_SYNC_FLUSH,
-  Z_FINISH, or Z_BLOCK. Z_SYNC_FLUSH requests that inflate() flush as much
-  output as possible to the output buffer. Z_BLOCK requests that inflate() stop
-  if and when it gets to the next deflate block boundary. When decoding the
-  zlib or gzip format, this will cause inflate() to return immediately after
-  the header and before the first block. When doing a raw inflate, inflate()
-  will go ahead and process the first block, and will return when it gets to
-  the end of that block, or when it runs out of data.
+    The flush parameter of inflate() can be Z_NO_FLUSH, Z_SYNC_FLUSH, Z_FINISH,
+  Z_BLOCK, or Z_TREES.  Z_SYNC_FLUSH requests that inflate() flush as much
+  output as possible to the output buffer.  Z_BLOCK requests that inflate()
+  stop if and when it gets to the next deflate block boundary.  When decoding
+  the zlib or gzip format, this will cause inflate() to return immediately
+  after the header and before the first block.  When doing a raw inflate,
+  inflate() will go ahead and process the first block, and will return when it
+  gets to the end of that block, or when it runs out of data.
 
     The Z_BLOCK option assists in appending to or combining deflate streams.
   Also to assist in this, on return inflate() will set strm->data_type to the
-  number of unused bits in the last byte taken from strm->next_in, plus 64
-  if inflate() is currently decoding the last block in the deflate stream,
-  plus 128 if inflate() returned immediately after decoding an end-of-block
-  code or decoding the complete header up to just before the first byte of the
-  deflate stream. The end-of-block will not be indicated until all of the
-  uncompressed data from that block has been written to strm->next_out.  The
-  number of unused bits may in general be greater than seven, except when
-  bit 7 of data_type is set, in which case the number of unused bits will be
-  less than eight.
+  number of unused bits in the last byte taken from strm->next_in, plus 64 if
+  inflate() is currently decoding the last block in the deflate stream, plus
+  128 if inflate() returned immediately after decoding an end-of-block code or
+  decoding the complete header up to just before the first byte of the deflate
+  stream.  The end-of-block will not be indicated until all of the uncompressed
+  data from that block has been written to strm->next_out.  The number of
+  unused bits may in general be greater than seven, except when bit 7 of
+  data_type is set, in which case the number of unused bits will be less than
+  eight.  data_type is set as noted here every time inflate() returns for all
+  flush options, and so can be used to determine the amount of currently
+  consumed input in bits.
+
+    The Z_TREES option behaves as Z_BLOCK does, but it also returns when the
+  end of each deflate block header is reached, before any actual data in that
+  block is decoded.  This allows the caller to determine the length of the
+  deflate block header for later use in random access within a deflate block.
+  256 is added to the value of strm->data_type when inflate() returns
+  immediately after reaching the end of the deflate block header.
 
     inflate() should normally be called until it returns Z_STREAM_END or an
-  error. However if all decompression is to be performed in a single step
-  (a single call of inflate), the parameter flush should be set to
-  Z_FINISH. In this case all pending input is processed and all pending
-  output is flushed; avail_out must be large enough to hold all the
-  uncompressed data. (The size of the uncompressed data may have been saved
-  by the compressor for this purpose.) The next operation on this stream must
-  be inflateEnd to deallocate the decompression state. The use of Z_FINISH
-  is never required, but can be used to inform inflate that a faster approach
-  may be used for the single inflate() call.
+  error.  However if all decompression is to be performed in a single step (a
+  single call of inflate), the parameter flush should be set to Z_FINISH.  In
+  this case all pending input is processed and all pending output is flushed;
+  avail_out must be large enough to hold all the uncompressed data.  (The size
+  of the uncompressed data may have been saved by the compressor for this
+  purpose.) The next operation on this stream must be inflateEnd to deallocate
+  the decompression state.  The use of Z_FINISH is never required, but can be
+  used to inform inflate that a faster approach may be used for the single
+  inflate() call.
 
      In this implementation, inflate() always flushes as much output as
   possible to the output buffer, and always uses the faster approach on the
-  first call. So the only effect of the flush parameter in this implementation
+  first call.  So the only effect of the flush parameter in this implementation
   is on the return value of inflate(), as noted below, or when it returns early
-  because Z_BLOCK is used.
+  because Z_BLOCK or Z_TREES is used.
 
      If a preset dictionary is needed after this call (see inflateSetDictionary
   below), inflate sets strm->adler to the adler32 checksum of the dictionary
   chosen by the compressor and returns Z_NEED_DICT; otherwise it sets
   strm->adler to the adler32 checksum of all output produced so far (that is,
   total_out bytes) and returns Z_OK, Z_STREAM_END or an error code as described
-  below. At the end of the stream, inflate() checks that its computed adler32
+  below.  At the end of the stream, inflate() checks that its computed adler32
   checksum is equal to that saved by the compressor and returns Z_STREAM_END
   only if the checksum is correct.
 
-    inflate() will decompress and check either zlib-wrapped or gzip-wrapped
-  deflate data.  The header type is detected automatically.  Any information
-  contained in the gzip header is not retained, so applications that need that
-  information should instead use raw inflate, see inflateInit2() below, or
-  inflateBack() and perform their own processing of the gzip header and
-  trailer.
+    inflate() can decompress and check either zlib-wrapped or gzip-wrapped
+  deflate data.  The header type is detected automatically, if requested when
+  initializing with inflateInit2().  Any information contained in the gzip
+  header is not retained, so applications that need that information should
+  instead use raw inflate, see inflateInit2() below, or inflateBack() and
+  perform their own processing of the gzip header and trailer.
 
     inflate() returns Z_OK if some progress has been made (more input processed
   or more output produced), Z_STREAM_END if the end of the compressed data has
@@ -449,27 +486,28 @@ ZEXTERN int ZEXPORT inflate OF((z_streamp strm, int flush));
   preset dictionary is needed at this point, Z_DATA_ERROR if the input data was
   corrupted (input stream not conforming to the zlib format or incorrect check
   value), Z_STREAM_ERROR if the stream structure was inconsistent (for example
-  if next_in or next_out was NULL), Z_MEM_ERROR if there was not enough memory,
+  next_in or next_out was Z_NULL), Z_MEM_ERROR if there was not enough memory,
   Z_BUF_ERROR if no progress is possible or if there was not enough room in the
-  output buffer when Z_FINISH is used. Note that Z_BUF_ERROR is not fatal, and
+  output buffer when Z_FINISH is used.  Note that Z_BUF_ERROR is not fatal, and
   inflate() can be called again with more input and more output space to
-  continue decompressing. If Z_DATA_ERROR is returned, the application may then
-  call inflateSync() to look for a good compression block if a partial recovery
-  of the data is desired.
+  continue decompressing.  If Z_DATA_ERROR is returned, the application may
+  then call inflateSync() to look for a good compression block if a partial
+  recovery of the data is desired.
 */
 
 
 ZEXTERN int ZEXPORT inflateEnd OF((z_streamp strm));
 /*
      All dynamically allocated data structures for this stream are freed.
-   This function discards any unprocessed input and does not flush any
-   pending output.
+   This function discards any unprocessed input and does not flush any pending
+   output.
 
      inflateEnd returns Z_OK if success, Z_STREAM_ERROR if the stream state
-   was inconsistent. In the error case, msg may be set but then points to a
+   was inconsistent.  In the error case, msg may be set but then points to a
    static string (which must not be deallocated).
 */
 
+
                         /* Advanced functions */
 
 /*
@@ -484,55 +522,57 @@ ZEXTERN int ZEXPORT deflateInit2 OF((z_streamp strm,
                                      int  memLevel,
                                      int  strategy));
 
-     This is another version of deflateInit with more compression options. The
-   fields next_in, zalloc, zfree and opaque must be initialized before by
-   the caller.
+     This is another version of deflateInit with more compression options.  The
+   fields next_in, zalloc, zfree and opaque must be initialized before by the
+   caller.
 
-     The method parameter is the compression method. It must be Z_DEFLATED in
+     The method parameter is the compression method.  It must be Z_DEFLATED in
    this version of the library.
 
      The windowBits parameter is the base two logarithm of the window size
-   (the size of the history buffer). It should be in the range 8..15 for this
-   version of the library. Larger values of this parameter result in better
-   compression at the expense of memory usage. The default value is 15 if
+   (the size of the history buffer).  It should be in the range 8..15 for this
+   version of the library.  Larger values of this parameter result in better
+   compression at the expense of memory usage.  The default value is 15 if
    deflateInit is used instead.
 
-     windowBits can also be -8..-15 for raw deflate. In this case, -windowBits
-   determines the window size. deflate() will then generate raw deflate data
+     windowBits can also be -8..-15 for raw deflate.  In this case, -windowBits
+   determines the window size.  deflate() will then generate raw deflate data
    with no zlib header or trailer, and will not compute an adler32 check value.
 
-     windowBits can also be greater than 15 for optional gzip encoding. Add
+     windowBits can also be greater than 15 for optional gzip encoding.  Add
    16 to windowBits to write a simple gzip header and trailer around the
-   compressed data instead of a zlib wrapper. The gzip header will have no
-   file name, no extra data, no comment, no modification time (set to zero),
-   no header crc, and the operating system will be set to 255 (unknown).  If a
+   compressed data instead of a zlib wrapper.  The gzip header will have no
+   file name, no extra data, no comment, no modification time (set to zero), no
+   header crc, and the operating system will be set to 255 (unknown).  If a
    gzip stream is being written, strm->adler is a crc32 instead of an adler32.
 
      The memLevel parameter specifies how much memory should be allocated
-   for the internal compression state. memLevel=1 uses minimum memory but
-   is slow and reduces compression ratio; memLevel=9 uses maximum memory
-   for optimal speed. The default value is 8. See zconf.h for total memory
-   usage as a function of windowBits and memLevel.
+   for the internal compression state.  memLevel=1 uses minimum memory but is
+   slow and reduces compression ratio; memLevel=9 uses maximum memory for
+   optimal speed.  The default value is 8.  See zconf.h for total memory usage
+   as a function of windowBits and memLevel.
 
-     The strategy parameter is used to tune the compression algorithm. Use the
+     The strategy parameter is used to tune the compression algorithm.  Use the
    value Z_DEFAULT_STRATEGY for normal data, Z_FILTERED for data produced by a
    filter (or predictor), Z_HUFFMAN_ONLY to force Huffman encoding only (no
    string match), or Z_RLE to limit match distances to one (run-length
-   encoding). Filtered data consists mostly of small values with a somewhat
-   random distribution. In this case, the compression algorithm is tuned to
-   compress them better. The effect of Z_FILTERED is to force more Huffman
+   encoding).  Filtered data consists mostly of small values with a somewhat
+   random distribution.  In this case, the compression algorithm is tuned to
+   compress them better.  The effect of Z_FILTERED is to force more Huffman
    coding and less string matching; it is somewhat intermediate between
-   Z_DEFAULT and Z_HUFFMAN_ONLY. Z_RLE is designed to be almost as fast as
-   Z_HUFFMAN_ONLY, but give better compression for PNG image data. The strategy
-   parameter only affects the compression ratio but not the correctness of the
-   compressed output even if it is not set appropriately.  Z_FIXED prevents the
-   use of dynamic Huffman codes, allowing for a simpler decoder for special
-   applications.
+   Z_DEFAULT_STRATEGY and Z_HUFFMAN_ONLY.  Z_RLE is designed to be almost as
+   fast as Z_HUFFMAN_ONLY, but give better compression for PNG image data.  The
+   strategy parameter only affects the compression ratio but not the
+   correctness of the compressed output even if it is not set appropriately.
+   Z_FIXED prevents the use of dynamic Huffman codes, allowing for a simpler
+   decoder for special applications.
 
-      deflateInit2 returns Z_OK if success, Z_MEM_ERROR if there was not enough
-   memory, Z_STREAM_ERROR if a parameter is invalid (such as an invalid
-   method). msg is set to null if there is no error message.  deflateInit2 does
-   not perform any compression: this will be done by deflate().
+     deflateInit2 returns Z_OK if success, Z_MEM_ERROR if there was not enough
+   memory, Z_STREAM_ERROR if any parameter is invalid (such as an invalid
+   method), or Z_VERSION_ERROR if the zlib library version (zlib_version) is
+   incompatible with the version assumed by the caller (ZLIB_VERSION).  msg is
+   set to null if there is no error message.  deflateInit2 does not perform any
+   compression: this will be done by deflate().
 */
 
 ZEXTERN int ZEXPORT deflateSetDictionary OF((z_streamp strm,
@@ -540,37 +580,37 @@ ZEXTERN int ZEXPORT deflateSetDictionary OF((z_streamp strm,
                                              uInt  dictLength));
 /*
      Initializes the compression dictionary from the given byte sequence
-   without producing any compressed output. This function must be called
-   immediately after deflateInit, deflateInit2 or deflateReset, before any
-   call of deflate. The compressor and decompressor must use exactly the same
+   without producing any compressed output.  This function must be called
+   immediately after deflateInit, deflateInit2 or deflateReset, before any call
+   of deflate.  The compressor and decompressor must use exactly the same
    dictionary (see inflateSetDictionary).
 
      The dictionary should consist of strings (byte sequences) that are likely
    to be encountered later in the data to be compressed, with the most commonly
-   used strings preferably put towards the end of the dictionary. Using a
+   used strings preferably put towards the end of the dictionary.  Using a
    dictionary is most useful when the data to be compressed is short and can be
    predicted with good accuracy; the data can then be compressed better than
    with the default empty dictionary.
 
      Depending on the size of the compression data structures selected by
    deflateInit or deflateInit2, a part of the dictionary may in effect be
-   discarded, for example if the dictionary is larger than the window size in
-   deflate or deflate2. Thus the strings most likely to be useful should be
-   put at the end of the dictionary, not at the front. In addition, the
-   current implementation of deflate will use at most the window size minus
-   262 bytes of the provided dictionary.
+   discarded, for example if the dictionary is larger than the window size
+   provided in deflateInit or deflateInit2.  Thus the strings most likely to be
+   useful should be put at the end of the dictionary, not at the front.  In
+   addition, the current implementation of deflate will use at most the window
+   size minus 262 bytes of the provided dictionary.
 
      Upon return of this function, strm->adler is set to the adler32 value
    of the dictionary; the decompressor may later use this value to determine
-   which dictionary has been used by the compressor. (The adler32 value
+   which dictionary has been used by the compressor.  (The adler32 value
    applies to the whole dictionary even if only a subset of the dictionary is
    actually used by the compressor.) If a raw deflate was requested, then the
    adler32 value is not computed and strm->adler is not set.
 
      deflateSetDictionary returns Z_OK if success, or Z_STREAM_ERROR if a
-   parameter is invalid (such as NULL dictionary) or the stream state is
+   parameter is invalid (e.g.  dictionary being Z_NULL) or the stream state is
    inconsistent (for example if deflate has already been called for this stream
-   or if the compression method is bsort). deflateSetDictionary does not
+   or if the compression method is bsort).  deflateSetDictionary does not
    perform any compression: this will be done by deflate().
 */
 
@@ -581,26 +621,26 @@ ZEXTERN int ZEXPORT deflateCopy OF((z_streamp dest,
 
      This function can be useful when several compression strategies will be
    tried, for example when there are several ways of pre-processing the input
-   data with a filter. The streams that will be discarded should then be freed
+   data with a filter.  The streams that will be discarded should then be freed
    by calling deflateEnd.  Note that deflateCopy duplicates the internal
-   compression state which can be quite large, so this strategy is slow and
-   can consume lots of memory.
+   compression state which can be quite large, so this strategy is slow and can
+   consume lots of memory.
 
      deflateCopy returns Z_OK if success, Z_MEM_ERROR if there was not
    enough memory, Z_STREAM_ERROR if the source stream state was inconsistent
-   (such as zalloc being NULL). msg is left unchanged in both source and
+   (such as zalloc being Z_NULL).  msg is left unchanged in both source and
    destination.
 */
 
 ZEXTERN int ZEXPORT deflateReset OF((z_streamp strm));
 /*
      This function is equivalent to deflateEnd followed by deflateInit,
-   but does not free and reallocate all the internal compression state.
-   The stream will keep the same compression level and any other attributes
-   that may have been set by deflateInit2.
+   but does not free and reallocate all the internal compression state.  The
+   stream will keep the same compression level and any other attributes that
+   may have been set by deflateInit2.
 
-      deflateReset returns Z_OK if success, or Z_STREAM_ERROR if the source
-   stream state was inconsistent (such as zalloc or state being NULL).
+     deflateReset returns Z_OK if success, or Z_STREAM_ERROR if the source
+   stream state was inconsistent (such as zalloc or state being Z_NULL).
 */
 
 ZEXTERN int ZEXPORT deflateParams OF((z_streamp strm,
@@ -610,18 +650,18 @@ ZEXTERN int ZEXPORT deflateParams OF((z_streamp strm,
      Dynamically update the compression level and compression strategy.  The
    interpretation of level and strategy is as in deflateInit2.  This can be
    used to switch between compression and straight copy of the input data, or
-   to switch to a different kind of input data requiring a different
-   strategy. If the compression level is changed, the input available so far
-   is compressed with the old level (and may be flushed); the new level will
-   take effect only at the next call of deflate().
+   to switch to a different kind of input data requiring a different strategy.
+   If the compression level is changed, the input available so far is
+   compressed with the old level (and may be flushed); the new level will take
+   effect only at the next call of deflate().
 
      Before the call of deflateParams, the stream state must be set as for
-   a call of deflate(), since the currently available input may have to
-   be compressed and flushed. In particular, strm->avail_out must be non-zero.
+   a call of deflate(), since the currently available input may have to be
+   compressed and flushed.  In particular, strm->avail_out must be non-zero.
 
      deflateParams returns Z_OK if success, Z_STREAM_ERROR if the source
-   stream state was inconsistent or if a parameter was invalid, Z_BUF_ERROR
-   if strm->avail_out was zero.
+   stream state was inconsistent or if a parameter was invalid, Z_BUF_ERROR if
+   strm->avail_out was zero.
 */
 
 ZEXTERN int ZEXPORT deflateTune OF((z_streamp strm,
@@ -645,9 +685,10 @@ ZEXTERN uLong ZEXPORT deflateBound OF((z_streamp strm,
                                        uLong sourceLen));
 /*
      deflateBound() returns an upper bound on the compressed size after
-   deflation of sourceLen bytes.  It must be called after deflateInit()
-   or deflateInit2().  This would be used to allocate an output buffer
-   for deflation in a single pass, and so would be called before deflate().
+   deflation of sourceLen bytes.  It must be called after deflateInit() or
+   deflateInit2(), and after deflateSetHeader(), if used.  This would be used
+   to allocate an output buffer for deflation in a single pass, and so would be
+   called before deflate().
 */
 
 ZEXTERN int ZEXPORT deflatePrime OF((z_streamp strm,
@@ -655,21 +696,21 @@ ZEXTERN int ZEXPORT deflatePrime OF((z_streamp strm,
                                      int value));
 /*
      deflatePrime() inserts bits in the deflate output stream.  The intent
-  is that this function is used to start off the deflate output with the
-  bits leftover from a previous deflate stream when appending to it.  As such,
-  this function can only be used for raw deflate, and must be used before the
-  first deflate() call after a deflateInit2() or deflateReset().  bits must be
-  less than or equal to 16, and that many of the least significant bits of
-  value will be inserted in the output.
+   is that this function is used to start off the deflate output with the bits
+   leftover from a previous deflate stream when appending to it.  As such, this
+   function can only be used for raw deflate, and must be used before the first
+   deflate() call after a deflateInit2() or deflateReset().  bits must be less
+   than or equal to 16, and that many of the least significant bits of value
+   will be inserted in the output.
 
-      deflatePrime returns Z_OK if success, or Z_STREAM_ERROR if the source
+     deflatePrime returns Z_OK if success, or Z_STREAM_ERROR if the source
    stream state was inconsistent.
 */
 
 ZEXTERN int ZEXPORT deflateSetHeader OF((z_streamp strm,
                                          gz_headerp head));
 /*
-      deflateSetHeader() provides gzip header information for when a gzip
+     deflateSetHeader() provides gzip header information for when a gzip
    stream is requested by deflateInit2().  deflateSetHeader() may be called
    after deflateInit2() or deflateReset() and before the first call of
    deflate().  The text, time, os, extra field, name, and comment information
@@ -682,11 +723,11 @@ ZEXTERN int ZEXPORT deflateSetHeader OF((z_streamp strm,
    1.3.x) do not support header crc's, and will report that it is a "multi-part
    gzip file" and give up.
 
-      If deflateSetHeader is not used, the default gzip header has text false,
+     If deflateSetHeader is not used, the default gzip header has text false,
    the time set to zero, and os set to 255, with no extra, name, or comment
    fields.  The gzip header is returned to the default state by deflateReset().
 
-      deflateSetHeader returns Z_OK if success, or Z_STREAM_ERROR if the source
+     deflateSetHeader returns Z_OK if success, or Z_STREAM_ERROR if the source
    stream state was inconsistent.
 */
 
@@ -694,43 +735,50 @@ ZEXTERN int ZEXPORT deflateSetHeader OF((z_streamp strm,
 ZEXTERN int ZEXPORT inflateInit2 OF((z_streamp strm,
                                      int  windowBits));
 
-     This is another version of inflateInit with an extra parameter. The
+     This is another version of inflateInit with an extra parameter.  The
    fields next_in, avail_in, zalloc, zfree and opaque must be initialized
    before by the caller.
 
      The windowBits parameter is the base two logarithm of the maximum window
    size (the size of the history buffer).  It should be in the range 8..15 for
-   this version of the library. The default value is 15 if inflateInit is used
-   instead. windowBits must be greater than or equal to the windowBits value
+   this version of the library.  The default value is 15 if inflateInit is used
+   instead.  windowBits must be greater than or equal to the windowBits value
    provided to deflateInit2() while compressing, or it must be equal to 15 if
-   deflateInit2() was not used. If a compressed stream with a larger window
+   deflateInit2() was not used.  If a compressed stream with a larger window
    size is given as input, inflate() will return with the error code
    Z_DATA_ERROR instead of trying to allocate a larger window.
 
-     windowBits can also be -8..-15 for raw inflate. In this case, -windowBits
-   determines the window size. inflate() will then process raw deflate data,
+     windowBits can also be zero to request that inflate use the window size in
+   the zlib header of the compressed stream.
+
+     windowBits can also be -8..-15 for raw inflate.  In this case, -windowBits
+   determines the window size.  inflate() will then process raw deflate data,
    not looking for a zlib or gzip header, not generating a check value, and not
-   looking for any check values for comparison at the end of the stream. This
+   looking for any check values for comparison at the end of the stream.  This
    is for use with other formats that use the deflate compressed data format
-   such as zip.  Those formats provide their own check values. If a custom
+   such as zip.  Those formats provide their own check values.  If a custom
    format is developed using the raw deflate format for compressed data, it is
    recommended that a check value such as an adler32 or a crc32 be applied to
    the uncompressed data as is done in the zlib, gzip, and zip formats.  For
-   most applications, the zlib format should be used as is. Note that comments
+   most applications, the zlib format should be used as is.  Note that comments
    above on the use in deflateInit2() applies to the magnitude of windowBits.
 
-     windowBits can also be greater than 15 for optional gzip decoding. Add
+     windowBits can also be greater than 15 for optional gzip decoding.  Add
    32 to windowBits to enable zlib and gzip decoding with automatic header
    detection, or add 16 to decode only the gzip format (the zlib format will
-   return a Z_DATA_ERROR).  If a gzip stream is being decoded, strm->adler is
-   a crc32 instead of an adler32.
+   return a Z_DATA_ERROR).  If a gzip stream is being decoded, strm->adler is a
+   crc32 instead of an adler32.
 
      inflateInit2 returns Z_OK if success, Z_MEM_ERROR if there was not enough
-   memory, Z_STREAM_ERROR if a parameter is invalid (such as a null strm). msg
-   is set to null if there is no error message.  inflateInit2 does not perform
-   any decompression apart from reading the zlib header if present: this will
-   be done by inflate(). (So next_in and avail_in may be modified, but next_out
-   and avail_out are unchanged.)
+   memory, Z_VERSION_ERROR if the zlib library version is incompatible with the
+   version assumed by the caller, or Z_STREAM_ERROR if the parameters are
+   invalid, such as a null pointer to the structure.  msg is set to null if
+   there is no error message.  inflateInit2 does not perform any decompression
+   apart from possibly reading the zlib header if present: actual decompression
+   will be done by inflate().  (So next_in and avail_in may be modified, but
+   next_out and avail_out are unused and unchanged.) The current implementation
+   of inflateInit2() does not process any header information -- that is
+   deferred until inflate() is called.
 */
 
 ZEXTERN int ZEXPORT inflateSetDictionary OF((z_streamp strm,
@@ -738,8 +786,8 @@ ZEXTERN int ZEXPORT inflateSetDictionary OF((z_streamp strm,
                                              uInt  dictLength));
 /*
      Initializes the decompression dictionary from the given uncompressed byte
-   sequence. This function must be called immediately after a call of inflate,
-   if that call returned Z_NEED_DICT. The dictionary chosen by the compressor
+   sequence.  This function must be called immediately after a call of inflate,
+   if that call returned Z_NEED_DICT.  The dictionary chosen by the compressor
    can be determined from the adler32 value returned by that call of inflate.
    The compressor and decompressor must use exactly the same dictionary (see
    deflateSetDictionary).  For raw inflate, this function can be called
@@ -748,26 +796,26 @@ ZEXTERN int ZEXPORT inflateSetDictionary OF((z_streamp strm,
    dictionary that was used for compression is provided.
 
      inflateSetDictionary returns Z_OK if success, Z_STREAM_ERROR if a
-   parameter is invalid (such as NULL dictionary) or the stream state is
+   parameter is invalid (e.g.  dictionary being Z_NULL) or the stream state is
    inconsistent, Z_DATA_ERROR if the given dictionary doesn't match the
-   expected one (incorrect adler32 value). inflateSetDictionary does not
+   expected one (incorrect adler32 value).  inflateSetDictionary does not
    perform any decompression: this will be done by subsequent calls of
    inflate().
 */
 
 ZEXTERN int ZEXPORT inflateSync OF((z_streamp strm));
 /*
-    Skips invalid compressed data until a full flush point (see above the
-  description of deflate with Z_FULL_FLUSH) can be found, or until all
-  available input is skipped. No output is provided.
+     Skips invalid compressed data until a full flush point (see above the
+   description of deflate with Z_FULL_FLUSH) can be found, or until all
+   available input is skipped.  No output is provided.
 
-    inflateSync returns Z_OK if a full flush point has been found, Z_BUF_ERROR
-  if no more input was provided, Z_DATA_ERROR if no flush point has been found,
-  or Z_STREAM_ERROR if the stream structure was inconsistent. In the success
-  case, the application may save the current current value of total_in which
-  indicates where valid compressed data was found. In the error case, the
-  application may repeatedly call inflateSync, providing more input each time,
-  until success or end of the input data.
+     inflateSync returns Z_OK if a full flush point has been found, Z_BUF_ERROR
+   if no more input was provided, Z_DATA_ERROR if no flush point has been
+   found, or Z_STREAM_ERROR if the stream structure was inconsistent.  In the
+   success case, the application may save the current current value of total_in
+   which indicates where valid compressed data was found.  In the error case,
+   the application may repeatedly call inflateSync, providing more input each
+   time, until success or end of the input data.
 */
 
 ZEXTERN int ZEXPORT inflateCopy OF((z_streamp dest,
@@ -782,18 +830,30 @@ ZEXTERN int ZEXPORT inflateCopy OF((z_streamp dest,
 
      inflateCopy returns Z_OK if success, Z_MEM_ERROR if there was not
    enough memory, Z_STREAM_ERROR if the source stream state was inconsistent
-   (such as zalloc being NULL). msg is left unchanged in both source and
+   (such as zalloc being Z_NULL).  msg is left unchanged in both source and
    destination.
 */
 
 ZEXTERN int ZEXPORT inflateReset OF((z_streamp strm));
 /*
      This function is equivalent to inflateEnd followed by inflateInit,
-   but does not free and reallocate all the internal decompression state.
-   The stream will keep attributes that may have been set by inflateInit2.
+   but does not free and reallocate all the internal decompression state.  The
+   stream will keep attributes that may have been set by inflateInit2.
 
-      inflateReset returns Z_OK if success, or Z_STREAM_ERROR if the source
-   stream state was inconsistent (such as zalloc or state being NULL).
+     inflateReset returns Z_OK if success, or Z_STREAM_ERROR if the source
+   stream state was inconsistent (such as zalloc or state being Z_NULL).
+*/
+
+ZEXTERN int ZEXPORT inflateReset2 OF((z_streamp strm,
+                                      int windowBits));
+/*
+     This function is the same as inflateReset, but it also permits changing
+   the wrap and window size requests.  The windowBits parameter is interpreted
+   the same as it is for inflateInit2.
+
+     inflateReset2 returns Z_OK if success, or Z_STREAM_ERROR if the source
+   stream state was inconsistent (such as zalloc or state being Z_NULL), or if
+   the windowBits parameter is invalid.
 */
 
 ZEXTERN int ZEXPORT inflatePrime OF((z_streamp strm,
@@ -801,54 +861,87 @@ ZEXTERN int ZEXPORT inflatePrime OF((z_streamp strm,
                                      int value));
 /*
      This function inserts bits in the inflate input stream.  The intent is
-  that this function is used to start inflating at a bit position in the
-  middle of a byte.  The provided bits will be used before any bytes are used
-  from next_in.  This function should only be used with raw inflate, and
-  should be used before the first inflate() call after inflateInit2() or
-  inflateReset().  bits must be less than or equal to 16, and that many of the
-  least significant bits of value will be inserted in the input.
+   that this function is used to start inflating at a bit position in the
+   middle of a byte.  The provided bits will be used before any bytes are used
+   from next_in.  This function should only be used with raw inflate, and
+   should be used before the first inflate() call after inflateInit2() or
+   inflateReset().  bits must be less than or equal to 16, and that many of the
+   least significant bits of value will be inserted in the input.
 
-      inflatePrime returns Z_OK if success, or Z_STREAM_ERROR if the source
+     If bits is negative, then the input stream bit buffer is emptied.  Then
+   inflatePrime() can be called again to put bits in the buffer.  This is used
+   to clear out bits leftover after feeding inflate a block description prior
+   to feeding inflate codes.
+
+     inflatePrime returns Z_OK if success, or Z_STREAM_ERROR if the source
    stream state was inconsistent.
 */
 
+ZEXTERN long ZEXPORT inflateMark OF((z_streamp strm));
+/*
+     This function returns two values, one in the lower 16 bits of the return
+   value, and the other in the remaining upper bits, obtained by shifting the
+   return value down 16 bits.  If the upper value is -1 and the lower value is
+   zero, then inflate() is currently decoding information outside of a block.
+   If the upper value is -1 and the lower value is non-zero, then inflate is in
+   the middle of a stored block, with the lower value equaling the number of
+   bytes from the input remaining to copy.  If the upper value is not -1, then
+   it is the number of bits back from the current bit position in the input of
+   the code (literal or length/distance pair) currently being processed.  In
+   that case the lower value is the number of bytes already emitted for that
+   code.
+
+     A code is being processed if inflate is waiting for more input to complete
+   decoding of the code, or if it has completed decoding but is waiting for
+   more output space to write the literal or match data.
+
+     inflateMark() is used to mark locations in the input data for random
+   access, which may be at bit positions, and to note those cases where the
+   output of a code may span boundaries of random access blocks.  The current
+   location in the input stream can be determined from avail_in and data_type
+   as noted in the description for the Z_BLOCK flush parameter for inflate.
+
+     inflateMark returns the value noted above or -1 << 16 if the provided
+   source stream state was inconsistent.
+*/
+
 ZEXTERN int ZEXPORT inflateGetHeader OF((z_streamp strm,
                                          gz_headerp head));
 /*
-      inflateGetHeader() requests that gzip header information be stored in the
+     inflateGetHeader() requests that gzip header information be stored in the
    provided gz_header structure.  inflateGetHeader() may be called after
    inflateInit2() or inflateReset(), and before the first call of inflate().
    As inflate() processes the gzip stream, head->done is zero until the header
    is completed, at which time head->done is set to one.  If a zlib stream is
    being decoded, then head->done is set to -1 to indicate that there will be
-   no gzip header information forthcoming.  Note that Z_BLOCK can be used to
-   force inflate() to return immediately after header processing is complete
-   and before any actual data is decompressed.
+   no gzip header information forthcoming.  Note that Z_BLOCK or Z_TREES can be
+   used to force inflate() to return immediately after header processing is
+   complete and before any actual data is decompressed.
 
-      The text, time, xflags, and os fields are filled in with the gzip header
+     The text, time, xflags, and os fields are filled in with the gzip header
    contents.  hcrc is set to true if there is a header CRC.  (The header CRC
-   was valid if done is set to one.)  If extra is not Z_NULL, then extra_max
+   was valid if done is set to one.) If extra is not Z_NULL, then extra_max
    contains the maximum number of bytes to write to extra.  Once done is true,
    extra_len contains the actual extra field length, and extra contains the
    extra field, or that field truncated if extra_max is less than extra_len.
    If name is not Z_NULL, then up to name_max characters are written there,
    terminated with a zero unless the length is greater than name_max.  If
    comment is not Z_NULL, then up to comm_max characters are written there,
-   terminated with a zero unless the length is greater than comm_max.  When
-   any of extra, name, or comment are not Z_NULL and the respective field is
-   not present in the header, then that field is set to Z_NULL to signal its
+   terminated with a zero unless the length is greater than comm_max.  When any
+   of extra, name, or comment are not Z_NULL and the respective field is not
+   present in the header, then that field is set to Z_NULL to signal its
    absence.  This allows the use of deflateSetHeader() with the returned
    structure to duplicate the header.  However if those fields are set to
    allocated memory, then the application will need to save those pointers
    elsewhere so that they can be eventually freed.
 
-      If inflateGetHeader is not used, then the header information is simply
+     If inflateGetHeader is not used, then the header information is simply
    discarded.  The header is always checked for validity, including the header
    CRC if present.  inflateReset() will reset the process to discard the header
    information.  The application would need to call inflateGetHeader() again to
    retrieve the header from the next gzip stream.
 
-      inflateGetHeader returns Z_OK if success, or Z_STREAM_ERROR if the source
+     inflateGetHeader returns Z_OK if success, or Z_STREAM_ERROR if the source
    stream state was inconsistent.
 */
 
@@ -869,9 +962,9 @@ ZEXTERN int ZEXPORT inflateBackInit OF((z_streamp strm, int windowBits,
      See inflateBack() for the usage of these routines.
 
      inflateBackInit will return Z_OK on success, Z_STREAM_ERROR if any of
-   the paramaters are invalid, Z_MEM_ERROR if the internal state could not
-   be allocated, or Z_VERSION_ERROR if the version of the library does not
-   match the version of the header file.
+   the paramaters are invalid, Z_MEM_ERROR if the internal state could not be
+   allocated, or Z_VERSION_ERROR if the version of the library does not match
+   the version of the header file.
 */
 
 typedef unsigned (*in_func) OF((void FAR *, unsigned char FAR * FAR *));
@@ -891,15 +984,15 @@ ZEXTERN int ZEXPORT inflateBack OF((z_streamp strm,
      inflateBackInit() must be called first to allocate the internal state
    and to initialize the state with the user-provided window buffer.
    inflateBack() may then be used multiple times to inflate a complete, raw
-   deflate stream with each call.  inflateBackEnd() is then called to free
-   the allocated state.
+   deflate stream with each call.  inflateBackEnd() is then called to free the
+   allocated state.
 
      A raw deflate stream is one with no zlib or gzip header or trailer.
    This routine would normally be used in a utility that reads zip or gzip
    files and writes out uncompressed files.  The utility would decode the
-   header and process the trailer on its own, hence this routine expects
-   only the raw deflate stream to decompress.  This is different from the
-   normal behavior of inflate(), which expects either a zlib or gzip header and
+   header and process the trailer on its own, hence this routine expects only
+   the raw deflate stream to decompress.  This is different from the normal
+   behavior of inflate(), which expects either a zlib or gzip header and
    trailer around the deflate stream.
 
      inflateBack() uses two subroutines supplied by the caller that are then
@@ -925,7 +1018,7 @@ ZEXTERN int ZEXPORT inflateBack OF((z_streamp strm,
    calling inflateBack().  If strm->next_in is Z_NULL, then in() will be called
    immediately for input.  If strm->next_in is not Z_NULL, then strm->avail_in
    must also be initialized, and then if strm->avail_in is not zero, input will
-   initially be taken from strm->next_in[0 .. strm->avail_in - 1].
+   initially be taken from strm->next_in[0 ..  strm->avail_in - 1].
 
      The in_desc and out_desc parameters of inflateBack() is passed as the
    first parameter of in() and out() respectively when they are called.  These
@@ -935,15 +1028,15 @@ ZEXTERN int ZEXPORT inflateBack OF((z_streamp strm,
      On return, inflateBack() will set strm->next_in and strm->avail_in to
    pass back any unused input that was provided by the last in() call.  The
    return values of inflateBack() can be Z_STREAM_END on success, Z_BUF_ERROR
-   if in() or out() returned an error, Z_DATA_ERROR if there was a format
-   error in the deflate stream (in which case strm->msg is set to indicate the
-   nature of the error), or Z_STREAM_ERROR if the stream was not properly
-   initialized.  In the case of Z_BUF_ERROR, an input or output error can be
-   distinguished using strm->next_in which will be Z_NULL only if in() returned
-   an error.  If strm->next is not Z_NULL, then the Z_BUF_ERROR was due to
-   out() returning non-zero.  (in() will always be called before out(), so
-   strm->next_in is assured to be defined if out() returns non-zero.)  Note
-   that inflateBack() cannot return Z_OK.
+   if in() or out() returned an error, Z_DATA_ERROR if there was a format error
+   in the deflate stream (in which case strm->msg is set to indicate the nature
+   of the error), or Z_STREAM_ERROR if the stream was not properly initialized.
+   In the case of Z_BUF_ERROR, an input or output error can be distinguished
+   using strm->next_in which will be Z_NULL only if in() returned an error.  If
+   strm->next_in is not Z_NULL, then the Z_BUF_ERROR was due to out() returning
+   non-zero.  (in() will always be called before out(), so strm->next_in is
+   assured to be defined if out() returns non-zero.) Note that inflateBack()
+   cannot return Z_OK.
 */
 
 ZEXTERN int ZEXPORT inflateBackEnd OF((z_streamp strm));
@@ -999,23 +1092,22 @@ ZEXTERN uLong ZEXPORT zlibCompileFlags OF((void));
                         /* utility functions */
 
 /*
-     The following utility functions are implemented on top of the
-   basic stream-oriented functions. To simplify the interface, some
-   default options are assumed (compression level and memory usage,
-   standard memory allocation functions). The source code of these
-   utility functions can easily be modified if you need special options.
+     The following utility functions are implemented on top of the basic
+   stream-oriented functions.  To simplify the interface, some default options
+   are assumed (compression level and memory usage, standard memory allocation
+   functions).  The source code of these utility functions can be modified if
+   you need special options.
 */
 
 ZEXTERN int ZEXPORT compress OF((Bytef *dest,   uLongf *destLen,
                                  const Bytef *source, uLong sourceLen));
 /*
      Compresses the source buffer into the destination buffer.  sourceLen is
-   the byte length of the source buffer. Upon entry, destLen is the total
-   size of the destination buffer, which must be at least the value returned
-   by compressBound(sourceLen). Upon exit, destLen is the actual size of the
+   the byte length of the source buffer.  Upon entry, destLen is the total size
+   of the destination buffer, which must be at least the value returned by
+   compressBound(sourceLen).  Upon exit, destLen is the actual size of the
    compressed buffer.
-     This function can be used to compress a whole file at once if the
-   input file is mmap'ed.
+
      compress returns Z_OK if success, Z_MEM_ERROR if there was not
    enough memory, Z_BUF_ERROR if there was not enough room in the output
    buffer.
@@ -1025,11 +1117,11 @@ ZEXTERN int ZEXPORT compress2 OF((Bytef *dest,   uLongf *destLen,
                                   const Bytef *source, uLong sourceLen,
                                   int level));
 /*
-     Compresses the source buffer into the destination buffer. The level
+     Compresses the source buffer into the destination buffer.  The level
    parameter has the same meaning as in deflateInit.  sourceLen is the byte
-   length of the source buffer. Upon entry, destLen is the total size of the
+   length of the source buffer.  Upon entry, destLen is the total size of the
    destination buffer, which must be at least the value returned by
-   compressBound(sourceLen). Upon exit, destLen is the actual size of the
+   compressBound(sourceLen).  Upon exit, destLen is the actual size of the
    compressed buffer.
 
      compress2 returns Z_OK if success, Z_MEM_ERROR if there was not enough
@@ -1040,22 +1132,20 @@ ZEXTERN int ZEXPORT compress2 OF((Bytef *dest,   uLongf *destLen,
 ZEXTERN uLong ZEXPORT compressBound OF((uLong sourceLen));
 /*
      compressBound() returns an upper bound on the compressed size after
-   compress() or compress2() on sourceLen bytes.  It would be used before
-   a compress() or compress2() call to allocate the destination buffer.
+   compress() or compress2() on sourceLen bytes.  It would be used before a
+   compress() or compress2() call to allocate the destination buffer.
 */
 
 ZEXTERN int ZEXPORT uncompress OF((Bytef *dest,   uLongf *destLen,
                                    const Bytef *source, uLong sourceLen));
 /*
      Decompresses the source buffer into the destination buffer.  sourceLen is
-   the byte length of the source buffer. Upon entry, destLen is the total
-   size of the destination buffer, which must be large enough to hold the
-   entire uncompressed data. (The size of the uncompressed data must have
-   been saved previously by the compressor and transmitted to the decompressor
-   by some mechanism outside the scope of this compression library.)
-   Upon exit, destLen is the actual size of the compressed buffer.
-     This function can be used to decompress a whole file at once if the
-   input file is mmap'ed.
+   the byte length of the source buffer.  Upon entry, destLen is the total size
+   of the destination buffer, which must be large enough to hold the entire
+   uncompressed data.  (The size of the uncompressed data must have been saved
+   previously by the compressor and transmitted to the decompressor by some
+   mechanism outside the scope of this compression library.) Upon exit, destLen
+   is the actual size of the uncompressed buffer.
 
      uncompress returns Z_OK if success, Z_MEM_ERROR if there was not
    enough memory, Z_BUF_ERROR if there was not enough room in the output
@@ -1063,136 +1153,199 @@ ZEXTERN int ZEXPORT uncompress OF((Bytef *dest,   uLongf *destLen,
 */
 
 
-typedef voidp gzFile;
+                        /* gzip file access functions */
 
-ZEXTERN gzFile ZEXPORT gzopen  OF((const char *path, const char *mode));
 /*
-     Opens a gzip (.gz) file for reading or writing. The mode parameter
-   is as in fopen ("rb" or "wb") but can also include a compression level
-   ("wb9") or a strategy: 'f' for filtered data as in "wb6f", 'h' for
-   Huffman only compression as in "wb1h", or 'R' for run-length encoding
-   as in "wb1R". (See the description of deflateInit2 for more information
-   about the strategy parameter.)
+     This library supports reading and writing files in gzip (.gz) format with
+   an interface similar to that of stdio, using the functions that start with
+   "gz".  The gzip format is different from the zlib format.  gzip is a gzip
+   wrapper, documented in RFC 1952, wrapped around a deflate stream.
+*/
+
+typedef voidp gzFile;       /* opaque gzip file descriptor */
+
+/*
+ZEXTERN gzFile ZEXPORT gzopen OF((const char *path, const char *mode));
+
+     Opens a gzip (.gz) file for reading or writing.  The mode parameter is as
+   in fopen ("rb" or "wb") but can also include a compression level ("wb9") or
+   a strategy: 'f' for filtered data as in "wb6f", 'h' for Huffman-only
+   compression as in "wb1h", 'R' for run-length encoding as in "wb1R", or 'F'
+   for fixed code compression as in "wb9F".  (See the description of
+   deflateInit2 for more information about the strategy parameter.) Also "a"
+   can be used instead of "w" to request that the gzip stream that will be
+   written be appended to the file.  "+" will result in an error, since reading
+   and writing to the same gzip file is not supported.
 
      gzopen can be used to read a file which is not in gzip format; in this
    case gzread will directly read from the file without decompression.
 
-     gzopen returns NULL if the file could not be opened or if there was
-   insufficient memory to allocate the (de)compression state; errno
-   can be checked to distinguish the two cases (if errno is zero, the
-   zlib error is Z_MEM_ERROR).  */
+     gzopen returns NULL if the file could not be opened, if there was
+   insufficient memory to allocate the gzFile state, or if an invalid mode was
+   specified (an 'r', 'w', or 'a' was not provided, or '+' was provided).
+   errno can be checked to determine if the reason gzopen failed was that the
+   file could not be opened.
+*/
 
-ZEXTERN gzFile ZEXPORT gzdopen  OF((int fd, const char *mode));
+ZEXTERN gzFile ZEXPORT gzdopen OF((int fd, const char *mode));
 /*
-     gzdopen() associates a gzFile with the file descriptor fd.  File
-   descriptors are obtained from calls like open, dup, creat, pipe or
-   fileno (in the file has been previously opened with fopen).
-   The mode parameter is as in gzopen.
-     The next call of gzclose on the returned gzFile will also close the
-   file descriptor fd, just like fclose(fdopen(fd), mode) closes the file
-   descriptor fd. If you want to keep fd open, use gzdopen(dup(fd), mode).
-     gzdopen returns NULL if there was insufficient memory to allocate
-   the (de)compression state.
+     gzdopen associates a gzFile with the file descriptor fd.  File descriptors
+   are obtained from calls like open, dup, creat, pipe or fileno (if the file
+   has been previously opened with fopen).  The mode parameter is as in gzopen.
+
+     The next call of gzclose on the returned gzFile will also close the file
+   descriptor fd, just like fclose(fdopen(fd, mode)) closes the file descriptor
+   fd.  If you want to keep fd open, use fd = dup(fd_keep); gz = gzdopen(fd,
+   mode);.  The duplicated descriptor should be saved to avoid a leak, since
+   gzdopen does not close fd if it fails.
+
+     gzdopen returns NULL if there was insufficient memory to allocate the
+   gzFile state, if an invalid mode was specified (an 'r', 'w', or 'a' was not
+   provided, or '+' was provided), or if fd is -1.  The file descriptor is not
+   used until the next gz* read, write, seek, or close operation, so gzdopen
+   will not detect if fd is invalid (unless fd is -1).
+*/
+
+ZEXTERN int ZEXPORT gzbuffer OF((gzFile file, unsigned size));
+/*
+     Set the internal buffer size used by this library's functions.  The
+   default buffer size is 8192 bytes.  This function must be called after
+   gzopen() or gzdopen(), and before any other calls that read or write the
+   file.  The buffer memory allocation is always deferred to the first read or
+   write.  Two buffers are allocated, either both of the specified size when
+   writing, or one of the specified size and the other twice that size when
+   reading.  A larger buffer size of, for example, 64K or 128K bytes will
+   noticeably increase the speed of decompression (reading).
+
+     The new buffer size also affects the maximum length for gzprintf().
+
+     gzbuffer() returns 0 on success, or -1 on failure, such as being called
+   too late.
 */
 
 ZEXTERN int ZEXPORT gzsetparams OF((gzFile file, int level, int strategy));
 /*
-     Dynamically update the compression level or strategy. See the description
+     Dynamically update the compression level or strategy.  See the description
    of deflateInit2 for the meaning of these parameters.
+
      gzsetparams returns Z_OK if success, or Z_STREAM_ERROR if the file was not
    opened for writing.
 */
 
-ZEXTERN int ZEXPORT    gzread  OF((gzFile file, voidp buf, unsigned len));
+ZEXTERN int ZEXPORT gzread OF((gzFile file, voidp buf, unsigned len));
 /*
-     Reads the given number of uncompressed bytes from the compressed file.
-   If the input file was not in gzip format, gzread copies the given number
-   of bytes into the buffer.
-     gzread returns the number of uncompressed bytes actually read (0 for
-   end of file, -1 for error). */
+     Reads the given number of uncompressed bytes from the compressed file.  If
+   the input file was not in gzip format, gzread copies the given number of
+   bytes into the buffer.
 
-ZEXTERN int ZEXPORT    gzwrite OF((gzFile file,
-                                   voidpc buf, unsigned len));
-/*
-     Writes the given number of uncompressed bytes into the compressed file.
-   gzwrite returns the number of uncompressed bytes actually written
-   (0 in case of error).
+     After reaching the end of a gzip stream in the input, gzread will continue
+   to read, looking for another gzip stream, or failing that, reading the rest
+   of the input file directly without decompression.  The entire input file
+   will be read if gzread is called until it returns less than the requested
+   len.
+
+     gzread returns the number of uncompressed bytes actually read, less than
+   len for end of file, or -1 for error.
 */
 
-ZEXTERN int ZEXPORTVA   gzprintf OF((gzFile file, const char *format, ...));
+ZEXTERN int ZEXPORT gzwrite OF((gzFile file,
+                                voidpc buf, unsigned len));
 /*
-     Converts, formats, and writes the args to the compressed file under
-   control of the format string, as in fprintf. gzprintf returns the number of
-   uncompressed bytes actually written (0 in case of error).  The number of
-   uncompressed bytes written is limited to 4095. The caller should assure that
-   this limit is not exceeded. If it is exceeded, then gzprintf() will return
-   return an error (0) with nothing written. In this case, there may also be a
-   buffer overflow with unpredictable consequences, which is possible only if
-   zlib was compiled with the insecure functions sprintf() or vsprintf()
-   because the secure snprintf() or vsnprintf() functions were not available.
+     Writes the given number of uncompressed bytes into the compressed file.
+   gzwrite returns the number of uncompressed bytes written or 0 in case of
+   error.
+*/
+
+ZEXTERN int ZEXPORTVA gzprintf OF((gzFile file, const char *format, ...));
+/*
+     Converts, formats, and writes the arguments to the compressed file under
+   control of the format string, as in fprintf.  gzprintf returns the number of
+   uncompressed bytes actually written, or 0 in case of error.  The number of
+   uncompressed bytes written is limited to 8191, or one less than the buffer
+   size given to gzbuffer().  The caller should assure that this limit is not
+   exceeded.  If it is exceeded, then gzprintf() will return an error (0) with
+   nothing written.  In this case, there may also be a buffer overflow with
+   unpredictable consequences, which is possible only if zlib was compiled with
+   the insecure functions sprintf() or vsprintf() because the secure snprintf()
+   or vsnprintf() functions were not available.  This can be determined using
+   zlibCompileFlags().
 */
 
 ZEXTERN int ZEXPORT gzputs OF((gzFile file, const char *s));
 /*
-      Writes the given null-terminated string to the compressed file, excluding
+     Writes the given null-terminated string to the compressed file, excluding
    the terminating null character.
-      gzputs returns the number of characters written, or -1 in case of error.
+
+     gzputs returns the number of characters written, or -1 in case of error.
 */
 
 ZEXTERN char * ZEXPORT gzgets OF((gzFile file, char *buf, int len));
 /*
-      Reads bytes from the compressed file until len-1 characters are read, or
-   a newline character is read and transferred to buf, or an end-of-file
-   condition is encountered.  The string is then terminated with a null
-   character.
-      gzgets returns buf, or Z_NULL in case of error.
+     Reads bytes from the compressed file until len-1 characters are read, or a
+   newline character is read and transferred to buf, or an end-of-file
+   condition is encountered.  If any characters are read or if len == 1, the
+   string is terminated with a null character.  If no characters are read due
+   to an end-of-file or len < 1, then the buffer is left untouched.
+
+     gzgets returns buf which is a null-terminated string, or it returns NULL
+   for end-of-file or in case of error.  If there was an error, the contents at
+   buf are indeterminate.
 */
 
-ZEXTERN int ZEXPORT    gzputc OF((gzFile file, int c));
+ZEXTERN int ZEXPORT gzputc OF((gzFile file, int c));
 /*
-      Writes c, converted to an unsigned char, into the compressed file.
-   gzputc returns the value that was written, or -1 in case of error.
+     Writes c, converted to an unsigned char, into the compressed file.  gzputc
+   returns the value that was written, or -1 in case of error.
 */
 
-ZEXTERN int ZEXPORT    gzgetc OF((gzFile file));
+ZEXTERN int ZEXPORT gzgetc OF((gzFile file));
 /*
-      Reads one byte from the compressed file. gzgetc returns this byte
-   or -1 in case of end of file or error.
+     Reads one byte from the compressed file.  gzgetc returns this byte or -1
+   in case of end of file or error.
 */
 
-ZEXTERN int ZEXPORT    gzungetc OF((int c, gzFile file));
+ZEXTERN int ZEXPORT gzungetc OF((int c, gzFile file));
 /*
-      Push one character back onto the stream to be read again later.
-   Only one character of push-back is allowed.  gzungetc() returns the
-   character pushed, or -1 on failure.  gzungetc() will fail if a
-   character has been pushed but not read yet, or if c is -1. The pushed
-   character will be discarded if the stream is repositioned with gzseek()
-   or gzrewind().
+     Push one character back onto the stream to be read as the first character
+   on the next read.  At least one character of push-back is allowed.
+   gzungetc() returns the character pushed, or -1 on failure.  gzungetc() will
+   fail if c is -1, and may fail if a character has been pushed but not read
+   yet.  If gzungetc is used immediately after gzopen or gzdopen, at least the
+   output buffer size of pushed characters is allowed.  (See gzbuffer above.)
+   The pushed character will be discarded if the stream is repositioned with
+   gzseek() or gzrewind().
 */
 
-ZEXTERN int ZEXPORT    gzflush OF((gzFile file, int flush));
+ZEXTERN int ZEXPORT gzflush OF((gzFile file, int flush));
 /*
-     Flushes all pending output into the compressed file. The parameter
-   flush is as in the deflate() function. The return value is the zlib
-   error number (see function gzerror below). gzflush returns Z_OK if
-   the flush parameter is Z_FINISH and all output could be flushed.
-     gzflush should be called only when strictly necessary because it can
-   degrade compression.
+     Flushes all pending output into the compressed file.  The parameter flush
+   is as in the deflate() function.  The return value is the zlib error number
+   (see function gzerror below).  gzflush is only permitted when writing.
+
+     If the flush parameter is Z_FINISH, the remaining data is written and the
+   gzip stream is completed in the output.  If gzwrite() is called again, a new
+   gzip stream will be started in the output.  gzread() is able to read such
+   concatented gzip streams.
+
+     gzflush should be called only when strictly necessary because it will
+   degrade compression if called too often.
 */
 
-ZEXTERN z_off_t ZEXPORT    gzseek OF((gzFile file,
-                                      z_off_t offset, int whence));
 /*
-      Sets the starting position for the next gzread or gzwrite on the
-   given compressed file. The offset represents a number of bytes in the
-   uncompressed data stream. The whence parameter is defined as in lseek(2);
+ZEXTERN z_off_t ZEXPORT gzseek OF((gzFile file,
+                                   z_off_t offset, int whence));
+
+     Sets the starting position for the next gzread or gzwrite on the given
+   compressed file.  The offset represents a number of bytes in the
+   uncompressed data stream.  The whence parameter is defined as in lseek(2);
    the value SEEK_END is not supported.
+
      If the file is opened for reading, this function is emulated but can be
-   extremely slow. If the file is opened for writing, only forward seeks are
+   extremely slow.  If the file is opened for writing, only forward seeks are
    supported; gzseek then compresses a sequence of zeroes up to the new
    starting position.
 
-      gzseek returns the resulting offset location as measured in bytes from
+     gzseek returns the resulting offset location as measured in bytes from
    the beginning of the uncompressed stream, or -1 in case of error, in
    particular if the file is opened for writing and the new starting position
    would be before the current position.
@@ -1202,68 +1355,127 @@ ZEXTERN int ZEXPORT    gzrewind OF((gzFile file));
 /*
      Rewinds the given file. This function is supported only for reading.
 
-   gzrewind(file) is equivalent to (int)gzseek(file, 0L, SEEK_SET)
+     gzrewind(file) is equivalent to (int)gzseek(file, 0L, SEEK_SET)
 */
 
-ZEXTERN z_off_t ZEXPORT    gztell OF((gzFile file));
 /*
-     Returns the starting position for the next gzread or gzwrite on the
-   given compressed file. This position represents a number of bytes in the
-   uncompressed data stream.
+ZEXTERN z_off_t ZEXPORT    gztell OF((gzFile file));
 
-   gztell(file) is equivalent to gzseek(file, 0L, SEEK_CUR)
+     Returns the starting position for the next gzread or gzwrite on the given
+   compressed file.  This position represents a number of bytes in the
+   uncompressed data stream, and is zero when starting, even if appending or
+   reading a gzip stream from the middle of a file using gzdopen().
+
+     gztell(file) is equivalent to gzseek(file, 0L, SEEK_CUR)
+*/
+
+/*
+ZEXTERN z_off_t ZEXPORT gzoffset OF((gzFile file));
+
+     Returns the current offset in the file being read or written.  This offset
+   includes the count of bytes that precede the gzip stream, for example when
+   appending or when using gzdopen() for reading.  When reading, the offset
+   does not include as yet unused buffered input.  This information can be used
+   for a progress indicator.  On error, gzoffset() returns -1.
 */
 
 ZEXTERN int ZEXPORT gzeof OF((gzFile file));
 /*
-     Returns 1 when EOF has previously been detected reading the given
-   input stream, otherwise zero.
+     Returns true (1) if the end-of-file indicator has been set while reading,
+   false (0) otherwise.  Note that the end-of-file indicator is set only if the
+   read tried to go past the end of the input, but came up short.  Therefore,
+   just like feof(), gzeof() may return false even if there is no more data to
+   read, in the event that the last read request was for the exact number of
+   bytes remaining in the input file.  This will happen if the input file size
+   is an exact multiple of the buffer size.
+
+     If gzeof() returns true, then the read functions will return no more data,
+   unless the end-of-file indicator is reset by gzclearerr() and the input file
+   has grown since the previous end of file was detected.
 */
 
 ZEXTERN int ZEXPORT gzdirect OF((gzFile file));
 /*
-     Returns 1 if file is being read directly without decompression, otherwise
-   zero.
+     Returns true (1) if file is being copied directly while reading, or false
+   (0) if file is a gzip stream being decompressed.  This state can change from
+   false to true while reading the input file if the end of a gzip stream is
+   reached, but is followed by data that is not another gzip stream.
+
+     If the input file is empty, gzdirect() will return true, since the input
+   does not contain a gzip stream.
+
+     If gzdirect() is used immediately after gzopen() or gzdopen() it will
+   cause buffers to be allocated to allow reading the file to determine if it
+   is a gzip file.  Therefore if gzbuffer() is used, it should be called before
+   gzdirect().
 */
 
 ZEXTERN int ZEXPORT    gzclose OF((gzFile file));
 /*
-     Flushes all pending output if necessary, closes the compressed file
-   and deallocates all the (de)compression state. The return value is the zlib
-   error number (see function gzerror below).
+     Flushes all pending output if necessary, closes the compressed file and
+   deallocates the (de)compression state.  Note that once file is closed, you
+   cannot call gzerror with file, since its structures have been deallocated.
+   gzclose must not be called more than once on the same file, just as free
+   must not be called more than once on the same allocation.
+
+     gzclose will return Z_STREAM_ERROR if file is not valid, Z_ERRNO on a
+   file operation error, or Z_OK on success.
+*/
+
+ZEXTERN int ZEXPORT gzclose_r OF((gzFile file));
+ZEXTERN int ZEXPORT gzclose_w OF((gzFile file));
+/*
+     Same as gzclose(), but gzclose_r() is only for use when reading, and
+   gzclose_w() is only for use when writing or appending.  The advantage to
+   using these instead of gzclose() is that they avoid linking in zlib
+   compression or decompression code that is not used when only reading or only
+   writing respectively.  If gzclose() is used, then both compression and
+   decompression code will be included the application when linking to a static
+   zlib library.
 */
 
 ZEXTERN const char * ZEXPORT gzerror OF((gzFile file, int *errnum));
 /*
-     Returns the error message for the last error which occurred on the
-   given compressed file. errnum is set to zlib error number. If an
-   error occurred in the file system and not in the compression library,
-   errnum is set to Z_ERRNO and the application may consult errno
-   to get the exact error code.
+     Returns the error message for the last error which occurred on the given
+   compressed file.  errnum is set to zlib error number.  If an error occurred
+   in the file system and not in the compression library, errnum is set to
+   Z_ERRNO and the application may consult errno to get the exact error code.
+
+     The application must not modify the returned string.  Future calls to
+   this function may invalidate the previously returned string.  If file is
+   closed, then the string previously returned by gzerror will no longer be
+   available.
+
+     gzerror() should be used to distinguish errors from end-of-file for those
+   functions above that do not distinguish those cases in their return values.
 */
 
 ZEXTERN void ZEXPORT gzclearerr OF((gzFile file));
 /*
-     Clears the error and end-of-file flags for file. This is analogous to the
-   clearerr() function in stdio. This is useful for continuing to read a gzip
+     Clears the error and end-of-file flags for file.  This is analogous to the
+   clearerr() function in stdio.  This is useful for continuing to read a gzip
    file that is being written concurrently.
 */
 
+
                         /* checksum functions */
 
 /*
      These functions are not related to compression but are exported
-   anyway because they might be useful in applications using the
-   compression library.
+   anyway because they might be useful in applications using the compression
+   library.
 */
 
 ZEXTERN uLong ZEXPORT adler32 OF((uLong adler, const Bytef *buf, uInt len));
 /*
      Update a running Adler-32 checksum with the bytes buf[0..len-1] and
-   return the updated checksum. If buf is NULL, this function returns
-   the required initial value for the checksum.
-   An Adler-32 checksum is almost as reliable as a CRC32 but can be computed
-   much faster. Usage example:
+   return the updated checksum.  If buf is Z_NULL, this function returns the
+   required initial value for the checksum.
+
+     An Adler-32 checksum is almost as reliable as a CRC32 but can be computed
+   much faster.
+
+   Usage example:
 
      uLong adler = adler32(0L, Z_NULL, 0);
 
@@ -1273,9 +1485,10 @@ ZEXTERN uLong ZEXPORT adler32 OF((uLong adler, const Bytef *buf, uInt len));
      if (adler != original_adler) error();
 */
 
+/*
 ZEXTERN uLong ZEXPORT adler32_combine OF((uLong adler1, uLong adler2,
                                           z_off_t len2));
-/*
+
      Combine two Adler-32 checksums into one.  For two sequences of bytes, seq1
    and seq2 with lengths len1 and len2, Adler-32 checksums were calculated for
    each, adler1 and adler2.  adler32_combine() returns the Adler-32 checksum of
@@ -1285,9 +1498,11 @@ ZEXTERN uLong ZEXPORT adler32_combine OF((uLong adler1, uLong adler2,
 ZEXTERN uLong ZEXPORT crc32   OF((uLong crc, const Bytef *buf, uInt len));
 /*
      Update a running CRC-32 with the bytes buf[0..len-1] and return the
-   updated CRC-32. If buf is NULL, this function returns the required initial
-   value for the for the crc. Pre- and post-conditioning (one's complement) is
-   performed within this function so it shouldn't be done by the application.
+   updated CRC-32.  If buf is Z_NULL, this function returns the required
+   initial value for the for the crc.  Pre- and post-conditioning (one's
+   complement) is performed within this function so it shouldn't be done by the
+   application.
+
    Usage example:
 
      uLong crc = crc32(0L, Z_NULL, 0);
@@ -1298,9 +1513,9 @@ ZEXTERN uLong ZEXPORT crc32   OF((uLong crc, const Bytef *buf, uInt len));
      if (crc != original_crc) error();
 */
 
+/*
 ZEXTERN uLong ZEXPORT crc32_combine OF((uLong crc1, uLong crc2, z_off_t len2));
 
-/*
      Combine two CRC-32 check values into one.  For two sequences of bytes,
    seq1 and seq2 with lengths len1 and len2, CRC-32 check values were
    calculated for each, crc1 and crc2.  crc32_combine() returns the CRC-32
@@ -1339,16 +1554,57 @@ ZEXTERN int ZEXPORT inflateBackInit_ OF((z_streamp strm, int windowBits,
         inflateInit2_((strm), (windowBits), ZLIB_VERSION, sizeof(z_stream))
 #define inflateBackInit(strm, windowBits, window) \
         inflateBackInit_((strm), (windowBits), (window), \
-        ZLIB_VERSION, sizeof(z_stream))
+                                            ZLIB_VERSION, sizeof(z_stream))
 
-
-#if !defined(ZUTIL_H) && !defined(NO_DUMMY_DECL)
-    struct internal_state {int dummy;}; /* hack for buggy compilers */
+/* provide 64-bit offset functions if _LARGEFILE64_SOURCE defined, and/or
+ * change the regular functions to 64 bits if _FILE_OFFSET_BITS is 64 (if
+ * both are true, the application gets the *64 functions, and the regular
+ * functions are changed to 64 bits) -- in case these are set on systems
+ * without large file support, _LFS64_LARGEFILE must also be true
+ */
+#if defined(_LARGEFILE64_SOURCE) && _LFS64_LARGEFILE-0
+   ZEXTERN gzFile ZEXPORT gzopen64 OF((const char *, const char *));
+   ZEXTERN z_off64_t ZEXPORT gzseek64 OF((gzFile, z_off64_t, int));
+   ZEXTERN z_off64_t ZEXPORT gztell64 OF((gzFile));
+   ZEXTERN z_off64_t ZEXPORT gzoffset64 OF((gzFile));
+   ZEXTERN uLong ZEXPORT adler32_combine64 OF((uLong, uLong, z_off64_t));
+   ZEXTERN uLong ZEXPORT crc32_combine64 OF((uLong, uLong, z_off64_t));
 #endif
 
+#if !defined(ZLIB_INTERNAL) && _FILE_OFFSET_BITS-0 == 64 && _LFS64_LARGEFILE-0
+#  define gzopen gzopen64
+#  define gzseek gzseek64
+#  define gztell gztell64
+#  define gzoffset gzoffset64
+#  define adler32_combine adler32_combine64
+#  define crc32_combine crc32_combine64
+#  ifdef _LARGEFILE64_SOURCE
+     ZEXTERN gzFile ZEXPORT gzopen64 OF((const char *, const char *));
+     ZEXTERN z_off_t ZEXPORT gzseek64 OF((gzFile, z_off_t, int));
+     ZEXTERN z_off_t ZEXPORT gztell64 OF((gzFile));
+     ZEXTERN z_off_t ZEXPORT gzoffset64 OF((gzFile));
+     ZEXTERN uLong ZEXPORT adler32_combine64 OF((uLong, uLong, z_off_t));
+     ZEXTERN uLong ZEXPORT crc32_combine64 OF((uLong, uLong, z_off_t));
+#  endif
+#else
+   ZEXTERN gzFile ZEXPORT gzopen OF((const char *, const char *));
+   ZEXTERN z_off_t ZEXPORT gzseek OF((gzFile, z_off_t, int));
+   ZEXTERN z_off_t ZEXPORT gztell OF((gzFile));
+   ZEXTERN z_off_t ZEXPORT gzoffset OF((gzFile));
+   ZEXTERN uLong ZEXPORT adler32_combine OF((uLong, uLong, z_off_t));
+   ZEXTERN uLong ZEXPORT crc32_combine OF((uLong, uLong, z_off_t));
+#endif
+
+/* hack for buggy compilers */
+#if !defined(ZUTIL_H) && !defined(NO_DUMMY_DECL)
+    struct internal_state {int dummy;};
+#endif
+
+/* undocumented functions */
 ZEXTERN const char   * ZEXPORT zError           OF((int));
-ZEXTERN int            ZEXPORT inflateSyncPoint OF((z_streamp z));
+ZEXTERN int            ZEXPORT inflateSyncPoint OF((z_streamp));
 ZEXTERN const uLongf * ZEXPORT get_crc_table    OF((void));
+ZEXTERN int            ZEXPORT inflateUndermine OF((z_streamp, int));
 
 #ifdef __cplusplus
 }
diff --git a/security/nss/lib/zlib/zutil.c b/security/nss/lib/zlib/zutil.c
index 4ae72283379f..697efa60da32 100644
--- a/security/nss/lib/zlib/zutil.c
+++ b/security/nss/lib/zlib/zutil.c
@@ -1,9 +1,9 @@
 /* zutil.c -- target dependent utility functions for the compression library
- * Copyright (C) 1995-2005 Jean-loup Gailly.
+ * Copyright (C) 1995-2005, 2010 Jean-loup Gailly.
  * For conditions of distribution and use, see copyright notice in zlib.h
  */
 
-/* @(#) $Id: zutil.c,v 1.6 2009/11/07 01:13:12 wtchang%redhat.com Exp $ */
+/* @(#) $Id: zutil.c,v 1.7 2010/08/22 01:07:03 wtc%google.com Exp $ */
 
 #include "zutil.h"
 
@@ -34,25 +34,25 @@ uLong ZEXPORT zlibCompileFlags()
     uLong flags;
 
     flags = 0;
-    switch (sizeof(uInt)) {
+    switch ((int)(sizeof(uInt))) {
     case 2:     break;
     case 4:     flags += 1;     break;
     case 8:     flags += 2;     break;
     default:    flags += 3;
     }
-    switch (sizeof(uLong)) {
+    switch ((int)(sizeof(uLong))) {
     case 2:     break;
     case 4:     flags += 1 << 2;        break;
     case 8:     flags += 2 << 2;        break;
     default:    flags += 3 << 2;
     }
-    switch (sizeof(voidpf)) {
+    switch ((int)(sizeof(voidpf))) {
     case 2:     break;
     case 4:     flags += 1 << 4;        break;
     case 8:     flags += 2 << 4;        break;
     default:    flags += 3 << 4;
     }
-    switch (sizeof(z_off_t)) {
+    switch ((int)(sizeof(z_off_t))) {
     case 2:     break;
     case 4:     flags += 1 << 6;        break;
     case 8:     flags += 2 << 6;        break;
@@ -117,9 +117,9 @@ uLong ZEXPORT zlibCompileFlags()
 #  ifndef verbose
 #    define verbose 0
 #  endif
-int z_verbose = verbose;
+int ZLIB_INTERNAL z_verbose = verbose;
 
-void z_error (m)
+void ZLIB_INTERNAL z_error (m)
     char *m;
 {
     fprintf(stderr, "%s\n", m);
@@ -146,7 +146,7 @@ const char * ZEXPORT zError(err)
 
 #ifndef HAVE_MEMCPY
 
-void zmemcpy(dest, source, len)
+void ZLIB_INTERNAL zmemcpy(dest, source, len)
     Bytef* dest;
     const Bytef* source;
     uInt  len;
@@ -157,7 +157,7 @@ void zmemcpy(dest, source, len)
     } while (--len != 0);
 }
 
-int zmemcmp(s1, s2, len)
+int ZLIB_INTERNAL zmemcmp(s1, s2, len)
     const Bytef* s1;
     const Bytef* s2;
     uInt  len;
@@ -170,7 +170,7 @@ int zmemcmp(s1, s2, len)
     return 0;
 }
 
-void zmemzero(dest, len)
+void ZLIB_INTERNAL zmemzero(dest, len)
     Bytef* dest;
     uInt  len;
 {
@@ -213,7 +213,7 @@ local ptr_table table[MAX_PTR];
  * a protected system like OS/2. Use Microsoft C instead.
  */
 
-voidpf zcalloc (voidpf opaque, unsigned items, unsigned size)
+voidpf ZLIB_INTERNAL zcalloc (voidpf opaque, unsigned items, unsigned size)
 {
     voidpf buf = opaque; /* just to make some compilers happy */
     ulg bsize = (ulg)items*size;
@@ -237,7 +237,7 @@ voidpf zcalloc (voidpf opaque, unsigned items, unsigned size)
     return buf;
 }
 
-void  zcfree (voidpf opaque, voidpf ptr)
+void ZLIB_INTERNAL zcfree (voidpf opaque, voidpf ptr)
 {
     int n;
     if (*(ush*)&ptr != 0) { /* object < 64K */
@@ -272,13 +272,13 @@ void  zcfree (voidpf opaque, voidpf ptr)
 #  define _hfree   hfree
 #endif
 
-voidpf zcalloc (voidpf opaque, unsigned items, unsigned size)
+voidpf ZLIB_INTERNAL zcalloc (voidpf opaque, uInt items, uInt size)
 {
     if (opaque) opaque = 0; /* to make compiler happy */
     return _halloc((long)items, size);
 }
 
-void  zcfree (voidpf opaque, voidpf ptr)
+void ZLIB_INTERNAL zcfree (voidpf opaque, voidpf ptr)
 {
     if (opaque) opaque = 0; /* to make compiler happy */
     _hfree(ptr);
@@ -297,7 +297,7 @@ extern voidp  calloc OF((uInt items, uInt size));
 extern void   free   OF((voidpf ptr));
 #endif
 
-voidpf zcalloc (opaque, items, size)
+voidpf ZLIB_INTERNAL zcalloc (opaque, items, size)
     voidpf opaque;
     unsigned items;
     unsigned size;
@@ -307,7 +307,7 @@ voidpf zcalloc (opaque, items, size)
                               (voidpf)calloc(items, size);
 }
 
-void  zcfree (opaque, ptr)
+void ZLIB_INTERNAL zcfree (opaque, ptr)
     voidpf opaque;
     voidpf ptr;
 {
diff --git a/security/nss/lib/zlib/zutil.h b/security/nss/lib/zlib/zutil.h
index c132c12d11cd..e6668bba9ce8 100644
--- a/security/nss/lib/zlib/zutil.h
+++ b/security/nss/lib/zlib/zutil.h
@@ -1,5 +1,5 @@
 /* zutil.h -- internal interface and configuration of the compression library
- * Copyright (C) 1995-2005 Jean-loup Gailly.
+ * Copyright (C) 1995-2010 Jean-loup Gailly.
  * For conditions of distribution and use, see copyright notice in zlib.h
  */
 
@@ -8,36 +8,26 @@
    subject to change. Applications should only use zlib.h.
  */
 
-/* @(#) $Id: zutil.h,v 1.8 2009/11/07 01:13:12 nelson%bolyard.com Exp $ */
+/* @(#) $Id: zutil.h,v 1.9 2010/08/22 01:07:03 wtc%google.com Exp $ */
 
 #ifndef ZUTIL_H
 #define ZUTIL_H
 
-#define ZLIB_INTERNAL
+#if ((__GNUC__-0) * 10 + __GNUC_MINOR__-0 >= 33) && !defined(NO_VIZ)
+#  define ZLIB_INTERNAL __attribute__((visibility ("hidden")))
+#else
+#  define ZLIB_INTERNAL
+#endif
+
 #include "zlib.h"
 
 #ifdef STDC
-#  ifndef _WIN32_WCE
+#  if !(defined(_WIN32_WCE) && defined(_MSC_VER))
 #    include 
 #  endif
 #  include 
 #  include 
 #endif
-#ifdef NO_ERRNO_H
-#   ifdef _WIN32_WCE
-      /* The Microsoft C Run-Time Library for Windows CE doesn't have
-       * errno.  We define it as a global variable to simplify porting.
-       * Its value is always 0 and should not be used.  We rename it to
-       * avoid conflict with other libraries that use the same workaround.
-       */
-#     define errno z_errno
-#   endif
-    extern int errno;
-#else
-#  ifndef _WIN32_WCE
-#    include 
-#  endif
-#endif
 
 #ifndef local
 #  define local static
@@ -89,7 +79,7 @@ extern const char * const z_errmsg[10]; /* indexed by 2-zlib_error */
 #if defined(MSDOS) || (defined(WINDOWS) && !defined(WIN32))
 #  define OS_CODE  0x00
 #  if defined(__TURBOC__) || defined(__BORLANDC__)
-#    if(__STDC__ == 1) && (defined(__LARGE__) || defined(__COMPACT__))
+#    if (__STDC__ == 1) && (defined(__LARGE__) || defined(__COMPACT__))
        /* Allow compilation with ANSI keywords only enabled */
        void _Cdecl farfree( void *block );
        void *_Cdecl farmalloc( unsigned long nbytes );
@@ -105,7 +95,7 @@ extern const char * const z_errmsg[10]; /* indexed by 2-zlib_error */
 #  define OS_CODE  0x01
 #endif
 
-#if defined(VAXC)
+#if defined(VAXC) || defined(VMS)
 #  define OS_CODE  0x02
 #  define F_OPEN(name, mode) \
      fopen((name), (mode), "mbc=60", "ctx=stm", "rfm=fix", "mrs=512")
@@ -118,7 +108,7 @@ extern const char * const z_errmsg[10]; /* indexed by 2-zlib_error */
 #ifdef OS2
 #  define OS_CODE  0x06
 #  ifdef M_I86
-     #include 
+#    include 
 #  endif
 #endif
 
@@ -151,7 +141,7 @@ extern const char * const z_errmsg[10]; /* indexed by 2-zlib_error */
 #  define fdopen(fd,mode) NULL /* No fdopen() */
 #endif
 
-#if (defined(_MSC_VER) && (_MSC_VER > 600))
+#if (defined(_MSC_VER) && (_MSC_VER > 600)) && !defined __INTERIX
 #  if defined(_WIN32_WCE)
 #    define fdopen(fd,mode) NULL /* No fdopen() */
 #    ifndef _PTRDIFF_T_DEFINED
@@ -163,6 +153,18 @@ extern const char * const z_errmsg[10]; /* indexed by 2-zlib_error */
 #  endif
 #endif
 
+#if defined(__BORLANDC__)
+  #pragma warn -8004
+  #pragma warn -8008
+  #pragma warn -8066
+#endif
+
+/* provide prototypes for these when building zlib without LFS */
+#if !defined(_LARGEFILE64_SOURCE) || _LFS64_LARGEFILE-0 == 0
+    ZEXTERN uLong ZEXPORT adler32_combine64 OF((uLong, uLong, z_off_t));
+    ZEXTERN uLong ZEXPORT crc32_combine64 OF((uLong, uLong, z_off_t));
+#endif
+
         /* common defaults */
 
 #ifndef OS_CODE
@@ -198,13 +200,18 @@ extern const char * const z_errmsg[10]; /* indexed by 2-zlib_error */
 #  ifdef WIN32
      /* In Win32, vsnprintf is available as the "non-ANSI" _vsnprintf. */
 #    if !defined(vsnprintf) && !defined(NO_vsnprintf)
-#      define vsnprintf _vsnprintf
+#      if !defined(_MSC_VER) || ( defined(_MSC_VER) && _MSC_VER < 1500 )
+#         define vsnprintf _vsnprintf
+#      endif
 #    endif
 #  endif
 #  ifdef __SASC
 #    define NO_vsnprintf
 #  endif
 #endif
+#ifdef VMS
+#  define NO_vsnprintf
+#endif
 
 #if defined(pyr)
 #  define NO_MEMCPY
@@ -230,16 +237,16 @@ extern const char * const z_errmsg[10]; /* indexed by 2-zlib_error */
 #    define zmemzero(dest, len) memset(dest, 0, len)
 #  endif
 #else
-   extern void zmemcpy  OF((Bytef* dest, const Bytef* source, uInt len));
-   extern int  zmemcmp  OF((const Bytef* s1, const Bytef* s2, uInt len));
-   extern void zmemzero OF((Bytef* dest, uInt len));
+   void ZLIB_INTERNAL zmemcpy OF((Bytef* dest, const Bytef* source, uInt len));
+   int ZLIB_INTERNAL zmemcmp OF((const Bytef* s1, const Bytef* s2, uInt len));
+   void ZLIB_INTERNAL zmemzero OF((Bytef* dest, uInt len));
 #endif
 
 /* Diagnostic functions */
 #ifdef DEBUG
 #  include 
-   extern int z_verbose;
-   extern void z_error    OF((char *m));
+   extern int ZLIB_INTERNAL z_verbose;
+   extern void ZLIB_INTERNAL z_error OF((char *m));
 #  define Assert(cond,msg) {if(!(cond)) z_error(msg);}
 #  define Trace(x) {if (z_verbose>=0) fprintf x ;}
 #  define Tracev(x) {if (z_verbose>0) fprintf x ;}
@@ -256,8 +263,9 @@ extern const char * const z_errmsg[10]; /* indexed by 2-zlib_error */
 #endif
 
 
-voidpf zcalloc OF((voidpf opaque, unsigned items, unsigned size));
-void   zcfree  OF((voidpf opaque, voidpf ptr));
+voidpf ZLIB_INTERNAL zcalloc OF((voidpf opaque, unsigned items,
+                        unsigned size));
+void ZLIB_INTERNAL zcfree  OF((voidpf opaque, voidpf ptr));
 
 #define ZALLOC(strm, items, size) \
            (*((strm)->zalloc))((strm)->opaque, (items), (size))
diff --git a/security/nss/tests/cert/cert.sh b/security/nss/tests/cert/cert.sh
index e835999475a5..65473588fb3b 100755
--- a/security/nss/tests/cert/cert.sh
+++ b/security/nss/tests/cert/cert.sh
@@ -645,48 +645,48 @@ cert_smime_client()
   #
   echo "$SCRIPTNAME: Importing Certificates =============================="
   CU_ACTION="Import Bob's cert into Alice's db"
-  certu -E -t "p,p,p" -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
+  certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
         -i ${R_BOBDIR}/Bob.cert 2>&1
 
   CU_ACTION="Import Dave's cert into Alice's DB"
-  certu -E -t "p,p,p" -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
+  certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
         -i ${R_DAVEDIR}/Dave.cert 2>&1
 
   CU_ACTION="Import Dave's cert into Bob's DB"
-  certu -E -t "p,p,p" -d ${P_R_BOBDIR} -f ${R_PWFILE} \
+  certu -E -t ",," -d ${P_R_BOBDIR} -f ${R_PWFILE} \
         -i ${R_DAVEDIR}/Dave.cert 2>&1
 
   CU_ACTION="Import Eve's cert into Alice's DB"
-  certu -E -t "p,p,p" -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
+  certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
         -i ${R_EVEDIR}/Eve.cert 2>&1
 
   CU_ACTION="Import Eve's cert into Bob's DB"
-  certu -E -t "p,p,p" -d ${P_R_BOBDIR} -f ${R_PWFILE} \
+  certu -E -t ",," -d ${P_R_BOBDIR} -f ${R_PWFILE} \
         -i ${R_EVEDIR}/Eve.cert 2>&1
 
   if [ -n "$NSS_ENABLE_ECC" ] ; then
       echo "$SCRIPTNAME: Importing EC Certificates =============================="
       CU_ACTION="Import Bob's EC cert into Alice's db"
-      certu -E -t "p,p,p" -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
+      certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
           -i ${R_BOBDIR}/Bob-ec.cert 2>&1
 
       CU_ACTION="Import Dave's EC cert into Alice's DB"
-      certu -E -t "p,p,p" -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
+      certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
           -i ${R_DAVEDIR}/Dave-ec.cert 2>&1
 
       CU_ACTION="Import Dave's EC cert into Bob's DB"
-      certu -E -t "p,p,p" -d ${P_R_BOBDIR} -f ${R_PWFILE} \
+      certu -E -t ",," -d ${P_R_BOBDIR} -f ${R_PWFILE} \
           -i ${R_DAVEDIR}/Dave-ec.cert 2>&1
 
 ## XXXX Do not import Eve's EC cert until we can make sure that
 ## the email addresses listed in the Subject Alt Name Extension 
 ## inside Eve's ECC and non-ECC certs are different.
 #     CU_ACTION="Import Eve's EC cert into Alice's DB"
-#     certu -E -t "p,p,p" -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
+#     certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
 #         -i ${R_EVEDIR}/Eve-ec.cert 2>&1
 
 #     CU_ACTION="Import Eve's EC cert into Bob's DB"
-#     certu -E -t "p,p,p" -d ${P_R_BOBDIR} -f ${R_PWFILE} \
+#     certu -E -t ",," -d ${P_R_BOBDIR} -f ${R_PWFILE} \
 #         -i ${R_EVEDIR}/Eve-ec.cert 2>&1
   fi
 
diff --git a/security/nss/tests/cipher/cipher.txt b/security/nss/tests/cipher/cipher.txt
index 44fdfd0c85e7..5085fe078759 100644
--- a/security/nss/tests/cipher/cipher.txt
+++ b/security/nss/tests/cipher/cipher.txt
@@ -73,6 +73,7 @@
 	0	md2_-H		MD2_Hash
 	0	md5_-H		MD5_Hash
 	0	sha1_-H		SHA1_Hash
+	0	sha224_-H	SHA224_Hash
 	0	sha256_-H	SHA256_Hash
 	0	sha384_-H	SHA384_Hash
 	0	sha512_-H	SHA512_Hash
diff --git a/security/nss/tests/pkcs11/netscape/suites/security/ssl/sslc.c b/security/nss/tests/pkcs11/netscape/suites/security/ssl/sslc.c
index 2fcb02e7cd77..2abaed2df160 100644
--- a/security/nss/tests/pkcs11/netscape/suites/security/ssl/sslc.c
+++ b/security/nss/tests/pkcs11/netscape/suites/security/ssl/sslc.c
@@ -259,8 +259,7 @@ int SetServerSecParms(struct ThreadData *td) {
   
   if ( (NULL == td->cert)  && ( NO_CERT != REP_ServerCert )) {
     PR_fprintf(PR_STDERR, "Can't find certificate %s\n", nicknames[REP_ServerCert]);
-    PR_fprintf(PR_STDERR, "Server: Seclib error: %s\n",
-	       SECU_ErrorString ((int16) PR_GetError()));
+    PR_fprintf(PR_STDERR, "Server: Seclib error: %s\n", SECU_Strerror(PR_GetError()));
     return Error(12);
   }
   
diff --git a/security/nss/tests/pkcs11/netscape/suites/security/ssl/sslt.c b/security/nss/tests/pkcs11/netscape/suites/security/ssl/sslt.c
index a3150ac6e4ff..19e9cd395f8a 100755
--- a/security/nss/tests/pkcs11/netscape/suites/security/ssl/sslt.c
+++ b/security/nss/tests/pkcs11/netscape/suites/security/ssl/sslt.c
@@ -1006,7 +1006,7 @@ int Client() {
 
   r = PR_Connect(cl.s, &cl.na, PR_SecondsToInterval(50));
   if (PR_FAILURE == r) {
-    dbmsg((PR_STDERR, "Client: Seclib error: %s\n",SECU_ErrorString ((int16) PR_GetError())));
+    dbmsg((PR_STDERR, "Client: Seclib error: %s\n",SECU_Strerror(PR_GetError())));
     return Error(104);
   }
 
@@ -1015,7 +1015,7 @@ int Client() {
     r = SSL_ForceHandshake(cl.s);
     if (PR_FAILURE == r) {
       dbmsg((PR_STDERR, "Client: Seclib error: %s\n",
-	     SECU_ErrorString ((int16) PR_GetError())));
+	SECU_Strerror(PR_GetError())));
       return Error(105);
     }
   }
diff --git a/services/crypto/tests/unit/xpcshell.ini b/services/crypto/tests/unit/xpcshell.ini
index 536e9e187c59..bee94247574f 100644
--- a/services/crypto/tests/unit/xpcshell.ini
+++ b/services/crypto/tests/unit/xpcshell.ini
@@ -5,3 +5,5 @@ tail =
 [test_crypto_crypt.js]
 [test_crypto_deriveKey.js]
 [test_crypto_random.js]
+# Bug 676977: test hangs consistently on Android
+skip-if = os == "android"
diff --git a/services/sync/tests/unit/xpcshell.ini b/services/sync/tests/unit/xpcshell.ini
index fee455551664..9c3d54e1c670 100644
--- a/services/sync/tests/unit/xpcshell.ini
+++ b/services/sync/tests/unit/xpcshell.ini
@@ -34,7 +34,8 @@ tail =
 [test_interval_triggers.js]
 [test_jpakeclient.js]
 # Bug 618233: this test produces random failures on Windows 7.
-skip-if = os == "win"
+# Bug 676978: test hangs on Android (see also testing/xpcshell/xpcshell.ini)
+skip-if = os == "win" || os == "android"
 [test_keys.js]
 [test_load_modules.js]
 [test_log4moz.js]
@@ -60,7 +61,8 @@ skip-if = os == "win"
 [test_service_detect_upgrade.js]
 [test_service_filelog.js]
 # Bug 664090: this test persistently fails on Windows opt builds.
-skip-if = os == "win" && !debug
+# Bug 676978: test hangs on Android (see also testing/xpcshell/xpcshell.ini)
+skip-if = (os == "win" && !debug) || os == "android"
 [test_service_getStorageInfo.js]
 [test_service_login.js]
 [test_service_migratePrefs.js]
@@ -71,14 +73,17 @@ skip-if = os == "win" && !debug
 [test_service_sync_401.js]
 [test_service_sync_checkServerError.js]
 # Bug 604565: this test intermittently hangs on OS X debug builds.
-skip-if = os == "mac" && debug
+# Bug 676978: test hangs on Android (see also testing/xpcshell/xpcshell.ini)
+skip-if = (os == "mac" && debug) || os == "android"
 [test_service_sync_locked.js]
 [test_service_sync_remoteSetup.js]
 # Bug 604565: this test intermittently hangs on OS X debug builds.
-skip-if = os == "mac" && debug
+# Bug 676978: test hangs on Android (see also testing/xpcshell/xpcshell.ini)
+skip-if = (os == "mac" && debug) || os == "android"
 [test_service_sync_updateEnabledEngines.js]
 # Bug 604565: this test intermittently hangs on OS X debug builds.
-skip-if = os == "mac" && debug
+# Bug 676978: test hangs on Android (see also testing/xpcshell/xpcshell.ini)
+skip-if = (os == "mac" && debug) || os == "android"
 [test_service_verifyLogin.js]
 [test_service_wipeClient.js]
 [test_service_wipeServer.js]
@@ -87,7 +92,8 @@ skip-if = os == "mac" && debug
 [test_syncengine.js]
 [test_syncengine_sync.js]
 # Bug 604565: this test intermittently hangs on OS X debug builds.
-skip-if = os == "mac" && debug
+# Bug 676978: test hangs on Android (see also testing/xpcshell/xpcshell.ini)
+skip-if = (os == "mac" && debug) || os == "android"
 [test_syncscheduler.js]
 [test_syncstoragerequest.js]
 [test_tab_engine.js]
diff --git a/storage/test/test_file_perms.cpp b/storage/test/test_file_perms.cpp
index f01bf2b56ffa..36b3f728b275 100644
--- a/storage/test/test_file_perms.cpp
+++ b/storage/test/test_file_perms.cpp
@@ -49,8 +49,7 @@ void
 test_file_perms()
 {
   nsCOMPtr profDir;
-  nsresult rv = NS_GetSpecialDirectory(NS_APP_USER_PROFILE_50_DIR,
-                                       getter_AddRefs(profDir));
+  (void)NS_GetSpecialDirectory(NS_APP_USER_PROFILE_50_DIR, getter_AddRefs(profDir));
   nsCOMPtr sqlite_file = do_QueryInterface(profDir);
   sqlite_file->Append(NS_LITERAL_STRING("places.sqlite"));
   PRUint32 perms = 0;
diff --git a/storage/test/unit/xpcshell.ini b/storage/test/unit/xpcshell.ini
index 5ccf28ec485c..7872158ed776 100644
--- a/storage/test/unit/xpcshell.ini
+++ b/storage/test/unit/xpcshell.ini
@@ -7,6 +7,8 @@ tail =
 [test_bug-429521.js]
 [test_bug-444233.js]
 [test_chunk_growth.js]
+# Bug 676981: test fails consistently on Android
+fail-if = os == "android"
 [test_connection_executeAsync.js]
 [test_js_helpers.js]
 [test_levenshtein.js]
@@ -30,3 +32,5 @@ tail =
 [test_unicode.js]
 [test_vacuum.js]
 [test_telemetry_vfs.js]
+# Bug 676981: test fails consistently on Android
+# fail-if = os == "android"
diff --git a/testing/testsuite-targets.mk b/testing/testsuite-targets.mk
index c5981144829d..5fa80b178861 100644
--- a/testing/testsuite-targets.mk
+++ b/testing/testsuite-targets.mk
@@ -201,6 +201,29 @@ xpcshell-tests:
 	  $(TEST_PATH_ARG) $(EXTRA_TEST_ARGS) \
 	  $(LIBXUL_DIST)/bin/xpcshell
 
+REMOTE_XPCSHELL = \
+	rm -f ./$@.log && \
+	$(PYTHON) -u $(topsrcdir)/config/pythonpath.py \
+	  -I$(topsrcdir)/build \
+	  -I$(topsrcdir)/build/mobile \
+	  $(topsrcdir)/testing/xpcshell/remotexpcshelltests.py \
+	  --manifest=$(DEPTH)/_tests/xpcshell/xpcshell.ini \
+	  --build-info-json=$(DEPTH)/mozinfo.json \
+	  --no-logfiles \
+	  --dm_trans=$(DM_TRANS) \
+	  --deviceIP=${TEST_DEVICE} \
+	  --objdir=$(DEPTH) \
+	  $(SYMBOLS_PATH) \
+	  $(TEST_PATH_ARG) $(EXTRA_TEST_ARGS)
+
+xpcshell-tests-remote: DM_TRANS?=adb
+xpcshell-tests-remote:
+	@if [ "${TEST_DEVICE}" != "" -o "$(DM_TRANS)" = "adb" ]; \
+          then $(call REMOTE_XPCSHELL); $(CHECK_TEST_ERROR); \
+        else \
+          echo "please prepare your host with environment variables for TEST_DEVICE"; \
+        fi
+
 # install and run the mozmill tests
 $(DEPTH)/_tests/mozmill:
 	$(MAKE) -C $(DEPTH)/testing/mozmill install-develop PKG_STAGE=../../_tests
diff --git a/testing/xpcshell/remotexpcshelltests.py b/testing/xpcshell/remotexpcshelltests.py
index 5f07147e62ad..a304f34543fe 100644
--- a/testing/xpcshell/remotexpcshelltests.py
+++ b/testing/xpcshell/remotexpcshelltests.py
@@ -36,265 +36,302 @@
 #
 # ***** END LICENSE BLOCK ***** */
 
-import re, sys, os, os.path, logging, shutil, signal
-from glob import glob
-from optparse import OptionParser
-from subprocess import Popen, PIPE, STDOUT
-from tempfile import mkdtemp
-
+import re, sys, os
 import runxpcshelltests as xpcshell
 from automationutils import *
-import devicemanager
+import devicemanager, devicemanagerADB, devicemanagerSUT
 
+# A specialization of XPCShellTests that runs tests on an Android device
+# via devicemanager.
 class XPCShellRemote(xpcshell.XPCShellTests, object):
 
-    def __init__(self, devmgr):
-        self.device = devmgr
-        self.testRoot = "/tests/xpcshell"
+    def __init__(self, devmgr, options, args):
         xpcshell.XPCShellTests.__init__(self)
-        self.profileDir = self.testRoot + '/profile'
-        self.device.mkDir(self.profileDir)
+        self.options = options
+        self.device = devmgr
+        self.pathMapping = []
+        self.remoteTestRoot = self.device.getTestRoot("xpcshell")
+        # Terse directory names are used here ("b" for a binaries directory)
+        # to minimize the length of the command line used to execute
+        # xpcshell on the remote device. adb has a limit to the number
+        # of characters used in a shell command, and the xpcshell command
+        # line can be quite complex.
+        self.remoteBinDir = self.remoteJoin(self.remoteTestRoot, "b")
+        self.remoteScriptsDir = self.remoteTestRoot
+        self.remoteComponentsDir = self.remoteJoin(self.remoteTestRoot, "c")
+        self.profileDir = self.remoteJoin(self.remoteTestRoot, "p")
+        if options.setup:
+          self.setupUtilities()
+          self.setupTestDir()
+        self.remoteAPK = self.remoteJoin(self.remoteBinDir, os.path.basename(options.localAPK))
+        self.remoteDebugger = options.debugger
+        self.remoteDebuggerArgs = options.debuggerArgs  
 
-    #todo: figure out the remote version of this, only used for debuggerInfo
-    def getcwd(self):
-        return "/tests/"
-        
-    def readManifest(self, manifest):
-        """Given a manifest file containing a list of test directories,
-        return a list of absolute paths to the directories contained within."""
+    def remoteJoin(self, path1, path2):
+        joined = os.path.join(path1, path2)
+        joined = joined.replace('\\', '/')
+        return joined
 
-        manifestdir = self.testRoot + '/tests'
-        testdirs = []
-        try:
-            f = self.device.getFile(manifest, "temp.txt")
-            for line in f.split():
-                dir = line.rstrip()
-                path = manifestdir + '/' + dir
-                testdirs.append(path)
-            f.close()
-        except:
-            pass # just eat exceptions
-        return testdirs
+    def remoteForLocal(self, local):
+        for mapping in self.pathMapping:
+          if (os.path.abspath(mapping.local) == os.path.abspath(local)):
+            return mapping.remote
+        return local
 
-    def verifyFilePath(self, fileName):
-        # approot - path to root of application - firefox or fennec
-        # xreroot - path to xulrunner binaries - firefox or fennec/xulrunner
-        # xpcshell - full or relative path to xpcshell binary
-        #given fileName, returns full path of existing file
-        if (self.device.fileExists(fileName)):
-            return fileName
-        
-        fileName = self.device.getAppRoot() + '/xulrunner/' + fileName.split('/')[-1]
-        if (self.device.fileExists(fileName)):
-            return fileName
-        
-        fileName = self.device.getAppRoot() + '/' + fileName.split('/')[-1]
-        if (not self.device.fileExists(fileName)):
-            raise devicemanager.FileError("No File found for: " + str(fileName))
+    def setupUtilities(self):
+        remotePrefDir = self.remoteJoin(self.remoteBinDir, "defaults/pref")
+        if (not self.device.dirExists(remotePrefDir)):
+          self.device.mkDirs(self.remoteJoin(remotePrefDir, "extra"))
+        if (not self.device.dirExists(self.remoteScriptsDir)):
+          self.device.mkDir(self.remoteScriptsDir)
+        if (not self.device.dirExists(self.remoteComponentsDir)):
+          self.device.mkDir(self.remoteComponentsDir)
 
-        return fileName
+        local = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'head.js')
+        self.device.pushFile(local, self.remoteScriptsDir)
 
-    def verifyDirPath(self, fileName):
-        # approot - path to root of application - firefox or fennec
-        # xreroot - path to xulrunner binaries - firefox or fennec/xulrunner
-        # xpcshell - full or relative path to xpcshell binary
-        #given fileName, returns full path of existing file
-        if (self.device.dirExists(fileName)):
-            return fileName
-        
-        fileName = self.device.getAppRoot() + '/' + fileName.split('/')[-1]
-        if (self.device.dirExists(fileName)):
-            return fileName
-        
-        fileName = self.device.getDeviceRoot() + '/' + fileName.split('/')[-1]
-        if (not self.device.dirExists(fileName)):
-            raise devicemanager.FileError("No Dir found for: " + str(fileName))
-        return fileName
+        localBin = os.path.join(self.options.objdir, "dist/bin")
+        if not os.path.exists(localBin):
+          localBin = os.path.join(self.options.objdir, "bin")
+          if not os.path.exists(localBin):
+            print >>sys.stderr, "Error: could not find bin in objdir"
+            sys.exit(1)
 
-    def setAbsPath(self):
-        #testharnessdir is used for head.js
-        self.testharnessdir = "/tests/xpcshell/"
+        local = os.path.join(localBin, "xpcshell")
+        self.device.pushFile(local, self.remoteBinDir)
 
-        # If the file exists then we have a full path (no notion of cwd)
-        self.xpcshell = self.verifyFilePath(self.xpcshell)
-        if self.xrePath is None:
-            # If no xrePath, assume it is the directory containing xpcshell
-            self.xrePath = '/'.join(self.xpcshell.split('/')[:-1])
-        else:
-            self.xrePath = self.verifyDirPath(self.xrePath)
+        local = os.path.join(localBin, "plugin-container")
+        self.device.pushFile(local, self.remoteBinDir)
 
-        # we assume that httpd.js lives in components/ relative to xpcshell
-        self.httpdJSPath = self.xrePath + '/components/httpd.js'
+        local = os.path.join(localBin, "components/httpd.js")
+        self.device.pushFile(local, self.remoteComponentsDir)
+
+        local = os.path.join(localBin, "components/httpd.manifest")
+        self.device.pushFile(local, self.remoteComponentsDir)
+
+        local = os.path.join(localBin, "components/test_necko.xpt")
+        self.device.pushFile(local, self.remoteComponentsDir)
+
+        self.device.pushFile(self.options.localAPK, self.remoteBinDir)
+
+        localLib = os.path.join(self.options.objdir, "dist/fennec")
+        if not os.path.exists(localLib):
+          localLib = os.path.join(self.options.objdir, "fennec/lib")
+          if not os.path.exists(localLib):
+            print >>sys.stderr, "Error: could not find libs in objdir"
+            sys.exit(1)
+
+        for file in os.listdir(localLib):
+          if (file.endswith(".so")):
+            self.device.pushFile(os.path.join(localLib, file), self.remoteBinDir)
+
+    def setupTestDir(self):
+        xpcDir = os.path.join(self.options.objdir, "_tests/xpcshell")
+        self.device.pushDir(xpcDir, self.remoteScriptsDir)
+
+    def buildTestList(self):
+        xpcshell.XPCShellTests.buildTestList(self)
+        uniqueTestPaths = set([])
+        for test in self.alltests:
+          uniqueTestPaths.add(test['here'])
+        for testdir in uniqueTestPaths:
+          xpcDir = os.path.join(self.options.objdir, "_tests/xpcshell")
+          abbrevTestDir = os.path.relpath(testdir, xpcDir)
+          remoteScriptDir = self.remoteJoin(self.remoteScriptsDir, abbrevTestDir)
+          self.pathMapping.append(PathMapping(testdir, remoteScriptDir))
 
     def buildXpcsCmd(self, testdir):
-        #  has to be loaded by xpchell: it can't load itself.
-        self.env["XPCSHELL_TEST_PROFILE_DIR"] = self.profileDir
-        self.xpcsCmd = [self.xpcshell, '-g', self.xrePath, '-v', '170', '-j', '-s', \
-                        "--environ:CWD='" + testdir + "'", \
-                        "--environ:XPCSHELL_TEST_PROFILE_DIR='" + self.env["XPCSHELL_TEST_PROFILE_DIR"] + "'", \
-                        '-e', 'const _HTTPD_JS_PATH = \'%s\';' % self.httpdJSPath,
-                        '-f', self.testharnessdir + '/head.js']
+        self.xpcsCmd = [
+           self.remoteJoin(self.remoteBinDir, "xpcshell"),
+           '-r', self.remoteJoin(self.remoteComponentsDir, 'httpd.manifest'),
+           '--greomni', self.remoteAPK,
+           '-j', '-s',
+           '-e', 'const _HTTPD_JS_PATH = "%s";' % self.remoteJoin(self.remoteComponentsDir, 'httpd.js'),
+           '-e', 'const _HEAD_JS_PATH = "%s";' % self.remoteJoin(self.remoteScriptsDir, 'head.js'),
+           '-f', self.remoteScriptsDir+'/head.js']
 
-        if self.debuggerInfo:
-            self.xpcsCmd = [self.debuggerInfo["path"]] + self.debuggerInfo["args"] + self.xpcsCmd
+        if self.remoteDebugger:
+          # for example, "/data/local/gdbserver" "localhost:12345"
+          self.xpcsCmd = [
+            self.remoteDebugger, 
+            self.remoteDebuggerArgs, 
+            self.xpcsCmd]
 
-    def getHeadFiles(self, testdir):
-        # get the list of head and tail files from the directory
-        testHeadFiles = []
-        for f in self.device.listFiles(testdir):
-            hdmtch = re.compile("head_.*\.js")
-            if (hdmtch.match(f)):
-                testHeadFiles += [(testdir + '/' + f).replace('/', '//')]
-                
-        return sorted(testHeadFiles)
-                
-    def getTailFiles(self, testdir):
-        testTailFiles = []
-        # Tails are executed in the reverse order, to "match" heads order,
-        # as in "h1-h2-h3 then t3-t2-t1".
-        for f in self.device.listFiles(testdir):
-            tlmtch = re.compile("tail_.*\.js")
-            if (tlmtch.match(f)):
-                testTailFiles += [(testdir + '/' + f).replace('/', '//')]
-        return reversed(sorted(testTailFiles))
+    def getHeadFiles(self, test):
+        self.remoteHere = self.remoteForLocal(test['here'])
+        return [f.strip() for f in sorted(test['head'].split(' ')) if self.device.fileExists(self.remoteJoin(self.remoteHere, f))]
+    
+    def getTailFiles(self, test):
+        return [f.strip() for f in sorted(test['tail'].split(' ')) if self.device.fileExists(self.remoteJoin(self.remoteHere, f))]
         
-    def getTestFiles(self, testdir):
-        testfiles = []
-        # if a single test file was specified, we only want to execute that test
-        for f in self.device.listFiles(testdir):
-            tstmtch = re.compile("test_.*\.js")
-            if (tstmtch.match(f)):
-                testfiles += [(testdir + '/' + f).replace('/', '//')]
-        
-        for f in testfiles:
-            if (self.singleFile == f.split('/')[-1]):
-                return [(testdir + '/' + f).replace('/', '//')]
-            else:
-                pass
-        return testfiles
+    def buildCmdTestFile(self, name):
+        remoteDir = self.remoteForLocal(os.path.dirname(name))
+        if remoteDir == self.remoteHere:
+          remoteName = os.path.basename(name)
+        else:
+          remoteName = self.remoteJoin(remoteDir, os.path.basename(name))
+        return ['-e', 'const _TEST_FILE = ["%s"];' %
+                 replaceBackSlashes(remoteName)]
 
     def setupProfileDir(self):
         self.device.removeDir(self.profileDir)
         self.device.mkDir(self.profileDir)
-        self.env["XPCSHELL_TEST_PROFILE_DIR"] = self.profileDir
+        if self.interactive or self.singleFile:
+          self.log.info("TEST-INFO | profile dir is %s" % self.profileDir)
         return self.profileDir
 
-    def setupLeakLogging(self):
-        filename = "runxpcshelltests_leaks.log"
-        
-        # Enable leaks (only) detection to its own log file.
-        leakLogFile = self.profileDir + '/' + filename
-        self.env["XPCOM_MEM_LEAK_LOG"] = leakLogFile
-        return leakLogFile
-
     def launchProcess(self, cmd, stdout, stderr, env, cwd):
-        print "launching : " + " ".join(cmd)
-        proc = self.device.launchProcess(cmd, cwd=cwd)
+        # Some xpcshell arguments contain characters that are interpretted
+        # by the adb shell; enclose these arguments in quotes.
+        index = 0
+        for part in cmd:
+          if (part.find(" ")>=0 or part.find("(")>=0 or part.find(")")>=0 or part.find("\"")>=0):
+            part = '\''+part+'\''
+            cmd[index] = part
+          index = index + 1
+
+        xpcshell = self.remoteJoin(self.remoteBinDir, "xpcshell")
+
+        shellArgs = "cd "+self.remoteHere
+        shellArgs += "; LD_LIBRARY_PATH="+self.remoteBinDir
+        shellArgs += "; export CACHE_PATH="+self.remoteBinDir
+        shellArgs += "; export GRE_HOME="+self.device.getAppRoot()
+        shellArgs += "; export XPCSHELL_TEST_PROFILE_DIR="+self.profileDir
+        shellArgs += "; "+xpcshell+" "
+        shellArgs += " ".join(cmd[1:])
+
+        if self.verbose:
+          self.log.info(shellArgs)
+
+        # If the adb version of devicemanager is used and the arguments passed
+        # to adb exceed ~1024 characters, the command may not execute.
+        if len(shellArgs) > 1000:
+          self.log.info("adb command length is excessive and may cause failure")
+
+        proc = self.device.runCmd(["shell", shellArgs])
         return proc
 
-    def setSignal(self, proc, sig1, sig2):
-        self.device.signal(proc, sig1, sig2)
-
     def communicate(self, proc):
-        return self.device.communicate(proc)
+        return proc.communicate()
 
     def removeDir(self, dirname):
         self.device.removeDir(dirname)
 
     def getReturnCode(self, proc):
-        return self.device.getReturnCode(proc)
+        return proc.returncode
 
     #TODO: consider creating a separate log dir.  We don't have the test file structure,
     #      so we use filename.log.  Would rather see ./logs/filename.log
-    def createLogFile(self, test, stdout):
+    def createLogFile(self, test, stdout, leakLogs):
         try:
             f = None
             filename = test.replace('\\', '/').split('/')[-1] + ".log"
             f = open(filename, "w")
             f.write(stdout)
 
-            if os.path.exists(self.leakLogFile):
-                leaks = open(self.leakLogFile, "r")
+            for leakLog in leakLogs:
+              if os.path.exists(leakLog):
+                leaks = open(leakLog, "r")
                 f.write(leaks.read())
                 leaks.close()
         finally:
             if f <> None:
                 f.close()
 
-    #NOTE: the only difference between this and parent is the " vs ' arond the filename
-    def buildCmdHead(self, headfiles, tailfiles, xpcscmd):
-        cmdH = ", ".join(['\'' + f.replace('\\', '/') + '\''
-                       for f in headfiles])
-        cmdT = ", ".join(['\'' + f.replace('\\', '/') + '\''
-                       for f in tailfiles])
-        cmdH = xpcscmd + \
-                ['-e', 'const _HEAD_FILES = [%s];' % cmdH] + \
-                ['-e', 'const _TAIL_FILES = [%s];' % cmdT]
-        return cmdH
-
 class RemoteXPCShellOptions(xpcshell.XPCShellOptions):
 
-  def __init__(self):
-    xpcshell.XPCShellOptions.__init__(self)
-    self.add_option("--device",
-                    type="string", dest="device", default='',
-                    help="ip address for the device")
+    def __init__(self):
+        xpcshell.XPCShellOptions.__init__(self)
+        defaults = {}
 
+        self.add_option("--deviceIP", action="store",
+                        type = "string", dest = "deviceIP",
+                        help = "ip address of remote device to test")
+        defaults["deviceIP"] = None
+ 
+        self.add_option("--devicePort", action="store",
+                        type = "string", dest = "devicePort",
+                        help = "port of remote device to test")
+        defaults["devicePort"] = 20701
+
+        self.add_option("--dm_trans", action="store",
+                        type = "string", dest = "dm_trans",
+                        help = "the transport to use to communicate with device: [adb|sut]; default=sut")
+        defaults["dm_trans"] = "sut"
+ 
+        self.add_option("--objdir", action="store",
+                        type = "string", dest = "objdir",
+                        help = "local objdir, containing xpcshell binaries")
+        defaults["objdir"] = None
+ 
+        self.add_option("--apk", action="store",
+                        type = "string", dest = "localAPK",
+                        help = "local path to Fennec APK")
+        defaults["localAPK"] = None
+
+        self.add_option("--noSetup", action="store_false",
+                        dest = "setup",
+                        help = "do not copy any files to device (to be used only if device is already setup)")
+        defaults["setup"] = True
+
+        self.set_defaults(**defaults)
+
+class PathMapping:
+
+    def __init__(self, localDir, remoteDir):
+        self.local = localDir
+        self.remote = remoteDir
 
 def main():
 
-  parser = RemoteXPCShellOptions()
-  options, args = parser.parse_args()
+    dm_none = devicemanagerADB.DeviceManagerADB(None, None)
+    parser = RemoteXPCShellOptions()
+    options, args = parser.parse_args()
 
-  if len(args) < 2 and options.manifest is None or \
-     (len(args) < 1 and options.manifest is not None):
-     print "len(args): " + str(len(args))
-     print >>sys.stderr, """Usage: %s  
-           or: %s --manifest=test.manifest """ % (sys.argv[0],
-                                                           sys.argv[0])
-     sys.exit(1)
+    if len(args) < 1 and options.manifest is None:
+      print >>sys.stderr, """Usage: %s 
+           or: %s --manifest=test.manifest """ % (sys.argv[0], sys.argv[0])
+      sys.exit(1)
 
-  if (options.device == ''):
-    print >>sys.stderr, "Error: Please provide an ip address for the remote device with the --device option"
-    sys.exit(1)
+    if (options.dm_trans == "adb"):
+      if (options.deviceIP):
+        dm = devicemanagerADB.DeviceManagerADB(options.deviceIP, options.devicePort)
+      else:
+        dm = dm_none
+    else:
+      dm = devicemanagerSUT.DeviceManagerSUT(options.deviceIP, options.devicePort)
+      if (options.deviceIP == None):
+        print "Error: you must provide a device IP to connect to via the --device option"
+        sys.exit(1)
 
+    if options.interactive and not options.testPath:
+      print >>sys.stderr, "Error: You must specify a test filename in interactive mode!"
+      sys.exit(1)
 
-  dm = devicemanager.DeviceManager(options.device, 20701)
-  xpcsh = XPCShellRemote(dm)
-  debuggerInfo = getDebuggerInfo(xpcsh.oldcwd, options.debugger, options.debuggerArgs,
-    options.debuggerInteractive);
+    if not options.objdir:
+      print >>sys.stderr, "Error: You must specify an objdir"
+      sys.exit(1)
 
-  if options.interactive and not options.testPath:
-    print >>sys.stderr, "Error: You must specify a test filename in interactive mode!"
-    sys.exit(1)
+    if not options.localAPK:
+      for file in os.listdir(os.path.join(options.objdir, "dist")):
+        if (file.endswith(".apk") and file.startswith("fennec")):
+          options.localAPK = os.path.join(options.objdir, "dist")
+          options.localAPK = os.path.join(options.localAPK, file)
+          print >>sys.stderr, "using APK: " + options.localAPK
+          break
+      
+    if not options.localAPK:
+      print >>sys.stderr, "Error: please specify an APK"
+      sys.exit(1)
 
-  # Zip up the xpcshell directory: 7z a  xpcshell/*, assuming we are in the xpcshell directory
-  # TODO: ensure the system has 7z, this is adding a new dependency to the overall system
-  zipName = 'xpcshell.7z'
-  try:
-    Popen(['7z', 'a', zipName, '../xpcshell']).wait()
-  except:
-    print "to run these tests remotely, we require 7z to be installed and in your path"
-    sys.exit(1)
+    xpcsh = XPCShellRemote(dm, options, args)
 
-  if dm.pushFile(zipName, '/tests/xpcshell.7z') == None:
-     raise devicemanager.FileError("failed to copy xpcshell.7z to device")
-  if dm.unpackFile('xpcshell.7z') == None:
-     raise devicemanager.FileError("failed to unpack xpcshell.7z on the device")
+    if not xpcsh.runTests(xpcshell='xpcshell', 
+                          testdirs=args[0:], 
+                          **options.__dict__):
+      sys.exit(1)
 
-  if not xpcsh.runTests(args[0],
-                        xrePath=options.xrePath,
-                        symbolsPath=options.symbolsPath,
-                        manifest=options.manifest,
-                        testdirs=args[1:],
-                        testPath=options.testPath,
-                        interactive=options.interactive,
-                        logfiles=options.logfiles,
-                        debuggerInfo=debuggerInfo):
-    sys.exit(1)
 
 if __name__ == '__main__':
   main()
 
-
-
diff --git a/testing/xpcshell/runxpcshelltests.py b/testing/xpcshell/runxpcshelltests.py
index 6424683a2ff9..ecda7556ee2e 100644
--- a/testing/xpcshell/runxpcshelltests.py
+++ b/testing/xpcshell/runxpcshelltests.py
@@ -261,7 +261,7 @@ class XPCShellTests(object):
       test['head'] is a whitespace delimited list of head files.
       return the list of head files as paths including the subdir if the head file exists
 
-      On a remote system, this is overloaded to list files in a remote directory structure.
+      On a remote system, this may be overloaded to list files in a remote directory structure.
     """
     return [os.path.join(test['here'], f).strip() for f in sorted(test['head'].split(' ')) if os.path.isfile(os.path.join(test['here'], f))]
 
@@ -270,7 +270,7 @@ class XPCShellTests(object):
       test['tail'] is a whitespace delimited list of head files.
       return the list of tail files as paths including the subdir if the tail file exists
 
-      On a remote system, this is overloaded to list files in a remote directory structure.
+      On a remote system, this may be overloaded to list files in a remote directory structure.
     """
     return [os.path.join(test['here'], f).strip() for f in sorted(test['tail'].split(' ')) if os.path.isfile(os.path.join(test['here'], f))]
 
@@ -280,7 +280,7 @@ class XPCShellTests(object):
       When running check-interactive and check-one, the directory is well-defined and
       retained for inspection once the tests complete.
 
-      On a remote system, we overload this to use a remote path structure.
+      On a remote system, this may be overloaded to use a remote path structure.
     """
     if self.interactive or self.singleFile:
       profileDir = os.path.join(gettempdir(), self.profileName, "xpcshellprofile")
@@ -301,7 +301,7 @@ class XPCShellTests(object):
     """
       Enable leaks (only) detection to its own log file and set environment variables.
 
-      On a remote system, we overload this to use a remote filename and path structure
+      On a remote system, this may be overloaded to use a remote filename and path structure
     """
     filename = "runxpcshelltests_leaks.log"
 
@@ -381,12 +381,20 @@ class XPCShellTests(object):
              '-e', 'const _HEAD_FILES = [%s];' % cmdH,
              '-e', 'const _TAIL_FILES = [%s];' % cmdT]
 
+  def buildCmdTestFile(self, name):
+    """
+      Build the command line arguments for the test file.
+      On a remote system, this may be overloaded to use a remote path structure.
+    """
+    return ['-e', 'const _TEST_FILE = ["%s"];' %
+              replaceBackSlashes(name)]
+
   def runTests(self, xpcshell, xrePath=None, appPath=None, symbolsPath=None,
                manifest=None, testdirs=[], testPath=None,
                interactive=False, verbose=False, keepGoing=False, logfiles=True,
                thisChunk=1, totalChunks=1, debugger=None,
                debuggerArgs=None, debuggerInteractive=False,
-               profileName=None, mozInfo=None):
+               profileName=None, mozInfo=None, **otherOptions):
     """Run xpcshell tests.
 
     |xpcshell|, is the xpcshell executable to use to run the tests.
@@ -410,6 +418,7 @@ class XPCShellTests(object):
     |profileName|, if set, specifies the name of the application for the profile
       directory if running only a subset of tests.
     |mozInfo|, if set, specifies specifies build configuration information, either as a filename containing JSON, or a dict.
+    |otherOptions| may be present for the convenience of subclasses
     """
 
     global gotSIGINT 
@@ -491,8 +500,7 @@ class XPCShellTests(object):
       self.leakLogFile = self.setupLeakLogging()
 
       # The test file will have to be loaded after the head files.
-      cmdT = ['-e', 'const _TEST_FILE = ["%s"];' %
-                replaceBackSlashes(name)]
+      cmdT = self.buildCmdTestFile(name)
 
       try:
         self.log.info("TEST-INFO | %s | running test ..." % name)
@@ -515,8 +523,9 @@ class XPCShellTests(object):
         def print_stdout(stdout):
           """Print stdout line-by-line to avoid overflowing buffers."""
           self.log.info(">>>>>>>")
-          for line in stdout.splitlines():
-            self.log.info(line)
+          if (stdout):
+            for line in stdout.splitlines():
+              self.log.info(line)
           self.log.info("<<<<<<<")
 
         result = not ((self.getReturnCode(proc) != 0) or
diff --git a/testing/xpcshell/xpcshell.ini b/testing/xpcshell/xpcshell.ini
index 82a81276174e..730cf3029a82 100644
--- a/testing/xpcshell/xpcshell.ini
+++ b/testing/xpcshell/xpcshell.ini
@@ -15,6 +15,8 @@
 [include:toolkit/components/commandlines/test/unit/xpcshell.ini]
 [include:toolkit/components/contentprefs/tests/unit/xpcshell.ini]
 [include:toolkit/components/passwordmgr/test/unit/xpcshell.ini]
+# Bug 676989: tests hang on Android
+skip-if = os == "android"
 [include:toolkit/components/places/tests/migration/xpcshell.ini]
 [include:toolkit/components/places/tests/autocomplete/xpcshell.ini]
 [include:toolkit/components/places/tests/expiration/xpcshell.ini]
@@ -59,6 +61,8 @@
 [include:services/crypto/tests/unit/xpcshell.ini]
 [include:services/crypto/components/tests/unit/xpcshell.ini]
 [include:services/sync/tests/unit/xpcshell.ini]
+# Bug 676978: tests hang on Android 
+skip-if = os == "android"
 [include:browser/components/dirprovider/tests/unit/xpcshell.ini]
 [include:browser/components/feeds/test/unit/xpcshell.ini]
 [include:browser/components/places/tests/unit/xpcshell.ini]
diff --git a/toolkit/components/ctypes/tests/unit/xpcshell.ini b/toolkit/components/ctypes/tests/unit/xpcshell.ini
index e0fc8e295b7f..a91504be69e2 100644
--- a/toolkit/components/ctypes/tests/unit/xpcshell.ini
+++ b/toolkit/components/ctypes/tests/unit/xpcshell.ini
@@ -3,3 +3,5 @@ head =
 tail = 
 
 [test_jsctypes.js]
+# Bug 676989: test fails consistently on Android
+fail-if = os == "android"
diff --git a/toolkit/components/downloads/test/unit/xpcshell.ini b/toolkit/components/downloads/test/unit/xpcshell.ini
index 4c53f3b6bffc..1215e5d9a81f 100644
--- a/toolkit/components/downloads/test/unit/xpcshell.ini
+++ b/toolkit/components/downloads/test/unit/xpcshell.ini
@@ -11,8 +11,12 @@ tail =
 [test_bug_409179.js]
 [test_bug_420230.js]
 [test_cancel_download_files_removed.js]
+# Bug 676989: test hangs consistently on Android
+skip-if = os == "android"
 [test_download_manager.js]
 [test_download_samename.js]
+# Bug 676989: test hangs consistently on Android
+skip-if = os == "android" 
 [test_history_expiration.js]
 [test_memory_db_support.js]
 [test_offline_support.js]
diff --git a/toolkit/components/places/History.cpp b/toolkit/components/places/History.cpp
index cff3b34cbe07..054e96264bf7 100644
--- a/toolkit/components/places/History.cpp
+++ b/toolkit/components/places/History.cpp
@@ -56,6 +56,7 @@
 #include "nsThreadUtils.h"
 #include "nsNetUtil.h"
 #include "nsIXPConnect.h"
+#include "mozilla/unused.h"
 #include "mozilla/Util.h"
 #include "nsContentUtils.h"
 
@@ -63,6 +64,7 @@
 #define VISIT_OBSERVERS_INITIAL_CACHE_SIZE 128
 
 using namespace mozilla::dom;
+using mozilla::unused;
 
 namespace mozilla {
 namespace places {
@@ -1323,10 +1325,11 @@ History::NotifyVisited(nsIURI* aURI)
   nsAutoScriptBlocker scriptBlocker;
 
   if (XRE_GetProcessType() == GeckoProcessType_Default) {
-    mozilla::dom::ContentParent* cpp = 
-      mozilla::dom::ContentParent::GetSingleton(PR_FALSE);
-    if (cpp)
-      (void)cpp->SendNotifyVisited(aURI);
+    nsTArray cplist;
+    ContentParent::GetAll(cplist);
+    for (PRUint32 i = 0; i < cplist.Length(); ++i) {
+      unused << cplist[i]->SendNotifyVisited(aURI);
+    }
   }
 
   // If the hash table has not been initialized, then we have nothing to notify
diff --git a/toolkit/components/places/PlacesUtils.jsm b/toolkit/components/places/PlacesUtils.jsm
index 5f0ccedb6683..602a3337812e 100644
--- a/toolkit/components/places/PlacesUtils.jsm
+++ b/toolkit/components/places/PlacesUtils.jsm
@@ -2166,10 +2166,6 @@ XPCOMUtils.defineLazyGetter(PlacesUtils, "ghistory2", function() {
   return PlacesUtils.history.QueryInterface(Ci.nsIGlobalHistory2);
 });
 
-XPCOMUtils.defineLazyGetter(PlacesUtils, "ghistory3", function() {
-  return PlacesUtils.history.QueryInterface(Ci.nsIGlobalHistory3);
-});
-
 XPCOMUtils.defineLazyServiceGetter(PlacesUtils, "favicons",
                                    "@mozilla.org/browser/favicon-service;1",
                                    "nsIFaviconService");
diff --git a/toolkit/components/places/nsNavHistory.cpp b/toolkit/components/places/nsNavHistory.cpp
index 8059fa65676c..1c4ab49379c8 100644
--- a/toolkit/components/places/nsNavHistory.cpp
+++ b/toolkit/components/places/nsNavHistory.cpp
@@ -212,8 +212,7 @@ NS_IMPL_CLASSINFO(nsNavHistory, NULL, nsIClassInfo::SINGLETON,
                   NS_NAVHISTORYSERVICE_CID)
 NS_INTERFACE_MAP_BEGIN(nsNavHistory)
   NS_INTERFACE_MAP_ENTRY(nsINavHistoryService)
-  NS_INTERFACE_MAP_ENTRY_AMBIGUOUS(nsIGlobalHistory2, nsIGlobalHistory3)
-  NS_INTERFACE_MAP_ENTRY(nsIGlobalHistory3)
+  NS_INTERFACE_MAP_ENTRY(nsIGlobalHistory2)
   NS_INTERFACE_MAP_ENTRY(nsIDownloadHistory)
   NS_INTERFACE_MAP_ENTRY(nsIBrowserHistory)
   NS_INTERFACE_MAP_ENTRY(nsIObserver)
@@ -227,10 +226,9 @@ NS_INTERFACE_MAP_BEGIN(nsNavHistory)
 NS_INTERFACE_MAP_END
 
 // We don't care about flattening everything
-NS_IMPL_CI_INTERFACE_GETTER5(
+NS_IMPL_CI_INTERFACE_GETTER4(
   nsNavHistory
 , nsINavHistoryService
-, nsIGlobalHistory3
 , nsIGlobalHistory2
 , nsIDownloadHistory
 , nsIBrowserHistory
@@ -471,8 +469,6 @@ nsNavHistory::Init()
                  NS_ERROR_OUT_OF_MEMORY);
   NS_ENSURE_TRUE(mRecentBookmark.Init(RECENT_EVENTS_INITIAL_CACHE_SIZE),
                  NS_ERROR_OUT_OF_MEMORY);
-  NS_ENSURE_TRUE(mRecentRedirects.Init(RECENT_EVENTS_INITIAL_CACHE_SIZE),
-                 NS_ERROR_OUT_OF_MEMORY);
 
   // Embed visits hash table.
   NS_ENSURE_TRUE(mEmbedVisits.Init(EMBED_VISITS_INITIAL_CACHE_SIZE),
@@ -2726,9 +2722,8 @@ nsNavHistory::AddVisit(nsIURI* aURI, PRTime aTime, nsIURI* aReferringURI,
 
   // Normally docshell sends the link visited observer notification for us (this
   // will tell all the documents to update their visited link coloring).
-  // However, for redirects (since we implement nsIGlobalHistory3) and downloads
-  // (since we implement nsIDownloadHistory) this will not happen and we need to
-  // send it ourselves.
+  // However, for redirects and downloads (since we implement nsIDownloadHistory)
+  // this will not happen and we need to send it ourselves.
   if (newItem && (aIsRedirect || aTransitionType == TRANSITION_DOWNLOAD)) {
     nsCOMPtr obsService =
       do_GetService(NS_OBSERVERSERVICE_CONTRACTID);
@@ -4839,11 +4834,7 @@ nsNavHistory::AddURIInternal(nsIURI* aURI, PRTime aTime, PRBool aRedirect,
 //    (like referring visit ID and typed/bookmarked state).
 //
 //    This function walks up the referring chain and recursively calls itself,
-//    each time calling InternalAdd to create a new history entry. (When we
-//    get notified of redirects, we don't actually add any history entries, just
-//    save them in mRecentRedirects. This function will add all of them for a
-//    given destination page when that page is actually visited.)
-//    See GetRedirectFor for more information about how redirects work.
+//    each time calling InternalAdd to create a new history entry.
 
 nsresult
 nsNavHistory::AddVisitChain(nsIURI* aURI,
@@ -4869,52 +4860,10 @@ nsNavHistory::AddVisitChain(nsIURI* aURI,
   PRBool isEmbedVisit = !aToplevel &&
                         !CheckIsRecentEvent(&mRecentLink, spec);
 
-  // Check if this visit came from a redirect.
   PRUint32 transitionType = 0;
-  PRTime redirectTime = 0;
-  nsCAutoString redirectSourceUrl;
-  if (GetRedirectFor(spec, redirectSourceUrl, &redirectTime, &transitionType)) {
-    // redirectSourceUrl redirected to aURL, at redirectTime, with
-    // a transitionType redirect.
-    nsCOMPtr redirectSourceURI;
-    rv = NS_NewURI(getter_AddRefs(redirectSourceURI), redirectSourceUrl);
-    NS_ENSURE_SUCCESS(rv, rv);
 
-    // Don't add a new visit if a page redirects to itself.
-    PRBool redirectIsSame;
-    if (NS_SUCCEEDED(aURI->Equals(redirectSourceURI, &redirectIsSame)) &&
-        redirectIsSame)
-      return NS_OK;
-
-    // Recusively call addVisitChain to walk up the chain till the first
-    // not-redirected URI.
-    // Ensure that the sources have a visit time smaller than aTime, otherwise
-    // visits would end up incorrectly ordered.
-    PRTime sourceTime = NS_MIN(redirectTime, aTime - 1);
-    PRInt64 sourceVisitId = 0;
-    rv = AddVisitChain(redirectSourceURI, sourceTime, aToplevel,
-                       PR_TRUE, // Is a redirect.
-                       aReferrerURI, // This one is the originating source.
-                       &sourceVisitId, // Get back the visit id of the source.
-                       aSessionID);
-    NS_ENSURE_SUCCESS(rv, rv);
-
-    // All the visits for preceding pages in the redirects chain have been
-    // added, now add the visit to aURI.
-    if (isEmbedVisit)
-      transitionType = nsINavHistoryService::TRANSITION_EMBED;
-    else if (!aToplevel)
-      transitionType = nsINavHistoryService::TRANSITION_FRAMED_LINK;
-
-    // This page is result of a redirect, save the source page in from_visit,
-    // to be able to walk up the chain.
-    // See bug 411966 and bug 428690 for details.
-    // TODO: Add a closure table with a chain id to easily reconstruct chains
-    // without having to recurse through the table.  See bug 468710.
-    fromVisitURI = redirectSourceURI;
-  }
-  else if (aReferrerURI) {
-    // This page does not come from a redirect and had a referrer.
+  if (aReferrerURI) {
+  // This page had a referrer.
 
     // Check if the referrer has a previous visit.
     PRTime lastVisitTime;
@@ -5082,107 +5031,6 @@ nsNavHistory::GetPageTitle(nsIURI* aURI, nsAString& aTitle)
   return NS_OK;
 }
 
-// nsNavHistory::GetURIGeckoFlags
-//
-//    FIXME: should we try to use annotations for this stuff?
-
-NS_IMETHODIMP
-nsNavHistory::GetURIGeckoFlags(nsIURI* aURI, PRUint32* aResult)
-{
-  NS_ASSERTION(NS_IsMainThread(), "This can only be called on the main thread");
-  NS_ENSURE_ARG(aURI);
-  NS_ENSURE_ARG_POINTER(aResult);
-
-  return NS_ERROR_NOT_IMPLEMENTED;
-}
-
-
-// nsNavHistory::SetURIGeckoFlags
-//
-//    FIXME: should we try to use annotations for this stuff?
-
-NS_IMETHODIMP
-nsNavHistory::SetURIGeckoFlags(nsIURI* aURI, PRUint32 aFlags)
-{
-  NS_ASSERTION(NS_IsMainThread(), "This can only be called on the main thread");
-  NS_ENSURE_ARG(aURI);
-
-  return NS_ERROR_NOT_IMPLEMENTED;
-}
-
-// nsIGlobalHistory3 ***********************************************************
-
-// nsNavHistory::AddDocumentRedirect
-//
-//    This adds a redirect mapping from the destination of the redirect to the
-//    source, time, and type. This mapping is used by GetRedirectFor when we
-//    get a page added to reconstruct the redirects that happened when a page
-//    is visited. See GetRedirectFor for more information
-
-// this is the expiration callback function that deletes stale entries
-PLDHashOperator nsNavHistory::ExpireNonrecentRedirects(
-    nsCStringHashKey::KeyType aKey, RedirectInfo& aData, void* aUserArg)
-{
-  PRInt64* threshold = reinterpret_cast(aUserArg);
-  if (aData.mTimeCreated < *threshold)
-    return PL_DHASH_REMOVE;
-  return PL_DHASH_NEXT;
-}
-
-NS_IMETHODIMP
-nsNavHistory::AddDocumentRedirect(nsIChannel *aOldChannel,
-                                  nsIChannel *aNewChannel,
-                                  PRInt32 aFlags,
-                                  PRBool aToplevel)
-{
-  NS_ASSERTION(NS_IsMainThread(), "This can only be called on the main thread");
-  NS_ENSURE_ARG(aOldChannel);
-  NS_ENSURE_ARG(aNewChannel);
-
-  // Ignore internal redirects.
-  // These redirects are not initiated by the remote server, but specific to the
-  // channel implementation, so they are ignored.
-  if (aFlags & nsIChannelEventSink::REDIRECT_INTERNAL)
-    return NS_OK;
-
-  nsresult rv;
-  nsCOMPtr oldURI, newURI;
-  rv = aOldChannel->GetURI(getter_AddRefs(oldURI));
-  NS_ENSURE_SUCCESS(rv, rv);
-  rv = aNewChannel->GetURI(getter_AddRefs(newURI));
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  nsCString oldSpec, newSpec;
-  rv = oldURI->GetSpec(oldSpec);
-  NS_ENSURE_SUCCESS(rv, rv);
-  rv = newURI->GetSpec(newSpec);
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  if (mRecentRedirects.Count() > RECENT_EVENT_QUEUE_MAX_LENGTH) {
-    // Expire outdated cached redirects.
-    PRInt64 threshold = PR_Now() - RECENT_EVENT_THRESHOLD;
-    mRecentRedirects.Enumerate(ExpireNonrecentRedirects,
-                               reinterpret_cast(&threshold));
-  }
-
-  RedirectInfo info;
-
-  // Remove any old entries for this redirect destination, since they are going
-  // to be replaced.
-  if (mRecentRedirects.Get(newSpec, &info))
-    mRecentRedirects.Remove(newSpec);
-  // Save the new redirect info.
-  info.mSourceURI = oldSpec;
-  info.mTimeCreated = PR_Now();
-  if (aFlags & nsIChannelEventSink::REDIRECT_TEMPORARY)
-    info.mType = TRANSITION_REDIRECT_TEMPORARY;
-  else
-    info.mType = TRANSITION_REDIRECT_PERMANENT;
-  mRecentRedirects.Put(newSpec, info);
-
-  return NS_OK;
-}
-
 
 ////////////////////////////////////////////////////////////////////////////////
 //// mozIStorageVacuumParticipant
@@ -6333,77 +6181,6 @@ nsNavHistory::ExpireNonrecentEvents(RecentEventHash* hashTable)
 }
 
 
-// nsNavHistory::GetRedirectFor
-//
-//    Given a destination URI, this finds a recent redirect that resulted in
-//    this URI. If it finds one, it will put the redirect source info into
-//    the out params and return true. If there is no matching redirect, it will
-//    return false.
-//
-//    @param aDestination The destination URI spec of the redirect to look for.
-//    @param aSource      Will be filled with the redirect source URI when a
-//                        redirect is found.
-//    @param aTime        Will be filled with the time the redirect happened
-//                         when a redirect is found.
-//    @param aRedirectType Will be filled with the redirect type when a redirect
-//                         is found. Will be either
-//                         TRANSITION_REDIRECT_PERMANENT or
-//                         TRANSITION_REDIRECT_TEMPORARY
-//    @returns True if the redirect is found.
-//
-//    HOW REDIRECT TRACKING WORKS
-//    ---------------------------
-//    When we get an AddDocumentRedirect message, we store the redirect in
-//    our mRecentRedirects which maps the destination URI to a source,time pair.
-//    When we get a new URI, we see if there were any redirects to this page
-//    in the hash table. If found, we know that the page came through the given
-//    redirect and add it.
-//
-//    Example: Page S redirects throught R1, then R2, to give page D. Page S
-//    will have been already added to history.
-//    - AddDocumentRedirect(R1, R2)
-//    - AddDocumentRedirect(R2, D)
-//    - AddURI(uri=D, referrer=S)
-//
-//    When we get the AddURI(D), we see the hash table has a value for D from R2.
-//    We have to recursively check that source since there could be more than
-//    one redirect, as in this case. Here we see there was a redirect to R2 from
-//    R1. The referrer for D is S, so we know S->R1->R2->D.
-//
-//    Alternatively, the user could have typed or followed a bookmark from S.
-//    In this case, with two redirects we'll get:
-//    - MarkPageAsTyped(S)
-//    - AddDocumentRedirect(S, R)
-//    - AddDocumentRedirect(R, D)
-//    - AddURI(uri=D, referrer=null)
-//    We need to be careful to add a visit to S in this case with an incoming
-//    transition of typed and an outgoing transition of redirect.
-//
-//    Note that this can get confused in some cases where you have a page
-//    open in more than one window loading at the same time. This should be rare,
-//    however, and should not affect much.
-
-PRBool
-nsNavHistory::GetRedirectFor(const nsACString& aDestination,
-                             nsACString& aSource,
-                             PRTime* aTime,
-                             PRUint32* aRedirectType)
-{
-  RedirectInfo info;
-  if (mRecentRedirects.Get(aDestination, &info)) {
-    // Consume the redirect entry, it's no longer useful.
-    mRecentRedirects.Remove(aDestination);
-    if (info.mTimeCreated < GetNow() - RECENT_EVENT_THRESHOLD)
-      return PR_FALSE; // too long ago, probably invalid
-    aSource = info.mSourceURI;
-    *aTime = info.mTimeCreated;
-    *aRedirectType = info.mType;
-    return PR_TRUE;
-  }
-  return PR_FALSE;
-}
-
-
 // nsNavHistory::RowToResult
 //
 //    Here, we just have a generic row. It could be a query, URL, visit,
diff --git a/toolkit/components/places/nsNavHistory.h b/toolkit/components/places/nsNavHistory.h
index bbcab98b4b83..90f71dbb0ab1 100644
--- a/toolkit/components/places/nsNavHistory.h
+++ b/toolkit/components/places/nsNavHistory.h
@@ -47,7 +47,6 @@
 #include "nsPIPlacesHistoryListenersNotifier.h"
 #include "nsIBrowserHistory.h"
 #include "nsIGlobalHistory.h"
-#include "nsIGlobalHistory3.h"
 #include "nsIDownloadHistory.h"
 
 #include "nsIPrefService.h"
@@ -101,9 +100,6 @@
 // Fired after frecency has been updated.
 #define TOPIC_FRECENCY_UPDATED "places-frecency-updated"
 
-// Fired after frecency has been updated.
-#define TOPIC_FRECENCY_UPDATED "places-frecency-updated"
-
 // Fired when Places is shutting down.  Any code should stop accessing Places
 // APIs after this notification.  If you need to listen for Places shutdown
 // you should only use this notification, next ones are intended only for
@@ -171,7 +167,6 @@ class nsNavHistory : public nsSupportsWeakReference
                    , public nsINavHistoryService
                    , public nsIObserver
                    , public nsIBrowserHistory
-                   , public nsIGlobalHistory3
                    , public nsIDownloadHistory
                    , public nsICharsetResolver
                    , public nsPIPlacesDatabase
@@ -187,7 +182,6 @@ public:
 
   NS_DECL_NSINAVHISTORYSERVICE
   NS_DECL_NSIGLOBALHISTORY2
-  NS_DECL_NSIGLOBALHISTORY3
   NS_DECL_NSIDOWNLOADHISTORY
   NS_DECL_NSIBROWSERHISTORY
   NS_DECL_NSIOBSERVER
@@ -850,19 +844,6 @@ protected:
                             const nsACString& url);
   void ExpireNonrecentEvents(RecentEventHash* hashTable);
 
-  // redirect tracking. See GetRedirectFor for a description of how this works.
-  struct RedirectInfo {
-    nsCString mSourceURI;
-    PRTime mTimeCreated;
-    PRUint32 mType; // one of TRANSITION_REDIRECT_[TEMPORARY,PERMANENT]
-  };
-  typedef nsDataHashtable RedirectHash;
-  RedirectHash mRecentRedirects;
-  static PLDHashOperator ExpireNonrecentRedirects(
-      nsCStringHashKey::KeyType aKey, RedirectInfo& aData, void* aUserArg);
-  PRBool GetRedirectFor(const nsACString& aDestination, nsACString& aSource,
-                        PRTime* aTime, PRUint32* aRedirectType);
-
   // Sessions tracking.
   PRInt64 mLastSessionID;
 
diff --git a/toolkit/components/places/tests/autocomplete/xpcshell.ini b/toolkit/components/places/tests/autocomplete/xpcshell.ini
index cfc542768d68..f67bfe320255 100644
--- a/toolkit/components/places/tests/autocomplete/xpcshell.ini
+++ b/toolkit/components/places/tests/autocomplete/xpcshell.ini
@@ -8,8 +8,14 @@ tail =
 [test_418257.js]
 [test_422277.js]
 [test_autocomplete_on_value_removed_479089.js]
+# Bug 676989: test fails consistently on Android
+fail-if = os == "android"
 [test_download_embed_bookmarks.js]
+# Bug 676989: test fails consistently on Android
+fail-if = os == "android"
 [test_empty_search.js]
+# Bug 676989: test fails consistently on Android
+fail-if = os == "android"
 [test_enabled.js]
 [test_escape_self.js]
 [test_ignore_protocol.js]
diff --git a/toolkit/components/places/tests/expiration/xpcshell.ini b/toolkit/components/places/tests/expiration/xpcshell.ini
index 7a962504cec0..be26a60c37f4 100644
--- a/toolkit/components/places/tests/expiration/xpcshell.ini
+++ b/toolkit/components/places/tests/expiration/xpcshell.ini
@@ -3,14 +3,24 @@ head = head_expiration.js
 tail = 
 
 [test_analyze_runs.js]
+# Bug 676989: test hangs consistently on Android
+skip-if = os == "android"
 [test_annos_expire_history.js]
 [test_annos_expire_never.js]
 [test_annos_expire_policy.js]
 [test_annos_expire_session.js]
+# Bug 676989: test fails consistently on Android
+fail-if = os == "android"
 [test_notifications.js]
+# Bug 676989: test fails consistently on Android
+fail-if = os == "android"
 [test_notifications_onDeleteURI.js]
 [test_notifications_onDeleteVisits.js]
 [test_pref_interval.js]
+# Bug 676989: test fails consistently on Android
+fail-if = os == "android"
 [test_pref_maxpages.js]
+# Bug 676989: test fails consistently on Android
+fail-if = os == "android" 
 [test_removeAllPages.js]
 [test_debug_expiration.js]
diff --git a/toolkit/components/places/tests/mochitest/bug_411966/redirect.js b/toolkit/components/places/tests/mochitest/bug_411966/redirect.js
index c5affe85da9d..25a23095c3ad 100644
--- a/toolkit/components/places/tests/mochitest/bug_411966/redirect.js
+++ b/toolkit/components/places/tests/mochitest/bug_411966/redirect.js
@@ -53,8 +53,6 @@ ok(bhist != null, "Could not get Browser History Service");
 var ghist = Cc["@mozilla.org/browser/global-history;2"].
             getService(Ci.nsIGlobalHistory2);
 ok(ghist != null, "Could not get Global History Service");
-var ghist3 = ghist.QueryInterface(Ci.nsIGlobalHistory3);
-ok(ghist3 != null, "Could not get Global History Service");
 var ios = Cc["@mozilla.org/network/io-service;1"].
           getService(Components.interfaces.nsIIOService);
 ok(ios != null, "Could not get IO Service");
@@ -113,7 +111,6 @@ StreamListener.prototype = {
   // nsIChannelEventSink
   asyncOnChannelRedirect: function (aOldChannel, aNewChannel, aFlags, callback) {
     netscape.security.PrivilegeManager.enablePrivilege('UniversalXPConnect');
-    ghist3.addDocumentRedirect(aOldChannel, aNewChannel, aFlags, true);
     // If redirecting, store the new channel
     this.mChannel = aNewChannel;
     callback.onRedirectVerifyCallback(Components.results.NS_OK);
diff --git a/toolkit/components/places/tests/network/test_history_redirects.js b/toolkit/components/places/tests/network/test_history_redirects.js
index db910edcb5fb..eff6b06510f7 100644
--- a/toolkit/components/places/tests/network/test_history_redirects.js
+++ b/toolkit/components/places/tests/network/test_history_redirects.js
@@ -8,7 +8,6 @@
 let hs = Cc["@mozilla.org/browser/nav-history-service;1"].
          getService(Ci.nsINavHistoryService);
 let bh = hs.QueryInterface(Ci.nsIBrowserHistory);
-let ghist3 = hs.QueryInterface(Ci.nsIGlobalHistory3);
 
 const PERMA_REDIR_PATH = "/permaredir";
 const TEMP_REDIR_PATH = "/tempredir";
@@ -181,10 +180,6 @@ ChannelListener.prototype = {
     do_check_true(this._got_onchannelredirect);
     do_check_true(this._buffer.length > 0);
 
-    // The referrer is wrong since it's the first element in the redirects
-    // chain, but this is good, since it will test a special path.
-    ghist3.addURI(uri(FOUND_URL), false, true, uri(PERMA_REDIR_URL));
-
     continue_test();
   },
 
@@ -192,7 +187,6 @@ ChannelListener.prototype = {
   asyncOnChannelRedirect: function (aOldChannel, aNewChannel, aFlags, callback) {
     do_log_info("onChannelRedirect");
     this._got_onchannelredirect = true;
-    ghist3.addDocumentRedirect(aOldChannel, aNewChannel, aFlags, true);
     callback.onRedirectVerifyCallback(Components.results.NS_OK);
   },
 };
diff --git a/toolkit/components/places/tests/queries/xpcshell.ini b/toolkit/components/places/tests/queries/xpcshell.ini
index d8b4f2e4b904..7f48d7a69059 100644
--- a/toolkit/components/places/tests/queries/xpcshell.ini
+++ b/toolkit/components/places/tests/queries/xpcshell.ini
@@ -13,6 +13,8 @@ tail =
 [test_onlyBookmarked.js]
 [test_querySerialization.js]
 [test_redirectsMode.js]
+# Bug 676989: test hangs consistently on Android
+skip-if = os == "android"
 [test_results-as-tag-contents-query.js]
 [test_results-as-visit.js]
 [test_searchterms-domain.js]
@@ -20,5 +22,11 @@ tail =
 [test_searchterms-bookmarklets.js]
 [test_sort-date-site-grouping.js]
 [test_sorting.js]
+# Bug 676989: test hangs consistently on Android
+skip-if = os == "android" 
 [test_tags.js]
+# Bug 676989: test hangs consistently on Android
+skip-if = os == "android"
 [test_transitions.js]
+# Bug 676989: test hangs consistently on Android
+skip-if = os == "android"
diff --git a/toolkit/components/places/tests/unit/xpcshell.ini b/toolkit/components/places/tests/unit/xpcshell.ini
index 0f4c39528614..216534878854 100644
--- a/toolkit/components/places/tests/unit/xpcshell.ini
+++ b/toolkit/components/places/tests/unit/xpcshell.ini
@@ -5,6 +5,8 @@ tail =
 [test_000_frecency.js]
 [test_248970.js]
 [test_317472.js]
+# Bug 676989: test hangs consistently on Android
+skip-if = os == "android"
 [test_331487.js]
 [test_385397.js]
 [test_399264_query_to_string.js]
@@ -16,6 +18,8 @@ tail =
 [test_405497.js]
 [test_408221.js]
 [test_412132.js]
+# Bug 676989: test hangs consistently on Android
+skip-if = os == "android"
 [test_413784.js]
 [test_415460.js]
 [test_415757.js]
@@ -37,9 +41,13 @@ tail =
 [test_486978_sort_by_date_queries.js]
 [test_536081.js]
 [test_adaptive.js]
+# Bug 676989: test hangs consistently on Android
+skip-if = os == "android"
 [test_adaptive_bug527311.js]
 [test_annotations.js]
 [test_asyncExecuteLegacyQueries.js]
+# Bug 676989: test hangs consistently on Android
+skip-if = os == "android"
 [test_async_history_api.js]
 [test_autocomplete_stopSearch_no_throw.js]
 [test_bookmark_catobs.js]
@@ -52,12 +60,20 @@ tail =
 [test_database_replaceOnStartup.js]
 [test_doSetAndLoadFaviconForPage.js]
 [test_doSetAndLoadFaviconForPage_failures.js]
+# Bug 676989: test fails consistently on Android
+fail-if = os == "android"
 [test_download_history.js]
+# Bug 676989: test fails consistently on Android
+fail-if = os == "android"
 [test_dynamic_containers.js]
 [test_exclude_livemarks.js]
 [test_faviconService_expireAllFavicons.js]
 [test_favicons.js]
+# Bug 676989: test fails consistently on Android
+fail-if = os == "android"
 [test_frecency.js]
+# Bug 676989: test hangs consistently on Android
+skip-if = os == "android"
 [test_getChildIndex.js]
 [test_history.js]
 [test_history_autocomplete_tags.js]
@@ -65,6 +81,8 @@ tail =
 [test_history_notifications.js]
 [test_history_observer.js]
 [test_history_removeAllPages.js]
+# Bug 676989: test hangs consistently on Android
+skip-if = os == "android"
 [test_history_sidebar.js]
 [test_isvisited.js]
 [test_lastModified.js]
@@ -79,15 +97,23 @@ tail =
 [test_onItemChanged_tags.js]
 [test_placeURIs.js]
 [test_preventive_maintenance.js]
+# Bug 676989: test hangs consistently on Android
+skip-if = os == "android"
 [test_preventive_maintenance_checkAndFixDatabase.js]
+# Bug 676989: test hangs consistently on Android
+skip-if = os == "android"
 [test_preventive_maintenance_console.js]
 [test_removeVisitsByTimeframe.js]
+# Bug 676989: test hangs consistently on Android
+skip-if = os == "android"
 [test_resolveNullBookmarkTitles.js]
 [test_result_sort.js]
 [test_sql_guid_functions.js]
 [test_tag_autocomplete_search.js]
 [test_tagging.js]
 [test_update_frecency_after_delete.js]
+# Bug 676989: test hangs consistently on Android
+skip-if = os == "android"
 [test_utils_backups_create.js]
 [test_utils_getURLsForContainerNode.js]
 [test_utils_setAnnotationsFor.js]
diff --git a/toolkit/components/satchel/test/unit/xpcshell.ini b/toolkit/components/satchel/test/unit/xpcshell.ini
index af7ffae37fa1..f3844754b692 100644
--- a/toolkit/components/satchel/test/unit/xpcshell.ini
+++ b/toolkit/components/satchel/test/unit/xpcshell.ini
@@ -4,6 +4,8 @@ tail =
 
 [test_autocomplete.js]
 [test_bug_248970.js]
+# Bug 676989: test hangs on Android
+skip-if = os == "android"
 [test_db_corrupt.js]
 [test_db_update_v1.js]
 [test_db_update_v1b.js]
diff --git a/toolkit/components/telemetry/tests/unit/xpcshell.ini b/toolkit/components/telemetry/tests/unit/xpcshell.ini
index 56b5dfdb08bf..ee7c3a22a1c7 100644
--- a/toolkit/components/telemetry/tests/unit/xpcshell.ini
+++ b/toolkit/components/telemetry/tests/unit/xpcshell.ini
@@ -4,3 +4,5 @@ tail =
 
 [test_nsITelemetry.js]
 [test_TelemetryPing.js]
+# Bug 676989: test fails consistently on Android
+# fail-if = os == "android"
diff --git a/toolkit/components/url-classifier/Makefile.in b/toolkit/components/url-classifier/Makefile.in
index 52aab01d2547..9dfe0e864375 100644
--- a/toolkit/components/url-classifier/Makefile.in
+++ b/toolkit/components/url-classifier/Makefile.in
@@ -61,6 +61,7 @@ CPPSRCS = \
   nsUrlClassifierDBService.cpp \
   nsUrlClassifierStreamUpdater.cpp \
   nsUrlClassifierUtils.cpp \
+  nsUrlClassifierProxies.cpp \
   $(NULL)
 
 LOCAL_INCLUDES = \
diff --git a/toolkit/components/url-classifier/nsUrlClassifierDBService.cpp b/toolkit/components/url-classifier/nsUrlClassifierDBService.cpp
index 771c07d643e3..ec45accb8e62 100644
--- a/toolkit/components/url-classifier/nsUrlClassifierDBService.cpp
+++ b/toolkit/components/url-classifier/nsUrlClassifierDBService.cpp
@@ -59,12 +59,12 @@
 #include "nsIPrefBranch2.h"
 #include "nsIPrefService.h"
 #include "nsIProperties.h"
-#include "nsIProxyObjectManager.h"
 #include "nsToolkitCompsCID.h"
 #include "nsIUrlClassifierUtils.h"
 #include "nsIRandomGenerator.h"
 #include "nsUrlClassifierDBService.h"
 #include "nsUrlClassifierUtils.h"
+#include "nsUrlClassifierProxies.h"
 #include "nsURILoader.h"
 #include "nsString.h"
 #include "nsReadableUtils.h"
@@ -181,8 +181,7 @@ class nsUrlClassifierDBServiceWorker;
 // Singleton instance.
 static nsUrlClassifierDBService* sUrlClassifierDBService;
 
-// Thread that we do the updates on.
-static nsIThread* gDbBackgroundThread = nsnull;
+nsIThread* nsUrlClassifierDBService::gDbBackgroundThread = nsnull;
 
 // Once we've committed to shutting down, don't do work in the background
 // thread.
@@ -3920,12 +3919,7 @@ nsUrlClassifierDBService::Init()
   }
 
   // Proxy for calling the worker on the background thread
-  rv = NS_GetProxyForObject(gDbBackgroundThread,
-                            NS_GET_IID(nsIUrlClassifierDBServiceWorker),
-                            mWorker,
-                            NS_PROXY_ASYNC,
-                            getter_AddRefs(mWorkerProxy));
-  NS_ENSURE_SUCCESS(rv, rv);
+  mWorkerProxy = new UrlClassifierDBServiceWorkerProxy(mWorker);
 
   mCompleters.Init();
 
@@ -4038,14 +4032,8 @@ nsUrlClassifierDBService::LookupURI(nsIURI* uri,
   if (!callback)
     return NS_ERROR_OUT_OF_MEMORY;
 
-  nsCOMPtr proxyCallback;
-  // The proxy callback uses the current thread.
-  rv = NS_GetProxyForObject(NS_PROXY_TO_CURRENT_THREAD,
-                            NS_GET_IID(nsIUrlClassifierLookupCallback),
-                            callback,
-                            NS_PROXY_ASYNC,
-                            getter_AddRefs(proxyCallback));
-  NS_ENSURE_SUCCESS(rv, rv);
+  nsCOMPtr proxyCallback =
+    new UrlClassifierLookupCallbackProxy(callback);
 
   // Queue this lookup and call the lookup function to flush the queue if
   // necessary.
@@ -4062,13 +4050,8 @@ nsUrlClassifierDBService::GetTables(nsIUrlClassifierCallback* c)
 
   nsresult rv;
   // The proxy callback uses the current thread.
-  nsCOMPtr proxyCallback;
-  rv = NS_GetProxyForObject(NS_PROXY_TO_CURRENT_THREAD,
-                            NS_GET_IID(nsIUrlClassifierCallback),
-                            c,
-                            NS_PROXY_ASYNC,
-                            getter_AddRefs(proxyCallback));
-  NS_ENSURE_SUCCESS(rv, rv);
+  nsCOMPtr proxyCallback =
+    new UrlClassifierCallbackProxy(c);
 
   return mWorkerProxy->GetTables(proxyCallback);
 }
@@ -4103,13 +4086,8 @@ nsUrlClassifierDBService::BeginUpdate(nsIUrlClassifierUpdateObserver *observer,
   nsresult rv;
 
   // The proxy observer uses the current thread
-  nsCOMPtr proxyObserver;
-  rv = NS_GetProxyForObject(NS_PROXY_TO_CURRENT_THREAD,
-                            NS_GET_IID(nsIUrlClassifierUpdateObserver),
-                            observer,
-                            NS_PROXY_ASYNC,
-                            getter_AddRefs(proxyObserver));
-  NS_ENSURE_SUCCESS(rv, rv);
+  nsCOMPtr proxyObserver =
+    new UrlClassifierUpdateObserverProxy(observer);
 
   return mWorkerProxy->BeginUpdate(proxyObserver, updateTables, clientKey);
 }
@@ -4284,3 +4262,10 @@ nsUrlClassifierDBService::Shutdown()
 
   return NS_OK;
 }
+
+nsIThread*
+nsUrlClassifierDBService::BackgroundThread()
+{
+  return gDbBackgroundThread;
+}
+
diff --git a/toolkit/components/url-classifier/nsUrlClassifierDBService.h b/toolkit/components/url-classifier/nsUrlClassifierDBService.h
index afd6a1f677f9..55ed78898f87 100644
--- a/toolkit/components/url-classifier/nsUrlClassifierDBService.h
+++ b/toolkit/components/url-classifier/nsUrlClassifierDBService.h
@@ -60,6 +60,7 @@
 #define COMPLETE_LENGTH 32
 
 class nsUrlClassifierDBServiceWorker;
+class nsIThread;
 
 // This is a proxy class that just creates a background thread and delagates
 // calls to the background thread.
@@ -86,6 +87,8 @@ public:
                       nsIUrlClassifierHashCompleter** completer);
   nsresult CacheCompletions(nsTArray *results);
 
+  static nsIThread* BackgroundThread();
+
 private:
   // No subclassing
   ~nsUrlClassifierDBService();
@@ -100,7 +103,7 @@ private:
   nsresult Shutdown();
   
   nsCOMPtr mWorker;
-  nsCOMPtr mWorkerProxy;
+  nsCOMPtr mWorkerProxy;
 
   nsInterfaceHashtable mCompleters;
 
@@ -120,6 +123,9 @@ private:
 
   // The list of tables that can use the default hash completer object.
   nsTArray mGethashWhitelist;
+
+  // Thread that we do the updates on.
+  static nsIThread* gDbBackgroundThread;
 };
 
 NS_DEFINE_STATIC_IID_ACCESSOR(nsUrlClassifierDBService, NS_URLCLASSIFIERDBSERVICE_CID)
diff --git a/toolkit/components/url-classifier/nsUrlClassifierProxies.cpp b/toolkit/components/url-classifier/nsUrlClassifierProxies.cpp
new file mode 100644
index 000000000000..dabcf59ac38e
--- /dev/null
+++ b/toolkit/components/url-classifier/nsUrlClassifierProxies.cpp
@@ -0,0 +1,307 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is Mozilla Firefox.
+ *
+ * The Initial Developer of the Original Code is
+ * the Mozilla Foundation .
+ * Portions created by the Initial Developer are Copyright (C) 2011
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "nsUrlClassifierProxies.h"
+#include "nsUrlClassifierDBService.h"
+
+static nsresult
+DispatchToWorkerThread(nsIRunnable* r)
+{
+  nsIThread* t = nsUrlClassifierDBService::BackgroundThread();
+  if (!t)
+    return NS_ERROR_FAILURE;
+
+  return t->Dispatch(r, NS_DISPATCH_NORMAL);
+}
+
+NS_IMPL_THREADSAFE_ISUPPORTS1(UrlClassifierDBServiceWorkerProxy,
+                              nsIUrlClassifierDBServiceWorker)
+
+NS_IMETHODIMP
+UrlClassifierDBServiceWorkerProxy::Lookup(const nsACString& aSpec,
+                                          nsIUrlClassifierCallback* aCB)
+{
+  nsCOMPtr r = new LookupRunnable(mTarget, aSpec, aCB);
+  return DispatchToWorkerThread(r);
+}
+
+NS_IMETHODIMP
+UrlClassifierDBServiceWorkerProxy::LookupRunnable::Run()
+{
+  mTarget->Lookup(mSpec, mCB);
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+UrlClassifierDBServiceWorkerProxy::GetTables(nsIUrlClassifierCallback* aCB)
+{
+  nsCOMPtr r = new GetTablesRunnable(mTarget, aCB);
+  return DispatchToWorkerThread(r);
+}
+
+NS_IMETHODIMP
+UrlClassifierDBServiceWorkerProxy::GetTablesRunnable::Run()
+{
+  mTarget->GetTables(mCB);
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+UrlClassifierDBServiceWorkerProxy::SetHashCompleter
+  (const nsACString&, nsIUrlClassifierHashCompleter*)
+{
+  NS_NOTREACHED("This method should not be called!");
+  return NS_ERROR_NOT_IMPLEMENTED;
+}
+
+NS_IMETHODIMP
+UrlClassifierDBServiceWorkerProxy::BeginUpdate
+  (nsIUrlClassifierUpdateObserver* aUpdater,
+   const nsACString& aTables,
+   const nsACString& aClientKey)
+{
+  nsCOMPtr r = new BeginUpdateRunnable(mTarget, aUpdater,
+                                                    aTables, aClientKey);
+  return DispatchToWorkerThread(r);
+}
+
+NS_IMETHODIMP
+UrlClassifierDBServiceWorkerProxy::BeginUpdateRunnable::Run()
+{
+  mTarget->BeginUpdate(mUpdater, mTables, mClientKey);
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+UrlClassifierDBServiceWorkerProxy::BeginStream(const nsACString& aTable,
+                                               const nsACString& aServerMAC)
+{
+  nsCOMPtr r =
+    new BeginStreamRunnable(mTarget, aTable, aServerMAC);
+  return DispatchToWorkerThread(r);
+}
+
+NS_IMETHODIMP
+UrlClassifierDBServiceWorkerProxy::BeginStreamRunnable::Run()
+{
+  mTarget->BeginStream(mTable, mServerMAC);
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+UrlClassifierDBServiceWorkerProxy::UpdateStream(const nsACString& aUpdateChunk)
+{
+  nsCOMPtr r =
+    new UpdateStreamRunnable(mTarget, aUpdateChunk);
+  return DispatchToWorkerThread(r);
+}
+
+NS_IMETHODIMP
+UrlClassifierDBServiceWorkerProxy::UpdateStreamRunnable::Run()
+{
+  mTarget->UpdateStream(mUpdateChunk);
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+UrlClassifierDBServiceWorkerProxy::FinishStream()
+{
+  nsCOMPtr r =
+    NS_NewRunnableMethod(mTarget,
+                         &nsIUrlClassifierDBServiceWorker::FinishStream);
+  return DispatchToWorkerThread(r);
+}
+
+NS_IMETHODIMP
+UrlClassifierDBServiceWorkerProxy::FinishUpdate()
+{
+  nsCOMPtr r =
+    NS_NewRunnableMethod(mTarget,
+                         &nsIUrlClassifierDBServiceWorker::FinishUpdate);
+  return DispatchToWorkerThread(r);
+}
+
+NS_IMETHODIMP
+UrlClassifierDBServiceWorkerProxy::CancelUpdate()
+{
+  nsCOMPtr r =
+    NS_NewRunnableMethod(mTarget,
+                         &nsIUrlClassifierDBServiceWorker::CancelUpdate);
+  return DispatchToWorkerThread(r);
+}
+
+NS_IMETHODIMP
+UrlClassifierDBServiceWorkerProxy::ResetDatabase()
+{
+  nsCOMPtr r =
+    NS_NewRunnableMethod(mTarget,
+                         &nsIUrlClassifierDBServiceWorker::ResetDatabase);
+  return DispatchToWorkerThread(r);
+}
+
+NS_IMETHODIMP
+UrlClassifierDBServiceWorkerProxy::CloseDb()
+{
+  nsCOMPtr r =
+    NS_NewRunnableMethod(mTarget,
+                         &nsIUrlClassifierDBServiceWorker::CloseDb);
+  return DispatchToWorkerThread(r);
+}
+
+NS_IMETHODIMP
+UrlClassifierDBServiceWorkerProxy::CacheCompletions(nsTArray* aEntries)
+{
+  nsCOMPtr r = new CacheCompletionsRunnable(mTarget, aEntries);
+  return DispatchToWorkerThread(r);
+}
+
+NS_IMETHODIMP
+UrlClassifierDBServiceWorkerProxy::CacheCompletionsRunnable::Run()
+{
+  mTarget->CacheCompletions(mEntries);
+  return NS_OK;
+}
+
+NS_IMPL_THREADSAFE_ISUPPORTS1(UrlClassifierLookupCallbackProxy,
+                              nsIUrlClassifierLookupCallback)
+
+NS_IMETHODIMP
+UrlClassifierLookupCallbackProxy::LookupComplete
+  (nsTArray* aResults)
+{
+  nsCOMPtr r = new LookupCompleteRunnable(mTarget, aResults);
+  return NS_DispatchToMainThread(r);
+}
+
+NS_IMETHODIMP
+UrlClassifierLookupCallbackProxy::LookupCompleteRunnable::Run()
+{
+  mTarget->LookupComplete(mResults);
+  return NS_OK;
+}
+
+NS_IMPL_THREADSAFE_ISUPPORTS1(UrlClassifierCallbackProxy,
+                              nsIUrlClassifierCallback)
+
+NS_IMETHODIMP
+UrlClassifierCallbackProxy::HandleEvent(const nsACString& aValue)
+{
+  nsCOMPtr r = new HandleEventRunnable(mTarget, aValue);
+  return NS_DispatchToMainThread(r);
+}
+
+NS_IMETHODIMP
+UrlClassifierCallbackProxy::HandleEventRunnable::Run()
+{
+  mTarget->HandleEvent(mValue);
+  return NS_OK;
+}
+
+NS_IMPL_THREADSAFE_ISUPPORTS1(UrlClassifierUpdateObserverProxy,
+                              nsIUrlClassifierUpdateObserver)
+
+NS_IMETHODIMP
+UrlClassifierUpdateObserverProxy::UpdateUrlRequested
+  (const nsACString& aURL,
+   const nsACString& aTable,
+   const nsACString& aServerMAC)
+{
+  nsCOMPtr r =
+    new UpdateUrlRequestedRunnable(mTarget, aURL, aTable, aServerMAC);
+  return NS_DispatchToMainThread(r);
+}
+
+NS_IMETHODIMP
+UrlClassifierUpdateObserverProxy::UpdateUrlRequestedRunnable::Run()
+{
+  mTarget->UpdateUrlRequested(mURL, mTable, mServerMAC);
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+UrlClassifierUpdateObserverProxy::RekeyRequested()
+{
+  nsCOMPtr r =
+    NS_NewRunnableMethod(mTarget, &nsIUrlClassifierUpdateObserver::RekeyRequested);
+  return NS_DispatchToMainThread(r);
+}
+
+NS_IMETHODIMP
+UrlClassifierUpdateObserverProxy::StreamFinished(nsresult aStatus,
+                                                 PRUint32 aDelay)
+{
+  nsCOMPtr r =
+    new StreamFinishedRunnable(mTarget, aStatus, aDelay);
+  return NS_DispatchToMainThread(r);
+}
+
+NS_IMETHODIMP
+UrlClassifierUpdateObserverProxy::StreamFinishedRunnable::Run()
+{
+  mTarget->StreamFinished(mStatus, mDelay);
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+UrlClassifierUpdateObserverProxy::UpdateError(nsresult aError)
+{
+  nsCOMPtr r =
+    new UpdateErrorRunnable(mTarget, aError);
+  return NS_DispatchToMainThread(r);
+}
+
+NS_IMETHODIMP
+UrlClassifierUpdateObserverProxy::UpdateErrorRunnable::Run()
+{
+  mTarget->UpdateError(mError);
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+UrlClassifierUpdateObserverProxy::UpdateSuccess(PRUint32 aRequestedTimeout)
+{
+  nsCOMPtr r =
+    new UpdateSuccessRunnable(mTarget, aRequestedTimeout);
+  return NS_DispatchToMainThread(r);
+}
+
+NS_IMETHODIMP
+UrlClassifierUpdateObserverProxy::UpdateSuccessRunnable::Run()
+{
+  mTarget->UpdateSuccess(mRequestedTimeout);
+  return NS_OK;
+}
diff --git a/toolkit/components/url-classifier/nsUrlClassifierProxies.h b/toolkit/components/url-classifier/nsUrlClassifierProxies.h
new file mode 100644
index 000000000000..843f43a2673d
--- /dev/null
+++ b/toolkit/components/url-classifier/nsUrlClassifierProxies.h
@@ -0,0 +1,315 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is Mozilla Firefox.
+ *
+ * The Initial Developer of the Original Code is
+ * the Mozilla Foundation .
+ * Portions created by the Initial Developer are Copyright (C) 2011
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef nsUrlClassifierProxies_h
+#define nsUrlClassifierProxies_h
+
+#include "nsIUrlClassifierDBService.h"
+#include "nsThreadUtils.h"
+
+/**
+ * Thread proxy from the main thread to the worker thread.
+ */
+class UrlClassifierDBServiceWorkerProxy :
+  public nsIUrlClassifierDBServiceWorker
+{
+public:
+  UrlClassifierDBServiceWorkerProxy(nsIUrlClassifierDBServiceWorker* aTarget)
+    : mTarget(aTarget)
+  { }
+
+  NS_DECL_ISUPPORTS
+  NS_DECL_NSIURLCLASSIFIERDBSERVICE
+  NS_DECL_NSIURLCLASSIFIERDBSERVICEWORKER
+
+  class LookupRunnable : public nsRunnable
+  {
+  public:
+    LookupRunnable(nsIUrlClassifierDBServiceWorker* aTarget,
+                   const nsACString& aSpec,
+                   nsIUrlClassifierCallback* aCB)
+      : mTarget(aTarget)
+      , mSpec(aSpec)
+      , mCB(aCB)
+    { }
+
+    NS_DECL_NSIRUNNABLE
+
+  private:
+    nsCOMPtr mTarget;
+    nsCString mSpec;
+    nsCOMPtr mCB;
+  };
+
+  class GetTablesRunnable : public nsRunnable
+  {
+  public:
+    GetTablesRunnable(nsIUrlClassifierDBServiceWorker* aTarget,
+                      nsIUrlClassifierCallback* aCB)
+      : mTarget(aTarget)
+      , mCB(aCB)
+    { }
+
+    NS_DECL_NSIRUNNABLE
+
+  private:
+    nsCOMPtr mTarget;
+    nsCOMPtr mCB;
+  };
+
+  class BeginUpdateRunnable : public nsRunnable
+  {
+  public:
+    BeginUpdateRunnable(nsIUrlClassifierDBServiceWorker* aTarget,
+                        nsIUrlClassifierUpdateObserver* aUpdater,
+                        const nsACString& aTables,
+                        const nsACString& aClientKey)
+      : mTarget(aTarget)
+      , mUpdater(aUpdater)
+      , mTables(aTables)
+      , mClientKey(aClientKey)
+    { }
+
+    NS_DECL_NSIRUNNABLE
+
+  private:
+    nsCOMPtr mTarget;
+    nsCOMPtr mUpdater;
+    nsCString mTables, mClientKey;
+  };
+
+  class BeginStreamRunnable : public nsRunnable
+  {
+  public:
+    BeginStreamRunnable(nsIUrlClassifierDBServiceWorker* aTarget,
+                        const nsACString& aTable,
+                        const nsACString& aServerMAC)
+      : mTarget(aTarget)
+      , mTable(aTable)
+      , mServerMAC(aServerMAC)
+    { }
+
+    NS_DECL_NSIRUNNABLE
+
+  private:
+    nsCOMPtr mTarget;
+    nsCString mTable, mServerMAC;
+  };
+
+  class UpdateStreamRunnable : public nsRunnable
+  {
+  public:
+    UpdateStreamRunnable(nsIUrlClassifierDBServiceWorker* aTarget,
+                         const nsACString& aUpdateChunk)
+      : mTarget(aTarget)
+      , mUpdateChunk(aUpdateChunk)
+    { }
+
+    NS_DECL_NSIRUNNABLE
+
+  private:
+    nsCOMPtr mTarget;
+    nsCString mUpdateChunk;
+  };
+
+  class CacheCompletionsRunnable : public nsRunnable
+  {
+  public:
+    CacheCompletionsRunnable(nsIUrlClassifierDBServiceWorker* aTarget,
+                             nsTArray* aEntries)
+      : mTarget(aTarget)
+      , mEntries(aEntries)
+    { }
+
+    NS_DECL_NSIRUNNABLE
+
+  private:
+    nsCOMPtr mTarget;
+    nsTArray* mEntries;
+  };
+
+private:
+  nsCOMPtr mTarget;
+};
+
+// The remaining classes here are all proxies to the main thread
+
+class UrlClassifierLookupCallbackProxy : public nsIUrlClassifierLookupCallback
+{
+public:
+  UrlClassifierLookupCallbackProxy(nsIUrlClassifierLookupCallback* aTarget)
+    : mTarget(aTarget)
+  { }
+
+  NS_DECL_ISUPPORTS
+  NS_DECL_NSIURLCLASSIFIERLOOKUPCALLBACK
+
+  class LookupCompleteRunnable : public nsRunnable
+  {
+  public:
+    LookupCompleteRunnable(nsIUrlClassifierLookupCallback* aTarget,
+                           nsTArray* aResults)
+      : mTarget(aTarget)
+      , mResults(aResults)
+    { }
+
+    NS_DECL_NSIRUNNABLE
+
+  private:
+    nsCOMPtr mTarget;
+    nsTArray* mResults;
+  };
+
+private:
+  nsCOMPtr mTarget;
+};
+
+class UrlClassifierCallbackProxy : public nsIUrlClassifierCallback
+{
+public:
+  UrlClassifierCallbackProxy(nsIUrlClassifierCallback* aTarget)
+    : mTarget(aTarget)
+  { }
+
+  NS_DECL_ISUPPORTS
+  NS_DECL_NSIURLCLASSIFIERCALLBACK
+
+  class HandleEventRunnable : public nsRunnable
+  {
+  public:
+    HandleEventRunnable(nsIUrlClassifierCallback* aTarget,
+                        const nsACString& aValue)
+      : mTarget(aTarget)
+      , mValue(aValue)
+    { }
+
+    NS_DECL_NSIRUNNABLE
+
+  private:
+    nsCOMPtr mTarget;
+    nsCString mValue;
+  };
+
+private:
+  nsCOMPtr mTarget;
+};
+
+class UrlClassifierUpdateObserverProxy : public nsIUrlClassifierUpdateObserver
+{
+public:
+  UrlClassifierUpdateObserverProxy(nsIUrlClassifierUpdateObserver* aTarget)
+    : mTarget(aTarget)
+  { }
+
+  NS_DECL_ISUPPORTS
+  NS_DECL_NSIURLCLASSIFIERUPDATEOBSERVER
+
+  class UpdateUrlRequestedRunnable : public nsRunnable
+  {
+  public:
+    UpdateUrlRequestedRunnable(nsIUrlClassifierUpdateObserver* aTarget,
+                               const nsACString& aURL,
+                               const nsACString& aTable,
+                               const nsACString& aServerMAC)
+      : mTarget(aTarget)
+      , mURL(aURL)
+      , mTable(aTable)
+      , mServerMAC(aServerMAC)
+    { }
+
+    NS_DECL_NSIRUNNABLE
+
+  private:
+    nsCOMPtr mTarget;
+    nsCString mURL, mTable, mServerMAC;
+  };
+
+  class StreamFinishedRunnable : public nsRunnable
+  {
+  public:
+    StreamFinishedRunnable(nsIUrlClassifierUpdateObserver* aTarget,
+                           nsresult aStatus, PRUint32 aDelay)
+      : mTarget(aTarget)
+      , mStatus(aStatus)
+      , mDelay(aDelay)
+    { }
+
+    NS_DECL_NSIRUNNABLE
+
+  private:
+    nsCOMPtr mTarget;
+    nsresult mStatus;
+    PRUint32 mDelay;
+  };
+
+  class UpdateErrorRunnable : public nsRunnable
+  {
+  public:
+    UpdateErrorRunnable(nsIUrlClassifierUpdateObserver* aTarget,
+                        nsresult aError)
+      : mTarget(aTarget)
+      , mError(aError)
+    { }
+
+    NS_DECL_NSIRUNNABLE
+
+  private:
+    nsCOMPtr mTarget;
+    nsresult mError;
+  };
+
+  class UpdateSuccessRunnable : public nsRunnable
+  {
+  public:
+    UpdateSuccessRunnable(nsIUrlClassifierUpdateObserver* aTarget,
+                          PRUint32 aRequestedTimeout)
+      : mTarget(aTarget)
+      , mRequestedTimeout(aRequestedTimeout)
+    { }
+
+    NS_DECL_NSIRUNNABLE
+
+  private:
+    nsCOMPtr mTarget;
+    PRUint32 mRequestedTimeout;
+  };
+
+private:
+  nsCOMPtr mTarget;
+};
+
+#endif // nsUrlClassifierProxies_h
diff --git a/toolkit/content/PageMenu.jsm b/toolkit/content/PageMenu.jsm
index 808b7be6c113..ac09e9d70bdc 100644
--- a/toolkit/content/PageMenu.jsm
+++ b/toolkit/content/PageMenu.jsm
@@ -40,13 +40,12 @@ function PageMenu() {
 
 PageMenu.prototype = {
   PAGEMENU_ATTR: "pagemenu",
-  GENERATED_ATTR: "generated",
-  IDENT_ATTR: "ident",
+  GENERATEDITEMID_ATTR: "generateditemid",
 
   popup: null,
   builder: null,
 
-  init: function(aTarget, aPopup) {
+  maybeBuildAndAttachMenu: function(aTarget, aPopup) {
     var pageMenu = null;
     var target = aTarget;
     while (target) {
@@ -78,16 +77,16 @@ PageMenu.prototype = {
       return false;
     }
     builder.QueryInterface(Components.interfaces.nsIXULContextMenuBuilder);
-    builder.init(fragment, this.GENERATED_ATTR, this.IDENT_ATTR);
+    builder.init(fragment, this.GENERATEDITEMID_ATTR);
 
     pageMenu.build(builder);
 
     var pos = insertionPoint.getAttribute(this.PAGEMENU_ATTR);
-    if (pos == "end") {
-      insertionPoint.appendChild(fragment);
-    } else {
+    if (pos == "start") {
       insertionPoint.insertBefore(fragment,
                                   insertionPoint.firstChild);
+    } else {
+      insertionPoint.appendChild(fragment);
     }
 
     this.builder = builder;
@@ -102,8 +101,8 @@ PageMenu.prototype = {
   handleEvent: function(event) {
     var type = event.type;
     var target = event.target;
-    if (type == "command" && target.hasAttribute(this.GENERATED_ATTR)) {
-      this.builder.click(target.getAttribute(this.IDENT_ATTR));
+    if (type == "command" && target.hasAttribute(this.GENERATEDITEMID_ATTR)) {
+      this.builder.click(target.getAttribute(this.GENERATEDITEMID_ATTR));
     } else if (type == "popuphidden" && this.popup == target) {
       this.removeGeneratedContent(this.popup);
 
@@ -160,7 +159,7 @@ PageMenu.prototype = {
       var i = element.childNodes.length;
       while (i-- > 0) {
         var child = element.childNodes[i];
-        if (!child.hasAttribute(this.GENERATED_ATTR)) {
+        if (!child.hasAttribute(this.GENERATEDITEMID_ATTR)) {
           ungenerated.push(child);
           continue;
         }
diff --git a/toolkit/content/aboutSupport.js b/toolkit/content/aboutSupport.js
index 943f45a5075a..ee2d6e983ee2 100644
--- a/toolkit/content/aboutSupport.js
+++ b/toolkit/content/aboutSupport.js
@@ -66,7 +66,6 @@ const PREFS_WHITELIST = [
   "general.useragent.",
   "gfx.",
   "html5.",
-  "mozilla.widget.render-mode",
   "layers.",
   "javascript.",
   "keyword.",
diff --git a/toolkit/content/tests/widgets/Makefile.in b/toolkit/content/tests/widgets/Makefile.in
index 5e9688c19b26..9bf02061b49e 100644
--- a/toolkit/content/tests/widgets/Makefile.in
+++ b/toolkit/content/tests/widgets/Makefile.in
@@ -77,6 +77,10 @@ _TEST_FILES =	\
 		videomask.css \
 		$(NULL)
 
+_CHROME_TEST_FILES = \
+		test_editor_currentURI.xul \
+		$(NULL)
+
 ifneq (cocoa,$(MOZ_WIDGET_TOOLKIT))
 _TEST_FILES += test_menubar.xul \
                window_menubar.xul
@@ -87,3 +91,7 @@ libs:: $(_CHROME_FILES)
 
 libs:: $(_TEST_FILES)
 	$(INSTALL) $(foreach f,$^,"$f") $(DEPTH)/_tests/testing/mochitest/tests/$(relativesrcdir)
+
+libs:: $(_CHROME_TEST_FILES)
+	$(INSTALL) $(foreach f,$^,"$f") $(DEPTH)/_tests/testing/mochitest/chrome/$(relativesrcdir)
+
diff --git a/toolkit/content/tests/widgets/test_editor_currentURI.xul b/toolkit/content/tests/widgets/test_editor_currentURI.xul
new file mode 100644
index 000000000000..2821b8196e3a
--- /dev/null
+++ b/toolkit/content/tests/widgets/test_editor_currentURI.xul
@@ -0,0 +1,40 @@
+
+
+
+
+  Editor currentURI Tests
+  
+
diff --git a/toolkit/content/widgets/editor.xml b/toolkit/content/widgets/editor.xml
index 539891833933..459b86c1a505 100644
--- a/toolkit/content/widgets/editor.xml
+++ b/toolkit/content/widgets/editor.xml
@@ -102,6 +102,9 @@
       
+      
       
diff --git a/toolkit/mozapps/extensions/XPIProvider.jsm b/toolkit/mozapps/extensions/XPIProvider.jsm
index 93533f60c493..0bb75a172493 100644
--- a/toolkit/mozapps/extensions/XPIProvider.jsm
+++ b/toolkit/mozapps/extensions/XPIProvider.jsm
@@ -3461,13 +3461,18 @@ var XPIProvider = {
 
     let principal = Cc["@mozilla.org/systemprincipal;1"].
                     createInstance(Ci.nsIPrincipal);
-    this.bootstrapScopes[aId] = new Components.utils.Sandbox(principal);
 
     if (!aFile.exists()) {
+      this.bootstrapScopes[aId] = new Components.utils.Sandbox(principal,
+                                                               {sandboxName: aFile.path});
       ERROR("Attempted to load bootstrap scope from missing directory " + bootstrap.path);
       return;
     }
 
+    let uri = getURIForResourceInFile(aFile, "bootstrap.js").spec;
+    this.bootstrapScopes[aId] = new Components.utils.Sandbox(principal,
+                                                             {sandboxName: uri});
+
     let loader = Cc["@mozilla.org/moz/jssubscript-loader;1"].
                  createInstance(Ci.mozIJSSubScriptLoader);
 
@@ -3475,8 +3480,7 @@ var XPIProvider = {
       // As we don't want our caller to control the JS version used for the
       // bootstrap file, we run loadSubScript within the context of the
       // sandbox with the latest JS version set explicitly.
-      this.bootstrapScopes[aId].__SCRIPT_URI_SPEC__ =
-          getURIForResourceInFile(aFile, "bootstrap.js").spec;
+      this.bootstrapScopes[aId].__SCRIPT_URI_SPEC__ = uri;
       Components.utils.evalInSandbox(
         "Components.classes['@mozilla.org/moz/jssubscript-loader;1'] \
                    .createInstance(Components.interfaces.mozIJSSubScriptLoader) \
diff --git a/toolkit/mozapps/extensions/content/selectAddons.xul b/toolkit/mozapps/extensions/content/selectAddons.xul
index e206bea0b2d7..4392ee056f89 100644
--- a/toolkit/mozapps/extensions/content/selectAddons.xul
+++ b/toolkit/mozapps/extensions/content/selectAddons.xul
@@ -148,8 +148,7 @@
   
 
   
-    
-    
+