summary refs log tree commit diff
path: root/gnu/packages/patches
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-2722-pt1.patch77
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-2722-pt2.patch73
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-2724-pt1.patch57
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-2724-pt2.patch391
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-2724-pt3.patch90
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-2724-pt4.patch65
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-2728-pt1.patch95
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-2728-pt2.patch27
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-2733-pt1.patch29
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-2733-pt2.patch31
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-2735.patch86
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-2736.patch34
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-2738.patch151
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-2739.patch66
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-2740.patch52
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-2743.patch73
-rw-r--r--gnu/packages/patches/icecat-enable-acceleration-and-webgl.patch12
17 files changed, 12 insertions, 1397 deletions
diff --git a/gnu/packages/patches/icecat-CVE-2015-2722-pt1.patch b/gnu/packages/patches/icecat-CVE-2015-2722-pt1.patch
deleted file mode 100644
index e2c44ccaf8..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-2722-pt1.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-From 7805485b75d06915bcb018b8fe5cb7de4ddebddb Mon Sep 17 00:00:00 2001
-From: Andrea Marchesini <amarchesini@mozilla.com>
-Date: Wed, 27 May 2015 14:21:44 -0700
-Subject: [PATCH] Bug 1166924 part 0 r=bent a=lizzard
-
---HG--
-extra : source : 36bf5bcceb272fc9e303996f8dfe7350984a5e96
----
- dom/workers/XMLHttpRequest.cpp | 18 ++++++++++++++++--
- 1 file changed, 16 insertions(+), 2 deletions(-)
-
-diff --git a/dom/workers/XMLHttpRequest.cpp b/dom/workers/XMLHttpRequest.cpp
-index 748fd39..8e4200a 100644
---- a/dom/workers/XMLHttpRequest.cpp
-+++ b/dom/workers/XMLHttpRequest.cpp
-@@ -113,6 +113,7 @@ public:
-   bool mLastUploadLengthComputable;
-   bool mSeenLoadStart;
-   bool mSeenUploadLoadStart;
-+  bool mOpening;
- 
-   // Only touched on the main thread.
-   bool mUploadEventListenersAttached;
-@@ -127,7 +128,7 @@ public:
-     mOuterEventStreamId(0), mOuterChannelId(0), mLastLoaded(0), mLastTotal(0),
-     mLastUploadLoaded(0), mLastUploadTotal(0), mIsSyncXHR(false),
-     mLastLengthComputable(false), mLastUploadLengthComputable(false),
--    mSeenLoadStart(false), mSeenUploadLoadStart(false),
-+    mSeenLoadStart(false), mSeenUploadLoadStart(false), mOpening(false),
-     mUploadEventListenersAttached(false), mMainThreadSeenLoadStart(false),
-     mInOpen(false)
-   { }
-@@ -1498,7 +1499,11 @@ SendRunnable::MainThreadRun()
-     variant = wvariant;
-   }
- 
--  MOZ_ASSERT(!mProxy->mWorkerPrivate);
-+  // Send() has been already called.
-+  if (mProxy->mWorkerPrivate) {
-+    return NS_ERROR_FAILURE;
-+  }
-+
-   mProxy->mWorkerPrivate = mWorkerPrivate;
- 
-   MOZ_ASSERT(!mProxy->mSyncLoopTarget);
-@@ -1789,6 +1794,12 @@ XMLHttpRequest::SendInternal(const nsAString& aStringBody,
- {
-   mWorkerPrivate->AssertIsOnWorkerThread();
- 
-+  // No send() calls when open is running.
-+  if (mProxy->mOpening) {
-+    aRv.Throw(NS_ERROR_FAILURE);
-+    return;
-+  }
-+
-   bool hasUploadListeners = mUpload ? mUpload->HasListeners() : false;
- 
-   MaybePin(aRv);
-@@ -1874,12 +1885,15 @@ XMLHttpRequest::Open(const nsACString& aMethod, const nsAString& aUrl,
-                      mBackgroundRequest, mWithCredentials,
-                      mTimeout);
- 
-+  mProxy->mOpening = true;
-   if (!runnable->Dispatch(mWorkerPrivate->GetJSContext())) {
-     ReleaseProxy();
-+    mProxy->mOpening = false;
-     aRv.Throw(NS_ERROR_FAILURE);
-     return;
-   }
- 
-+  mProxy->mOpening = false;
-   mProxy->mIsSyncXHR = !aAsync;
- }
- 
--- 
-2.4.3
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-2722-pt2.patch b/gnu/packages/patches/icecat-CVE-2015-2722-pt2.patch
deleted file mode 100644
index c82d0f7e6f..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-2722-pt2.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From 6eb772aa6a0c1b21aafcfa606cc3bf07659b53b9 Mon Sep 17 00:00:00 2001
-From: Wes Kocher <wkocher@mozilla.com>
-Date: Wed, 27 May 2015 14:33:22 -0700
-Subject: [PATCH] Bug 1166924 part 1 r=baku a=lizzard
-
---HG--
-extra : source : 528d47773256bfee72e7adedc78b89c9fa573b7b
----
- dom/workers/XMLHttpRequest.cpp | 20 ++++++++++++--------
- 1 file changed, 12 insertions(+), 8 deletions(-)
-
-diff --git a/dom/workers/XMLHttpRequest.cpp b/dom/workers/XMLHttpRequest.cpp
-index 8e4200a..bf0cd3f 100644
---- a/dom/workers/XMLHttpRequest.cpp
-+++ b/dom/workers/XMLHttpRequest.cpp
-@@ -140,7 +140,7 @@ public:
-   Init();
- 
-   void
--  Teardown();
-+  Teardown(bool aSendUnpin);
- 
-   bool
-   AddRemoveEventListeners(bool aUpload, bool aAdd);
-@@ -308,7 +308,9 @@ private:
-   {
-     AssertIsOnMainThread();
- 
--    mProxy->Teardown();
-+    // This means the XHR was GC'd, so we can't be pinned, and we don't need to
-+    // try to unpin.
-+    mProxy->Teardown(/* aSendUnpin */ false);
-     mProxy = nullptr;
- 
-     return NS_OK;
-@@ -563,7 +565,7 @@ private:
-   virtual nsresult
-   MainThreadRun() MOZ_OVERRIDE
-   {
--    mProxy->Teardown();
-+    mProxy->Teardown(/* aSendUnpin */ true);
-     MOZ_ASSERT(!mProxy->mSyncLoopTarget);
-     return NS_OK;
-   }
-@@ -935,7 +937,7 @@ Proxy::Init()
- }
- 
- void
--Proxy::Teardown()
-+Proxy::Teardown(bool aSendUnpin)
- {
-   AssertIsOnMainThread();
- 
-@@ -948,10 +950,12 @@ Proxy::Teardown()
-     mXHR->Abort();
- 
-     if (mOutstandingSendCount) {
--      nsRefPtr<XHRUnpinRunnable> runnable =
--        new XHRUnpinRunnable(mWorkerPrivate, mXMLHttpRequestPrivate);
--      if (!runnable->Dispatch(nullptr)) {
--        NS_RUNTIMEABORT("We're going to hang at shutdown anyways.");
-+      if (aSendUnpin) {
-+        nsRefPtr<XHRUnpinRunnable> runnable =
-+          new XHRUnpinRunnable(mWorkerPrivate, mXMLHttpRequestPrivate);
-+        if (!runnable->Dispatch(nullptr)) {
-+          NS_RUNTIMEABORT("We're going to hang at shutdown anyways.");
-+        }
-       }
- 
-       if (mSyncLoopTarget) {
--- 
-2.4.3
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-2724-pt1.patch b/gnu/packages/patches/icecat-CVE-2015-2724-pt1.patch
deleted file mode 100644
index 0b91b1ec86..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-2724-pt1.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From 6465a9f57b13fdf3d21016a41973f13d1e7f447c Mon Sep 17 00:00:00 2001
-From: Bobby Holley <bobbyholley@gmail.com>
-Date: Wed, 13 May 2015 11:08:30 -0700
-Subject: [PATCH] Bug 1164567 - Grab the principal when we need it in
- MediaDecodeTask. r=jww, a=sledru
-
----
- content/media/webaudio/MediaBufferDecoder.cpp | 17 ++++++++---------
- 1 file changed, 8 insertions(+), 9 deletions(-)
-
-diff --git a/content/media/webaudio/MediaBufferDecoder.cpp b/content/media/webaudio/MediaBufferDecoder.cpp
-index b9409ad..ee6538c 100644
---- a/content/media/webaudio/MediaBufferDecoder.cpp
-+++ b/content/media/webaudio/MediaBufferDecoder.cpp
-@@ -101,13 +101,6 @@ public:
-   {
-     MOZ_ASSERT(aBuffer);
-     MOZ_ASSERT(NS_IsMainThread());
--
--    nsCOMPtr<nsPIDOMWindow> pWindow = do_QueryInterface(mDecodeJob.mContext->GetParentObject());
--    nsCOMPtr<nsIScriptObjectPrincipal> scriptPrincipal =
--      do_QueryInterface(pWindow);
--    if (scriptPrincipal) {
--      mPrincipal = scriptPrincipal->GetPrincipal();
--    }
-   }
- 
-   NS_IMETHOD Run();
-@@ -150,7 +143,6 @@ private:
-   WebAudioDecodeJob& mDecodeJob;
-   PhaseEnum mPhase;
-   nsCOMPtr<nsIThreadPool> mThreadPool;
--  nsCOMPtr<nsIPrincipal> mPrincipal;
-   nsRefPtr<BufferDecoder> mBufferDecoder;
-   nsAutoPtr<MediaDecoderReader> mDecoderReader;
- };
-@@ -179,9 +171,16 @@ MediaDecodeTask::CreateReader()
- {
-   MOZ_ASSERT(NS_IsMainThread());
- 
-+
-+  nsCOMPtr<nsIPrincipal> principal;
-+  nsCOMPtr<nsIScriptObjectPrincipal> sop = do_QueryInterface(mDecodeJob.mContext->GetParentObject());
-+  if (sop) {
-+    principal = sop->GetPrincipal();
-+  }
-+
-   nsRefPtr<BufferMediaResource> resource =
-     new BufferMediaResource(static_cast<uint8_t*> (mBuffer),
--                            mLength, mPrincipal, mContentType);
-+                            mLength, principal, mContentType);
- 
-   MOZ_ASSERT(!mBufferDecoder);
-   mBufferDecoder = new BufferDecoder(resource);
--- 
-2.4.3
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-2724-pt2.patch b/gnu/packages/patches/icecat-CVE-2015-2724-pt2.patch
deleted file mode 100644
index 486e92c66d..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-2724-pt2.patch
+++ /dev/null
@@ -1,391 +0,0 @@
-From 99641aa4446dc9df04dcfeede8b49ff03abcac42 Mon Sep 17 00:00:00 2001
-From: Jan de Mooij <jdemooij@mozilla.com>
-Date: Thu, 28 May 2015 10:16:24 +0200
-Subject: [PATCH] Bug 1160884 - Add KeepAlive instructions after elements/slots
- uses. r=nbp, a=abillings
-
----
- js/src/jit/CodeGenerator.cpp            |   7 ++
- js/src/jit/CodeGenerator.h              |   1 +
- js/src/jit/Ion.cpp                      |   7 ++
- js/src/jit/IonAnalysis.cpp              | 112 ++++++++++++++++++++++++++++++++
- js/src/jit/IonAnalysis.h                |   3 +
- js/src/jit/LIR-Common.h                 |  14 ++++
- js/src/jit/LOpcodes.h                   |   1 +
- js/src/jit/Lowering.cpp                 |   9 +++
- js/src/jit/Lowering.h                   |   1 +
- js/src/jit/MIR.h                        |  26 ++++++++
- js/src/jit/MOpcodes.h                   |   1 +
- js/src/jit/ParallelSafetyAnalysis.cpp   |   1 +
- js/src/jit/shared/Lowering-shared-inl.h |   8 ++-
- js/src/jit/shared/Lowering-shared.h     |   1 +
- js/src/vm/TraceLogging.h                |   3 +-
- 15 files changed, 193 insertions(+), 2 deletions(-)
-
-diff --git a/js/src/jit/CodeGenerator.cpp b/js/src/jit/CodeGenerator.cpp
-index 5dff9df..7364178 100644
---- a/js/src/jit/CodeGenerator.cpp
-+++ b/js/src/jit/CodeGenerator.cpp
-@@ -1476,6 +1476,13 @@ CodeGenerator::visitPointer(LPointer* lir)
- }
- 
- bool
-+CodeGenerator::visitKeepAliveObject(LKeepAliveObject* lir)
-+{
-+    // No-op.
-+    return true;
-+}
-+
-+bool
- CodeGenerator::visitSlots(LSlots* lir)
- {
-     Address slots(ToRegister(lir->object()), JSObject::offsetOfSlots());
-diff --git a/js/src/jit/CodeGenerator.h b/js/src/jit/CodeGenerator.h
-index 95fb33b..e3b4fd7 100644
---- a/js/src/jit/CodeGenerator.h
-+++ b/js/src/jit/CodeGenerator.h
-@@ -106,6 +106,7 @@ class CodeGenerator : public CodeGeneratorSpecific
-     bool visitLambdaForSingleton(LLambdaForSingleton* lir);
-     bool visitLambdaPar(LLambdaPar* lir);
-     bool visitPointer(LPointer* lir);
-+    bool visitKeepAliveObject(LKeepAliveObject* lir);
-     bool visitSlots(LSlots* lir);
-     bool visitStoreSlotV(LStoreSlotV* store);
-     bool visitElements(LElements* lir);
-diff --git a/js/src/jit/Ion.cpp b/js/src/jit/Ion.cpp
-index 015d387..1551a80 100644
---- a/js/src/jit/Ion.cpp
-+++ b/js/src/jit/Ion.cpp
-@@ -1536,6 +1536,13 @@ OptimizeMIR(MIRGenerator* mir)
-         AssertGraphCoherency(graph);
-     }
- 
-+    if (!mir->compilingAsmJS()) {
-+        AutoTraceLog log(logger, TraceLogger::AddKeepAliveInstructions);
-+        AddKeepAliveInstructions(graph);
-+        IonSpewPass("Add KeepAlive Instructions");
-+        AssertGraphCoherency(graph);
-+    }
-+
-     return true;
- }
- 
-diff --git a/js/src/jit/IonAnalysis.cpp b/js/src/jit/IonAnalysis.cpp
-index 8965724..af58aae 100644
---- a/js/src/jit/IonAnalysis.cpp
-+++ b/js/src/jit/IonAnalysis.cpp
-@@ -1971,6 +1971,118 @@ jit::UnsplitEdges(LIRGraph* lir)
-     return true;
- }
- 
-+static bool
-+NeedsKeepAlive(MInstruction* slotsOrElements, MInstruction* use)
-+{
-+    MOZ_ASSERT(slotsOrElements->type() == MIRType_Elements ||
-+               slotsOrElements->type() == MIRType_Slots);
-+
-+    if (slotsOrElements->block() != use->block())
-+        return true;
-+
-+    MBasicBlock* block = use->block();
-+    MInstructionIterator iter(block->begin(slotsOrElements));
-+    MOZ_ASSERT(*iter == slotsOrElements);
-+    ++iter;
-+
-+    while (true) {
-+        if (*iter == use)
-+            return false;
-+
-+        switch (iter->op()) {
-+          case MDefinition::Op_Nop:
-+          case MDefinition::Op_Constant:
-+          case MDefinition::Op_KeepAliveObject:
-+          case MDefinition::Op_Unbox:
-+          case MDefinition::Op_LoadSlot:
-+          case MDefinition::Op_StoreSlot:
-+          case MDefinition::Op_LoadFixedSlot:
-+          case MDefinition::Op_StoreFixedSlot:
-+          case MDefinition::Op_LoadElement:
-+          case MDefinition::Op_StoreElement:
-+          case MDefinition::Op_InitializedLength:
-+          case MDefinition::Op_ArrayLength:
-+          case MDefinition::Op_BoundsCheck:
-+            iter++;
-+            break;
-+          default:
-+            return true;
-+        }
-+    }
-+
-+    MOZ_CRASH("Unreachable");
-+}
-+
-+void
-+jit::AddKeepAliveInstructions(MIRGraph& graph)
-+{
-+    for (MBasicBlockIterator i(graph.begin()); i != graph.end(); i++) {
-+        MBasicBlock* block = *i;
-+
-+        for (MInstructionIterator insIter(block->begin()); insIter != block->end(); insIter++) {
-+            MInstruction* ins = *insIter;
-+            if (ins->type() != MIRType_Elements && ins->type() != MIRType_Slots)
-+                continue;
-+
-+            MDefinition* ownerObject;
-+            switch (ins->op()) {
-+              case MDefinition::Op_ConstantElements:
-+              case MDefinition::Op_NewSlots:
-+                continue;
-+              case MDefinition::Op_ConvertElementsToDoubles:
-+                // EliminateRedundantChecks should have replaced all uses.
-+                MOZ_ASSERT(!ins->hasUses());
-+                continue;
-+              case MDefinition::Op_Elements:
-+              case MDefinition::Op_TypedArrayElements:
-+              case MDefinition::Op_TypedObjectElements:
-+                MOZ_ASSERT(ins->numOperands() == 1);
-+                ownerObject = ins->getOperand(0);
-+                break;
-+              case MDefinition::Op_Slots:
-+                ownerObject = ins->toSlots()->object();
-+                break;
-+              default:
-+                MOZ_CRASH("Unexpected op");
-+            }
-+
-+            MOZ_ASSERT(ownerObject->type() == MIRType_Object);
-+
-+            if (ownerObject->isConstant()) {
-+                // Constants are kept alive by other pointers, for instance
-+                // ImmGCPtr in JIT code.
-+                continue;
-+            }
-+
-+            for (MUseDefIterator uses(ins); uses; uses++) {
-+                MInstruction* use = uses.def()->toInstruction();
-+
-+                if (use->isStoreElementHole()) {
-+                    // StoreElementHole has an explicit object operand. If GVN
-+                    // is disabled, we can get different unbox instructions with
-+                    // the same object as input, so we check for that case.
-+                    MOZ_ASSERT_IF(!use->toStoreElementHole()->object()->isUnbox() && !ownerObject->isUnbox(),
-+                                  use->toStoreElementHole()->object() == ownerObject);
-+                    continue;
-+                }
-+
-+                if (use->isInArray()) {
-+                    // See StoreElementHole case above.
-+                    MOZ_ASSERT_IF(!use->toInArray()->object()->isUnbox() && !ownerObject->isUnbox(),
-+                                  use->toInArray()->object() == ownerObject);
-+                    continue;
-+                }
-+
-+                if (!NeedsKeepAlive(ins, use))
-+                    continue;
-+
-+                MKeepAliveObject* keepAlive = MKeepAliveObject::New(graph.alloc(), ownerObject);
-+                use->block()->insertAfter(use, keepAlive);
-+            }
-+        }
-+    }
-+}
-+
- bool
- LinearSum::multiply(int32_t scale)
- {
-diff --git a/js/src/jit/IonAnalysis.h b/js/src/jit/IonAnalysis.h
-index aabf835..a320418 100644
---- a/js/src/jit/IonAnalysis.h
-+++ b/js/src/jit/IonAnalysis.h
-@@ -64,6 +64,9 @@ AssertExtendedGraphCoherency(MIRGraph& graph);
- bool
- EliminateRedundantChecks(MIRGraph& graph);
- 
-+void
-+AddKeepAliveInstructions(MIRGraph& graph);
-+
- bool
- UnsplitEdges(LIRGraph* lir);
- 
-diff --git a/js/src/jit/LIR-Common.h b/js/src/jit/LIR-Common.h
-index 5fe0ee9..6b03a42 100644
---- a/js/src/jit/LIR-Common.h
-+++ b/js/src/jit/LIR-Common.h
-@@ -3591,6 +3591,20 @@ class LImplicitThis : public LInstructionHelper<BOX_PIECES, 1, 0>
-     }
- };
- 
-+class LKeepAliveObject : public LInstructionHelper<0, 1, 0>
-+{
-+  public:
-+    LIR_HEADER(KeepAliveObject)
-+
-+    explicit LKeepAliveObject(const LAllocation& object) {
-+        setOperand(0, object);
-+    }
-+
-+    const LAllocation* object() {
-+        return getOperand(0);
-+    }
-+};
-+
- // Load the "slots" member out of a JSObject.
- //   Input: JSObject pointer
- //   Output: slots pointer
-diff --git a/js/src/jit/LOpcodes.h b/js/src/jit/LOpcodes.h
-index cd7eef8..424b22c 100644
---- a/js/src/jit/LOpcodes.h
-+++ b/js/src/jit/LOpcodes.h
-@@ -166,6 +166,7 @@
-     _(LambdaForSingleton)           \
-     _(LambdaPar)                    \
-     _(ImplicitThis)                 \
-+    _(KeepAliveObject)              \
-     _(Slots)                        \
-     _(Elements)                     \
-     _(ConvertElementsToDoubles)     \
-diff --git a/js/src/jit/Lowering.cpp b/js/src/jit/Lowering.cpp
-index d671fd4..c0d434e 100644
---- a/js/src/jit/Lowering.cpp
-+++ b/js/src/jit/Lowering.cpp
-@@ -2110,6 +2110,15 @@ LIRGenerator::visitImplicitThis(MImplicitThis* ins)
- }
- 
- bool
-+LIRGenerator::visitKeepAliveObject(MKeepAliveObject* ins)
-+{
-+    MDefinition* obj = ins->object();
-+    MOZ_ASSERT(obj->type() == MIRType_Object);
-+
-+    return add(new(alloc()) LKeepAliveObject(useKeepalive(obj)), ins);
-+}
-+
-+bool
- LIRGenerator::visitSlots(MSlots* ins)
- {
-     return define(new(alloc()) LSlots(useRegisterAtStart(ins->object())), ins);
-diff --git a/js/src/jit/Lowering.h b/js/src/jit/Lowering.h
-index ea50cab..a60dc30 100644
---- a/js/src/jit/Lowering.h
-+++ b/js/src/jit/Lowering.h
-@@ -160,6 +160,7 @@ class LIRGenerator : public LIRGeneratorSpecific
-     bool visitLambdaArrow(MLambdaArrow* ins);
-     bool visitLambdaPar(MLambdaPar* ins);
-     bool visitImplicitThis(MImplicitThis* ins);
-+    bool visitKeepAliveObject(MKeepAliveObject* ins);
-     bool visitSlots(MSlots* ins);
-     bool visitElements(MElements* ins);
-     bool visitConstantElements(MConstantElements* ins);
-diff --git a/js/src/jit/MIR.h b/js/src/jit/MIR.h
-index 48e1dfb..a6060a2 100644
---- a/js/src/jit/MIR.h
-+++ b/js/src/jit/MIR.h
-@@ -5790,6 +5790,32 @@ class MSetTypedObjectOffset
-     }
- };
- 
-+class MKeepAliveObject
-+  : public MUnaryInstruction,
-+    public SingleObjectPolicy
-+{
-+    explicit MKeepAliveObject(MDefinition* object)
-+      : MUnaryInstruction(object)
-+    {
-+        setResultType(MIRType_None);
-+        setGuard();
-+    }
-+
-+  public:
-+    INSTRUCTION_HEADER(KeepAliveObject)
-+
-+    static MKeepAliveObject* New(TempAllocator& alloc, MDefinition* object) {
-+        return new(alloc) MKeepAliveObject(object);
-+    }
-+
-+    MDefinition* object() const {
-+        return getOperand(0);
-+    }
-+    TypePolicy* typePolicy() {
-+        return this;
-+    }
-+};
-+
- // Perform !-operation
- class MNot
-   : public MUnaryInstruction,
-diff --git a/js/src/jit/MOpcodes.h b/js/src/jit/MOpcodes.h
-index 83b9e63..cfc3895 100644
---- a/js/src/jit/MOpcodes.h
-+++ b/js/src/jit/MOpcodes.h
-@@ -110,6 +110,7 @@ namespace jit {
-     _(Lambda)                                                               \
-     _(LambdaArrow)                                                          \
-     _(ImplicitThis)                                                         \
-+    _(KeepAliveObject)                                                      \
-     _(Slots)                                                                \
-     _(Elements)                                                             \
-     _(ConstantElements)                                                     \
-diff --git a/js/src/jit/ParallelSafetyAnalysis.cpp b/js/src/jit/ParallelSafetyAnalysis.cpp
-index a6a1202..13c577b 100644
---- a/js/src/jit/ParallelSafetyAnalysis.cpp
-+++ b/js/src/jit/ParallelSafetyAnalysis.cpp
-@@ -199,6 +199,7 @@ class ParallelSafetyVisitor : public MInstructionVisitor
-     CUSTOM_OP(Lambda)
-     UNSAFE_OP(LambdaArrow)
-     UNSAFE_OP(ImplicitThis)
-+    SAFE_OP(KeepAliveObject)
-     SAFE_OP(Slots)
-     SAFE_OP(Elements)
-     SAFE_OP(ConstantElements)
-diff --git a/js/src/jit/shared/Lowering-shared-inl.h b/js/src/jit/shared/Lowering-shared-inl.h
-index 17bb74a..832cc61 100644
---- a/js/src/jit/shared/Lowering-shared-inl.h
-+++ b/js/src/jit/shared/Lowering-shared-inl.h
-@@ -372,11 +372,17 @@ LIRGeneratorShared::useStorableAtStart(MDefinition* mir)
- #endif
- 
- LAllocation
-+LIRGeneratorShared::useKeepalive(MDefinition* mir)
-+{
-+    return use(mir, LUse(LUse::KEEPALIVE));
-+}
-+
-+LAllocation
- LIRGeneratorShared::useKeepaliveOrConstant(MDefinition* mir)
- {
-     if (mir->isConstant())
-         return LAllocation(mir->toConstant()->vp());
--    return use(mir, LUse(LUse::KEEPALIVE));
-+    return useKeepalive(mir);
- }
- 
- LUse
-diff --git a/js/src/jit/shared/Lowering-shared.h b/js/src/jit/shared/Lowering-shared.h
-index 4bd13b0..b23d20e 100644
---- a/js/src/jit/shared/Lowering-shared.h
-+++ b/js/src/jit/shared/Lowering-shared.h
-@@ -85,6 +85,7 @@ class LIRGeneratorShared : public MInstructionVisitorWithDefaults
-     // this is a generic "things we can expect to write into memory in 1 instruction"
-     inline LAllocation useStorable(MDefinition* mir);
-     inline LAllocation useStorableAtStart(MDefinition* mir);
-+    inline LAllocation useKeepalive(MDefinition* mir);
-     inline LAllocation useKeepaliveOrConstant(MDefinition* mir);
-     inline LAllocation useRegisterOrConstant(MDefinition* mir);
-     inline LAllocation useRegisterOrConstantAtStart(MDefinition* mir);
-diff --git a/js/src/vm/TraceLogging.h b/js/src/vm/TraceLogging.h
-index 4c2ebfe..8447679 100644
---- a/js/src/vm/TraceLogging.h
-+++ b/js/src/vm/TraceLogging.h
-@@ -145,7 +145,8 @@ namespace jit {
-     _(EffectiveAddressAnalysis)                       \
-     _(EliminateDeadCode)                              \
-     _(EdgeCaseAnalysis)                               \
--    _(EliminateRedundantChecks)
-+    _(EliminateRedundantChecks)                       \
-+    _(AddKeepAliveInstructions)
- 
- class AutoTraceLog;
- 
--- 
-2.4.3
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-2724-pt3.patch b/gnu/packages/patches/icecat-CVE-2015-2724-pt3.patch
deleted file mode 100644
index 4b31bf1c6e..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-2724-pt3.patch
+++ /dev/null
@@ -1,90 +0,0 @@
-From 5da8e2ffd63deac27c0faca7dabee3623867dd6e Mon Sep 17 00:00:00 2001
-From: Steven Michaud <smichaud@pobox.com>
-Date: Wed, 3 Jun 2015 11:18:25 -0500
-Subject: [PATCH] Bug 1154876 - Block calls to hooked methods off the plugin
- thread. r=spohl a=abillings
-
----
- dom/plugins/ipc/PluginInterposeOSX.mm | 17 ++++++++---------
- 1 file changed, 8 insertions(+), 9 deletions(-)
-
-diff --git a/dom/plugins/ipc/PluginInterposeOSX.mm b/dom/plugins/ipc/PluginInterposeOSX.mm
-index f43192b..cfd8e57 100644
---- a/dom/plugins/ipc/PluginInterposeOSX.mm
-+++ b/dom/plugins/ipc/PluginInterposeOSX.mm
-@@ -38,8 +38,7 @@
- #import <objc/runtime.h>
- #import <Carbon/Carbon.h>
- 
--using mozilla::plugins::PluginModuleChild;
--using mozilla::plugins::AssertPluginThread;
-+using namespace mozilla::plugins;
- 
- namespace mac_plugin_interposing {
- 
-@@ -544,7 +543,7 @@ void NSCursorInfo::SetCustomImageData(uint8_t* aData, uint32_t aDataLength)
- bool NSCursorInfo::GetNativeCursorsSupported()
- {
-   if (mNativeCursorsSupported == -1) {
--    AssertPluginThread();
-+    ENSURE_PLUGIN_THREAD(false);
-     PluginModuleChild *pmc = PluginModuleChild::current();
-     if (pmc) {
-       bool result = pmc->GetNativeCursorsSupported();
-@@ -689,7 +688,7 @@ void FocusPluginProcess() {
- 
- void NotifyBrowserOfPluginShowWindow(uint32_t window_id, CGRect bounds,
-                                      bool modal) {
--  AssertPluginThread();
-+  ENSURE_PLUGIN_THREAD_VOID();
- 
-   PluginModuleChild *pmc = PluginModuleChild::current();
-   if (pmc)
-@@ -697,7 +696,7 @@ void NotifyBrowserOfPluginShowWindow(uint32_t window_id, CGRect bounds,
- }
- 
- void NotifyBrowserOfPluginHideWindow(uint32_t window_id, CGRect bounds) {
--  AssertPluginThread();
-+  ENSURE_PLUGIN_THREAD_VOID();
- 
-   PluginModuleChild *pmc = PluginModuleChild::current();
-   if (pmc)
-@@ -706,7 +705,7 @@ void NotifyBrowserOfPluginHideWindow(uint32_t window_id, CGRect bounds) {
- 
- void NotifyBrowserOfSetCursor(NSCursorInfo& aCursorInfo)
- {
--  AssertPluginThread();
-+  ENSURE_PLUGIN_THREAD_VOID();
-   PluginModuleChild *pmc = PluginModuleChild::current();
-   if (pmc) {
-     pmc->SetCursor(aCursorInfo);
-@@ -715,7 +714,7 @@ void NotifyBrowserOfSetCursor(NSCursorInfo& aCursorInfo)
- 
- void NotifyBrowserOfShowCursor(bool show)
- {
--  AssertPluginThread();
-+  ENSURE_PLUGIN_THREAD_VOID();
-   PluginModuleChild *pmc = PluginModuleChild::current();
-   if (pmc) {
-     pmc->ShowCursor(show);
-@@ -724,7 +723,7 @@ void NotifyBrowserOfShowCursor(bool show)
- 
- void NotifyBrowserOfPushCursor(NSCursorInfo& aCursorInfo)
- {
--  AssertPluginThread();
-+  ENSURE_PLUGIN_THREAD_VOID();
-   PluginModuleChild *pmc = PluginModuleChild::current();
-   if (pmc) {
-     pmc->PushCursor(aCursorInfo);
-@@ -733,7 +732,7 @@ void NotifyBrowserOfPushCursor(NSCursorInfo& aCursorInfo)
- 
- void NotifyBrowserOfPopCursor()
- {
--  AssertPluginThread();
-+  ENSURE_PLUGIN_THREAD_VOID();
-   PluginModuleChild *pmc = PluginModuleChild::current();
-   if (pmc) {
-     pmc->PopCursor();
--- 
-2.4.3
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-2724-pt4.patch b/gnu/packages/patches/icecat-CVE-2015-2724-pt4.patch
deleted file mode 100644
index 90c15e663e..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-2724-pt4.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From 96dc9518fab0929293a8fc388f6a4a64d05b0f6f Mon Sep 17 00:00:00 2001
-From: Jan de Mooij <jdemooij@mozilla.com>
-Date: Wed, 10 Jun 2015 18:01:09 +0200
-Subject: [PATCH] Bug 1143679 - Make TryNoteIterIon behave more like
- Baseline/interpreter iterators. r=shu, a=lizzard
-
---HG--
-extra : transplant_source : W%D0%1FGe%29%2A%E2%BC%0C%09%3BH%92%2A%A0%5CO%FD%89
----
- js/src/jit/IonFrames.cpp | 20 +++++++++++++++++---
- 1 file changed, 17 insertions(+), 3 deletions(-)
-
-diff --git a/js/src/jit/IonFrames.cpp b/js/src/jit/IonFrames.cpp
-index 51f4301..3e41c0a 100644
---- a/js/src/jit/IonFrames.cpp
-+++ b/js/src/jit/IonFrames.cpp
-@@ -356,14 +356,20 @@ JitFrameIterator::machineState() const
-     return machine;
- }
- 
-+static uint32_t
-+NumArgAndLocalSlots(const InlineFrameIterator& frame)
-+{
-+    JSScript* script = frame.script();
-+    return CountArgSlots(script, frame.maybeCallee()) + script->nfixed();
-+}
-+
- static void
--CloseLiveIterator(JSContext* cx, const InlineFrameIterator& frame, uint32_t localSlot)
-+CloseLiveIterator(JSContext* cx, const InlineFrameIterator& frame, uint32_t stackSlot)
- {
-     SnapshotIterator si = frame.snapshotIterator();
- 
-     // Skip stack slots until we reach the iterator object.
--    uint32_t base = CountArgSlots(frame.script(), frame.maybeCallee()) + frame.script()->nfixed();
--    uint32_t skipSlots = base + localSlot - 1;
-+    uint32_t skipSlots = NumArgAndLocalSlots(frame) + stackSlot - 1;
- 
-     for (unsigned i = 0; i < skipSlots; i++)
-         si.skip();
-@@ -407,6 +413,11 @@ HandleExceptionIon(JSContext* cx, const InlineFrameIterator& frame, ResumeFromEx
-     if (!script->hasTrynotes())
-         return;
- 
-+    uint32_t base = NumArgAndLocalSlots(frame);
-+    SnapshotIterator si = frame.snapshotIterator();
-+    JS_ASSERT(si.numAllocations() >= base);
-+    const uint32_t stackDepth = si.numAllocations() - base;
-+
-     JSTryNote* tn = script->trynotes()->vector;
-     JSTryNote* tnEnd = tn + script->trynotes()->length;
- 
-@@ -417,6 +428,9 @@ HandleExceptionIon(JSContext* cx, const InlineFrameIterator& frame, ResumeFromEx
-         if (pcOffset >= tn->start + tn->length)
-             continue;
- 
-+        if (tn->stackDepth > stackDepth)
-+            continue;
-+
-         switch (tn->kind) {
-           case JSTRY_ITER: {
-             JS_ASSERT(JSOp(*(script->main() + tn->start + tn->length)) == JSOP_ENDITER);
--- 
-2.4.3
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-2728-pt1.patch b/gnu/packages/patches/icecat-CVE-2015-2728-pt1.patch
deleted file mode 100644
index 8bcae6177a..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-2728-pt1.patch
+++ /dev/null
@@ -1,95 +0,0 @@
-From 81ce99255a0ef65c98eaac300d90c1dc161efc54 Mon Sep 17 00:00:00 2001
-From: Ben Turner <bent.mozilla@gmail.com>
-Date: Tue, 9 Jun 2015 09:46:58 -0400
-Subject: [PATCH] Bug 1142210. r=khuey, a=dveditz CLOSED TREE
-
---HG--
-extra : amend_source : 5626188ba4b79f7c25286d4f29c63dc387e63c75
-extra : transplant_source : %F0%A1%D6F%E6%1B%1FJO%BFH%29%FFo%97%2A%89%03%ECm
----
- dom/indexedDB/IDBRequest.cpp             |  5 +++++
- dom/indexedDB/IDBRequest.h               |  3 +++
- dom/indexedDB/IndexedDatabaseManager.cpp | 22 +++++++++++++++++-----
- 3 files changed, 25 insertions(+), 5 deletions(-)
-
-diff --git a/dom/indexedDB/IDBRequest.cpp b/dom/indexedDB/IDBRequest.cpp
-index 36e8a96..695f2ee 100644
---- a/dom/indexedDB/IDBRequest.cpp
-+++ b/dom/indexedDB/IDBRequest.cpp
-@@ -35,6 +35,8 @@
- 
- namespace {
- 
-+NS_DEFINE_IID(kIDBRequestIID, PRIVATE_IDBREQUEST_IID);
-+
- #ifdef MOZ_ENABLE_PROFILER_SPS
- uint64_t gNextRequestSerialNumber = 1;
- #endif
-@@ -382,6 +384,9 @@ NS_IMPL_CYCLE_COLLECTION_TRACE_BEGIN_INHERITED(IDBRequest, IDBWrapperCache)
- NS_IMPL_CYCLE_COLLECTION_TRACE_END
- 
- NS_INTERFACE_MAP_BEGIN_CYCLE_COLLECTION_INHERITED(IDBRequest)
-+  if (aIID.Equals(kIDBRequestIID)) {
-+    foundInterface = this;
-+  } else
- NS_INTERFACE_MAP_END_INHERITING(IDBWrapperCache)
- 
- NS_IMPL_ADDREF_INHERITED(IDBRequest, IDBWrapperCache)
-diff --git a/dom/indexedDB/IDBRequest.h b/dom/indexedDB/IDBRequest.h
-index c835ae8..c8d1081 100644
---- a/dom/indexedDB/IDBRequest.h
-+++ b/dom/indexedDB/IDBRequest.h
-@@ -19,6 +19,9 @@
- 
- #include "mozilla/dom/indexedDB/IDBWrapperCache.h"
- 
-+#define PRIVATE_IDBREQUEST_IID \
-+  {0xe68901e5, 0x1d50, 0x4ee9, {0xaf, 0x49, 0x90, 0x99, 0x4a, 0xff, 0xc8, 0x39}}
-+
- class nsIScriptContext;
- class nsPIDOMWindow;
- 
-diff --git a/dom/indexedDB/IndexedDatabaseManager.cpp b/dom/indexedDB/IndexedDatabaseManager.cpp
-index 466d0ff..820dfa6 100644
---- a/dom/indexedDB/IndexedDatabaseManager.cpp
-+++ b/dom/indexedDB/IndexedDatabaseManager.cpp
-@@ -318,19 +318,31 @@ IndexedDatabaseManager::FireWindowOnError(nsPIDOMWindow* aOwner,
-     return NS_OK;
-   }
- 
-+  Event* internalEvent = aVisitor.mDOMEvent->InternalDOMEvent();
-+  MOZ_ASSERT(internalEvent);
-+
-+  if (!internalEvent->IsTrusted()) {
-+    return NS_OK;
-+  }
-+
-   nsString type;
--  nsresult rv = aVisitor.mDOMEvent->GetType(type);
-+  nsresult rv = internalEvent->GetType(type);
-   NS_ENSURE_SUCCESS(rv, rv);
- 
-   if (!type.EqualsLiteral(ERROR_EVT_STR)) {
-     return NS_OK;
-   }
- 
--  nsCOMPtr<EventTarget> eventTarget =
--    aVisitor.mDOMEvent->InternalDOMEvent()->GetTarget();
-+  nsCOMPtr<EventTarget> eventTarget = internalEvent->GetTarget();
-+  MOZ_ASSERT(eventTarget);
- 
--  IDBRequest* request = static_cast<IDBRequest*>(eventTarget.get());
--  NS_ENSURE_TRUE(request, NS_ERROR_UNEXPECTED);
-+  // Only mess with events that were originally targeted to an IDBRequest.
-+  nsRefPtr<IDBRequest> request;
-+  if (NS_FAILED(eventTarget->QueryInterface(kIDBRequestIID,
-+                                            getter_AddRefs(request))) ||
-+      !request) {
-+    return NS_OK;
-+  }
- 
-   ErrorResult ret;
-   nsRefPtr<DOMError> error = request->GetError(ret);
--- 
-2.4.3
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-2728-pt2.patch b/gnu/packages/patches/icecat-CVE-2015-2728-pt2.patch
deleted file mode 100644
index 5097cd0aef..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-2728-pt2.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From ecb3805b4425165d35b82874d4f9c55b75fb5390 Mon Sep 17 00:00:00 2001
-From: Ryan VanderMeulen <ryanvm@gmail.com>
-Date: Tue, 9 Jun 2015 12:12:13 -0400
-Subject: [PATCH] Bug 1142210 - Bustage follow-up on a CLOSED TREE.
-
---HG--
-extra : transplant_source : %06B%8EGN%40%985%DC%D5%0E%DD%13%29%8AC%BF%1A%BA%B6
----
- dom/indexedDB/IndexedDatabaseManager.cpp | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/dom/indexedDB/IndexedDatabaseManager.cpp b/dom/indexedDB/IndexedDatabaseManager.cpp
-index 820dfa6..eabfe09 100644
---- a/dom/indexedDB/IndexedDatabaseManager.cpp
-+++ b/dom/indexedDB/IndexedDatabaseManager.cpp
-@@ -108,6 +108,8 @@ END_INDEXEDDB_NAMESPACE
- 
- namespace {
- 
-+NS_DEFINE_IID(kIDBRequestIID, PRIVATE_IDBREQUEST_IID);
-+
- mozilla::StaticRefPtr<IndexedDatabaseManager> gDBManager;
- 
- mozilla::Atomic<bool> gInitialized(false);
--- 
-2.4.3
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-2733-pt1.patch b/gnu/packages/patches/icecat-CVE-2015-2733-pt1.patch
deleted file mode 100644
index 261d3e0e2c..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-2733-pt1.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From bfad3fb6fc3ab05819be144567ad99921c0c87be Mon Sep 17 00:00:00 2001
-From: Andrea Marchesini <amarchesini@mozilla.com>
-Date: Thu, 4 Jun 2015 15:04:09 +0100
-Subject: [PATCH] Bug 1169867 - nsXMLHttpRequest should use and free mProxy
- correctly. r=ehsan, a=abillings
-
---HG--
-extra : transplant_source : 7%D0%8A%F8G%3E%E3%D5%07%5B%7F%D4%2Ct%A6v%CCk%A1%F5
----
- dom/workers/XMLHttpRequest.cpp | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/dom/workers/XMLHttpRequest.cpp b/dom/workers/XMLHttpRequest.cpp
-index bf0cd3f..5690af5 100644
---- a/dom/workers/XMLHttpRequest.cpp
-+++ b/dom/workers/XMLHttpRequest.cpp
-@@ -1891,8 +1891,8 @@ XMLHttpRequest::Open(const nsACString& aMethod, const nsAString& aUrl,
- 
-   mProxy->mOpening = true;
-   if (!runnable->Dispatch(mWorkerPrivate->GetJSContext())) {
--    ReleaseProxy();
-     mProxy->mOpening = false;
-+    ReleaseProxy();
-     aRv.Throw(NS_ERROR_FAILURE);
-     return;
-   }
--- 
-2.4.3
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-2733-pt2.patch b/gnu/packages/patches/icecat-CVE-2015-2733-pt2.patch
deleted file mode 100644
index cc74a33871..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-2733-pt2.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 72cd6e97ae12b89659cd59788bad08cd2f514eff Mon Sep 17 00:00:00 2001
-From: Andrea Marchesini <amarchesini@mozilla.com>
-Date: Fri, 12 Jun 2015 10:06:19 -0400
-Subject: [PATCH] Bug 1169867 - XMLHttpRequest::SendInternal should not unpin
- itself when the worker goes away. r=bent, a=abillings
-
---HG--
-extra : transplant_source : %28%B3%BD%9D%E2p%F3%BE%94S%CCD%08%8B%07%8A%CC%17%B0%7B
----
- dom/workers/XMLHttpRequest.cpp | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/dom/workers/XMLHttpRequest.cpp b/dom/workers/XMLHttpRequest.cpp
-index 5690af5..d425eac 100644
---- a/dom/workers/XMLHttpRequest.cpp
-+++ b/dom/workers/XMLHttpRequest.cpp
-@@ -1829,6 +1829,11 @@ XMLHttpRequest::SendInternal(const nsAString& aStringBody,
-     new SendRunnable(mWorkerPrivate, mProxy, aStringBody, Move(aBody),
-                      aClonedObjects, syncLoopTarget, hasUploadListeners);
-   if (!runnable->Dispatch(cx)) {
-+    // Dispatch() may have spun the event loop and we may have already unrooted.
-+    // If so we don't want autoUnpin to try again.
-+    if (!mRooted) {
-+      autoUnpin.Clear();
-+    }
-     aRv.Throw(NS_ERROR_FAILURE);
-     return;
-   }
--- 
-2.4.3
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-2735.patch b/gnu/packages/patches/icecat-CVE-2015-2735.patch
deleted file mode 100644
index fd39bde113..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-2735.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From 8c8a52d7c05d75c3c608e4deed4bb33ab90883b0 Mon Sep 17 00:00:00 2001
-From: Andrea Marchesini <amarchesini@mozilla.com>
-Date: Thu, 4 Jun 2015 15:04:10 +0100
-Subject: [PATCH] Bug 1166900 - Better string length check in
- nsZipArchive::GetDataOffset. r+a=dveditz
-
----
- dom/file/ArchiveZipFile.cpp     |  6 ++++--
- modules/libjar/nsZipArchive.cpp | 15 +++++++++------
- 2 files changed, 13 insertions(+), 8 deletions(-)
-
-diff --git a/dom/file/ArchiveZipFile.cpp b/dom/file/ArchiveZipFile.cpp
-index c206b64..d28b5ba 100644
---- a/dom/file/ArchiveZipFile.cpp
-+++ b/dom/file/ArchiveZipFile.cpp
-@@ -102,7 +102,8 @@ ArchiveInputStream::Init()
-   uint32_t offset = ArchiveZipItem::StrToInt32(mCentral.localhdr_offset);
- 
-   // The file is corrupt
--  if (offset + ZIPLOCAL_SIZE > mData.parentSize) {
-+  if (mData.parentSize < ZIPLOCAL_SIZE ||
-+      offset > mData.parentSize - ZIPLOCAL_SIZE) {
-     return NS_ERROR_UNEXPECTED;
-   }
- 
-@@ -137,7 +138,8 @@ ArchiveInputStream::Init()
-             ArchiveZipItem::StrToInt16(local.extrafield_len);
- 
-   // The file is corrupt if there is not enough data
--  if (offset + mData.sizeToBeRead > mData.parentSize) {
-+  if (mData.parentSize < mData.sizeToBeRead ||
-+      offset > mData.parentSize - mData.sizeToBeRead) {
-     return NS_ERROR_UNEXPECTED;
-   }
- 
-diff --git a/modules/libjar/nsZipArchive.cpp b/modules/libjar/nsZipArchive.cpp
-index f8af715..5ec8225 100644
---- a/modules/libjar/nsZipArchive.cpp
-+++ b/modules/libjar/nsZipArchive.cpp
-@@ -637,18 +637,20 @@ MOZ_WIN_MEM_TRY_BEGIN
-     uint16_t namelen = xtoint(central->filename_len);
-     uint16_t extralen = xtoint(central->extrafield_len);
-     uint16_t commentlen = xtoint(central->commentfield_len);
--
--    // Point to the next item at the top of loop
--    buf += ZIPCENTRAL_SIZE + namelen + extralen + commentlen;
-+    uint32_t diff = ZIPCENTRAL_SIZE + namelen + extralen + commentlen;
- 
-     // Sanity check variable sizes and refuse to deal with
-     // anything too big: it's likely a corrupt archive.
-     if (namelen < 1 ||
-         namelen > kMaxNameLength ||
--        buf >= endp) {
-+        buf >= buf + diff || // No overflow
-+        buf >= endp - diff) {
-       return NS_ERROR_FILE_CORRUPTED;
-     }
- 
-+    // Point to the next item at the top of loop
-+    buf += diff;
-+
-     nsZipItem* item = CreateZipItem();
-     if (!item)
-       return NS_ERROR_OUT_OF_MEMORY;
-@@ -779,7 +781,7 @@ MOZ_WIN_MEM_TRY_BEGIN
-   uint32_t len = mFd->mLen;
-   const uint8_t* data = mFd->mFileData;
-   uint32_t offset = aItem->LocalOffset();
--  if (offset + ZIPLOCAL_SIZE > len)
-+  if (len < ZIPLOCAL_SIZE || offset > len - ZIPLOCAL_SIZE)
-     return nullptr;
- 
-   // -- check signature before using the structure, in case the zip file is corrupt
-@@ -795,7 +797,8 @@ MOZ_WIN_MEM_TRY_BEGIN
-             xtoint(Local->extrafield_len);
- 
-   // -- check if there is enough source data in the file
--  if (offset + aItem->Size() > len)
-+  if (len < aItem->Size() ||
-+      offset > len - aItem->Size())
-     return nullptr;
- 
-   return data + offset;
--- 
-2.4.3
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-2736.patch b/gnu/packages/patches/icecat-CVE-2015-2736.patch
deleted file mode 100644
index a59cc64d10..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-2736.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 6daa986c7fdf27835a0f5d897c88f6b8dc42b8db Mon Sep 17 00:00:00 2001
-From: Andrea Marchesini <amarchesini@mozilla.com>
-Date: Thu, 4 Jun 2015 15:04:10 +0100
-Subject: [PATCH] Bug 1167888 - Better string length check in
- nsZipArchive::BuildFileList. r=smaug, a=dveditz
-
---HG--
-extra : transplant_source : %5E6%3E%84%B6a%7F%1F%D21zGc%BD%E1%80%EF%0C%B5%F0
----
- modules/libjar/nsZipArchive.cpp | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/modules/libjar/nsZipArchive.cpp b/modules/libjar/nsZipArchive.cpp
-index cb3e5d0..f8af715 100644
---- a/modules/libjar/nsZipArchive.cpp
-+++ b/modules/libjar/nsZipArchive.cpp
-@@ -617,8 +617,13 @@ MOZ_WIN_MEM_TRY_BEGIN
-   if (!centralOffset)
-     return NS_ERROR_FILE_CORRUPTED;
- 
--  //-- Read the central directory headers
-   buf = startp + centralOffset;
-+
-+  // avoid overflow of startp + centralOffset.
-+  if (buf < startp)
-+    return NS_ERROR_FILE_CORRUPTED;
-+
-+  //-- Read the central directory headers
-   uint32_t sig = 0;
-   while (buf + int32_t(sizeof(uint32_t)) <= endp &&
-          (sig = xtolong(buf)) == CENTRALSIG) {
--- 
-2.4.3
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-2738.patch b/gnu/packages/patches/icecat-CVE-2015-2738.patch
deleted file mode 100644
index beb784c615..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-2738.patch
+++ /dev/null
@@ -1,151 +0,0 @@
-From cda807c21650d0678761d6af8fd324ce622962d6 Mon Sep 17 00:00:00 2001
-From: Andrew Comminos <acomminos@mozilla.com>
-Date: Fri, 19 Jun 2015 11:32:17 -0400
-Subject: [PATCH] Bug 1167356 - Handle return value of DataSourceSurface::Map
- wherever possible. r=Bas, a=abillings CLOSED TREE
-
----
- gfx/2d/SourceSurfaceD2D1.cpp            | 11 +++++++++--
- gfx/gl/GLScreenBuffer.cpp               |  5 ++++-
- gfx/gl/SharedSurfaceGL.cpp              |  5 ++++-
- gfx/layers/YCbCrImageDataSerializer.cpp |  4 +++-
- gfx/layers/opengl/CompositorOGL.cpp     |  6 +++++-
- gfx/thebes/gfxPlatform.cpp              |  6 ++++--
- widget/gtk/nsImageToPixbuf.cpp          |  4 +++-
- 7 files changed, 32 insertions(+), 9 deletions(-)
-
-diff --git a/gfx/2d/SourceSurfaceD2D1.cpp b/gfx/2d/SourceSurfaceD2D1.cpp
-index fc64327..01f3a67 100644
---- a/gfx/2d/SourceSurfaceD2D1.cpp
-+++ b/gfx/2d/SourceSurfaceD2D1.cpp
-@@ -5,6 +5,7 @@
- 
- #include "SourceSurfaceD2D1.h"
- #include "DrawTargetD2D1.h"
-+#include "Logging.h"
- #include "Tools.h"
- 
- namespace mozilla {
-@@ -156,7 +157,10 @@ DataSourceSurfaceD2D1::Map(MapType aMapType, MappedSurface *aMappedSurface)
-   }
- 
-   D2D1_MAPPED_RECT map;
--  mBitmap->Map(D2D1_MAP_OPTIONS_READ, &map);
-+  if (FAILED(mBitmap->Map(D2D1_MAP_OPTIONS_READ, &map))) {
-+    gfxCriticalError() << "Failed to map bitmap.";
-+    return false;
-+  }
-   aMappedSurface->mData = map.bits;
-   aMappedSurface->mStride = map.pitch;
- 
-@@ -189,7 +193,10 @@ DataSourceSurfaceD2D1::EnsureMapped()
-   if (mMapped) {
-     return;
-   }
--  mBitmap->Map(D2D1_MAP_OPTIONS_READ, &mMap);
-+  if (FAILED(mBitmap->Map(D2D1_MAP_OPTIONS_READ, &mMap))) {
-+    gfxCriticalError() << "Failed to map bitmap.";
-+    return;
-+  }
-   mMapped = true;
- }
- 
-diff --git a/gfx/gl/GLScreenBuffer.cpp b/gfx/gl/GLScreenBuffer.cpp
-index 432bdbc..d31e848 100755
---- a/gfx/gl/GLScreenBuffer.cpp
-+++ b/gfx/gl/GLScreenBuffer.cpp
-@@ -483,7 +483,10 @@ GLScreenBuffer::Readback(SharedSurface_GL* src, DataSourceSurface* dest)
- {
-   MOZ_ASSERT(src && dest);
-   DataSourceSurface::MappedSurface ms;
--  dest->Map(DataSourceSurface::MapType::READ, &ms);
-+  if (!dest->Map(DataSourceSurface::MapType::READ, &ms)) {
-+    NS_ERROR("Failed to map surface for reading.");
-+    return;
-+  }
-   nsRefPtr<gfxImageSurface> wrappedDest =
-     new gfxImageSurface(ms.mData,
-                         ThebesIntSize(dest->GetSize()),
-diff --git a/gfx/gl/SharedSurfaceGL.cpp b/gfx/gl/SharedSurfaceGL.cpp
-index 1aab56f..1f80c28 100644
---- a/gfx/gl/SharedSurfaceGL.cpp
-+++ b/gfx/gl/SharedSurfaceGL.cpp
-@@ -326,7 +326,10 @@ SharedSurface_Basic::Fence()
-     ScopedBindFramebuffer autoFB(mGL, mFB);
- 
-     DataSourceSurface::MappedSurface map;
--    mData->Map(DataSourceSurface::MapType::WRITE, &map);
-+    if (!mData->Map(DataSourceSurface::MapType::WRITE, &map)) {
-+      NS_ERROR("Failed to map surface for writing.");
-+      return;
-+    }
-     nsRefPtr<gfxImageSurface> wrappedData =
-       new gfxImageSurface(map.mData,
-                           ThebesIntSize(mData->GetSize()),
-diff --git a/gfx/layers/YCbCrImageDataSerializer.cpp b/gfx/layers/YCbCrImageDataSerializer.cpp
-index e16db18..6e7a908 100644
---- a/gfx/layers/YCbCrImageDataSerializer.cpp
-+++ b/gfx/layers/YCbCrImageDataSerializer.cpp
-@@ -278,7 +278,9 @@ YCbCrImageDataDeserializer::ToDataSourceSurface()
-     Factory::CreateDataSourceSurface(GetYSize(), gfx::SurfaceFormat::B8G8R8X8);
- 
-   DataSourceSurface::MappedSurface map;
--  result->Map(DataSourceSurface::MapType::WRITE, &map);
-+  if (NS_WARN_IF(!result->Map(DataSourceSurface::MapType::WRITE, &map))) {
-+    return nullptr;
-+  }
- 
-   gfx::ConvertYCbCrToRGB32(GetYData(), GetCbData(), GetCrData(),
-                            map.mData,
-diff --git a/gfx/layers/opengl/CompositorOGL.cpp b/gfx/layers/opengl/CompositorOGL.cpp
-index 92432c3..2e0b51e 100644
---- a/gfx/layers/opengl/CompositorOGL.cpp
-+++ b/gfx/layers/opengl/CompositorOGL.cpp
-@@ -1346,7 +1346,11 @@ CompositorOGL::CopyToTarget(DrawTarget *aTarget, const gfx::Matrix& aTransform)
-         Factory::CreateDataSourceSurface(rect.Size(), gfx::SurfaceFormat::B8G8R8A8);
- 
-   DataSourceSurface::MappedSurface map;
--  source->Map(DataSourceSurface::MapType::WRITE, &map);
-+  if (!source->Map(DataSourceSurface::MapType::WRITE, &map)) {
-+    NS_ERROR("Failed to map surface for writing!");
-+    return;
-+  }
-+
-   // XXX we should do this properly one day without using the gfxImageSurface
-   nsRefPtr<gfxImageSurface> surf =
-     new gfxImageSurface(map.mData,
-diff --git a/gfx/thebes/gfxPlatform.cpp b/gfx/thebes/gfxPlatform.cpp
-index c869e53..8a2122c 100644
---- a/gfx/thebes/gfxPlatform.cpp
-+++ b/gfx/thebes/gfxPlatform.cpp
-@@ -662,8 +662,10 @@ CopySurface(gfxASurface* aSurface)
-   }
- 
-   DataSourceSurface::MappedSurface map;
--  DebugOnly<bool> result = data->Map(DataSourceSurface::WRITE, &map);
--  MOZ_ASSERT(result, "Should always succeed mapping raw data surfaces!");
-+  if (!data->Map(DataSourceSurface::WRITE, &map)) {
-+    NS_ERROR("Failed to map surface for reading!");
-+    return nullptr;
-+  }
- 
-   nsRefPtr<gfxImageSurface> image = new gfxImageSurface(map.mData, size, map.mStride, format);
-   nsRefPtr<gfxContext> ctx = new gfxContext(image);
-diff --git a/widget/gtk/nsImageToPixbuf.cpp b/widget/gtk/nsImageToPixbuf.cpp
-index ca05b3b..a83a570 100644
---- a/widget/gtk/nsImageToPixbuf.cpp
-+++ b/widget/gtk/nsImageToPixbuf.cpp
-@@ -75,7 +75,9 @@ nsImageToPixbuf::SourceSurfaceToPixbuf(SourceSurface* aSurface,
- 
-     RefPtr<DataSourceSurface> dataSurface = aSurface->GetDataSurface();
-     DataSourceSurface::MappedSurface map;
--    dataSurface->Map(DataSourceSurface::MapType::READ, &map);
-+    if (!dataSurface->Map(DataSourceSurface::MapType::READ, &map))
-+        return nullptr;
-+
-     uint8_t* srcData = map.mData;
-     int32_t srcStride = map.mStride;
- 
--- 
-2.4.3
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-2739.patch b/gnu/packages/patches/icecat-CVE-2015-2739.patch
deleted file mode 100644
index 9f70db8cf9..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-2739.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From 55d0298956b8a3cfbd5b70fe32fb07e120d364c2 Mon Sep 17 00:00:00 2001
-From: Boris Zbarsky <bzbarsky@mit.edu>
-Date: Mon, 1 Jun 2015 16:59:26 -0700
-Subject: [PATCH] Bug 1168207. Be a bit more careful with overflow checking in
- XHR. r=baku a=lizzard
-
----
- content/base/src/nsXMLHttpRequest.cpp | 25 +++++++++++++++----------
- 1 file changed, 15 insertions(+), 10 deletions(-)
-
-diff --git a/content/base/src/nsXMLHttpRequest.cpp b/content/base/src/nsXMLHttpRequest.cpp
-index 58a9ee0..56d1aa3 100644
---- a/content/base/src/nsXMLHttpRequest.cpp
-+++ b/content/base/src/nsXMLHttpRequest.cpp
-@@ -7,6 +7,7 @@
- #include "nsXMLHttpRequest.h"
- 
- #include "mozilla/ArrayUtils.h"
-+#include "mozilla/CheckedInt.h"
- #include "mozilla/dom/XMLHttpRequestUploadBinding.h"
- #include "mozilla/EventDispatcher.h"
- #include "mozilla/EventListenerManager.h"
-@@ -3897,26 +3898,30 @@ bool
- ArrayBufferBuilder::append(const uint8_t *aNewData, uint32_t aDataLen,
-                            uint32_t aMaxGrowth)
- {
-+  CheckedUint32 neededCapacity = mLength;
-+  neededCapacity += aDataLen;
-+  if (!neededCapacity.isValid()) {
-+    return false;
-+  }
-   if (mLength + aDataLen > mCapacity) {
--    uint32_t newcap;
-+    CheckedUint32 newcap = mCapacity;
-     // Double while under aMaxGrowth or if not specified.
-     if (!aMaxGrowth || mCapacity < aMaxGrowth) {
--      newcap = mCapacity * 2;
-+      newcap *= 2;
-     } else {
--      newcap = mCapacity + aMaxGrowth;
-+      newcap += aMaxGrowth;
-     }
- 
--    // But make sure there's always enough to satisfy our request.
--    if (newcap < mLength + aDataLen) {
--      newcap = mLength + aDataLen;
-+    if (!newcap.isValid()) {
-+      return false;
-     }
- 
--    // Did we overflow?
--    if (newcap < mCapacity) {
--      return false;
-+    // But make sure there's always enough to satisfy our request.
-+    if (newcap.value() < neededCapacity.value()) {
-+      newcap = neededCapacity;
-     }
- 
--    if (!setCapacity(newcap)) {
-+    if (!setCapacity(newcap.value())) {
-       return false;
-     }
-   }
--- 
-2.4.3
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-2740.patch b/gnu/packages/patches/icecat-CVE-2015-2740.patch
deleted file mode 100644
index caafa52a23..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-2740.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From ccbae7ff07c2e72c48e0676adaa3e798990f33a1 Mon Sep 17 00:00:00 2001
-From: Andrea Marchesini <amarchesini@mozilla.com>
-Date: Tue, 23 Jun 2015 10:47:38 -0400
-Subject: [PATCH] Bug 1170809 - Improve the buffer size check in
- nsXMLHttpRequest::AppendToResponseText. r=ehsan, r=bz, a=abillings
-
----
- content/base/src/nsXMLHttpRequest.cpp | 15 +++++++++++----
- 1 file changed, 11 insertions(+), 4 deletions(-)
-
-diff --git a/content/base/src/nsXMLHttpRequest.cpp b/content/base/src/nsXMLHttpRequest.cpp
-index 56d1aa3..86425d7 100644
---- a/content/base/src/nsXMLHttpRequest.cpp
-+++ b/content/base/src/nsXMLHttpRequest.cpp
-@@ -655,13 +655,18 @@ nsXMLHttpRequest::AppendToResponseText(const char * aSrcBuffer,
-                                        &destBufferLen);
-   NS_ENSURE_SUCCESS(rv, rv);
- 
--  if (!mResponseText.SetCapacity(mResponseText.Length() + destBufferLen, fallible_t())) {
-+  uint32_t size = mResponseText.Length() + destBufferLen;
-+  if (size < (uint32_t)destBufferLen) {
-+    return NS_ERROR_OUT_OF_MEMORY;
-+  }
-+
-+  if (!mResponseText.SetCapacity(size, fallible_t())) {
-     return NS_ERROR_OUT_OF_MEMORY;
-   }
- 
-   char16_t* destBuffer = mResponseText.BeginWriting() + mResponseText.Length();
- 
--  int32_t totalChars = mResponseText.Length();
-+  CheckedInt32 totalChars = mResponseText.Length();
- 
-   // This code here is basically a copy of a similar thing in
-   // nsScanner::Append(const char* aBuffer, uint32_t aLen).
-@@ -674,9 +679,11 @@ nsXMLHttpRequest::AppendToResponseText(const char * aSrcBuffer,
-   MOZ_ASSERT(NS_SUCCEEDED(rv));
- 
-   totalChars += destlen;
-+  if (!totalChars.isValid()) {
-+    return NS_ERROR_OUT_OF_MEMORY;
-+  }
- 
--  mResponseText.SetLength(totalChars);
--
-+  mResponseText.SetLength(totalChars.value());
-   return NS_OK;
- }
- 
--- 
-2.4.3
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-2743.patch b/gnu/packages/patches/icecat-CVE-2015-2743.patch
deleted file mode 100644
index a74fe7b270..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-2743.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From 9ed97d606aaaf79776b0e19a73ba30d8ad0685b5 Mon Sep 17 00:00:00 2001
-From: Ben Turner <bent.mozilla@gmail.com>
-Date: Tue, 26 May 2015 17:27:01 -0400
-Subject: [PATCH] Bug 1163109 - Restrict the resource:// weirdness in workers
- to loads from a system principal. r=bzbarsky, a=lizzard
-
---HG--
-extra : transplant_source : sQUdu%7C%ED%84%CA%5B%91%89/%1B2%25%CFY%B0%C3
----
- dom/workers/ScriptLoader.cpp | 37 ++++++++++++++++---------------------
- 1 file changed, 16 insertions(+), 21 deletions(-)
-
-diff --git a/dom/workers/ScriptLoader.cpp b/dom/workers/ScriptLoader.cpp
-index 0dfe625..3335c3e 100644
---- a/dom/workers/ScriptLoader.cpp
-+++ b/dom/workers/ScriptLoader.cpp
-@@ -509,22 +509,6 @@ private:
-       rv = ssm->GetChannelPrincipal(channel, getter_AddRefs(channelPrincipal));
-       NS_ENSURE_SUCCESS(rv, rv);
- 
--      // See if this is a resource URI. Since JSMs usually come from resource://
--      // URIs we're currently considering all URIs with the URI_IS_UI_RESOURCE
--      // flag as valid for creating privileged workers.
--      if (!nsContentUtils::IsSystemPrincipal(channelPrincipal)) {
--        bool isResource;
--        rv = NS_URIChainHasFlags(finalURI,
--                                 nsIProtocolHandler::URI_IS_UI_RESOURCE,
--                                 &isResource);
--        NS_ENSURE_SUCCESS(rv, rv);
--
--        if (isResource) {
--          rv = ssm->GetSystemPrincipal(getter_AddRefs(channelPrincipal));
--          NS_ENSURE_SUCCESS(rv, rv);
--        }
--      }
--
-       // If the load principal is the system principal then the channel
-       // principal must also be the system principal (we do not allow chrome
-       // code to create workers with non-chrome scripts). Otherwise this channel
-@@ -532,14 +516,25 @@ private:
-       // here in case redirects changed the location of the script).
-       if (nsContentUtils::IsSystemPrincipal(loadPrincipal)) {
-         if (!nsContentUtils::IsSystemPrincipal(channelPrincipal)) {
--          return NS_ERROR_DOM_BAD_URI;
-+          // See if this is a resource URI. Since JSMs usually come from
-+          // resource:// URIs we're currently considering all URIs with the
-+          // URI_IS_UI_RESOURCE flag as valid for creating privileged workers.
-+          bool isResource;
-+          rv = NS_URIChainHasFlags(finalURI,
-+                                   nsIProtocolHandler::URI_IS_UI_RESOURCE,
-+                                   &isResource);
-+          NS_ENSURE_SUCCESS(rv, rv);
-+
-+          if (isResource) {
-+            // Assign the system principal to the resource:// worker only if it
-+            // was loaded from code using the system principal.
-+            channelPrincipal = loadPrincipal;
-+          } else {
-+            return NS_ERROR_DOM_BAD_URI;
-+          }
-         }
-       }
-       else  {
--        nsCString scheme;
--        rv = finalURI->GetScheme(scheme);
--        NS_ENSURE_SUCCESS(rv, rv);
--
-         // We exempt data urls and other URI's that inherit their
-         // principal again.
-         if (NS_FAILED(loadPrincipal->CheckMayLoad(finalURI, false, true))) {
--- 
-2.4.3
-
diff --git a/gnu/packages/patches/icecat-enable-acceleration-and-webgl.patch b/gnu/packages/patches/icecat-enable-acceleration-and-webgl.patch
new file mode 100644
index 0000000000..3d3c4c592a
--- /dev/null
+++ b/gnu/packages/patches/icecat-enable-acceleration-and-webgl.patch
@@ -0,0 +1,12 @@
+Re-enable hardware acceleration and WebGL.
+
+--- icecat-31.8.0/browser/app/profile/icecat.js.orig	2015-07-13 18:14:27.000000000 -0400
++++ icecat-31.8.0/browser/app/profile/icecat.js	2015-07-15 13:55:39.273124982 -0400
+@@ -1756,7 +1756,3 @@
+ pref("security.ssl3.dhe_rsa_aes_256_sha", false);
+ pref("security.ssl3.dhe_dss_aes_128_sha", false);
+ pref("security.ssl3.dhe_rsa_des_ede3_sha", false);
+-
+-// Disable hardware acceleration and WebGL
+-pref("layers.acceleration.disabled", true);
+-pref("webgl.disabled", true);