Update NSS to 3.41

nsprpub/pr/tests/abstract.c

@@ -0,0 +1,157 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include <stdio.h>
+
+#if defined(LINUX)
+
+#include <string.h>
+#include "nspr.h"
+
+static const char abstractSocketName[] = "\0testsocket";
+
+static void
+ClientThread(void* aArg)
+{
+  PRFileDesc* socket;
+  PRNetAddr addr;
+  PRUint8 buf[1024];
+  PRInt32 len;
+  PRInt32 total;
+
+  addr.local.family = PR_AF_LOCAL;
+  memcpy(addr.local.path, abstractSocketName, sizeof(abstractSocketName));
+
+  socket = PR_OpenTCPSocket(addr.raw.family);
+  if (!socket) {
+    fprintf(stderr, "PR_OpenTCPSokcet failed\n");
+    exit(1);
+  }
+
+  if (PR_Connect(socket, &addr, PR_INTERVAL_NO_TIMEOUT) == PR_FAILURE) {
+    fprintf(stderr, "PR_Connect failed\n");
+    exit(1);
+  }
+
+  total = 0;
+  while (total < sizeof(buf)) {
+    len = PR_Recv(socket, buf + total, sizeof(buf) - total, 0,
+                  PR_INTERVAL_NO_TIMEOUT);
+    if (len < 1) {
+      fprintf(stderr, "PR_Recv failed\n");
+      exit(1);
+    }
+    total += len;
+  }
+
+  total = 0;
+  while (total < sizeof(buf)) {
+    len = PR_Send(socket, buf + total, sizeof(buf) - total, 0,
+                  PR_INTERVAL_NO_TIMEOUT);
+    if (len < 1) {
+      fprintf(stderr, "PR_Send failed\n");
+      exit(1);
+    }
+    total += len;
+  }
+
+  if (PR_Close(socket) == PR_FAILURE) {
+    fprintf(stderr, "PR_Close failed\n");
+    exit(1);
+  }
+}
+
+int
+main()
+{
+  PRFileDesc* socket;
+  PRFileDesc* acceptSocket;
+  PRThread* thread;
+  PRNetAddr addr;
+  PRUint8 buf[1024];
+  PRInt32 len;
+  PRInt32 total;
+
+  addr.local.family = PR_AF_LOCAL;
+  memcpy(addr.local.path, abstractSocketName, sizeof(abstractSocketName));
+
+  socket = PR_OpenTCPSocket(addr.raw.family);
+  if (!socket) {
+    fprintf(stderr, "PR_OpenTCPSocket failed\n");
+    exit(1);
+  }
+  if (PR_Bind(socket, &addr) == PR_FAILURE) {
+    fprintf(stderr, "PR_Bind failed\n");
+    exit(1);
+  }
+
+  if (PR_Listen(socket, 5) == PR_FAILURE) {
+    fprintf(stderr, "PR_Listen failed\n");
+    exit(1);
+  }
+
+  thread = PR_CreateThread(PR_USER_THREAD, ClientThread, 0, PR_PRIORITY_NORMAL,
+                           PR_GLOBAL_THREAD, PR_JOINABLE_THREAD, 0);
+  if (!thread) {
+    fprintf(stderr, "PR_CreateThread failed");
+    exit(1);
+  }
+
+  acceptSocket  = PR_Accept(socket, NULL, PR_INTERVAL_NO_TIMEOUT);
+  if (!acceptSocket) {
+    fprintf(stderr, "PR_Accept failed\n");
+    exit(1);
+  }
+
+  memset(buf, 'A', sizeof(buf));
+
+  total = 0;
+  while (total < sizeof(buf)) {
+    len = PR_Send(acceptSocket, buf + total, sizeof(buf) - total, 0,
+                  PR_INTERVAL_NO_TIMEOUT);
+    if (len < 1) {
+      fprintf(stderr, "PR_Send failed\n");
+      exit(1);
+    }
+    total += len;
+  }
+
+  total = 0;
+  while (total < sizeof(buf)) {
+    len = PR_Recv(acceptSocket, buf + total, sizeof(buf) - total, 0,
+                  PR_INTERVAL_NO_TIMEOUT);
+    if (len < 1) {
+      fprintf(stderr, "PR_Recv failed\n");
+      exit(1);
+    }
+    total += len;
+  }
+
+  if (PR_Close(acceptSocket) == PR_FAILURE) {
+    fprintf(stderr, "PR_Close failed\n");
+    exit(1);
+  }
+
+  if (PR_JoinThread(thread) == PR_FAILURE) {
+    fprintf(stderr, "PR_JoinThread failed\n");
+    exit(1);
+  }
+
+  if (PR_Close(socket) == PR_FAILURE) {
+    fprintf(stderr, "PR_Close failed\n");
+    exit(1);
+  }
+  printf("PASS\n");
+  return 0;
+}
+
+#else
+int
+main()
+{
+  prinf("PASS\n");
+  return 0;
+}
+#endif

old-configure.in

@@ -2049,7 +2049,7 @@ MOZ_ARG_WITH_BOOL(system-nss,
     _USE_SYSTEM_NSS=1 )
 
 if test -n "$_USE_SYSTEM_NSS"; then
-    AM_PATH_NSS(3.38, [MOZ_SYSTEM_NSS=1], [AC_MSG_ERROR([you don't have NSS installed or your version is too old])])
+    AM_PATH_NSS(3.41, [MOZ_SYSTEM_NSS=1], [AC_MSG_ERROR([you don't have NSS installed or your version is too old])])
 fi
 
 if test -z "$MOZ_SYSTEM_NSS"; then

security/nss/TAG-INFO

@@ -1 +0,0 @@
-NSS_3_38_RTM

security/nss/automation/abi-check/expected-report-libnss3.so.txt

@@ -0,0 +1,18 @@
+
+1 function with some indirect sub-type change:
+
+  [C]'function SECStatus CERT_AddOCSPAcceptableResponses(CERTOCSPRequest*, SECOidTag, ...)' at ocsp.c:2203:1 has some indirect sub-type changes:
+    parameter 2 of type 'typedef SECOidTag' has sub-type changes:
+      underlying type 'enum __anonymous_enum__' at secoidt.h:34:1 changed:
+        type size hasn't changed
+        4 enumerator insertions:
+          '__anonymous_enum__::SEC_OID_X509_ANY_EXT_KEY_USAGE' value '357'
+          '__anonymous_enum__::SEC_OID_EXT_KEY_USAGE_IPSEC_IKE' value '358'
+          '__anonymous_enum__::SEC_OID_IPSEC_IKE_END' value '359'
+          '__anonymous_enum__::SEC_OID_IPSEC_IKE_INTERMEDIATE' value '360'
+
+        1 enumerator change:
+          '__anonymous_enum__::SEC_OID_TOTAL' from value '357' to '361' at secoidt.h:34:1
+
+
+

security/nss/automation/abi-check/expected-report-libnssutil3.so.txt

@@ -1,4 +1,18 @@
 
-1 Added function:
+1 function with some indirect sub-type change:
+
+  [C]'function SECStatus NSS_GetAlgorithmPolicy(SECOidTag, PRUint32*)' at secoid.c:2217:1 has some indirect sub-type changes:
+    parameter 1 of type 'typedef SECOidTag' has sub-type changes:
+      underlying type 'enum __anonymous_enum__' at secoidt.h:34:1 changed:
+        type size hasn't changed
+        4 enumerator insertions:
+          '__anonymous_enum__::SEC_OID_X509_ANY_EXT_KEY_USAGE' value '357'
+          '__anonymous_enum__::SEC_OID_EXT_KEY_USAGE_IPSEC_IKE' value '358'
+          '__anonymous_enum__::SEC_OID_IPSEC_IKE_END' value '359'
+          '__anonymous_enum__::SEC_OID_IPSEC_IKE_INTERMEDIATE' value '360'
+
+        1 enumerator change:
+          '__anonymous_enum__::SEC_OID_TOTAL' from value '357' to '361' at secoidt.h:34:1
+
+
 
-  'function SECStatus SECITEM_MakeItem(PLArenaPool*, SECItem*, unsigned char*, unsigned int)'    {SECITEM_MakeItem@@NSSUTIL_3.38}

security/nss/automation/abi-check/expected-report-libsmime3.so.txt

@@ -0,0 +1,48 @@
+
+1 function with some indirect sub-type change:
+
+  [C]'function PK11SymKey* NSS_CMSContentInfo_GetBulkKey(NSSCMSContentInfo*)' at cmscinfo.c:363:1 has some indirect sub-type changes:
+    parameter 1 of type 'NSSCMSContentInfo*' has sub-type changes:
+      in pointed to type 'typedef NSSCMSContentInfo' at cmst.h:54:1:
+        underlying type 'struct NSSCMSContentInfoStr' at cmst.h:126:1 changed:
+          type size hasn't changed
+          1 data member changes (2 filtered):
+           type of 'NSSCMSContent NSSCMSContentInfoStr::content' changed:
+             underlying type 'union NSSCMSContentUnion' at cmst.h:113:1 changed:
+               type size hasn't changed
+               1 data member changes (3 filtered):
+                type of 'NSSCMSEncryptedData* NSSCMSContentUnion::encryptedData' changed:
+                  in pointed to type 'typedef NSSCMSEncryptedData' at cmst.h:65:1:
+                    underlying type 'struct NSSCMSEncryptedDataStr' at cmst.h:463:1 changed:
+                      type size hasn't changed
+                      1 data member changes (1 filtered):
+                       type of 'NSSCMSAttribute** NSSCMSEncryptedDataStr::unprotectedAttr' changed:
+                         in pointed to type 'NSSCMSAttribute*':
+                           in pointed to type 'typedef NSSCMSAttribute' at cmst.h:69:1:
+                             underlying type 'struct NSSCMSAttributeStr' at cmst.h:482:1 changed:
+                               type size hasn't changed
+                               1 data member change:
+                                type of 'SECOidData* NSSCMSAttributeStr::typeTag' changed:
+                                  in pointed to type 'typedef SECOidData' at secoidt.h:16:1:
+                                    underlying type 'struct SECOidDataStr' at secoidt.h:513:1 changed:
+                                      type size hasn't changed
+                                      1 data member change:
+                                       type of 'SECOidTag SECOidDataStr::offset' changed:
+                                         underlying type 'enum __anonymous_enum__' at secoidt.h:34:1 changed:
+                                           type size hasn't changed
+                                           4 enumerator insertions:
+                                             '__anonymous_enum__::SEC_OID_X509_ANY_EXT_KEY_USAGE' value '357'
+                                             '__anonymous_enum__::SEC_OID_EXT_KEY_USAGE_IPSEC_IKE' value '358'
+                                             '__anonymous_enum__::SEC_OID_IPSEC_IKE_END' value '359'
+                                             '__anonymous_enum__::SEC_OID_IPSEC_IKE_INTERMEDIATE' value '360'
+
+                                           1 enumerator change:
+                                             '__anonymous_enum__::SEC_OID_TOTAL' from value '357' to '361' at secoidt.h:34:1
+
+
+
+
+
+
+
+

security/nss/automation/abi-check/previous-nss-release

@@ -1 +1 @@
-NSS_3_37_BRANCH
+NSS_3_40_BRANCH

security/nss/automation/clang-format/Dockerfile

@@ -1,26 +1,35 @@
-FROM ubuntu:16.04
-MAINTAINER Franziskus Kiefer <franziskuskiefer@gmail.com>
+# Minimal image with clang-format 3.9.
+FROM ubuntu:18.04
+LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>"
 
-RUN useradd -d /home/worker -s /bin/bash -m worker
-WORKDIR /home/worker
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+    ca-certificates \
+    clang-format-3.9 \
+    locales \
+    mercurial \
+ && rm -rf /var/lib/apt/lists/* \
+ && apt-get autoremove -y && apt-get clean -y
 
-# Install dependencies.
-ADD setup.sh /tmp/setup.sh
-RUN bash /tmp/setup.sh
+RUN update-alternatives --install /usr/bin/clang-format \
+    clang-format $(which clang-format-3.9) 10
 
-# Change user.
-USER worker
-
-# Env variables.
-ENV HOME /home/worker
 ENV SHELL /bin/bash
 ENV USER worker
-ENV LOGNAME worker
+ENV LOGNAME $USER
+ENV HOME /home/$USER
 ENV HOSTNAME taskcluster-worker
 ENV LANG en_US.UTF-8
-ENV LC_ALL en_US.UTF-8
+ENV LC_ALL $LANG
 ENV HOST localhost
 ENV DOMSUF localdomain
 
-# Entrypoint.
+RUN locale-gen $LANG \
+ && DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales
+
+RUN useradd -d $HOME -s $SHELL -m $USER
+WORKDIR $HOME
+USER $USER
+
+# Entrypoint - which only works if /home/worker/nss is mounted.
 ENTRYPOINT ["/home/worker/nss/automation/clang-format/run_clang_format.sh"]

security/nss/automation/clang-format/setup.sh

@@ -1,44 +0,0 @@
-#!/usr/bin/env bash
-
-set -v -e -x
-
-# Update packages.
-export DEBIAN_FRONTEND=noninteractive
-apt-get -y update && apt-get -y upgrade
-
-# Install packages.
-apt_packages=()
-apt_packages+=('ca-certificates')
-apt_packages+=('curl')
-apt_packages+=('xz-utils')
-apt_packages+=('mercurial')
-apt_packages+=('git')
-apt_packages+=('locales')
-apt-get install -y --no-install-recommends ${apt_packages[@]}
-
-# Download clang.
-curl -L https://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz -o clang.tar.xz
-curl -L https://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig -o clang.tar.xz.sig
-# Verify the signature.
-gpg --keyserver pool.sks-keyservers.net --recv-keys B6C8F98282B944E3B0D5C2530FC3042E345AD05D
-gpg --verify clang.tar.xz.sig
-# Install into /usr/local/.
-tar xJvf *.tar.xz -C /usr/local --strip-components=1
-
-# Cleanup.
-function cleanup() {
-  rm -f clang.tar.xz clang.tar.xz.sig
-}
-trap cleanup ERR EXIT
-
-locale-gen en_US.UTF-8
-dpkg-reconfigure locales
-
-# Cleanup.
-rm -rf ~/.ccache ~/.cache
-apt-get autoremove -y
-apt-get clean
-apt-get autoclean
-
-# We're done. Remove this script.
-rm $0

security/nss/automation/release/nspr-version.txt

@@ -1,4 +1,4 @@
-4.19
+4.20
 
 # The first line of this file must contain the human readable NSPR
 # version number, which is the minimum required version of NSPR

security/nss/automation/taskcluster/docker-aarch64/Dockerfile

@@ -20,7 +20,6 @@ ENV HOME /home/worker
 ENV SHELL /bin/bash
 ENV USER worker
 ENV LOGNAME worker
-ENV HOSTNAME taskcluster-worker
 ENV LANG en_US.UTF-8
 ENV LC_ALL en_US.UTF-8
 ENV HOST localhost

security/nss/automation/taskcluster/docker-arm/Dockerfile

@@ -17,7 +17,6 @@ ENV HOME /home/worker
 ENV SHELL /bin/bash
 ENV USER worker
 ENV LOGNAME worker
-ENV HOSTNAME taskcluster-worker
 ENV LANG en_US.UTF-8
 ENV LC_ALL en_US.UTF-8
 ENV HOST localhost

security/nss/automation/taskcluster/docker-builds/Dockerfile

@@ -0,0 +1,75 @@
+# Dockerfile for building extra builds.  This includes more tools than the
+# default image, so it's a fair bit bigger.  Only use this for builds where
+# the smaller docker image is missing something.  These builds will run on
+# the leaner configuration.
+FROM ubuntu:18.04
+LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>"
+
+RUN dpkg --add-architecture i386
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+    build-essential \
+    ca-certificates \
+    clang-4.0 \
+    clang \
+    cmake \
+    curl \
+    g++-4.8-multilib \
+    g++-5-multilib \
+    g++-6-multilib \
+    g++-multilib \
+    git \
+    gyp \
+    libelf-dev \
+    libdw-dev \
+    libssl-dev \
+    libssl-dev:i386 \
+    libxml2-utils \
+    lib32z1-dev \
+    linux-libc-dev:i386 \
+    llvm-dev \
+    locales \
+    mercurial \
+    ninja-build \
+    pkg-config \
+    valgrind \
+    zlib1g-dev \
+ && rm -rf /var/lib/apt/lists/* \
+ && apt-get autoremove -y && apt-get clean -y
+
+# Latest version of abigail-tools
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends automake libtool libxml2-dev \
+ && git clone git://sourceware.org/git/libabigail.git /tmp/libabigail \
+ && cd /tmp/libabigail \
+ && autoreconf -fi \
+ && ./configure --prefix=/usr --disable-static --disable-apidoc --disable-manual \
+ && make && make install \
+ && rm -rf /tmp/libabigail \
+ && apt-get remove -y automake libtool libxml2-dev \
+ && rm -rf /var/lib/apt/lists/* \
+ && apt-get autoremove -y && apt-get clean -y
+
+ENV SHELL /bin/bash
+ENV USER worker
+ENV LOGNAME $USER
+ENV HOME /home/$USER
+ENV LANG en_US.UTF-8
+ENV LC_ALL $LANG
+ENV HOST localhost
+ENV DOMSUF localdomain
+
+RUN locale-gen $LANG \
+ && DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales
+
+RUN useradd -d $HOME -s $SHELL -m $USER
+WORKDIR $HOME
+
+# Add build and test scripts.
+ADD bin $HOME/bin
+RUN chmod +x $HOME/bin/*
+
+USER $USER
+
+# Set a default command for debugging.
+CMD ["/bin/bash", "--login"]

security/nss/automation/taskcluster/docker-clang-3.9/Dockerfile

@@ -1,30 +0,0 @@
-FROM ubuntu:16.04
-MAINTAINER Tim Taubert <ttaubert@mozilla.com>
-
-RUN useradd -d /home/worker -s /bin/bash -m worker
-WORKDIR /home/worker
-
-# Add build and test scripts.
-ADD bin /home/worker/bin
-RUN chmod +x /home/worker/bin/*
-
-# Install dependencies.
-ADD setup.sh /tmp/setup.sh
-RUN bash /tmp/setup.sh
-
-# Change user.
-USER worker
-
-# Env variables.
-ENV HOME /home/worker
-ENV SHELL /bin/bash
-ENV USER worker
-ENV LOGNAME worker
-ENV HOSTNAME taskcluster-worker
-ENV LANG en_US.UTF-8
-ENV LC_ALL en_US.UTF-8
-ENV HOST localhost
-ENV DOMSUF localdomain
-
-# Set a default command for debugging.
-CMD ["/bin/bash", "--login"]

security/nss/automation/taskcluster/docker-clang-3.9/setup.sh

@@ -1,46 +0,0 @@
-#!/usr/bin/env bash
-
-set -v -e -x
-
-# Update packages.
-export DEBIAN_FRONTEND=noninteractive
-apt-get -y update && apt-get -y upgrade
-
-# Need this to add keys for PPAs below.
-apt-get install -y --no-install-recommends apt-utils
-
-apt_packages=()
-apt_packages+=('ca-certificates')
-apt_packages+=('curl')
-apt_packages+=('locales')
-apt_packages+=('xz-utils')
-
-# Latest Mercurial.
-apt_packages+=('mercurial')
-apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 41BD8711B1F0EC2B0D85B91CF59CE3A8323293EE
-echo "deb http://ppa.launchpad.net/mercurial-ppa/releases/ubuntu xenial main" > /etc/apt/sources.list.d/mercurial.list
-
-# Install packages.
-apt-get -y update
-apt-get install -y --no-install-recommends ${apt_packages[@]}
-
-# Download clang.
-curl -LO https://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz
-curl -LO https://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig
-# Verify the signature.
-gpg --keyserver pool.sks-keyservers.net --recv-keys B6C8F98282B944E3B0D5C2530FC3042E345AD05D
-gpg --verify *.tar.xz.sig
-# Install into /usr/local/.
-tar xJvf *.tar.xz -C /usr/local --strip-components=1
-# Cleanup.
-rm *.tar.xz*
-
-locale-gen en_US.UTF-8
-dpkg-reconfigure locales
-
-# Cleanup.
-rm -rf ~/.ccache ~/.cache
-apt-get autoremove -y
-apt-get clean
-apt-get autoclean
-rm $0

security/nss/automation/taskcluster/docker-clang-format/Dockerfile

@@ -0,0 +1,38 @@
+# Minimal image with clang-format 3.9.
+FROM ubuntu:18.04
+LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>"
+
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+    ca-certificates \
+    clang-format-3.9 \
+    locales \
+    mercurial \
+ && rm -rf /var/lib/apt/lists/* \
+ && apt-get autoremove -y && apt-get clean -y
+
+RUN update-alternatives --install /usr/bin/clang-format \
+    clang-format $(which clang-format-3.9) 10
+
+ENV SHELL /bin/bash
+ENV USER worker
+ENV LOGNAME $USER
+ENV HOME /home/$USER
+ENV LANG en_US.UTF-8
+ENV LC_ALL $LANG
+ENV HOST localhost
+ENV DOMSUF localdomain
+
+RUN locale-gen $LANG \
+ && DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales
+
+RUN useradd -d $HOME -s $SHELL -m $USER
+WORKDIR $HOME
+
+ADD bin $HOME/bin
+RUN chmod +x $HOME/bin/*
+
+USER $USER
+
+# Set a default command for debugging.
+CMD ["/bin/bash", "--login"]

security/nss/automation/taskcluster/docker-clang-format/bin/checkout.sh

@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+set -v -e -x
+
+if [ $(id -u) = 0 ]; then
+    # Drop privileges by re-running this script.
+    exec su worker $0
+fi
+
+# Default values for testing.
+REVISION=${NSS_HEAD_REVISION:-default}
+REPOSITORY=${NSS_HEAD_REPOSITORY:-https://hg.mozilla.org/projects/nss}
+
+# Clone NSS.
+for i in 0 2 5; do
+    sleep $i
+    hg clone -r $REVISION $REPOSITORY nss && exit 0
+    rm -rf nss
+done
+exit 1

security/nss/automation/taskcluster/docker-decision/Dockerfile

@@ -1,30 +1,37 @@
-FROM ubuntu:16.04
-MAINTAINER Tim Taubert <ttaubert@mozilla.com>
+# Minimal image for running the decision task.
+FROM ubuntu:18.04
+LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>"
 
-RUN useradd -d /home/worker -s /bin/bash -m worker
-WORKDIR /home/worker
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+    ca-certificates \
+    curl \
+    locales \
+    mercurial \
+    nodejs \
+ && rm -rf /var/lib/apt/lists/* \
+ && apt-get autoremove -y && apt-get clean -y
 
-# Add build and test scripts.
-ADD bin /home/worker/bin
-RUN chmod +x /home/worker/bin/*
-
-# Install dependencies.
-ADD setup.sh /tmp/setup.sh
-RUN bash /tmp/setup.sh
-
-# Change user.
-USER worker
-
-# Env variables.
-ENV HOME /home/worker
 ENV SHELL /bin/bash
 ENV USER worker
-ENV LOGNAME worker
-ENV HOSTNAME taskcluster-worker
+ENV LOGNAME $USER
+ENV HOME /home/$USER
 ENV LANG en_US.UTF-8
-ENV LC_ALL en_US.UTF-8
+ENV LC_ALL $LANG
 ENV HOST localhost
 ENV DOMSUF localdomain
 
+RUN locale-gen $LANG \
+ && DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales
+
+RUN useradd -d $HOME -s $SHELL -m $USER
+WORKDIR $HOME
+
+# Add build and test scripts.
+ADD bin $HOME/bin
+RUN chmod +x $HOME/bin/*
+
+USER $USER
+
 # Set a default command for debugging.
 CMD ["/bin/bash", "--login"]

security/nss/automation/taskcluster/docker-decision/setup.sh

@@ -1,31 +0,0 @@
-#!/usr/bin/env bash
-
-set -v -e -x
-
-# Update packages.
-export DEBIAN_FRONTEND=noninteractive
-apt-get -y update && apt-get -y upgrade
-
-# Need those to install newer packages below.
-apt-get install -y --no-install-recommends apt-utils curl ca-certificates locales
-
-# Latest Mercurial.
-apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 41BD8711B1F0EC2B0D85B91CF59CE3A8323293EE
-echo "deb http://ppa.launchpad.net/mercurial-ppa/releases/ubuntu xenial main" > /etc/apt/sources.list.d/mercurial.list
-
-# Install packages.
-apt-get -y update && apt-get install -y --no-install-recommends mercurial
-
-# Latest Node.JS.
-curl -sL https://deb.nodesource.com/setup_6.x | bash -
-apt-get install -y --no-install-recommends nodejs
-
-locale-gen en_US.UTF-8
-dpkg-reconfigure locales
-
-# Cleanup.
-rm -rf ~/.ccache ~/.cache
-apt-get autoremove -y
-apt-get clean
-apt-get autoclean
-rm $0

security/nss/automation/taskcluster/docker-fuzz/Dockerfile

@@ -1,33 +1,59 @@
-FROM ubuntu:16.04
-MAINTAINER Tim Taubert <ttaubert@mozilla.com>
+# Dockerfile for running fuzzing tests.
+#
+# Note that when running this, you need to add `--cap-add SYS_PTRACE` to the
+# docker invocation or ASAN won't work.
+# On taskcluster use `features: ["allowPtrace"]`.
+# See https://github.com/google/sanitizers/issues/764#issuecomment-276700920
+FROM ubuntu:18.04
+LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>"
 
-RUN useradd -d /home/worker -s /bin/bash -m worker
-WORKDIR /home/worker
+RUN dpkg --add-architecture i386
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+    build-essential \
+    ca-certificates \
+    clang \
+    clang-tools \
+    curl \
+    g++-multilib \
+    git \
+    gyp \
+    libssl-dev \
+    libssl-dev:i386 \
+    libxml2-utils \
+    lib32z1-dev \
+    linux-libc-dev:i386 \
+    llvm-dev \
+    locales \
+    mercurial \
+    ninja-build \
+    pkg-config \
+    valgrind \
+    zlib1g-dev \
+ && rm -rf /var/lib/apt/lists/* \
+ && apt-get autoremove -y && apt-get clean -y
 
-# Add build and test scripts.
-ADD bin /home/worker/bin
-RUN chmod +x /home/worker/bin/*
-
-# Install dependencies.
-ADD setup.sh /tmp/setup.sh
-RUN bash /tmp/setup.sh
-
-# Change user.
-USER worker
-
-# Env variables.
-ENV HOME /home/worker
 ENV SHELL /bin/bash
 ENV USER worker
-ENV LOGNAME worker
-ENV HOSTNAME taskcluster-worker
+ENV LOGNAME $USER
+ENV HOME /home/$USER
 ENV LANG en_US.UTF-8
-ENV LC_ALL en_US.UTF-8
+ENV LC_ALL $LANG
 ENV HOST localhost
 ENV DOMSUF localdomain
 
-# LLVM 4.0
-ENV PATH "${PATH}:/home/worker/third_party/llvm-build/Release+Asserts/bin/"
+RUN locale-gen $LANG \
+ && DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales
+
+RUN useradd -d $HOME -s $SHELL -m $USER
+WORKDIR $HOME
+
+# Add build and test scripts.
+ADD bin $HOME/bin
+RUN chmod +x $HOME/bin/*
+
+# Change user.
+USER $USER
 
 # Set a default command for debugging.
 CMD ["/bin/bash", "--login"]

security/nss/automation/taskcluster/docker-fuzz/setup.sh

@@ -1,58 +0,0 @@
-#!/usr/bin/env bash
-
-set -v -e -x
-
-# Update packages.
-export DEBIAN_FRONTEND=noninteractive
-apt-get -y update && apt-get -y upgrade
-
-# Need this to add keys for PPAs below.
-apt-get install -y --no-install-recommends apt-utils
-
-apt_packages=()
-apt_packages+=('build-essential')
-apt_packages+=('ca-certificates')
-apt_packages+=('curl')
-apt_packages+=('git')
-apt_packages+=('gyp')
-apt_packages+=('libssl-dev')
-apt_packages+=('libxml2-utils')
-apt_packages+=('locales')
-apt_packages+=('ninja-build')
-apt_packages+=('pkg-config')
-apt_packages+=('zlib1g-dev')
-
-# 32-bit builds
-apt_packages+=('gcc-multilib')
-apt_packages+=('g++-multilib')
-
-# Latest Mercurial.
-apt_packages+=('mercurial')
-apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 41BD8711B1F0EC2B0D85B91CF59CE3A8323293EE
-echo "deb http://ppa.launchpad.net/mercurial-ppa/releases/ubuntu xenial main" > /etc/apt/sources.list.d/mercurial.list
-
-# Install packages.
-apt-get -y update
-apt-get install -y --no-install-recommends ${apt_packages[@]}
-
-# 32-bit builds
-dpkg --add-architecture i386
-apt-get -y update
-apt-get install -y --no-install-recommends libssl-dev:i386
-
-# Install LLVM/clang-4.0.
-mkdir clang-tmp
-git clone -n --depth 1 https://chromium.googlesource.com/chromium/src/tools/clang clang-tmp/clang
-git -C clang-tmp/clang checkout HEAD scripts/update.py
-clang-tmp/clang/scripts/update.py
-rm -fr clang-tmp
-
-locale-gen en_US.UTF-8
-dpkg-reconfigure locales
-
-# Cleanup.
-rm -rf ~/.ccache ~/.cache
-apt-get autoremove -y
-apt-get clean
-apt-get autoclean
-rm $0

security/nss/automation/taskcluster/docker-fuzz32/Dockerfile

@@ -0,0 +1,73 @@
+# Dockerfile for running fuzzing tests on linux32.
+#
+# This is a temporary workaround for bugs in clang that make it incompatible
+# with Ubuntu 18.04 (see bug 1488148). This image can be removed once a new
+# release of LLVM includes the necessary fixes.
+
+FROM ubuntu:16.04
+LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>"
+
+RUN dpkg --add-architecture i386
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+    build-essential \
+    ca-certificates \
+    curl \
+    g++-multilib \
+    git \
+    gyp \
+    libssl-dev \
+    libssl-dev:i386 \
+    libxml2-utils \
+    lib32z1-dev \
+    linux-libc-dev:i386 \
+    locales \
+    mercurial \
+    ninja-build \
+    pkg-config \
+    software-properties-common \
+    valgrind \
+    zlib1g-dev \
+ && rm -rf /var/lib/apt/lists/* \
+ && apt-get autoremove -y && apt-get clean -y
+
+# Install clang and tools from the LLVM PPA.
+RUN curl -sf https://apt.llvm.org/llvm-snapshot.gpg.key | apt-key add - \
+ && apt-add-repository "deb http://apt.llvm.org/xenial/ llvm-toolchain-xenial-6.0 main" \
+ && apt-get update \
+ && apt-get install -y --no-install-recommends \
+    clang-6.0 \
+    clang-tools-6.0 \
+    llvm-6.0-dev \
+ && rm -rf /var/lib/apt/lists/* \
+ && apt-get autoremove -y && apt-get clean -y
+
+# Alias all the clang commands.
+RUN for i in $(dpkg -L clang-6.0 clang-tools-6.0 | grep '^/usr/bin/' | xargs -i basename {} -6.0); do \
+      update-alternatives --install "/usr/bin/$i" "$i" "/usr/bin/${i}-6.0" 10; \
+    done
+
+ENV SHELL /bin/bash
+ENV USER worker
+ENV LOGNAME $USER
+ENV HOME /home/$USER
+ENV LANG en_US.UTF-8
+ENV LC_ALL $LANG
+ENV HOST localhost
+ENV DOMSUF localdomain
+
+RUN locale-gen $LANG \
+ && DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales
+
+RUN useradd -d $HOME -s $SHELL -m $USER
+WORKDIR $HOME
+
+# Add build and test scripts.
+ADD bin $HOME/bin
+RUN chmod +x $HOME/bin/*
+
+# Change user.
+USER $USER
+
+# Set a default command for debugging.
+CMD ["/bin/bash", "--login"]

security/nss/automation/taskcluster/docker-fuzz32/bin/checkout.sh

@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+set -v -e -x
+
+if [ $(id -u) = 0 ]; then
+    # Drop privileges by re-running this script.
+    exec su worker $0
+fi
+
+# Default values for testing.
+REVISION=${NSS_HEAD_REVISION:-default}
+REPOSITORY=${NSS_HEAD_REPOSITORY:-https://hg.mozilla.org/projects/nss}
+
+# Clone NSS.
+for i in 0 2 5; do
+    sleep $i
+    hg clone -r $REVISION $REPOSITORY nss && exit 0
+    rm -rf nss
+done
+exit 1

security/nss/automation/taskcluster/docker-gcc-4.4/Dockerfile

@@ -1,30 +1,39 @@
 FROM ubuntu:14.04
-MAINTAINER Tim Taubert <ttaubert@mozilla.com>
+LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>"
 
-RUN useradd -d /home/worker -s /bin/bash -m worker
-WORKDIR /home/worker
+RUN dpkg --add-architecture i386
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+    ca-certificates \
+    g++-4.4 \
+    gcc-4.4 \
+    locales \
+    make \
+    mercurial \
+    zlib1g-dev \
+ && rm -rf /var/lib/apt/lists/* \
+ && apt-get autoremove -y && apt-get clean -y
 
-# Add build and test scripts.
-ADD bin /home/worker/bin
-RUN chmod +x /home/worker/bin/*
-
-# Install dependencies.
-ADD setup.sh /tmp/setup.sh
-RUN bash /tmp/setup.sh
-
-# Change user.
-USER worker
-
-# Env variables.
-ENV HOME /home/worker
 ENV SHELL /bin/bash
 ENV USER worker
-ENV LOGNAME worker
-ENV HOSTNAME taskcluster-worker
+ENV LOGNAME $USER
+ENV HOME /home/$USER
 ENV LANG en_US.UTF-8
-ENV LC_ALL en_US.UTF-8
+ENV LC_ALL $LANG
 ENV HOST localhost
 ENV DOMSUF localdomain
 
+RUN locale-gen $LANG \
+ && DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales
+
+RUN useradd -d $HOME -s $SHELL -m $USER
+WORKDIR $HOME
+
+# Add build and test scripts.
+ADD bin $HOME/bin
+RUN chmod +x $HOME/bin/*
+
+USER $USER
+
 # Set a default command for debugging.
 CMD ["/bin/bash", "--login"]

security/nss/automation/taskcluster/docker-gcc-4.4/setup.sh

@@ -1,30 +0,0 @@
-#!/usr/bin/env bash
-
-set -v -e -x
-
-# Update packages.
-export DEBIAN_FRONTEND=noninteractive
-apt-get -y update && apt-get -y upgrade
-
-apt_packages=()
-apt_packages+=('ca-certificates')
-apt_packages+=('g++-4.4')
-apt_packages+=('gcc-4.4')
-apt_packages+=('locales')
-apt_packages+=('make')
-apt_packages+=('mercurial')
-apt_packages+=('zlib1g-dev')
-
-# Install packages.
-apt-get -y update
-apt-get install -y --no-install-recommends ${apt_packages[@]}
-
-locale-gen en_US.UTF-8
-dpkg-reconfigure locales
-
-# Cleanup.
-rm -rf ~/.ccache ~/.cache
-apt-get autoremove -y
-apt-get clean
-apt-get autoclean
-rm $0

security/nss/automation/taskcluster/docker-interop/Dockerfile

@@ -0,0 +1,56 @@
+# Dockerfile for running interop tests.
+# This includes Rust, golang, and nodejs.
+FROM ubuntu:18.04
+LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>"
+
+RUN dpkg --add-architecture i386
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+    build-essential \
+    ca-certificates \
+    clang \
+    cmake \
+    curl \
+    g++-multilib \
+    git \
+    golang \
+    gyp \
+    libxml2-utils \
+    lib32z1-dev \
+    linux-libc-dev:i386 \
+    llvm-dev \
+    locales \
+    mercurial \
+    ninja-build \
+    npm \
+    pkg-config \
+    zlib1g-dev \
+ && rm -rf /var/lib/apt/lists/* \
+ && apt-get autoremove -y && apt-get clean -y
+
+ENV SHELL /bin/bash
+ENV USER worker
+ENV LOGNAME $USER
+ENV HOME /home/$USER
+ENV LANG en_US.UTF-8
+ENV LC_ALL $LANG
+ENV HOST localhost
+ENV DOMSUF localdomain
+
+RUN locale-gen $LANG \
+ && DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales
+
+RUN useradd -d $HOME -s $SHELL -m $USER
+WORKDIR $HOME
+
+# Add build and test scripts.
+ADD bin $HOME/bin
+RUN chmod +x $HOME/bin/*
+
+USER $USER
+
+# Install Rust stable as $USER.
+RUN curl https://sh.rustup.rs -sSf | sh -s -- -y
+
+# Set a default command for debugging.
+CMD ["/bin/bash", "--login"]

security/nss/automation/taskcluster/docker-interop/bin/checkout.sh

@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+set -v -e -x
+
+if [ $(id -u) = 0 ]; then
+    # Drop privileges by re-running this script.
+    exec su worker $0
+fi
+
+# Default values for testing.
+REVISION=${NSS_HEAD_REVISION:-default}
+REPOSITORY=${NSS_HEAD_REPOSITORY:-https://hg.mozilla.org/projects/nss}
+
+# Clone NSS.
+for i in 0 2 5; do
+    sleep $i
+    hg clone -r $REVISION $REPOSITORY nss && exit 0
+    rm -rf nss
+done
+exit 1

security/nss/automation/taskcluster/docker/Dockerfile

@@ -1,30 +1,49 @@
-FROM ubuntu:16.04
-MAINTAINER Tim Taubert <ttaubert@mozilla.com>
+# Lean image for running the bulk of the NSS CI tests on taskcluster.
+FROM ubuntu:18.04
+LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>"
 
-RUN useradd -d /home/worker -s /bin/bash -m worker
-WORKDIR /home/worker
+RUN dpkg --add-architecture i386
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+    build-essential \
+    ca-certificates \
+    clang \
+    curl \
+    g++-multilib \
+    git \
+    gyp \
+    libxml2-utils \
+    lib32z1-dev \
+    linux-libc-dev:i386 \
+    llvm-dev \
+    locales \
+    mercurial \
+    ninja-build \
+    pkg-config \
+    zlib1g-dev \
+ && rm -rf /var/lib/apt/lists/* \
+ && apt-get autoremove -y && apt-get clean -y
 
-# Add build and test scripts.
-ADD bin /home/worker/bin
-RUN chmod +x /home/worker/bin/*
-
-# Install dependencies.
-ADD setup.sh /tmp/setup.sh
-RUN bash /tmp/setup.sh
-
-# Env variables.
-ENV HOME /home/worker
 ENV SHELL /bin/bash
 ENV USER worker
-ENV LOGNAME worker
-ENV HOSTNAME taskcluster-worker
+ENV LOGNAME $USER
+ENV HOME /home/$USER
 ENV LANG en_US.UTF-8
-ENV LC_ALL en_US.UTF-8
+ENV LC_ALL $LANG
 ENV HOST localhost
 ENV DOMSUF localdomain
 
-# Rust + Go
-ENV PATH "${PATH}:/home/worker/.cargo/bin/:/usr/lib/go-1.6/bin"
+RUN locale-gen $LANG \
+ && DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales
+
+RUN useradd -d $HOME -s $SHELL -m $USER
+WORKDIR $HOME
+
+# Add build and test scripts.
+ADD bin $HOME/bin
+RUN chmod +x $HOME/bin/*
+
+USER $USER
 
 # Set a default command for debugging.
 CMD ["/bin/bash", "--login"]

security/nss/automation/taskcluster/docker/setup.sh

@@ -1,74 +0,0 @@
-#!/usr/bin/env bash
-
-set -v -e -x
-
-# Update packages.
-export DEBIAN_FRONTEND=noninteractive
-apt-get -y update && apt-get -y upgrade
-
-# Need this to add keys for PPAs below.
-apt-get install -y --no-install-recommends apt-utils
-
-apt_packages=()
-apt_packages+=('build-essential')
-apt_packages+=('ca-certificates')
-apt_packages+=('clang-5.0')
-apt_packages+=('curl')
-apt_packages+=('npm')
-apt_packages+=('git')
-apt_packages+=('golang-1.6')
-apt_packages+=('libxml2-utils')
-apt_packages+=('locales')
-apt_packages+=('ninja-build')
-apt_packages+=('pkg-config')
-apt_packages+=('zlib1g-dev')
-
-# 32-bit builds
-apt_packages+=('lib32z1-dev')
-apt_packages+=('gcc-multilib')
-apt_packages+=('g++-multilib')
-
-# ct-verif and sanitizers
-apt_packages+=('valgrind')
-
-# Latest Mercurial.
-apt_packages+=('mercurial')
-apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 41BD8711B1F0EC2B0D85B91CF59CE3A8323293EE
-echo "deb http://ppa.launchpad.net/mercurial-ppa/releases/ubuntu xenial main" > /etc/apt/sources.list.d/mercurial.list
-
-# gcc 4.8 and 6
-apt_packages+=('g++-6')
-apt_packages+=('g++-4.8')
-apt_packages+=('g++-6-multilib')
-apt_packages+=('g++-4.8-multilib')
-apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 60C317803A41BA51845E371A1E9377A2BA9EF27F
-echo "deb http://ppa.launchpad.net/ubuntu-toolchain-r/test/ubuntu xenial main" > /etc/apt/sources.list.d/toolchain.list
-
-# Install packages.
-apt-get -y update
-apt-get install -y --no-install-recommends ${apt_packages[@]}
-
-# Latest version of abigail-tools
-apt-get install -y libxml2-dev autoconf libelf-dev libdw-dev libtool
-git clone git://sourceware.org/git/libabigail.git
-cd ./libabigail
-autoreconf -fi
-./configure --prefix=/usr --disable-static --disable-apidoc --disable-manual
-make
-make install
-cd ..
-apt-get remove -y libxml2-dev autoconf libtool
-rm -rf libabigail
-
-# Install latest Rust (stable).
-su worker -c "curl https://sh.rustup.rs -sSf | sh -s -- -y"
-
-locale-gen en_US.UTF-8
-dpkg-reconfigure locales
-
-# Cleanup.
-rm -rf ~/.ccache ~/.cache
-apt-get autoremove -y
-apt-get clean
-apt-get autoclean
-rm $0

security/nss/automation/taskcluster/graph/src/extend.js

@@ -10,9 +10,19 @@ const LINUX_IMAGE = {
   path: "automation/taskcluster/docker"
 };
 
-const LINUX_CLANG39_IMAGE = {
-  name: "linux-clang-3.9",
-  path: "automation/taskcluster/docker-clang-3.9"
+const LINUX_BUILDS_IMAGE = {
+  name: "linux-builds",
+  path: "automation/taskcluster/docker-builds"
+};
+
+const LINUX_INTEROP_IMAGE = {
+  name: "linux-interop",
+  path: "automation/taskcluster/docker-interop"
+};
+
+const CLANG_FORMAT_IMAGE = {
+  name: "clang-format",
+  path: "automation/taskcluster/docker-clang-format"
 };
 
 const LINUX_GCC44_IMAGE = {
@@ -25,6 +35,12 @@ const FUZZ_IMAGE = {
   path: "automation/taskcluster/docker-fuzz"
 };
 
+// Bug 1488148 - temporary image for fuzzing 32-bit builds.
+const FUZZ_IMAGE_32 = {
+  name: "fuzz32",
+  path: "automation/taskcluster/docker-fuzz32"
+};
+
 const HACL_GEN_IMAGE = {
   name: "hacl",
   path: "automation/taskcluster/docker-hacl"
@@ -59,7 +75,7 @@ queue.filter(task => {
     }
   }
 
-  if (task.tests == "bogo" || task.tests == "interop") {
+  if (task.tests == "bogo" || task.tests == "interop" || task.tests == "tlsfuzzer") {
     // No windows
     if (task.platform == "windows2012-64" ||
         task.platform == "windows2012-32") {
@@ -89,7 +105,9 @@ queue.filter(task => {
 
   if (task.group == "Test") {
     // Don't run test builds on old make platforms, and not for fips gyp.
-    if (task.collection == "make" || task.collection == "fips") {
+    // Disable on aarch64, see bug 1488331.
+    if (task.collection == "make" || task.collection == "fips"
+        || task.platform == "aarch64") {
       return false;
     }
   }
@@ -134,13 +152,13 @@ export default async function main() {
   await scheduleLinux("Linux 32 (opt)", {
     platform: "linux32",
     image: LINUX_IMAGE
-  }, "-m32 --opt");
+  }, "-t ia32 --opt");
 
   await scheduleLinux("Linux 32 (debug)", {
     platform: "linux32",
     collection: "debug",
     image: LINUX_IMAGE
-  }, "-m32");
+  }, "-t ia32");
 
   await scheduleLinux("Linux 64 (opt)", {
     platform: "linux64",
@@ -193,8 +211,8 @@ export default async function main() {
       UBSAN_OPTIONS: "print_stacktrace=1",
       NSS_DISABLE_ARENA_FREE_LIST: "1",
       NSS_DISABLE_UNLOAD: "1",
-      CC: "clang-5.0",
-      CCC: "clang++-5.0",
+      CC: "clang",
+      CCC: "clang++",
     },
     platform: "linux64",
     collection: "asan",
@@ -230,12 +248,12 @@ export default async function main() {
 
   await scheduleWindows("Windows 2012 32 (opt)", {
     platform: "windows2012-32",
-  }, "build_gyp.sh --opt -m32");
+  }, "build_gyp.sh --opt -t ia32");
 
   await scheduleWindows("Windows 2012 32 (debug)", {
     platform: "windows2012-32",
     collection: "debug"
-  }, "build_gyp.sh -m32");
+  }, "build_gyp.sh -t ia32");
 
   await scheduleFuzzing();
   await scheduleFuzzing32();
@@ -251,29 +269,29 @@ export default async function main() {
   };
 
   await scheduleLinux("Linux AArch64 (debug)",
-    merge({
+    merge(aarch64_base, {
       command: [
         "/bin/bash",
         "-c",
         "bin/checkout.sh && nss/automation/taskcluster/scripts/build_gyp.sh"
       ],
       collection: "debug",
-    }, aarch64_base)
+    })
   );
 
   await scheduleLinux("Linux AArch64 (opt)",
-    merge({
+    merge(aarch64_base, {
       command: [
         "/bin/bash",
         "-c",
         "bin/checkout.sh && nss/automation/taskcluster/scripts/build_gyp.sh --opt"
       ],
       collection: "opt",
-    }, aarch64_base)
+    })
   );
 
   await scheduleLinux("Linux AArch64 (debug, make)",
-    merge({
+    merge(aarch64_base, {
       env: {USE_64: "1"},
       command: [
          "/bin/bash",
@@ -281,7 +299,7 @@ export default async function main() {
          "bin/checkout.sh && nss/automation/taskcluster/scripts/build.sh"
       ],
       collection: "make",
-    }, aarch64_base)
+    })
   );
 
   await scheduleMac("Mac (opt)", {collection: "opt"}, "--opt");
@@ -303,7 +321,7 @@ async function scheduleMac(name, base, args = "") {
   });
 
   // Build base definition.
-  let build_base = merge({
+  let build_base = merge(mac_base, {
     command: [
       MAC_CHECKOUT_CMD,
       ["bash", "-c",
@@ -320,7 +338,7 @@ async function scheduleMac(name, base, args = "") {
     }],
     kind: "build",
     symbol: "B"
-  }, mac_base);
+  });
 
   // The task that builds NSPR+NSS.
   let task_build = queue.scheduleTask(merge(build_base, {name}));