diff --git a/accessible/generic/Accessible.cpp b/accessible/generic/Accessible.cpp
index 05ee9a9db..1a9e6e85a 100644
--- a/accessible/generic/Accessible.cpp
+++ b/accessible/generic/Accessible.cpp
@@ -43,6 +43,7 @@
 #include "nsIForm.h"
 #include "nsIFormControl.h"
+#include "nsContentUtils.h"
 #include "nsDeckFrame.h"
 #include "nsLayoutUtils.h"
 #include "nsIPresShell.h"
@@ -2409,6 +2410,12 @@ Accessible::CurrentItem()
 nsIDocument* DOMDoc = mContent->OwnerDoc();
 dom::Element* activeDescendantElm = DOMDoc->GetElementById(id);
 if (activeDescendantElm) {
+ if (nsContentUtils::ContentIsDescendantOf(mContent,
+ activeDescendantElm)) {
+ // Don't want a cyclical descendant relationship. That would be bad.
+ return nullptr;
+ }
+
 DocAccessible* document = Document();
 if (document)
 return document->GetAccessible(activeDescendantElm);
diff --git a/dom/events/DataTransfer.cpp b/dom/events/DataTransfer.cpp
index 2ad0effce..9c1026f0a 100644
--- a/dom/events/DataTransfer.cpp
+++ b/dom/events/DataTransfer.cpp
@@ -708,6 +708,7 @@ DataTransfer::SetDataAtInternal(const nsAString& aFormat, nsIVariant* aData,
 // don't allow non-chrome to add file data
 // XXX perhaps this should also limit any non-string type as well
 if ((aFormat.EqualsLiteral("application/x-moz-file-promise") ||
+ aFormat.EqualsLiteral("text/x-moz-place") ||
 aFormat.EqualsLiteral("application/x-moz-file")) &&
 !nsContentUtils::IsSystemPrincipal(aSubjectPrincipal)) {
 return NS_ERROR_DOM_SECURITY_ERR;
diff --git a/dom/indexedDB/ActorsParent.cpp b/dom/indexedDB/ActorsParent.cpp
index 3d688ec9a..a9cb6e3c0 100644
--- a/dom/indexedDB/ActorsParent.cpp
+++ b/dom/indexedDB/ActorsParent.cpp
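Review bot: The comment on the new guard in Accessible::CurrentItem() ("That would be bad.") does not say what is rejected or why. The call passes mContent as the possible descendant and the element looked up by id as the possible ancestor, so the guard fires when page-supplied markup names an ancestor of this element as its active descendant; whether it also fires for the element itself depends on how ContentIsDescendantOf treats equal nodes, which is not visible here. I would replace the comment with `// The id comes from page content: ignore a target that is an ancestor of mContent, or accessible-tree walks could cycle.` CurrentItem()'s body starts and ends outside the hunk.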
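Review bot: The comment above this condition still reads "don't allow non-chrome to add file data", but the added `text/x-moz-place` flavor is not file data, so the comment no longer describes the check. Suggest `// don't allow non-chrome to add file data or Places data (text/x-moz-place)`. The check remains a denylist of exact format strings, as the existing XXX remark already hints; whether aFormat is normalized before this comparison is not visible in the hunk and is worth confirming. SetDataAtInternal()'s body extends beyond the hunk.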
@@ -21994,29 +21994,36 @@ TransactionDatabaseOperationBase::RunOnOwningThread()
 MOZ_ASSERT(mTransaction);
 if (NS_WARN_IF(IsActorDestroyed())) {
- // Don't send any notifications if the actor was destroyed already.
+ // Normally we wouldn't need to send any notifications if the actor was
+ // already destroyed, but this can be a VersionChangeOp which needs to
+ // notify its parent operation (OpenDatabaseOp) about the failure.
+ // So SendFailureResult needs to be called even when the actor was
+ // destroyed. Normal operations redundantly check if the actor was
+ // destroyed in SendSuccessResult and SendFailureResult, therefore it's
+ // ok to call it in all cases here.
 if (NS_SUCCEEDED(mResultCode)) {
 IDB_REPORT_INTERNAL_ERR();
 mResultCode = NS_ERROR_DOM_INDEXEDDB_UNKNOWN_ERR;
 }
- } else {
- if (mTransaction->IsInvalidated()) {
- mResultCode = NS_ERROR_DOM_INDEXEDDB_UNKNOWN_ERR;
- } else if (mTransaction->IsAborted()) {
- // Aborted transactions always see their requests fail with ABORT_ERR,
- // even if the request succeeded or failed with another error.
- mResultCode = NS_ERROR_DOM_INDEXEDDB_ABORT_ERR;
- } else if (NS_SUCCEEDED(mResultCode)) {
- // This may release the IPDL reference.
- mResultCode = SendSuccessResult();
- }
+ } else if (mTransaction->IsInvalidated() || mTransaction->IsAborted()) {
+ // Aborted transactions always see their requests fail with ABORT_ERR,
+ // even if the request succeeded or failed with another error.
+ mResultCode = NS_ERROR_DOM_INDEXEDDB_ABORT_ERR;
+ }
- if (NS_FAILED(mResultCode)) {
- // This should definitely release the IPDL reference.
- if (!SendFailureResult(mResultCode)) {
- // Abort the transaction.
- mTransaction->Abort(mResultCode, /* aForce */ false);
- }
+ if (NS_SUCCEEDED(mResultCode)) {
+ // This may release the IPDL reference.
+ mResultCode = SendSuccessResult();
+ } else {
+ // I'm not sure why the code was originally this way, nor why bug 1538619
+ // didn't clean it up, but it looks stupid the way it was written before.
+ // -- Cameron (TenFourFox issue 551)
+ NS_ASSERTION(NS_FAILED(mResultCode), "wtf? we didn't succeed OR fail??");
+
+ // This should definitely release the IPDL reference.
+ if (!SendFailureResult(mResultCode)) {
+ // Abort the transaction.
+ mTransaction->Abort(mResultCode, /* aForce */ false);
 }
 }
diff --git a/gfx/layers/composite/CanvasLayerComposite.cpp b/gfx/layers/composite/CanvasLayerComposite.cpp
index 38aff390e..ffb80eb2e 100644
--- a/gfx/layers/composite/CanvasLayerComposite.cpp
+++ b/gfx/layers/composite/CanvasLayerComposite.cpp
@@ -44,9 +44,13 @@ bool
 CanvasLayerComposite::SetCompositableHost(CompositableHost* aHost)
 {
 switch (aHost->GetType()) {
- case CompositableType::IMAGE:
+ case CompositableType::IMAGE: {
+ if (mCompositableHost && aHost != mCompositableHost) {
+ mCompositableHost->Detach(this);
+ }
 mCompositableHost = aHost;
 return true;
+ }
 default:
 return false;
 }
diff --git a/gfx/layers/composite/ImageLayerComposite.cpp b/gfx/layers/composite/ImageLayerComposite.cpp
index 8d2643e5d..827fc8d2d 100644
--- a/gfx/layers/composite/ImageLayerComposite.cpp
+++ b/gfx/layers/composite/ImageLayerComposite.cpp
@@ -50,9 +50,14 @@ ImageLayerComposite::SetCompositableHost(CompositableHost* aHost)
 {
 switch (aHost->GetType()) {
 case CompositableType::IMAGE:
- case CompositableType::IMAGE_OVERLAY:
- mImageHost = aHost;
+ case CompositableType::IMAGE_OVERLAY: {
+ ImageHost* newImageHost = static_cast(aHost);
+ if (mImageHost && newImageHost != mImageHost) {
+ mImageHost->Detach(this);
+ }
+ mImageHost = newImageHost;
 return true;
+ }
 default:
 return false;
 }
diff --git a/gfx/layers/composite/PaintedLayerComposite.cpp b/gfx/layers/composite/PaintedLayerComposite.cpp
index 87dd79b3a..b98c280ed 100644
--- a/gfx/layers/composite/PaintedLayerComposite.cpp
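Review bot: Folding the two result checks into a single `if (NS_SUCCEEDED(mResultCode)) { … } else { … }` drops a path the removed code had: `mResultCode = SendSuccessResult();` can itself store a failure code, and the old separate `if (NS_FAILED(mResultCode))` then called SendFailureResult() and aborted the transaction if that also failed. With the `else`, a failed SendSuccessResult() leaves an error in mResultCode that nothing in the visible lines reports or acts on. Keeping the failure test as its own statement restores this: end the first block with `}` and open the second with `if (NS_FAILED(mResultCode)) {`, after which the NS_ASSERTION is unnecessary. Separately, the merged branch now maps an invalidated transaction to ABORT_ERR rather than UNKNOWN_ERR while its comment mentions only aborted transactions; RunOnOwningThread() begins before the hunk, so callers' expectations are not visible here.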
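Review bot: Nothing in the new `case` block says why the previous host must be detached before `mCompositableHost` is overwritten, and the same uncommented pattern is repeated in the ImageLayerComposite and PaintedLayerComposite hunks. Presumably the old host keeps a reference back to this layer that would otherwise outlive the association; if so, a line such as `// Detach the host we are replacing so it stops referring to this layer.` above the `if` in each of the three functions would record that. The three bodies differ only in member name and cast, so they need to be kept in step if Detach()'s contract changes.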
+++ b/gfx/layers/composite/PaintedLayerComposite.cpp
@@ -49,9 +49,14 @@ PaintedLayerComposite::SetCompositableHost(CompositableHost* aHost)
 switch (aHost->GetType()) {
 case CompositableType::CONTENT_TILED:
 case CompositableType::CONTENT_SINGLE:
- case CompositableType::CONTENT_DOUBLE:
- mBuffer = static_cast(aHost);
+ case CompositableType::CONTENT_DOUBLE: {
+ ContentHost* newBuffer = static_cast(aHost);
+ if (mBuffer && newBuffer != mBuffer) {
+ mBuffer->Detach(this);
+ }
+ mBuffer = newBuffer;
 return true;
+ }
 default:
 return false;
 }
diff --git a/media/libpng/png.c b/media/libpng/png.c
index ea7730231..5caa6e8b0 100644
--- a/media/libpng/png.c
+++ b/media/libpng/png.c
@@ -4599,7 +4599,7 @@ png_image_free(png_imagep image)
 image->opaque->error_buf == NULL)
 {
 /* Ignore errors here: */
- (void)png_safe_execute(image, png_image_free_function, image);
+ png_image_free_function(image);
 image->opaque = NULL;
 }
 }
diff --git a/toolkit/components/places/PlacesUtils.jsm b/toolkit/components/places/PlacesUtils.jsm
index 518b7c897..a7bbc7df1 100644
--- a/toolkit/components/places/PlacesUtils.jsm
+++ b/toolkit/components/places/PlacesUtils.jsm
@@ -688,6 +688,7 @@ this.PlacesUtils = {
 * @param type
 * The content type of the blob.
 * @returns An array of objects representing each item contained by the source.
+ * @throws if the blob contains invalid data.
 */
 unwrapNodes: function PU_unwrapNodes(blob, type) {
 // We split on "\n" because the transferable system converts "\r\n" to "\n"
@@ -719,7 +720,8 @@ this.PlacesUtils = {
 catch (e) {}
 }
 // note: this._uri() will throw if uriString is not a valid URI
- if (this._uri(uriString)) {
+ let uri = this._uri(uriString);
+ if (uri && uri.scheme != "place") {
 nodes.push({ uri: uriString,
 title: titleString ? titleString : uriString ,
 type: this.TYPE_X_MOZ_URL });
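Review bot: The retained comment `/* Ignore errors here: */` described the png_safe_execute() wrapper and no longer matches the direct call, whose result is now dropped without the `(void)` cast the old line carried. Nothing records why the wrapper was removed; presumably it touches state reached through `image->opaque` after png_image_free_function() has released it. Once that is confirmed, replace the comment with something like `/* Call directly: png_safe_execute would use image->opaque after it is freed. */`, and write `(void)png_image_free_function(image);` if the function returns a value. png_image_free() begins before the hunk.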
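Review bot: The two new `place:` filters in unwrapNodes are written differently: this hunk tests `uri && uri.scheme != "place"`, while the TYPE_UNICODE branch in the following hunk tests `uri.scheme != "place"` with no null guard. Since the retained comment says this._uri() throws on an invalid URI, either the guard here is redundant or the one there is missing; pick one form for both, for example `if (!uri.schemeIs("place")) {`. Neither spot explains why place: URIs are dropped, so a comment such as `// Never accept place: URIs from URL or plain-text flavors, which untrusted content can supply.` would help, assuming that is the intent. The body of unwrapNodes extends beyond both hunks.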
@@ -731,14 +733,17 @@ this.PlacesUtils = {
 for (var i = 0; i < parts.length; i++) {
 var uriString = parts[i];
 // text/uri-list is converted to TYPE_UNICODE but it could contain
- // comments line prepended by #, we should skip them
- if (uriString.substr(0, 1) == '\x23')
+ // comments line prepended by #, we should skip them, as well as
+ // empty uris.
+ if (uriString == "" || uriString.substr(0, 1) == '\x23')
 continue;
 // note: this._uri() will throw if uriString is not a valid URI
- if (uriString != "" && this._uri(uriString))
+ let uri = this._uri(uriString);
+ if (uri.scheme != "place") {
 nodes.push({ uri: uriString,
 title: uriString,
 type: this.TYPE_X_MOZ_URL });
+ }
 }
 break;
 default:
diff --git a/xpcom/base/nsCycleCollector.cpp b/xpcom/base/nsCycleCollector.cpp
index 2b698aa9f..10dbf3cc9 100644
--- a/xpcom/base/nsCycleCollector.cpp
+++ b/xpcom/base/nsCycleCollector.cpp
@@ -2820,6 +2820,10 @@ nsCycleCollector::ForgetSkippable(bool aRemoveChildlessNodes,
 {
 CheckThreadSafety();
+ if (mFreeingSnowWhite) {
+ return;
+ }
+
 mozilla::Maybe marker;
 if (NS_IsMainThread()) {
 marker.emplace("nsCycleCollector::ForgetSkippable", MarkerStackRequest::NO_STACK);
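Review bot: The early return on `mFreeingSnowWhite` has no comment, and the flag's meaning is not visible in this hunk. It reads as a re-entrancy guard that skips ForgetSkippable() while snow-white objects are being freed; if that is right, say so with `// Re-entered while snow-white objects are being freed; skip this pass.` The function now becomes a silent no-op in that state, so any caller that relies on the skippable pass having run should be checked. ForgetSkippable()'s full signature and the rest of its body are outside the hunk.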