Bug 784048

Summary: Typing into Web Console in Firefox causes crashing - gcc 4.4.3
Product: Red Hat Enterprise Linux 6    Reporter: Matthew Mosesohn <mmosesoh>
Component: firefox    Assignee: Martin Stransky <stransky>
Status: CLOSED ERRATA    QA Contact: Desktop QE <desktop-qa-list>
Severity: unspecified    Docs Contact:
Priority: unspecified
Version: 6.3    CC: jakub, jcpunk, jhorak, mishu, msanders, pasteur, stransky, tpelka
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:    Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 799491 (view as bug list)
Environment:
Last Closed: 2012-03-14 07:40:38 UTC    Type: ---
Regression: ---    Mount Type: ---
Documentation: ---    CRM:
Verified Versions:    Category: ---
oVirt Team: ---    RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---    Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 670971, 799491
Attachments: testcase (Flags: none)

Description Matthew Mosesohn 2012-01-23 16:30:54 UTC
Description of problem:
In testing Firefox 10 beta 3, I was trying to hack up some website for testing something with JavaScript.  I discovered that all JavaScript commands need to be run from the Web Console.  Upon trying to input to the console, I've realized that inputting about 4 characters or so will cause it to crash every time on my system.  This occurs both on an existing Firefox profile and a new one (even in safe mode with all plugins disabled).

Version-Release number of selected component (if applicable):
firefox-10.0-0.1.b3.el6.x86_64
xulrunner-10.0-0.1.b3.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Launch Firefox
2. Tools -> Web Developer -> Web Console
3. Type any characters into the toolbar
  
Actual results:
The application hangs for a few seconds then crashes

Expected results:
Text should be input into the web console

Additional info:
I tried disabling iBus and running in safe mode with a new profile. None of this seems to fix the issue.

The only workaround is to copy and paste the entire command into the Web Console, rather than typing.

Comment 2 Matthew Mosesohn 2012-01-23 19:27:55 UTC
I found upstream bug: https://bugzilla.mozilla.org/show_bug.cgi?id=645886

This issue looks identical.  Comment 5 recommends running "call DumpJSStack()" while the program is crashed.  I have, and here is the output:

(gdb) call DumpJSStack()
0 hidePopup() ["chrome://global/content/bindings/popup.xml":108]
    menuBox = [object BoxObject]
    popupBox = [object BoxObject]
    this = [object XULElement]
1 AP_hidePopup() ["resource:///modules/AutocompletePopup.jsm":136]
    this = [object Object]
2 JSTF_clearCompletion() ["resource:///modules/HUDService.jsm":5476]
    this = [object Object]
3 JSTF_complete(type = 2) ["resource:///modules/HUDService.jsm":5410]
    accepted = undefined
    popup = [object Object]
    inputValue = "as"
    inputNode = [object XULElement]
    this = [object Object]
4 JSTF_inputEventHandler(aEvent = [object UIEvent]) ["resource:///modules/HUDService.jsm":5164]
    this = [object Object]

Comment 3 Jan Horak 2012-02-08 11:41:16 UTC
It's more related to the optimized build of Firefox with gcc 4.4.x:
https://bugzilla.mozilla.org/show_bug.cgi?id=723900

Comment 5 Martin Stransky 2012-02-24 06:41:41 UTC
Upstream bug - https://bugzilla.mozilla.org/show_bug.cgi?id=694594

Comment 6 RHEL Program Management 2012-02-24 06:49:36 UTC
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux maintenance release. Product Management has 
requested further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed 
products. This request is not yet committed for inclusion in an Update release.

Comment 7 Martin Stransky 2012-02-28 15:24:12 UTC
Some description: https://bugzilla.mozilla.org/show_bug.cgi?id=694594#c19

Comment 8 Martin Stransky 2012-02-28 15:26:21 UTC
Created attachment 566323 [details]
testcase

Comment 9 Jakub Jelinek 2012-02-29 10:49:40 UTC
Looks like a GCC 4.4 bug; I've filed http://gcc.gnu.org/PR52430 to track it.
As a quick workaround, you can compile that single TU (preferably for gcc 4.4 only) with -fno-ipa-cp, or you could tweak the callers of the growStorageBy method in the TU like:
 Vector<T,N,AP>::append(U t)
 {
     ReentrancyGuard g(*this); ((void) 0); ((void) 0); ((void) 0); ((void) 0);
-    if (mLength == mCapacity && !growStorageBy(1))
+    int incr = 1;
+#if defined (__GNUC__) && __GNUC__ == 4 && __GNUC_MINOR__ == 4
+    asm ("" : "+r" (incr));
+#endif
+    if (mLength == mCapacity && !growStorageBy(incr))
         return false;
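Review bot: the `asm ("" : "+r" (incr));` line reads as a no-op and needs a comment next to the `#if` saying it exists to keep the argument from being seen as constant 1 by gcc 4.4's IPA-CP (GCC PR52430), otherwise the next cleanup will delete the barrier and silently reintroduce the miscompile. The four `((void) 0);` statements on the `ReentrancyGuard` line look like preprocessor-expanded assertion macros, which suggests the hunk was taken from preprocessed output; it should be regenerated against the real source before being applied.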

(or add a dummy
#if defined (__GNUC__) && __GNUC__ == 4 && __GNUC_MINOR__ == 4
__attribute__((used)) static void
foo (Vector<whatever,whatever,whatever> *p, int incr)
{
  p->growStorageBy(incr);
}
#endif
) to make sure all the calls to growStorageBy aren't with argument constant 1 in the TU.
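
The following is an added example, not code from Mozilla's js/src Vector<T,N,AP> and not part of Jakub's comment. It shows the barrier idiom from the patch in a self-contained form: a hypothetical launderInt() routes the literal 1 through an empty asm statement with a "+r" constraint, so the optimizer has to treat the value as unknown and interprocedural constant propagation can no longer specialize growStorageBy() on the constant. The IntVector class and all function names are constructed for this example. It goes beyond the patch in one respect: the patch applies the barrier only when __GNUC__ == 4 and __GNUC_MINOR__ == 4, while here it is enabled on any GNU-compatible compiler so its effect is visible on current toolchains.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdlib>

// Hypothetical helper (not from the bug report). The empty asm with a "+r"
// constraint tells the compiler the register holding `v` may have been
// modified, so it cannot prove the value is still the constant it received.
// Jakub's patch guards this with a gcc 4.4 check; here it is on for any
// GNU-compatible compiler so the barrier is exercised on modern toolchains.
static inline int launderInt(int v) {
#if defined(__GNUC__)
    asm("" : "+r"(v));
#endif
    return v;
}

// Minimal growable int vector, constructed for this example.
class IntVector {
    int *mBegin;
    size_t mLength;
    size_t mCapacity;

    // Make room for at least `incr` more elements. noinline keeps this an
    // out-of-line call, the situation in which IPA constant propagation
    // decides what the callee gets to assume about `incr`.
#if defined(__GNUC__)
    __attribute__((noinline))
#endif
    bool growStorageBy(size_t incr) {
        size_t newCap = mCapacity ? mCapacity * 2 : 4;
        while (newCap < mLength + incr)
            newCap *= 2;
        int *p = static_cast<int *>(std::realloc(mBegin, newCap * sizeof(int)));
        if (!p)
            return false;
        mBegin = p;
        mCapacity = newCap;
        return true;
    }

public:
    IntVector() : mBegin(nullptr), mLength(0), mCapacity(0) {}
    ~IntVector() { std::free(mBegin); }
    IntVector(const IntVector &) = delete;
    IntVector &operator=(const IntVector &) = delete;

    size_t length() const { return mLength; }
    size_t capacity() const { return mCapacity; }
    int operator[](size_t i) const { return mBegin[i]; }

    // Same shape as the patched append(): the literal 1 is laundered before
    // it reaches growStorageBy(), so this call site no longer passes a
    // compile-time constant.
    bool append(int t) {
        int incr = launderInt(1);
        if (mLength == mCapacity && !growStorageBy(static_cast<size_t>(incr)))
            return false;
        mBegin[mLength++] = t;
        return true;
    }

    // A second caller whose increment is genuinely runtime-dependent.
    bool appendN(int t, size_t n) {
        if (mLength + n > mCapacity && !growStorageBy(n))
            return false;
        for (size_t i = 0; i < n; ++i)
            mBegin[mLength++] = t;
        return true;
    }
};

// Fill a vector with 0..n-1 through append() and report whether contents,
// length and capacity invariants hold afterwards.
bool fillAndCheck(size_t n) {
    IntVector v;
    for (size_t i = 0; i < n; ++i)
        if (!v.append(static_cast<int>(i)))
            return false;
    if (v.length() != n || v.capacity() < n)
        return false;
    for (size_t i = 0; i < n; ++i)
        if (v[i] != static_cast<int>(i))
            return false;
    return true;
}

// Capacity reached after n single appends starting from empty storage
// (growth is 4, 8, 16, ... in this toy implementation).
size_t capacityAfter(size_t n) {
    IntVector v;
    for (size_t i = 0; i < n; ++i)
        v.append(0);
    return v.capacity();
}

// Capacity reached after one appendN() of n elements into empty storage.
size_t capacityAfterAppendN(size_t n) {
    IntVector v;
    v.appendN(7, n);
    return v.capacity();
}

int main() {
    assert(fillAndCheck(1000));
    return 0;
}
```

The observable behaviour is the same with or without the barrier on a correct compiler; the point is what the optimizer is allowed to assume. The same empty-asm "+r" trick is the standard way to keep a value opaque to the compiler, and it is a far narrower hammer than -fno-ipa-cp on the whole translation unit.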

Comment 12 errata-xmlrpc 2012-03-14 07:40:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-0387.html