Bug 784048 - Typing into Web Console in Firefox causes crashing - gcc 4.4.3
Typing into Web Console in Firefox causes crashing - gcc 4.4.3
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: firefox (Show other bugs)
6.3
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Martin Stransky
Desktop QE
:
Depends On:
Blocks: 670971 799491
  Show dependency treegraph
 
Reported: 2012-01-23 11:30 EST by Matthew Mosesohn
Modified: 2013-01-10 08:07 EST (History)
8 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 799491 (view as bug list)
Environment:
Last Closed: 2012-03-14 03:40:38 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
testcase (1.15 MB, application/x-gzip)
2012-02-28 10:26 EST, Martin Stransky
no flags Details


External Trackers
Tracker ID Priority Status Summary Last Updated
Mozilla Foundation 694594 None None None Never

  None (edit)
Description Matthew Mosesohn 2012-01-23 11:30:54 EST
Description of problem:
In testing Firefox 10 beta 3, I was trying to hack up some website for testing something with Javascript.  I discovered that all javascript commands need to be run from the Web console.  Upon trying to input to the console, I've realized that inputting about 4 characters or so will cause it to crash every time on my system.  This occurs both on an existing Firefox profile and a new one (even in safe mode with all plugins disabled)

Version-Release number of selected component (if applicable):
firefox-10.0-0.1.b3.el6.x86_64
xulrunner-10.0-0.1.b3.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Launch Firefox
2. Tools -> Web Developer -> Web Consle
3. Type any characters into the toolbar
  
Actual results:
The application hangs for a few seconds then crashes

Expected results:
Text should be input into the web console

Additional info:
I tried disabling iBus and running in safe mode with a new profile. None of this seems to fix the issue.

The only workaround is to copy and paste the entire command into the Web Console, rather than typing.
Comment 2 Matthew Mosesohn 2012-01-23 14:27:55 EST
I found upstream bug: https://bugzilla.mozilla.org/show_bug.cgi?id=645886

This issue looks identical.  Comment 5 recommends running "call DumpJSStack()" while the program is crashed.  I have, and here is the output:

(gdb) call DumpJSStack()
0 hidePopup() ["chrome://global/content/bindings/popup.xml":108]
    menuBox = [object BoxObject]
    popupBox = [object BoxObject]
    this = [object XULElement]
1 AP_hidePopup() ["resource:///modules/AutocompletePopup.jsm":136]
    this = [object Object]
2 JSTF_clearCompletion() ["resource:///modules/HUDService.jsm":5476]
    this = [object Object]
3 JSTF_complete(type = 2) ["resource:///modules/HUDService.jsm":5410]
    accepted = undefined
    popup = [object Object]
    inputValue = "as"
    inputNode = [object XULElement]
    this = [object Object]
4 JSTF_inputEventHandler(aEvent = [object UIEvent]) ["resource:///modules/HUDService.jsm":5164]
    this = [object Object]
Comment 3 Jan Horak 2012-02-08 06:41:16 EST
It's more related to optimized build of Firefox with gcc 4.4.x:
https://bugzilla.mozilla.org/show_bug.cgi?id=723900
Comment 5 Martin Stransky 2012-02-24 01:41:41 EST
Upstream bug - https://bugzilla.mozilla.org/show_bug.cgi?id=694594
Comment 6 RHEL Product and Program Management 2012-02-24 01:49:36 EST
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux maintenance release. Product Management has 
requested further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed 
products. This request is not yet committed for inclusion in an Update release.
Comment 7 Martin Stransky 2012-02-28 10:24:12 EST
Some description: https://bugzilla.mozilla.org/show_bug.cgi?id=694594#c19
Comment 8 Martin Stransky 2012-02-28 10:26:21 EST
Created attachment 566323 [details]
testcase
Comment 9 Jakub Jelinek 2012-02-29 05:49:40 EST
Looks like a GCC 4.4 bug, I've filed http://gcc.gnu.org/PR52430 to track it.
As a quick workaround, you can compile that single TU (preferably for gcc 4.4 only) with -fno-ipa-cp, or you could tweak the callers of the growStorageBy method in the TU like:
 Vector<T,N,AP>::append(U t)
 {
     ReentrancyGuard g(*this); ((void) 0); ((void) 0); ((void) 0); ((void) 0);
-    if (mLength == mCapacity && !growStorageBy(1))
+    int incr = 1;
+#if defined (__GNUC__) && __GNUC__ == 4 && __GNUC_MINOR__ == 4
+    asm ("" : "+r" (incr));
+#endif
+    if (mLength == mCapacity && !growStorageBy(incr))
         return false;

(or add a dummy
#if defined (__GNUC__) && __GNUC__ == 4 && __GNUC_MINOR__ == 4
__attribute__((used)) static void
foo (Vector<whatever,whatever,whatever> *p, int incr)
{
  p->growStorageBy(incr);
}
#endif
) to make sure all the calls to growStorageBy aren't with argument constant 1 in the TU.
Comment 12 errata-xmlrpc 2012-03-14 03:40:38 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-0387.html

Note You need to log in before you can comment on or make changes to this bug.