See bug 928353.
The Firefox crash was worked around by disabling optimizations in xulrunner, but there are other applications that are reported to be crashing: qupzilla, chromium, WebKit's and QtScript's JavaScriptCore JIT, kactivitymanagerd
That is nowhere close to a usable bugreport if you suspect a gcc problem. If building with -O0 works and with -O2 (or is it -O3?) doesn't, please try to narrow it down using a binary search to a single compilation unit, which when compiled with -O2 (or -O3?) makes the test (what is it?) fail, even when all other compilation units are -O0, and where it works if that CU is -O0 even if all other are -O2/-O3. You can just do two full builds, one -O0, one -O2, make a copy of both trees and then just mix and match *.o files, touch them and relink. Compile the problematic compilation unit with -fno-aggressive-loop-optimizations -fwrapv -fno-strict-aliasing -Wall -W in addition to normal optimization options, see if it doesn't fix the issue or doesn't show any warnings that might explain it. Attach the preprocessed source for that file here, including all the g++ options. Try to narrow it down to a single function (e.g. with __attribute__((optimize (0))), or from debugger try to see where things go wrong. This all should be done preferably by package maintainers who know the code well.
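The mix-and-match bisection asked for above, written out as an added example script; it is not part of the bug report or of any of the projects mentioned. It assumes two complete builds with identical object names, one at -O0 in O0_DIR and one at -O2 in O2_DIR, a scratch tree WORK_DIR that the placeholder LINK_CMD relinks, and a placeholder TEST_CMD that exits non-zero when the misbehaviour reproduces. All of those names are assumptions, as is the precondition that a single compilation unit is responsible (if two objects are needed together, each half can pass and the search degrades).

```shell
#!/bin/sh
# Bisect over compilation units: find the one *.o which, taken from the -O2
# build while everything else comes from the -O0 build, makes the test fail.
#
# Assumed environment (placeholders, not from the bug report):
#   O0_DIR   - complete build tree compiled with -O0
#   O2_DIR   - complete build tree compiled with -O2, same *.o names
#   WORK_DIR - scratch tree that gets relinked from the mixed object set
#   LINK_CMD - command that relinks the program from WORK_DIR's objects
#   TEST_CMD - command that exits non-zero when the miscompilation shows up

# Populate WORK_DIR: objects named in $1 come from O2_DIR, all others from
# O0_DIR. Every copy is touched so a make-driven relink sees it as new.
assemble_tree() {
  wanted_o2=" $1 "
  for src in "$O0_DIR"/*.o; do
    name=$(basename "$src")
    case "$wanted_o2" in
      *" $name "*) cp "$O2_DIR/$name" "$WORK_DIR/$name" ;;
      *)           cp "$src" "$WORK_DIR/$name" ;;
    esac
    touch "$WORK_DIR/$name"
  done
}

# Returns 0 when the mixed build reproduces the failure, 1 when it passes.
# A relink failure is a setup problem, not a bisection result, so stop.
mixed_build_fails() {
  assemble_tree "$1"
  $LINK_CMD || { echo "relink failed, aborting bisection" >&2; exit 2; }
  if $TEST_CMD; then return 1; else return 0; fi
}

# Print the first half (rounded down) of the space-separated list in $1.
first_half() {
  set -- $1
  n=$(( $# / 2 ))
  out=""
  while [ "$n" -gt 0 ]; do out="$out $1"; shift; n=$((n - 1)); done
  echo "$out"
}

# Print every item of list $1 that does not occur in list $2.
list_minus() {
  keep=""
  for x in $1; do
    case " $2 " in *" $x "*) ;; *) keep="$keep $x" ;; esac
  done
  echo "$keep"
}

# Binary search over the object set. Checks the all -O2 set first so a
# non-reproducing setup is reported instead of bisected, and confirms the
# final candidate on its own before printing it.
bisect_objects() {
  candidates=$(cd "$O0_DIR" && echo *.o)
  if ! mixed_build_fails "$candidates"; then
    echo "all -O2 objects pass: the failure is not in these objects" >&2
    return 1
  fi
  while [ "$(set -- $candidates; echo $#)" -gt 1 ]; do
    half=$(first_half "$candidates")
    if mixed_build_fails "$half"; then
      candidates=$half
    else
      candidates=$(list_minus "$candidates" "$half")
    fi
  done
  if ! mixed_build_fails "$candidates"; then
    echo "no single object reproduces the failure on its own" >&2
    return 1
  fi
  echo $candidates
}

# Usage, with the variables above exported by the caller:
#   culprit=$(bisect_objects)
```

Each round relinks once, so the search costs log2(number of objects) relinks instead of one per object; the culprit it prints is the compilation unit to rebuild with -fno-aggressive-loop-optimizations -fwrapv -fno-strict-aliasing -Wall -W and to attach as preprocessed source.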
The default KDE browser Konqueror doesn't seem to be affected, so I'm not proposing this as an Alpha blocker. Please propose as a Beta blocker if any of the required applications in Beta criteria [1] are affected by this bug. [1] http://fedoraproject.org/wiki/Fedora_19_Beta_Release_Criteria
AIUI, this works with -Os and crashes with -O3.
(At least that's what the Firefox patch changed. I'm not sure whether WebKit or QtScript compiles the offending files with -O2 or -O3. All offending pieces of code appear to be JITs, whether that's a property of the bug or just chance, I have no idea.)
Also, so far we have no evidence that Konqueror (with kwebkitpart) is NOT affected by the bug, but we also have no evidence that it IS affected (no concrete crash report). So I really don't know. That qupzilla, which also uses QtWebKit, is crashing makes me suspicious, but without a concrete crash report against Konqueror, I don't think I can claim this to be a blocker.
I didn't write that explicitly, but I tested Konqueror with the offending web pages and it rendered them correctly.
Any progress on bisecting this or even coming up with a self-contained testcase?
The problem lies in libmozjs.so. When this library is compiled with -Os, and everything else with -O3, firefox seems to run just fine; when libmozjs.so is compiled with -O3 and everything else with -Os, firefox crashes. I'm bisecting it more.
And more precisely, the jsinfer.o file seems to be miscompiled.
Created attachment 736832 [details]
.ii

Adding preprocessed file.

c++ -o jsinfer.o -c -I./../../dist/system_wrappers_js -include /builddir/build/BUILD/xulrunner-20.0/mozilla-release/js/src/config/gcc_hidden.h -DENABLE_TYPEDARRAY_MOVE -DENABLE_YARR_JIT=1 -DMOZ_GLUE_IN_PROGRAM -DNO_NSPR_10_SUPPORT -DEXPORT_JS_API -DJS_HAS_CTYPES -DDLL_PREFIX=\"lib\" -DDLL_SUFFIX=\".so\" -DUSE_ZLIB -Ictypes/libffi/include -I. -I/builddir/build/BUILD/xulrunner-20.0/mozilla-release/js/src/../../mfbt/double-conversion -I/builddir/build/BUILD/xulrunner-20.0/mozilla-release/js/src -I. -I./../../dist/include -I/usr/include/nspr4 -I/builddir/build/BUILD/xulrunner-20.0/mozilla-release/js/src -I/builddir/build/BUILD/xulrunner-20.0/mozilla-release/js/src/assembler -I/builddir/build/BUILD/xulrunner-20.0/mozilla-release/js/src/yarr -fPIC -pedantic -Wall -Wpointer-arith -Woverloaded-virtual -Werror=return-type -Wtype-limits -Wempty-body -Werror=conversion-null -Wno-ctor-dtor-privacy -Wno-overlength-strings -Wno-invalid-offsetof -Wno-variadic-macros -Wcast-align -Wno-long-long -O2 -g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i686 -mtune=atom -fasynchronous-unwind-tables -fpermissive -gdwarf-2 -fno-rtti -ffunction-sections -fdata-sections -fno-exceptions -pthread -pipe -DNDEBUG -DTRIMMED -g -O3 -freorder-blocks -fomit-frame-pointer -DUSE_SYSTEM_MALLOC=1 -DENABLE_ASSEMBLER=1 -DENABLE_JIT=1 -DMOZILLA_CLIENT -include ./js-confdefs.h -MD -MF .deps/jsinfer.o.pp /builddir/build/BUILD/xulrunner-20.0/mozilla-release/js/src/jsinfer.cpp
Ok, after several hours of work of both Marek and myself, we've identified the problem. The file started to be miscompiled with http://gcc.gnu.org/r195751 , but with additional --param max-early-inliner-iterations=1 (the new default for r195751+) it started failing already with http://gcc.gnu.org/r192719 aka LRA merge. The problematic function is _ZN2js5types15TypeCompartment19addPendingRecompileEP9JSContextRKNS0_13RecompileInfoE. The problem is while reloading:

(insn 534 84 535 11 (parallel [ (set (reg/f:SI 105 [ iftmp.363 ]) (plus:SI (reg/f:SI 100 [ D.180234 ]) (const_int 12 [0xc]))) (clobber (reg:CC 17 flags)) ]) /builddir/build/BUILD/xulrunner-20.0/mozilla-release/js/src/jsscript.h:703 273 {*addsi_1} (expr_list:REG_UNUSED (reg:CC 17 flags) (nil)))
(insn 535 534 536 11 (parallel [ (set (reg:SI 224) (plus:SI (reg/f:SI 100 [ D.180234 ]) (const_int 8 [0x8]))) (clobber (reg:CC 17 flags)) ]) /builddir/build/BUILD/xulrunner-20.0/mozilla-release/js/src/jsscript.h:703 273 {*addsi_1} (expr_list:REG_DEAD (reg/f:SI 100 [ D.180234 ]) (expr_list:REG_UNUSED (reg:CC 17 flags) (nil))))
(insn 536 535 537 11 (set (reg:CCZ 17 flags) (compare:CCZ (reg:QI 98 [ D.180221 ]) (const_int 0 [0]))) /builddir/build/BUILD/xulrunner-20.0/mozilla-release/js/src/jsscript.h:703 1 {*cmpqi_ccno_1} (expr_list:REG_DEAD (reg:QI 98 [ D.180221 ]) (nil)))
(insn 537 536 562 11 (set (reg/f:SI 105 [ iftmp.363 ]) (if_then_else:SI (eq (reg:CCZ 17 flags) (const_int 0 [0])) (reg:SI 224) (reg/f:SI 105 [ iftmp.363 ]))) /builddir/build/BUILD/xulrunner-20.0/mozilla-release/js/src/jsscript.h:703 942 {*movsicc_noc} (expr_list:REG_DEAD (reg:SI 224) (expr_list:REG_DEAD (reg:CCZ 17 flags) (nil))))

into:

(insn 534 637 698 11 (parallel [ (set (reg/f:SI 0 ax [orig:100 D.180234 ] [100]) (plus:SI (reg/f:SI 0 ax [orig:100 D.180234 ] [100]) (const_int 12 [0xc]))) (clobber (reg:CC 17 flags)) ]) /builddir/build/BUILD/xulrunner-20.0/mozilla-release/js/src/jsscript.h:703 273 {*addsi_1} (expr_list:REG_DEAD (reg/f:SI 0 ax [orig:100 D.180234 ] [100]) (nil)))
(insn 698 534 702 11 (set (mem/c:SI (plus:SI (reg/f:SI 7 sp) (const_int 32 [0x20])) [364 %sfp+0 S4 A32]) (reg/f:SI 0 ax [orig:100 D.180234 ] [100])) /builddir/build/BUILD/xulrunner-20.0/mozilla-release/js/src/jsscript.h:703 89 {*movsi_internal} (expr_list:REG_DEAD (reg/f:SI 0 ax [orig:100 D.180234 ] [100]) (nil)))
(note 702 698 639 11 NOTE_INSN_DELETED)
(insn 639 702 535 11 (set (reg/f:SI 0 ax [orig:100 D.180234 ] [100]) (mem/c:SI (plus:SI (reg/f:SI 7 sp) (const_int 32 [0x20])) [364 %sfp+0 S4 A32])) /builddir/build/BUILD/xulrunner-20.0/mozilla-release/js/src/jsscript.h:703 89 {*movsi_internal} (nil))
(insn 535 639 638 11 (parallel [ (set (reg:SI 0 ax [224]) (plus:SI (reg/f:SI 0 ax [orig:100 D.180234 ] [100]) (const_int 8 [0x8]))) (clobber (reg:CC 17 flags)) ]) /builddir/build/BUILD/xulrunner-20.0/mozilla-release/js/src/jsscript.h:703 273 {*addsi_1} (expr_list:REG_DEAD (reg/f:SI 0 ax [orig:100 D.180234 ] [100]) (nil)))
(insn 638 535 671 11 (set (reg:SI 0 ax [224]) (reg:SI 0 ax [224])) /builddir/build/BUILD/xulrunner-20.0/mozilla-release/js/src/jsscript.h:703 89 {*movsi_internal} (expr_list:REG_DEAD (reg:SI 0 ax [224]) (nil)))
(note 671 638 674 11 NOTE_INSN_DELETED)
(note 674 671 536 11 NOTE_INSN_DELETED)
(insn 536 674 696 11 (set (reg:CCZ 17 flags) (compare:CCZ (reg:QI 2 cx [orig:98 D.180221 ] [98]) (const_int 0 [0]))) /builddir/build/BUILD/xulrunner-20.0/mozilla-release/js/src/jsscript.h:703 1 {*cmpqi_ccno_1} (expr_list:REG_DEAD (reg:QI 2 cx [orig:98 D.180221 ] [98]) (nil)))
(insn 696 536 537 11 (set (reg/f:SI 0 ax [orig:100 D.180234 ] [100]) (reg:SI 0 ax [224])) /builddir/build/BUILD/xulrunner-20.0/mozilla-release/js/src/jsscript.h:703 89 {*movsi_internal} (expr_list:REG_DEAD (reg:SI 0 ax [224]) (nil)))
(insn 537 696 697 11 (set (reg/f:SI 0 ax [orig:100 D.180234 ] [100]) (if_then_else:SI (eq (reg:CCZ 17 flags) (const_int 0 [0])) (reg/f:SI 0 ax [orig:100 D.180234 ] [100]) (mem/c:SI (plus:SI (reg/f:SI 7 sp) (const_int 32 [0x20])) [364 %sfp+0 S4 A32]))) /builddir/build/BUILD/xulrunner-20.0/mozilla-release/js/src/jsscript.h:703 942 {*movsicc_noc} (expr_list:REG_DEAD (reg/f:SI 100 [ D.180234 ]) (nil)))
(insn 697 537 676 11 (set (mem/c:SI (plus:SI (reg/f:SI 7 sp) (const_int 32 [0x20])) [364 %sfp+0 S4 A32]) (reg/f:SI 0 ax [orig:100 D.180234 ] [100])) /builddir/build/BUILD/xulrunner-20.0/mozilla-release/js/src/jsscript.h:703 89 {*movsi_internal} (expr_list:REG_DEAD (reg/f:SI 0 ax [orig:100 D.180234 ] [100]) (nil)))

Instead of the original something + (somethingelse ? 12 : 8) the LRA generated code actually performs something + (somethingelse ? 12 : 20). Trying to delta reduce this now.
Tracking this now upstream. http://gcc.gnu.org/PR56999.
Please try gcc-4.8.0-3.fc19.
(In reply to comment #14)
> Please try gcc-4.8.0-3.fc19.

Has anyone maintaining the affected packages tried to rebuild their broken package using this newer version of gcc yet?
Testing builds will be much easier if gcc-4.8.0-3 is built for Rawhide; right now it is only in f19-updates-candidate.
That is not possible unfortunately, because last time I've tried something on the ecj? side broke in f20 buildroots, so gcc doesn't bootstrap somewhere in java.
seamonkey-2.17.1-1.fc19.i686 also crashes.
qupzilla-1.4.1-1.fc19.i686 rebuilt with gcc-4.8.0-3.fc19 still crashes. (no problems in F18)
seamonkey-2.17.1-1.fc18.i686 from F18 repo works without crashes in F19 but qupzilla-1.4.1-1.fc18.i686 which works fine in F18 crashes in F19.
So it looks like the qupzilla issue is different. It might not even be in QtWebKit, considering that nobody was able to reproduce the crashes with Konqueror+kwebkitpart. Seamonkey is using its own bundled copy of xulrunner, so it's no surprise it's hit by the same GCC bug as xulrunner. What about the other stuff? kactivitymanagerd (where at this point I also doubt the crash has anything to do with JavaScriptCore or other stuff would crash in it too)? Chromium? I think we have been imagining a bogus correlation between many different unrelated bugs.
There was a chromium build that fixes the crash in F19: http://koji.rfremix.ru/koji/buildinfo?buildID=2497 At least on Beta TC3 kactivitymanagerd doesn't crash, but there the kernel has debugging options disabled.
In chromium a harfbuzz-related bug in webkit was fixed, https://bugs.webkit.org/show_bug.cgi?id=110145 , so maybe the system harfbuzz has a problem?
Also, skype crashes in F19. I know that we can't fix skype, but maybe its crash is related to the other crashes because of a bug in glib2. See https://bugzilla.gnome.org/show_bug.cgi?id=698716#c19 https://bugzilla.gnome.org/show_bug.cgi?id=687763 https://bugs.archlinux.org/task/34630 https://bugs.launchpad.net/ubuntu/+source/qtwebkit-source/+bug/1131636 Skype crashes for me with glib2-2.37.0-1.fc20 in a Rawhide VM with xorg-x11-drv-vmware, so this crash is not nvidia-related; downgrading to glib2-2.36.1-2.fc19 fixes the crash.
See glib2 bug 961144
This message is a notice that Fedora 19 is now at end of life. Fedora has stopped maintaining and issuing updates for Fedora 19. It is Fedora's policy to close all bug reports from releases that are no longer maintained. Approximately 4 (four) weeks from now this bug will be closed as EOL if it remains open with a Fedora 'version' of '19'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 19 reached end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version before this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 19 changed to end-of-life (EOL) status on 2015-01-06. Fedora 19 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.