Closed
Bug 293307
Opened 20 years ago
Closed 20 years ago
violation of c++ aliasing rules in imgCacheValidator::OnStartRequest() causing crash if compiled with gcc 4.0
Categories
(Core :: Graphics: ImageLib, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: belyshev, Assigned: timeless)
Details
Attachments
(1 file, 2 obsolete files)
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; ru-RU; rv:1.7.7) Gecko/20050507 Firefox/1.0.3 (Debian package 1.0.3-2-gcc40)
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; ru-RU; rv:1.7.7) Gecko/20050507 Firefox/1.0.3 (Debian package 1.0.3-2-gcc40)
If mozilla is compiled with gcc version 4.0.0 or above, it crashes in
imgRequest::NotifyProxyListener() every time the reload button is hit.
The problem is in the function imgCacheValidator::OnStartRequest() at
modules/libpr0n/src/imgLoader.cpp. Here is part of the relevant code:
NS_IMETHODIMP imgCacheValidator::OnStartRequest(nsIRequest *aRequest,
                                                nsISupports *ctxt)
{
  ...
  for (PRInt32 i = count-1; i>=0; i--) {
    imgRequestProxy *proxy;
    mProxies.GetElementAt(i, (nsISupports**)&proxy);
    mRequest->NotifyProxyListener(proxy);
    NS_RELEASE(proxy);
  }
  ...
This problem is essentially the same as the one described in
https://bugzilla.mozilla.org/show_bug.cgi?id=212082#c7
(and note: this was previously reported as a gcc problem,
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=21450, but was rejected as invalid).
Reproducible: Always
Steps to Reproduce:
(these steps apply to amd64-linux platform).
1. get current snapshot of gcc 4.0
ftp://gcc.gnu.org/pub/gcc/snapshots/4.0-20050507/ , build it.
2. build mozilla with it
3. go to www.google.com and hit 'reload'
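An added example (not code from this bug, its patches, or Mozilla) that models the cast described in the report with constructed stand-in types Supports, Proxy and SupportsArray: the punned out-parameter beside one aliasing-safe way to call the same getter. The patch attached to this bug takes a different route ("use nsCOMArray"); the sketch below only illustrates the aliasing rule itself.

```cpp
#include <cstddef>
#include <vector>

// Constructed, simplified stand-ins for nsISupports and imgRequestProxy.
struct Supports {
    int refs = 1;
    virtual ~Supports() = default;
    void AddRef() { ++refs; }
    void Release() { --refs; }  // toy: never deletes, so refs stays inspectable
};
struct Proxy : Supports { int notified = 0; };

// Getter shaped like the one in the report: the out-parameter is Supports**
// and the returned pointer carries a reference the caller must release.
struct SupportsArray {
    std::vector<Supports*> items;
    void GetElementAt(std::size_t i, Supports** out) const {
        *out = items[i];
        (*out)->AddRef();
    }
};

// Pattern from the report, kept for comparison and never called here.
// The getter stores through a Supports* lvalue into an object declared as
// Proxy*; that is undefined behaviour, and type-based alias analysis lets
// the compiler assume the store did not modify `proxy`.
inline void NotifyAllPunned(const SupportsArray& a) {
    for (std::size_t i = a.items.size(); i-- > 0;) {
        Proxy* proxy = nullptr;
        a.GetElementAt(i, (Supports**)&proxy);  // aliasing violation
        proxy->notified++;
        proxy->Release();
    }
}

// Aliasing-safe form: receive into a variable of the getter's own pointer
// type, then convert the value (not the address) to the derived type.
inline int NotifyAllSafe(const SupportsArray& a) {
    int notified = 0;
    for (std::size_t i = a.items.size(); i-- > 0;) {
        Supports* raw = nullptr;
        a.GetElementAt(i, &raw);
        Proxy* proxy = static_cast<Proxy*>(raw);  // valid: items hold Proxy objects
        proxy->notified++;
        raw->Release();  // balances the AddRef done by the getter
        ++notified;
    }
    return notified;
}
```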
Assignee: darin → pavlov
Component: Networking: Cache → ImageLib
QA Contact: networking.cache
Assignee: pavlov → timeless
Status: UNCONFIRMED → ASSIGNED
Attachment #184548 -
Flags: superreview?(alecf)
Attachment #184548 -
Flags: review?(pavlov)
Updated•20 years ago
Attachment #184548 -
Flags: review?(pavlov) → review+
Comment 2•20 years ago
Comment on attachment 184548 [details] [diff] [review]
use nsCOMArray
sr=dveditz
Attachment #184548 -
Flags: superreview?(alecf) → superreview+
Attachment #184548 -
Flags: approval1.8b3?
Comment 3•20 years ago (Reporter)
Something is wrong with this patch; here is the backtrace of the segfault when hitting
the 'reload' button. (mozilla was compiled with gcc 3.4.4 -O0 --enable-debug).
Attachment #184548 -
Attachment is obsolete: true
Attachment #184548 -
Flags: approval1.8b3?
Attachment #185003 -
Flags: superreview?(roc)
Updated•20 years ago
Attachment #185003 -
Flags: superreview?(roc) → superreview+
Attachment #185003 -
Flags: approval1.8b3?
Comment 5•20 years ago
Comment on attachment 185003 [details] [diff] [review]
supportsarray addrefed on get, comarray doesn't, so the code shouldn't release a reference it doesn't own - oops
a=shaver
Attachment #185003 -
Flags: approval1.8b3? → approval1.8b3+
Comment on attachment 185003 [details] [diff] [review]
supportsarray addrefed on get, comarray doesn't, so the code shouldn't release a reference it doesn't own - oops
mozilla/modules/libpr0n/src/imgLoader.cpp 1.88
mozilla/modules/libpr0n/src/imgLoader.h 1.13
Attachment #185003 -
Attachment is obsolete: true
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
I think the bug is a little bit more general.
Firefox crashes not only when hitting the F5 button (and not with CONTROL F5).
It also crashes on some particular pages and with the "GO BACK" button:
1. Go to www.nytimes.com
2. Click on the Technology link (left menu)
3. Go back with the top-menu arrow
At least in Ubuntu Breezy 64-bit
Comment 8•20 years ago (Reporter)
(In reply to comment #7)
> I think the bug is a little bit more general.
[snip]
> At least in Ubuntu Breezy 64-bit
IIUC, this particular bug is not yet fixed in the latest breezy firefox package
(1.0.6-1ubuntu3). Also, two evil aliasing bugs were recently found in gcc-4.0
( http://gcc.gnu.org/bugzilla/show_bug.cgi?id=22591 and
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=23192 ) and I think it is worth
waiting until fixes for those bugs have propagated to debian & ubuntu's gcc packages
(which has not happened yet) before trying to use mozilla compiled with gcc-4.0.