Note: There are a few cases of duplicates in user autocompletion which are being worked on.

"Assertion failure: !p" with duplicate form elements [@ Enumerate<KeyEnumeration>]

RESOLVED FIXED in mozilla7

Status

()

Core
JavaScript Engine
--
critical
RESOLVED FIXED
7 years ago
6 years ago

People

(Reporter: Jesse Ruderman, Assigned: Waldo)

Tracking

(Blocks: 1 bug, {assertion, testcase})

Trunk
mozilla7
assertion, testcase
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(status2.0 ?)

Details

(Whiteboard: fixed-in-tracemonkey)

Attachments

(3 attachments)

(Reporter)

Description

7 years ago
Created attachment 465942 [details]
testcase (triggers fatal assertion when loaded)

This fuzzer-found bug might turn out to be the same as website-found bug 581776.
(Reporter)

Comment 1

7 years ago
Created attachment 465943 [details]
stack trace
This is basically the objectops version of bug 580200's proxy-returns-same-property-twice bug: the document.forms object's enumerator returns the same name twice, and assertion hilarity ensues.  Perhaps we should update the assertion to exclude these objects as well...
OS: Mac OS X → Windows 7
(Reporter)

Updated

7 years ago
OS: Windows 7 → All
Hardware: x86 → All
(Reporter)

Comment 3

7 years ago
Still happens on trunk.  Seems harmless in opt.

Updated

7 years ago
Duplicate of this bug: 581776

Comment 5

7 years ago
Note this can happen with checkbox input elements with the same name and could be quite common though so far I've only seen it on home.eease.com, home.eease.adp.com and tagged.com. While it might not affect the user, it can hide other issues from the crash automation.
status2.0: --- → ?

Comment 6

7 years ago
Whats the right behavior here? Should we enumerate twice? I guess host-objects are allowed to do that, but this invalidates all the effort we put into proxies to make keys unique.
I'd think double-enumeration is a bug that should be fixed.  What purpose does it serve?

What do other browsers do?

Comment 8

6 years ago
changing the var e in f loop body to

for (var e in f) { output.innerHTML += '<div>' + e + '</div>';}

g appears once in Nightly and does not appear at all in Chrome, Safari, or Opera.

This is still pretty common in crash testing. Can we just remove the assertion if we can't figure out if it is a problem?
Assignee: general → jwalden+bmo
Status: NEW → ASSIGNED
Created attachment 540846 [details] [diff] [review]
Patch
Attachment #540846 - Flags: review?(dmandelin)
Attachment #540846 - Flags: review?(dmandelin) → review+
http://hg.mozilla.org/tracemonkey/rev/11d5e81d190f
Whiteboard: fixed-in-tracemonkey
Target Milestone: --- → mozilla7
cdleary-bot mozilla-central merge info:
http://hg.mozilla.org/mozilla-central/rev/11d5e81d190f
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.