Last Comment Bug 587268 - "Assertion failure: !p" with duplicate form elements [@ Enumerate<KeyEnumeration>]
: "Assertion failure: !p" with duplicate form elements [@ Enumerate<KeyEnumerat...
Status: RESOLVED FIXED
fixed-in-tracemonkey
: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: All All
: -- critical (vote)
: mozilla7
Assigned To: Jeff Walden [:Waldo] (remove +bmo to email)
:
Mentors:
: 581776 (view as bug list)
Depends on:
Blocks: 326633 581776
  Show dependency treegraph
 
Reported: 2010-08-13 20:14 PDT by Jesse Ruderman
Modified: 2011-06-27 11:36 PDT (History)
6 users (show)
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
?


Attachments
testcase (triggers fatal assertion when loaded) (231 bytes, text/html)
2010-08-13 20:14 PDT, Jesse Ruderman
no flags Details
stack trace (10.30 KB, text/plain)
2010-08-13 20:16 PDT, Jesse Ruderman
no flags Details
Patch (1.46 KB, patch)
2011-06-21 12:58 PDT, Jeff Walden [:Waldo] (remove +bmo to email)
dmandelin: review+
Details | Diff | Review

Description Jesse Ruderman 2010-08-13 20:14:13 PDT
Created attachment 465942 [details]
testcase (triggers fatal assertion when loaded)

This fuzzer-found bug might turn out to be the same as website-found bug 581776.
Comment 1 Jesse Ruderman 2010-08-13 20:16:46 PDT
Created attachment 465943 [details]
stack trace
Comment 2 Jeff Walden [:Waldo] (remove +bmo to email) 2010-08-13 22:23:31 PDT
This is basically the objectops version of bug 580200's proxy-returns-same-property-twice bug: the document.forms object's enumerator returns the same name twice, and assertion hilarity ensues.  Perhaps we should update the assertion to exclude these objects as well...
Comment 3 Jesse Ruderman 2010-11-19 15:42:32 PST
Still happens on trunk.  Seems harmless in opt.
Comment 4 Bob Clary [:bc:] 2010-12-28 22:59:11 PST
*** Bug 581776 has been marked as a duplicate of this bug. ***
Comment 5 Bob Clary [:bc:] 2010-12-30 03:03:36 PST
Note this can happen with checkbox input elements with the same name and could be quite common though so far I've only seen it on home.eease.com, home.eease.adp.com and tagged.com. While it might not affect the user, it can hide other issues from the crash automation.
Comment 6 Andreas Gal :gal 2010-12-30 03:13:52 PST
Whats the right behavior here? Should we enumerate twice? I guess host-objects are allowed to do that, but this invalidates all the effort we put into proxies to make keys unique.
Comment 7 Jeff Walden [:Waldo] (remove +bmo to email) 2010-12-30 12:24:31 PST
I'd think double-enumeration is a bug that should be fixed.  What purpose does it serve?

What do other browsers do?
Comment 8 Bob Clary [:bc:] 2011-06-16 14:19:44 PDT
changing the var e in f loop body to

for (var e in f) { output.innerHTML += '<div>' + e + '</div>';}

g appears once in Nightly and does not appear at all in Chrome, Safari, or Opera.

This is still pretty common in crash testing. Can we just remove the assertion if we can't figure out if it is a problem?
Comment 9 Jeff Walden [:Waldo] (remove +bmo to email) 2011-06-21 12:58:56 PDT
Created attachment 540846 [details] [diff] [review]
Patch
Comment 10 Jeff Walden [:Waldo] (remove +bmo to email) 2011-06-23 14:44:47 PDT
http://hg.mozilla.org/tracemonkey/rev/11d5e81d190f
Comment 11 Chris Leary [:cdleary] (not checking bugmail) 2011-06-27 11:36:54 PDT
cdleary-bot mozilla-central merge info:
http://hg.mozilla.org/mozilla-central/rev/11d5e81d190f

Note You need to log in before you can comment on or make changes to this bug.