Closed Bug 587268 Opened 15 years ago Closed 14 years ago

"Assertion failure: !p" with duplicate form elements [@ Enumerate<KeyEnumeration>]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla7
Tracking Flags:
Tracking Status
status2.0 --- ?

People

(Reporter: jruderman, Assigned: Waldo)

References

Details

(Keywords: assertion, testcase, Whiteboard: fixed-in-tracemonkey)

Attachments

(3 files)

testcase (triggers fatal assertion when loaded)
231 bytes, text/html
Details
stack trace
10.30 KB, text/plain
Details
Patch
1.46 KB, patch
dmandelin
: review+
Details | Diff | Splinter Review
This fuzzer-found bug might turn out to be the same as website-found bug 581776.
Attached file stack trace
This is basically the objectops version of bug 580200's proxy-returns-same-property-twice bug: the document.forms object's enumerator returns the same name twice, and assertion hilarity ensues. Perhaps we should update the assertion to exclude these objects as well...
OS: Mac OS X → Windows 7
OS: Windows 7 → All
Hardware: x86 → All
Still happens on trunk. Seems harmless in opt.
Note this can happen with checkbox input elements with the same name and could be quite common though so far I've only seen it on home.eease.com, home.eease.adp.com and tagged.com. While it might not affect the user, it can hide other issues from the crash automation.
status2.0: --- → ?
Whats the right behavior here? Should we enumerate twice? I guess host-objects are allowed to do that, but this invalidates all the effort we put into proxies to make keys unique.
I'd think double-enumeration is a bug that should be fixed. What purpose does it serve? What do other browsers do?
changing the var e in f loop body to for (var e in f) { output.innerHTML += '<div>' + e + '</div>';} g appears once in Nightly and does not appear at all in Chrome, Safari, or Opera. This is still pretty common in crash testing. Can we just remove the assertion if we can't figure out if it is a problem?
Assignee: general → jwalden+bmo
Status: NEW → ASSIGNED
Attached patch PatchSplinter Review
Attachment #540846 - Flags: review?(dmandelin)
Attachment #540846 - Flags: review?(dmandelin) → review+
http://hg.mozilla.org/tracemonkey/rev/11d5e81d190f
Whiteboard: fixed-in-tracemonkey
Target Milestone: --- → mozilla7
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: