
Assertion Failure `result != ExecutionStatus::EXCEPTION && *result && "JSArrayImpl::setElementAt() failing"' .

Open JimWongM opened this issue 9 months ago • 2 comments

Bug Description

Hello, I found a crash in hermes.

Hermes git revision (if applicable): 01d96f4198789446b0e14226ec646b38f0ec3fd0 in branch static_h
OS: Linux
Platform: x86_64

Steps To Reproduce

1. Compile hermes in Debug mode
2. Run: ./hermes test.js

code example:

var arr = [];
for (var i = 0; i < 100000; i++) {
  arr[i] = [];
}
// The comparator grows arr.length on every comparison, so arr ends up sparse.
// Both the receiver and the first argument of concat are that same mutated
// array, and map then has to allocate and fill the full (sparse) result length.
arr.concat(arr, arr.sort(function () {++arr.length;})).map(function () {});

Result:

hermes: /home/wjm/hermes_static/include/hermes/VM/JSArray.h:59: static void hermes::vm::ArrayImpl::setElementAt(Handle<hermes::vm::ArrayImpl>, hermes::vm::Runtime &, hermes::vm::ArrayImpl::size_type, Handle<>): Assertion `result != ExecutionStatus::EXCEPTION && *result && "JSArrayImpl::setElementAt() failing"' failed.
Signal: SIGABRT (signal SIGABRT)

Stack:

__pthread_kill_implementation 0x00007f841a4ef884
raise 0x00007f841a49eafe
abort 0x00007f841a48787f
__assert_fail_base.cold 0x00007f841a48779b
__assert_fail 0x00007f841a497187
hermes::vm::ArrayImpl::setElementAt(hermes::vm::Handle<…>, hermes::vm::Runtime &, unsigned int, hermes::vm::Handle<…>) JSArray.h:57
hermes::vm::arrayPrototypeMap(void *, hermes::vm::Runtime &, hermes::vm::NativeArgs) Array.cpp:3698
hermes::vm::NativeFunction::_nativeCall(hermes::vm::NativeFunction *, hermes::vm::Runtime &) Callable.h:745
hermes::vm::Interpreter::handleCallSlowPath(hermes::vm::Runtime &, hermes::vm::PinnedHermesValue *) Interpreter.cpp:245
hermes::vm::Interpreter::interpretFunction<…>(hermes::vm::Runtime &, hermes::vm::InterpreterState &) Interpreter.cpp:1501
hermes::vm::Runtime::interpretFunctionImpl(hermes::vm::CodeBlock *) Interpreter.cpp:633
hermes::vm::Runtime::interpretFunction(hermes::vm::CodeBlock *) Interpreter.cpp:641
hermes::vm::Runtime::runBytecode(std::shared_ptr<…> &&, hermes::vm::RuntimeModuleFlags, llvh::StringRef, hermes::vm::Handle<…>, hermes::vm::Handle<…>, hermes::vm::Handle<…>) Runtime.cpp:1178
hermes::vm::Runtime::runBytecode(std::shared_ptr<…> &&, hermes::vm::RuntimeModuleFlags, llvh::StringRef, hermes::vm::Handle<…>) Runtime.h:297
hermes::executeHBCBytecodeImpl(std::shared_ptr<…> &&, const hermes::ExecuteOptions &, const std::string *) ConsoleHost.cpp:473
$_3::operator()() const ConsoleHost.cpp:587
hermes::maybeCatchException<…>(const $_3 &) ConsoleHost.cpp:384
hermes::executeHBCBytecode(std::shared_ptr<…> &&, const hermes::ExecuteOptions &, const std::string *) ConsoleHost.cpp:586
executeHBCBytecodeFromCL(std::unique_ptr<…>, const hermes::driver::BytecodeBufferInfo &) hermes.cpp:132
main hermes.cpp:205
__libc_start_call_main 0x00007f841a488b8a
__libc_start_main@@GLIBC_2.34 0x00007f841a488c4b
_start 0x000000000040f515

Assertion Failure in JSArray.h:

  static void setElementAt(
      Handle<ArrayImpl> selfHandle,
      Runtime &runtime,
      size_type index,
      Handle<> value) {
    auto result = _setOwnIndexedImpl(selfHandle, runtime, index, value);
    (void)result;
    assert(
        result != ExecutionStatus::EXCEPTION && *result &&
        "JSArrayImpl::setElementAt() failing");
  }

The Expected Behavior

Hermes should not crash.

JimWongM, Mar 06 '25 11:03

Related to https://github.com/facebook/hermes/issues/1070

tmikov, Mar 06 '25 19:03

This is caused by allocating too many properties for a sparse array. We have a fix in progress.

tmikov, Mar 06 '25 20:03
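To make the "too many properties for a sparse array" mechanism visible at a small size, here is an added JavaScript illustration that is not code from the issue or from the Hermes project; the function name and the parameter `n` are constructed for this example (the report used 100000), and it runs under any engine without crashing.

```javascript
// Added illustration (not from the Hermes project): replays the shape of the
// reported input at a small size and reports what each step does to the array.
// `n` is a constructed parameter; the original report used n = 100000.
function traceSparseConcatMap(n) {
  const arr = [];
  for (let i = 0; i < n; i++) arr[i] = [];

  let comparisons = 0;
  // Same comparator as the report: every comparison grows `length` by one and
  // returns undefined (treated as 0), so no element moves, but the array gains
  // one trailing hole per comparison and becomes sparse.
  const combined = arr.concat(arr, arr.sort(function () {
    comparisons++;
    ++arr.length;
  }));
  // The receiver and the first argument are the very object sort mutated, so
  // concat sees three copies of the now-sparse array and preserves its holes.
  const mapped = combined.map(function () { return 0; });

  return {
    comparisons,
    finalLength: arr.length,                 // n + comparisons
    ownElements: Object.keys(arr).length,    // still n: all growth is holes
    concatLength: combined.length,           // 3 * finalLength
    mappedLength: mapped.length,             // map allocates the full sparse length
    mappedOwn: Object.keys(mapped).length,   // but only 3 * n slots are ever written
  };
}
```

With n = 100000 the comparator runs on the order of n log n times, so the map result must be a sparse array whose length is several times larger than the number of elements it will ever hold, which is the situation the assertion in setElementAt rejects.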

180c83c

lavenzg, Apr 15 '25 22:04