Description
When using Hermes V1 (RCT_HERMES_V1_ENABLED=1 on iOS, hermesV1Enabled=true on Android) with React Native 0.83.4, the app crashes when React Native DevTools is connected.
The crash occurs in hermes::vm::CodeBlock::getSourceLocation() due to a null pointer dereference. The debugger's getLocationForState() does not check if state.codeBlock is null before calling ->getSourceLocation().
This is the same root cause as #55571 (which was closed due to inactivity).
Root Cause Analysis
In include/hermes/VM/Debugger/Debugger.h:
```cpp
OptValue<hbc::DebugSourceLocation> getLocationForState(
    const InterpreterState &state) const {
  return state.codeBlock->getSourceLocation(state.offset);
  //     ^^^^^^^^^^^^^^^ can be null — no null check
}
```
And in sameStatementDifferentInstruction:
```cpp
auto aLoc = getLocationForState(a);
auto bLoc = getLocationForState(b);
return a.codeBlock == b.codeBlock && aLoc->statement == bLoc->statement;
//                                   ^^^^ aLoc/bLoc can be None when codeBlock is null
```
Crash Log
```text
Thread 19 Crashed:: com.facebook.react.runtime.JavaScript
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Subtype: KERN_INVALID_ADDRESS at 0x0000000000000000
0  hermesvm  hermes::vm::CodeBlock::getSourceLocation(unsigned int) const + 28
1  hermesvm  hermes::vm::Debugger::runUntilValidPauseLocation(hermes::vm::InterpreterState&) + 144
2  hermesvm  hermes::vm::Debugger::runDebugger(hermes::vm::Debugger::RunReason, hermes::vm::InterpreterState&) + 1148
3  hermesvm  hermes::vm::Interpreter::interpretFunction<false, false>(...) + 3152
...
9  tracer    facebook::react::TimerCallback::invoke(facebook::jsi::Runtime&) + 88
10 tracer    facebook::react::TimerManager::callTimer(int)::$_0::operator()(...) + 268
ARM Thread State:
x0:  0x0000000000000000 (null — this pointer for CodeBlock)
far: 0x0000000000000000
esr: 0x92000006 (Data Abort) byte read Translation fault
```
Steps to Reproduce
- Use React Native 0.83.4 (or 0.84.0) with Hermes V1 enabled
- Run the app in debug mode
- Connect React Native DevTools
- The app starts logging normally, then crashes after a few seconds when high-volume JS calls (e.g. timer callbacks, TurboModule calls) trigger the debugger
Expected Behavior
DevTools should work without crashing when Hermes V1 is enabled. getLocationForState() should handle null state.codeBlock gracefully.
Suggested Fix
```cpp
OptValue<hbc::DebugSourceLocation> getLocationForState(
    const InterpreterState &state) const {
  if (!state.codeBlock) return llvh::None;
  return state.codeBlock->getSourceLocation(state.offset);
}
```
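The following is an added, self-contained model of the Debugger.h pattern described in the root cause analysis and the suggested fix above; it is not Hermes source. `std::optional` stands in for `OptValue`, `CodeBlock`, `DebugSourceLocation` and `InterpreterState` are stubs with a constructed debug-info table, and it goes one step beyond the suggested fix by also making `sameStatementDifferentInstruction()` tolerate a None location, which the comment in the root cause section flags as the second dereference of a possibly-empty value.

```cpp
// Added example, not Hermes code: minimal model of the null-codeBlock
// crash path and its guarded form. std::optional replaces OptValue.
#include <cstdint>
#include <optional>

struct DebugSourceLocation {
  uint32_t statement;  // statement index a bytecode offset maps to
  uint32_t line;       // source line for that statement
};

// Stand-in for hermes::vm::CodeBlock with a constructed debug-info table:
// offsets 0..9 -> statement 0 / line 1, 10..19 -> statement 1 / line 2, ...
struct CodeBlock {
  std::optional<DebugSourceLocation> getSourceLocation(uint32_t offset) const {
    return DebugSourceLocation{offset / 10, 1 + offset / 10};
  }
};
const CodeBlock kSampleBlock{};  // shared constructed block for the examples

struct InterpreterState {
  const CodeBlock *codeBlock;  // may be null (no JS code block to map)
  uint32_t offset;
};

// Unguarded form from the issue: with codeBlock == nullptr this is the
// EXC_BAD_ACCESS at address 0 seen in the crash log. Never call it with null.
std::optional<DebugSourceLocation>
getLocationForStateUnguarded(const InterpreterState &state) {
  return state.codeBlock->getSourceLocation(state.offset);
}

// Guarded form matching the suggested fix: None when there is no code block.
std::optional<DebugSourceLocation>
getLocationForState(const InterpreterState &state) {
  if (!state.codeBlock) return std::nullopt;
  return state.codeBlock->getSourceLocation(state.offset);
}

// Caller from the issue, additionally guarded: if either side has no
// location, report "not the same statement" instead of dereferencing None.
bool sameStatementDifferentInstruction(const InterpreterState &a,
                                       const InterpreterState &b) {
  auto aLoc = getLocationForState(a);
  auto bLoc = getLocationForState(b);
  if (!aLoc || !bLoc) return false;
  return a.codeBlock == b.codeBlock && aLoc->statement == bLoc->statement;
}
```

With only the guard in `getLocationForState()`, a null `codeBlock` would move the crash from the `CodeBlock` method to the `aLoc->statement` dereference, so both sites need to handle the empty case.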
Environment
- React Native: 0.83.4
- Hermes V1: enabled (RCT_HERMES_V1_ENABLED=1)
- Platform: iOS (also reproducible on Android)
- New Architecture: enabled
- DevTools: standalone React Native DevTools
Related Issues