facebook / hermes

A JavaScript engine optimized for running React Native.
https://hermesengine.dev/
MIT License

Assertion `IDom && "Reached the top of the tree!"' failed in ./hermes/lib/Optimizer/Scalar/Mem2Reg.cpp #1357

Open Ye0nny opened 1 month ago

Ye0nny commented 1 month ago

Bug Description

Hermes git revision (if applicable): https://github.com/facebook/hermes/commit/75cdee98363191d31b6a1cdc766926f8d120364b
React Native version: N/A
OS: Ubuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86_64)
Platform (most likely one of arm64-v8a, armeabi-v7a, x86, x86_64): x86_64

Steps To Reproduce

Build steps
```sh
cmake -S hermes -B build -G Ninja
cmake --build ./build
```
Test case
testcase

```javascript
let r = [ ] ; for ( let t = 0 ; t * 10 < 2500 ; ++ t ) { t += t * 10 ; print ( " 0 one - two - three - four - a " + " a " ) ; r. push ( 1 << t + " a " + ( " " + t ) ) ; r. pop ( ) ; r. push ( " " + t ) ; } r. some ( ( { [ t ] : t }, e ) => { r. splice ( ) ; r [ r. length - 1 ] = { [ e ] : t % 128 } ; r [ r. length ] ++ ; return e < t | t - e == 1 << e ; } ) ;
```

```javascript
// poc.js
r. some ( ( { [ t ] : t } ) => { } ) ;
```
Execution steps & Output
```
$ ./hermes poc.js
hermes: ./hermes/lib/Optimizer/Scalar/Mem2Reg.cpp:590: hermes::Value* getLiveInValue(hermes::BasicBlock*, BlockToInstMap&, hermes::DominanceInfo&, BlockToInstMap&): Assertion `IDom && "Reached the top of the tree!"' failed.
Aborted
```
Backtrace
```
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff753f859 in __GI_abort () at abort.c:79
#2  0x00007ffff753f729 in __assert_fail_base (fmt=0x7ffff76d5588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x555555f8e1c8 "IDom && \"Reached the top of the tree!\"", file=0x555555f8e138 "./hermes/lib/Optimizer/Scalar/Mem2Reg.cpp",
    line=590, function=<optimized out>) at assert.c:92
#3  0x00007ffff7550fd6 in __GI___assert_fail (assertion=0x555555f8e1c8 "IDom && \"Reached the top of the tree!\"", file=0x555555f8e138 "./hermes/lib/Optimizer/Scalar/Mem2Reg.cpp", line=590,
    function=0x555555f8e0c8 "hermes::Value* getLiveInValue(hermes::BasicBlock*, BlockToInstMap&, hermes::DominanceInfo&, BlockToInstMap&)") at assert.c:101
#4  0x0000555555a950c6 in getLiveInValue (BB=0x5555563ebf80, phiLoc=..., DT=..., stores=...) at ./hermes/lib/Optimizer/Scalar/Mem2Reg.cpp:590
#5  0x0000555555a95e3c in promoteAllocStackToSSA (ASI=0x5555563ea6e0, DT=..., domTreeLevels=...) at ./hermes/lib/Optimizer/Scalar/Mem2Reg.cpp:734
#6  0x0000555555a963ff in hermes::Mem2Reg::runOnFunction (this=0x5555563eb800, F=0x5555563ebe40) at ./hermes/lib/Optimizer/Scalar/Mem2Reg.cpp:785
#7  0x0000555555a84739 in hermes::PassManager::run (this=0x7fffffffd1c0, M=0x7fffffffd9e0) at ./hermes/lib/Optimizer/PassManager/PassManager.cpp:203
#8  0x0000555555a899f7 in hermes::runFullOptimizationPasses (M=...) at ./hermes/lib/Optimizer/PassManager/Pipeline.cpp:102
#9  0x00005555558c28d0 in (anonymous namespace)::processSourceFiles (context=std::shared_ptr<class hermes::Context> (use count 3, weak count 0) = {...}, Python Exception <class 'AttributeError'> 'NoneType' object has no attribute 'pointer':
fileBufs=std::map with 1 element) at ./hermes/lib/CompilerDriver/CompilerDriver.cpp:2015
#10 0x00005555558c420a in hermes::driver::compileFromCommandLineOptions () at ./hermes/lib/CompilerDriver/CompilerDriver.cpp:2291
#11 0x000055555557aad4 in main (argc=2, argv=0x7fffffffe328) at ./hermes/tools/hermes/hermes.cpp:202
```

When executed in release mode

Output

```
Segmentation fault
```

The Expected Behavior

This code should not crash. Other JS engines (such as V8, JSC, etc.) identify a ReferenceError.

```
poc.js:1: ReferenceError: r is not defined
r. some ( ( { [ t ] : t } ) => { } ) ;
^
ReferenceError: r is not defined
    at poc.js:1:1
```

Credits: @Ye0nny, @EJueon

tmikov commented 1 month ago

Thank you for reporting this! We looked into it - this is a Hermes bug related to (the lack of) TDZ. Notably it is not present in our next major version (Static Hermes). We are currently reviewing our options for addressing it.
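
The reply above attributes the crash to missing TDZ (temporal dead zone) handling. As an added example that is not part of the original thread and not Hermes code, the script below records what a spec-conformant engine does with the `poc.js` parameter pattern once the receiver exists, so it can serve as a regression check after a fix. The names `CASES`, `classify` and `runTdzChecks` are illustrative, and the default-initializer case generalizes beyond the report.

```javascript
// Added example (not from the Hermes thread): expected temporal dead zone
// (TDZ) results for self-referencing parameter patterns like poc.js.
// CASES, classify and runTdzChecks are illustrative names.
const CASES = [
  // Reduced pattern from poc.js: the computed key reads `t` while the
  // parameter binding `t` is still uninitialized.
  { name: "computed key reads own binding", expect: "ReferenceError",
    run: () => (({ [t]: t }) => {})({}) },
  // Same pattern reached through Array.prototype.some, with the receiver
  // defined so the callback is actually invoked.
  { name: "poc callback via some()", expect: "ReferenceError",
    run: () => [1].some(({ [t]: t }) => {}) },
  // Generalization: a default initializer reading its own binding.
  { name: "default reads own binding", expect: "ReferenceError",
    run: () => ((t = t) => {})() },
  // Control: the key comes from an earlier, already initialized parameter.
  { name: "control: key bound first", expect: "returned",
    run: () => ((k, { [k]: v }) => v)("a", { a: 1 }) },
];

// Run one case and reduce the result to a comparable outcome string.
function classify(run) {
  try {
    return { outcome: "returned", value: run() };
  } catch (e) {
    const outcome = e instanceof ReferenceError ? "ReferenceError" : "other-throw";
    return { outcome, message: String(e && e.message) };
  }
}

// Evaluate every case and flag those that differ from the expectation.
function runTdzChecks() {
  return CASES.map(({ name, expect, run }) => {
    const result = classify(run);
    return { name, expect, ...result, ok: result.outcome === expect };
  });
}

// `console.log` exists in Node.js; fall back to `print` in CLI shells without it.
const log = typeof console !== "undefined" ? console.log : print;
for (const r of runTdzChecks()) {
  log((r.ok ? "PASS " : "FAIL ") + r.name + " -> " + r.outcome);
}
```

A `FAIL` line, or a crash before any line is printed, marks an engine build that still mishandles the uninitialized parameter binding.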