facebook / hermes

A JavaScript engine optimized for running React Native.
https://hermesengine.dev/
MIT License

An issue about the Array.prototype.pop(). #349

Closed NWU-NISL closed 4 years ago

NWU-NISL commented 4 years ago

The pop() method removes the last element of the array and returns it, and the maximum length of the array is 2^32−1. But after I put an element in the last position of the array, a RangeError occurred while executing the pop function. When executing this test case on other engines (like ChakraCore, V8 and SpiderMonkey), no error occurred.

version

b6530ae

Test case

var NISLFuzzingFunc = function(){
    var a = [];
    a[Math.pow(2,32)-2] = 1;
    a.pop();
}
NISLFuzzingFunc();

Command

./build/bin/hermes -w testcase.js

Output

RangeError: Out of memory for array elements.

Expected behavior

Pop successfully.

tmikov commented 4 years ago

Thank you for reporting this. I investigated and found the bug, and I am working on a fix.
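The report above comes down to a differential check: the built-in pop() should agree with the ECMAScript steps even when the only element sits at index 2^32−2. The following is an added example, not code from the issue or from the Hermes project; `specPop`, `observe` and `comparePop` are hypothetical helper names, and the final `console.log` assumes a host such as Node.js that provides it.

```javascript
// Largest valid array index; storing here makes length 2^32 - 1.
const MAX_INDEX = Math.pow(2, 32) - 2;

// Reference model of Array.prototype.pop, following the spec steps:
// read length, Get(len - 1), delete it, write the new length.
// It touches one property only, so holes cost nothing.
function specPop(obj) {
  const raw = Math.trunc(Number(obj.length)) || 0;
  const len = Math.min(Math.max(raw, 0), Number.MAX_SAFE_INTEGER);
  if (len === 0) { obj.length = 0; return undefined; }
  const key = String(len - 1);
  const value = obj[key];
  delete obj[key];
  obj.length = len - 1;
  return value;
}

// Run one pop implementation on a fresh array and record what is observable.
function observe(popFn, build) {
  const a = build();
  try {
    const value = popFn(a);
    return { value: value, length: a.length, error: null };
  } catch (e) {
    return { value: undefined, length: a.length, error: e.name };
  }
}

// Constructed boundary cases; the third is the test case from the report.
const CASES = {
  empty: () => [],
  dense: () => [1, 2, 3],
  sparseAtMaxIndex: () => { const a = []; a[MAX_INDEX] = 1; return a; },
  lowPlusMaxIndex: () => { const a = [7]; a[MAX_INDEX] = 1; return a; },
};

// Returns every case where the engine's pop() differs from the reference.
function comparePop() {
  const mismatches = [];
  for (const name of Object.keys(CASES)) {
    const expected = observe(specPop, CASES[name]);
    const actual = observe((a) => a.pop(), CASES[name]);
    if (JSON.stringify(expected) !== JSON.stringify(actual)) {
      mismatches.push({ name: name, expected: expected, actual: actual });
    }
  }
  return mismatches;
}

console.log(JSON.stringify(comparePop())); // an empty list means pop() matches the reference
```

An engine showing the behaviour reported here would appear in the result as a `sparseAtMaxIndex` entry whose `actual.error` is `RangeError`.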