uint64_t underflow inside Array::arrayPrototypeSplice

[farwayer]

Bug Description

Incorrect handling of unsigned variables causes an undeflow inside Array::arrayPrototypeSplice when calling array.splice(0). This leads to a missed call to DeleteProperty on array elements.

hermes/lib/VM/JSLib/Array.cpp

Line 2698 in 6573809

while (i > (len - actualDeleteCount + itemCount - 1)) {

If len == actualDeleteCount (as for array.splice(0)) result expression < 0 for uint64_t and the loop never executes.

• I have run gradle clean and confirmed this bug does not occur with JSC
• The issue is reproducible with the latest version of React Native.

Hermes git revision (if applicable): 896ee1e

Steps To Reproduce

An example with Proxy, which is a symptom:

let log = (...args) => typeof print === 'undefined' ? console.log(JSON.stringify(args)) : print(JSON.stringify(args))

let arr = new Proxy([], {
	deleteProperty(target, p) {
		log('del', target, p)
		return Reflect.deleteProperty(target, p)
	},
})

arr.push('a', 'b', 'c')
arr.splice(0)

Hermes

no messages

V8

["del",["a","b","c"],"2"]
["del",["a","b",null],"1"]
["del",["a",null,null],"0"]

[farwayer]

@tmikov Hi! Sorry to bother you. Are you still accepting pull requests and bug reports for Hermes? I’ve spent quite a bit of time investigating the root causes of two issues, fixing them safely, and testing them. Unfortunately, in the past month and a half, I haven't received any response at all
Here's the second issue #1910
Thanks