[Hermes V1] Crash in CodeBlock::getSourceLocation when DevTools connected - missing null check on state.codeBlock

[benji-jo]

Description

When using Hermes V1 (RCT_HERMES_V1_ENABLED=1 on iOS, hermesV1Enabled=true on Android) with React Native 0.83.4, the app crashes when React Native DevTools is connected.

The crash occurs in hermes::vm::CodeBlock::getSourceLocation() due to a null pointer dereference. The debugger's getLocationForState() does not check if state.codeBlock is null before calling ->getSourceLocation().

This is the same root cause as #55571 (which was closed due to inactivity).

Root Cause Analysis

In include/hermes/VM/Debugger/Debugger.h:

OptValue<hbc::DebugSourceLocation> getLocationForState(
    const InterpreterState &state) const {
  return state.codeBlock->getSourceLocation(state.offset);
  //     ^^^^^^^^^^^^^^^^ can be null — no null check
}

And in sameStatementDifferentInstruction:

auto aLoc = getLocationForState(a);
auto bLoc = getLocationForState(b);
return a.codeBlock == b.codeBlock && aLoc->statement == bLoc->statement;
//                                   ^^^^ aLoc/bLoc can be None when codeBlock is null

Crash Log

Thread 19 Crashed:: com.facebook.react.runtime.JavaScript
Exception Type:    EXC_BAD_ACCESS (SIGSEGV)
Exception Subtype: KERN_INVALID_ADDRESS at 0x0000000000000000

0  hermesvm  hermes::vm::CodeBlock::getSourceLocation(unsigned int) const + 28
1  hermesvm  hermes::vm::Debugger::runUntilValidPauseLocation(hermes::vm::InterpreterState&) + 144
2  hermesvm  hermes::vm::Debugger::runDebugger(hermes::vm::Debugger::RunReason, hermes::vm::InterpreterState&) + 1148
3  hermesvm  hermes::vm::Interpreter::interpretFunction<false, false>(...) + 3152
...
9  tracer    facebook::react::TimerCallback::invoke(facebook::jsi::Runtime&) + 88
10 tracer    facebook::react::TimerManager::callTimer(int)::$_0::operator()(...) + 268

ARM Thread State:
x0: 0x0000000000000000 (null — this pointer for CodeBlock)
far: 0x0000000000000000
esr: 0x92000006 (Data Abort) byte read Translation fault

Steps to Reproduce

1. Use React Native 0.83.4 (or 0.84.0) with Hermes V1 enabled
2. Run the app in debug mode
3. Connect React Native DevTools
4. The app starts logging normally, then crashes after a few seconds when high-volume JS calls (e.g. timer callbacks, TurboModule calls) trigger the debugger

Expected Behavior

DevTools should work without crashing when Hermes V1 is enabled. getLocationForState() should handle null state.codeBlock gracefully.

Suggested Fix

OptValue<hbc::DebugSourceLocation> getLocationForState(
    const InterpreterState &state) const {
  if (!state.codeBlock) return llvh::None;
  return state.codeBlock->getSourceLocation(state.offset);
}

Environment

• React Native: 0.83.4
• Hermes V1: enabled (RCT_HERMES_V1_ENABLED=1)
• Platform: iOS (also reproducible on Android)
• New Architecture: enabled
• DevTools: standalone React Native DevTools

Related Issues

• [Cross-platform] Crash in hermes::vm::CodeBlock::getSourceLocation when connecting DevTools during high-volume TurboModule calls (v0.84.0) #55571 (same crash, closed due to inactivity)

[react-native-bot]

Warning

Missing reproducer: We could not detect a reproducible example in your issue report. Reproducers are mandatory and we can accept only one of those as a valid reproducer:

• For majority of bugs: send us a Pull Request with the RNTesterPlayground.js edited to reproduce your bug.
• If your bug is UI related: a Snack
• If your bug is build/upgrade related: a project using our Reproducer Template

You can read more about about it on our website: How to report a bug.