[iOS] Crash in HiddenClass::addProperty during runtime initialization (bindNativePerformanceNow)
Bug Description
Crash during Hermes runtime initialization in HiddenClass::addProperty when React Native binds nativePerformanceNow. The app crashes on startup with EXC_BAD_ACCESS (SIGSEGV) - null pointer dereference at address 0x000000000000000c.
Symbolicated crash stack (Thread 13):
```
0 hermes HiddenClass::addProperty(Handle<HiddenClass>, Runtime&, SymbolID, PropertyFlags) (HiddenClass.cpp:388)
1 hermes JSObject::addOwnPropertyImpl(Handle<JSObject>, Runtime&, SymbolID, PropertyFlags, Handle<HermesValue>) (JSObject.cpp:2755)
2 hermes Callable::defineNameLengthAndPrototype(Handle<Callable>, Runtime&, SymbolID, unsigned int, Handle<JSObject>, WritablePrototype, bool) (Callable.cpp:0)
3 hermes FinalizableNativeFunction::createWithoutPrototype(Runtime&, void*, CallResult<HermesValue>(*)(void*, Runtime&, NativeArgs), void(*)(void*), SymbolID, unsigned int) (HostModel.cpp:77)
4 hermes HermesRuntimeImpl::createFunctionFromHostFunction<HFContext>(HFContext*, PropNameID const&, unsigned int) (hermes.cpp:2196)
5 hermes HermesRuntimeImpl::createFunctionFromHostFunction(PropNameID const&, unsigned int, std::function<...>) (hermes.cpp:2178)
6 Quince RuntimeDecorator::createFunctionFromHostFunction(...) (decorator.h:346)
7 Quince WithRuntimeDecorator::createFunctionFromHostFunction(...) (decorator.h:827)
8 Quince Function::createFromHostFunction(...) (JSIExecutor.cpp:553)
9 Quince bindNativePerformanceNow(Runtime&) + 152
10 Quince JSIExecutor::initializeRuntime() + 64 (JSIExecutor.cpp:85)
```
The crash occurs ~0.18 seconds after app launch during JSI runtime initialization. The HiddenClass is encountering a corrupted or null pointer when trying to add a property.
- I have run `gradle clean` and confirmed this bug does not occur with JSC (N/A - iOS only)
- The issue is reproducible with the latest version of React Native. (Not upgraded yet; the issue is intermittent anyway, happening on prod.)
| Field | Value |
|---|---|
| Hermes git revision | 0.77.3 |
| React Native version | 0.77.3 |
| OS | iOS 18.3.1 (23C71) |
| Platform | arm64 (iPhone 16, iPhone 16 Pro, etc.) |
Steps To Reproduce
This is an intermittent crash occurring in production for our users. We cannot reliably reproduce it locally.
- User launches the app from cold start
- App crashes during Hermes runtime initialization before JS bundle loads
- Crash happens intermittently - not every launch
We're seeing this across multiple users in production via Xcode Organizer / App Store Connect crash reports. The crash is categorized as NO_CRASH_STACK since no JS had executed yet.
Register state at crash:
```
x0: 0x000000016d8117f0 x1: 0x000000010ccc8000 x2: 0x000000000000008b
esr: 0x92000006 (Data Abort) byte read Translation fault
```
Exception details:
```
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Subtype: KERN_INVALID_ADDRESS at 0x000000000000000c
```
The 0xc address suggests dereferencing a field at offset 12 from a null pointer.
The Expected Behavior
App should initialize the Hermes runtime without crashing. The HiddenClass::addProperty should handle the case gracefully or the runtime should be properly initialized before bindNativePerformanceNow is called.
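The `esr` value and fault address quoted in the report can be decoded mechanically when triaging crash logs like this one. The sketch below is an added example, not code from the reporter or from Hermes; the function names and the 4 KiB `NULL_GUARD` threshold are assumptions, and the bit layout is the Arm ESR_ELx format.

```python
# Added example: triage helper for the arm64 fault values quoted in this report.
NULL_GUARD = 0x1000  # assumption: addresses under 4 KiB count as null + offset

EC_NAMES = {
    0x20: "Instruction Abort (lower EL)",
    0x21: "Instruction Abort (same EL)",
    0x24: "Data Abort (lower EL)",
    0x25: "Data Abort (same EL)",
}
# Fault status codes of the form 0b00KKLL: KK = kind, LL = page-table level.
FAULT_KINDS = ["Address size fault", "Translation fault",
               "Access flag fault", "Permission fault"]


def decode_esr(esr: int) -> dict:
    """Split an ESR_ELx value into exception class and data-abort fields."""
    ec = (esr >> 26) & 0x3F          # bits [31:26]: exception class
    iss = esr & 0x1FFFFFF            # bits [24:0]: instruction-specific syndrome
    fsc = iss & 0x3F                 # bits [5:0]: fault status code
    out = {"ec": ec, "ec_name": EC_NAMES.get(ec, "other"), "fsc": fsc,
           "fault": "other", "level": None, "access": None}
    if ec in EC_NAMES:
        if fsc >> 2 < len(FAULT_KINDS):
            out["fault"], out["level"] = FAULT_KINDS[fsc >> 2], fsc & 0x3
        if ec in (0x24, 0x25):       # WnR (bit 6) is only defined for data aborts
            out["access"] = "write" if (iss >> 6) & 1 else "read"
    return out


def null_offset(fault_addr: int):
    """Return the offset from address 0 if the fault looks like a
    null-base field access, otherwise None."""
    return fault_addr if 0 <= fault_addr < NULL_GUARD else None


if __name__ == "__main__":
    # Values copied from the crash report above.
    info = decode_esr(0x92000006)
    print(info["ec_name"], "|", info["fault"], "level", info["level"], "|", info["access"])
    off = null_offset(0x000000000000000C)
    print("null + offset", off if off is not None else "n/a")
```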