[Bug] Engine crash (Access Violation) when iterating over a sparse array after delete and push operations #1430
Description
The engine crashes with an Access Violation (exit code -1073741819 / 0xC0000005 on Windows) when accessing elements of a sparse array that was modified using a specific sequence of push and delete operations.
This issue was originally discovered when using the engine to render multi-line templates with mustache.js, which internally uses delete on a token array to strip whitespaces and then continues processing the array.
Steps to Reproduce
We have isolated this bug to the following 10-line minimal reproducible script:
It crashes most of the time, but occasionally runs successfully and outputs done.
```js
// crash_minimal.js
var size = 2;
var arr = [];
// 1. Push initial elements
for (var i = 0; i < size; i++) arr.push(["a", i]);
// 2. Delete the last element to create a hole (makes it a sparse array)
delete arr[size - 1];
// 3. Push new elements into the array
for (var i = 0; i < size; i++) arr.push(["b", i]);
// 4. Iterate and access the elements
for (var i = 0; i < arr.length; i++) {
  console.log("accessing " + i);
  var t = arr[i]; // <--- CRASH occurs here when accessing newly pushed elements
  console.log("accessed " + i);
}
console.log("done");
```
Command
```sh
qjs crash_minimal.js
```
Expected Behavior
The script should execute successfully and output the logs without crashing. The deleted index should simply yield undefined.
Actual Behavior
The engine crashes immediately during the loop when attempting to access the array element.
Output before crash:
accessing 0
accessed 0
accessing 1
accessed 1
accessing 2
(Process terminates with exit code -1073741819 / 0xC0000005 Access Violation)
Environment
- OS: Windows (but likely a cross-platform memory corruption issue in the underlying C engine)
- Engine Version: quickjs-0.13.0
Additional Context
The crash seems to be tightly coupled with how the engine manages memory layouts for arrays transitioning between dense and sparse states.
- The array starts dense.
- `delete arr[1]` leaves a hole, changing internal properties/flags.
- Subsequent `push` operations seem to corrupt the array's internal length or element pointers.
- Accessing the newly pushed elements triggers a memory access out of bounds in the C backend.
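As an added regression check (not part of the original report or the QuickJS test suite), the following generalizes the push / delete / push sequence from crash_minimal.js over several array sizes and hole positions and verifies the ECMAScript-mandated result, so it can be run under qjs or node as a pass/fail test once the crash is fixed:

```javascript
// Build the same dense -> sparse -> push sequence as crash_minimal.js,
// parameterized by array size and by which index is deleted.
function buildSparse(size, holeIndex) {
  var arr = [];
  for (var i = 0; i < size; i++) arr.push(["a", i]);
  delete arr[holeIndex]; // leaves a hole; length must stay unchanged
  for (var i = 0; i < size; i++) arr.push(["b", i]);
  return arr;
}

// Returns "ok" when the array has the shape the spec requires, otherwise
// a short description of the first mismatch found.
function checkSparse(size, holeIndex) {
  var arr = buildSparse(size, holeIndex);
  if (arr.length !== 2 * size) return "bad length " + arr.length;
  if (holeIndex in arr) return "hole still present";
  if (arr[holeIndex] !== undefined) return "hole not undefined";
  for (var i = 0; i < 2 * size; i++) {
    if (i === holeIndex) continue;
    var t = arr[i]; // the access that crashes in the report
    var expectTag = i < size ? "a" : "b";
    var expectIdx = i < size ? i : i - size;
    if (!Array.isArray(t) || t[0] !== expectTag || t[1] !== expectIdx) {
      return "bad element at " + i;
    }
  }
  // The hole is not an own property, so exactly one key is missing.
  if (Object.keys(arr).length !== 2 * size - 1) return "bad key count";
  return "ok";
}

// Exercise sizes 1..8 with every possible hole position; returns the list
// of failing cases (empty on a conforming engine).
function runAll() {
  var failures = [];
  for (var size = 1; size <= 8; size++) {
    for (var hole = 0; hole < size; hole++) {
      var r = checkSparse(size, hole);
      if (r !== "ok") failures.push("size=" + size + " hole=" + hole + ": " + r);
    }
  }
  return failures;
}

console.log(runAll().length === 0 ? "all cases ok" : runAll().join("\n"));
```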