runtime: SIGSEGV setting (arr as any).length to an invalid value (should throw RangeError)

[proggeramlug]

Summary

Setting a regular array's length to an invalid value through an any-typed
binding segfaults (SIGSEGV, exit 139) instead of throwing RangeError.

Repro

const a = [1, 2, 3];
try { (a as any).length = -1; } catch (e: any) { console.log("threw", e.name); }
console.log("done");

• Node: threw RangeError / done
• Perry: segfaults during the assignment (no output past the array literal)

The statically-typed form likely differs; the as any set routes through the
generic dynamic property-set path.

Crash detail

EXC_BAD_ACCESS (address=0x3ffffffffffffff8) — a raw f64 (2.0 =
0x4000000000000000) is treated as an object pointer and its GC header is read
at [ptr-8]. The faulting frame is a GC_TYPE_SET type check reached from the
array-length set path. So a numeric value is being threaded into a routine that
dereferences it as a heap object.

Scope / provenance

• Reproduces on a clean main build (isolated target, cold build) under
  both PERRY_NO_AUTO_OPTIMIZE=1 and the default auto-optimize path —
  independent of any in-flight branch.
• Surfaced while validating runtime: TypedArray constructors missing BYTES_PER_ELEMENT/constructor own props + validation #4140: it is what makes the parity fixtures
  test-parity/node-suite/globals/array-length-invalid.ts and
  structured-clone-transfer.ts fail (both exercise this set path).

[andrewtdiz]

I am taking this as a focused dynamic Array.length setter crash fix. I will keep the scope to routing (arr as any).length = value through the runtime array length validator so invalid lengths throw RangeError and valid dynamic length sets do not treat numeric RHS values as heap pointers.

[andrewtdiz]

Opened draft PR #4194 with the dynamic Array.length setter crash fix: #4194

[andrewtdiz]

Opened draft PR: #4197

The fix routes dynamic array length writes through the array length setter before creating runtime handle scopes, so invalid lengths throw RangeError instead of segfaulting. It also avoids the related descriptor-probe crash hit by the structured-clone transfer fixture.

Validation:

• NODE25_DIR=$(dirname "$(npx -y node@25 -p 'process.execPath')") PATH="$NODE25_DIR:$PATH" perl -e 'alarm shift; exec @argv' 300 ./run_parity_tests.sh --suite node-suite --module globals --filter array-length-invalid
• NODE25_DIR=$(dirname "$(npx -y node@25 -p 'process.execPath')") PATH="$NODE25_DIR:$PATH" perl -e 'alarm shift; exec @argv' 300 ./run_parity_tests.sh --suite node-suite --module globals --filter structured-clone-transfer
• cargo fmt --all -- --check
• git diff --check
• ./scripts/check_file_size.sh
• cargo check -p perry-runtime -p perry
• cargo test -p perry-runtime array_length -- --nocapture

[andrewtdiz]

Resolved on current main.

Validation:

• current main: de423ca Add Node builtin manifest radar check ([codex] add Node builtin manifest radar check #4208)
• Node: v26.3.0
• commands:
  • PERRY_NO_AUTO_OPTIMIZE=1 npm exec --yes --package=node@26 -- bash -lc 'node --version; ./run_parity_tests.sh --suite node-suite --module globals --filter array-length-invalid'
  • PERRY_NO_AUTO_OPTIMIZE=1 npm exec --yes --package=node@26 -- bash -lc 'node --version; ./run_parity_tests.sh --suite node-suite --module globals --filter structured-clone-transfer'
• result: both fixtures passed; each run was 1 pass / 0 parity fail / 0 compile fail / 0 skipped; parity rate 100.0%
• reports: test-parity/reports/parity_report_20260603_062442.json and test-parity/reports/parity_report_20260603_062453.json

No new code changes needed; the merged dynamic Array.length setter fix already covers this crash.

[andrewtdiz]

Current main validation confirms this is stale-open and ready for maintainer closure.

Validation:

• current main: de423ca Add Node builtin manifest radar check ([codex] add Node builtin manifest radar check #4208)
• Node: v26.3.0
• commands:
  • PERRY_NO_AUTO_OPTIMIZE=1 npm exec --yes --package=node@26 -- bash -lc 'node --version; ./run_parity_tests.sh --suite node-suite --module globals --filter array-length-invalid'
  • PERRY_NO_AUTO_OPTIMIZE=1 npm exec --yes --package=node@26 -- bash -lc 'node --version; ./run_parity_tests.sh --suite node-suite --module globals --filter structured-clone-transfer'
• result: both fixtures passed; each run was 1 pass / 0 parity fail / 0 compile fail / 0 skipped; parity rate 100.0%
• reports: test-parity/reports/parity_report_20260603_062442.json and test-parity/reports/parity_report_20260603_062453.json

No new code changes needed; the merged dynamic Array.length setter fix already covers this crash. I attempted to close it, but this account does not have CloseIssue permission for this issue.