Crash on llint_op_call_varargs on certain JS sources
pdobrev opened this issue
Hi folks,
Wondering if anyone has experienced crashes on llint_op_call_varargs for certain JS sources. It happens only when running on a device (ARM arch) and not on a simulator.
Here's where it crashes:
ios`llint_op_call_varargs:
0x29beb4: mov r0, r7
0x29beb6: mov r1, r8
0x29beb8: bl 0x295960 ; llint_slow_path_size_and_alloc_frame_for_varargs
0x29bebc: mov r8, r0
0x29bebe: mov r7, r1
0x29bec0: ldr r4, [r7, #0x10]
0x29bec2: movw r12, #0x0
0x29bec6: movt r12, #0xffff
0x29beca: ands.w r4, r4, r12
0x29bece: ldr.w r4, [r4, #1076]
0x29bed2: movw r12, #0x5f28
0x29bed6: add r12, r4
0x29bed8: mvn r10, #0x5
0x29bedc: ldr.w r11, [r12]
0x29bee0: cmp r11, r10
0x29bee2: beq 0x29bee8 ; llint_op_call_varargs + 52
0x29bee4: b.w 0x29ab12 ; llint_throw_from_slow_path_trampoline
0x29bee8: str.w r8, [r7, #36]
0x29beec: mov r0, r7
0x29beee: mov r1, r8
0x29bef0: bl 0x2959e8 ; llint_slow_path_call_varargs
0x29bef4: mov r7, r1
0x29bef6: blx r0
0x29bef8: ldr.w r8, [r7, #36] ; <--------------- Thread 1: EXC_BAD_ACCESS (code=1, address=0x24)
0x29befc: ldr.w r2, [r8, #4]
0x29bf00: add.w r10, r7, r2, lsl #3
0x29bf04: str.w r1, [r10, #4]
0x29bf08: str.w r0, [r7, r2, lsl #3]
0x29bf0c: ldr.w r4, [r8, #28]
0x29bf10: str r1, [r4, #0x10]
0x29bf12: str r0, [r4, #0xc]
0x29bf14: adds.w r8, r8, #0x20
0x29bf18: ldr.w r10, [r8]
0x29bf1c: mov pc, r10
The JS code is rather long and I can't really share it, since it's not yet in the public domain, but so far I've been able to find two potential causes for the issue:
- At some point we had too many methods attached to an object. When we inlined some of the private methods and thus made the method count lower, it stopped crashing there. This no longer seems to help (or I can't really find the object which has too many methods attached to it).
- Uglifying the code sometimes helps, sometimes doesn't.
I'm wondering if anyone has run into this issue or if they have any idea how this could be resolved.
Thanks a lot!