René's URL Explorer Experiment

{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Crash on llint_op_call_varargs on certain JS sources","articleBody":"Hi folks,\n\nWondering if anyone has experienced crashes on `llint_op_call_varargs` for certain JS sources. It happens only when running on a device (ARM arch) and not on a simulator.\n\nHere's where it crashes:\n\n```\nios`llint_op_call_varargs:\n0x29beb4:  mov    r0, r7\n0x29beb6:  mov    r1, r8\n0x29beb8:  bl     0x295960                  ; llint_slow_path_size_and_alloc_frame_for_varargs\n0x29bebc:  mov    r8, r0\n0x29bebe:  mov    r7, r1\n0x29bec0:  ldr    r4, [r7, #0x10]\n0x29bec2:  movw   r12, #0x0\n0x29bec6:  movt   r12, #0xffff\n0x29beca:  ands.w r4, r4, r12\n0x29bece:  ldr.w  r4, [r4, #1076]\n0x29bed2:  movw   r12, #0x5f28\n0x29bed6:  add    r12, r4\n0x29bed8:  mvn    r10, #0x5\n0x29bedc:  ldr.w  r11, [r12]\n0x29bee0:  cmp    r11, r10\n0x29bee2:  beq    0x29bee8                  ; llint_op_call_varargs + 52\n0x29bee4:  b.w    0x29ab12                  ; llint_throw_from_slow_path_trampoline\n0x29bee8:  str.w  r8, [r7, #36]\n0x29beec:  mov    r0, r7\n0x29beee:  mov    r1, r8\n0x29bef0:  bl     0x2959e8                  ; llint_slow_path_call_varargs\n0x29bef4:  mov    r7, r1\n0x29bef6:  blx    r0\n0x29bef8:  ldr.w  r8, [r7, #36]        ; \u003c--------------- Thread 1: EXC_BAD_ACCESS (code=1, address=0x24)\n0x29befc:  ldr.w  r2, [r8, #4]\n0x29bf00:  add.w  r10, r7, r2, lsl #3\n0x29bf04:  str.w  r1, [r10, #4]\n0x29bf08:  str.w  r0, [r7, r2, lsl #3]\n0x29bf0c:  ldr.w  r4, [r8, #28]\n0x29bf10:  str    r1, [r4, #0x10]\n0x29bf12:  str    r0, [r4, #0xc]\n0x29bf14:  adds.w r8, r8, #0x20\n0x29bf18:  ldr.w  r10, [r8]\n0x29bf1c:  mov    pc, r10\n```\n\nThe JS code is rather long and I can't really share it, since it's not yet in the public domain, but so far I've been able to find two potential causes for the issue:\n- At some point we had too many methods attached to an object. When we inlined some of the private methods and thus made the method count lower, it stopped crashing there. This no longer seems to help (or I can't really find the object which has too many methods attached to it).\n- Uglifying the code sometimes helps, sometimes doesn't.\n\nI'm wondering if anyone has run into this issue or if they have any idea how this could be resolved. \n\nThanks a lot!\n","author":{"url":"https://github.com/pdobrev","@type":"Person","name":"pdobrev"},"datePublished":"2015-02-08T11:30:32.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":0},"url":"https://github.com/28/JavaScriptCore-iOS/issues/28"}