Crash on llint_op_call_varargs on certain JS sources

[pdobrev]

Hi folks,

Wondering if anyone has experienced crashes on llint_op_call_varargs for certain JS sources. It happens only when running on a device (ARM arch) and not on a simulator.

Here's where it crashes:

ios`llint_op_call_varargs:
0x29beb4:  mov    r0, r7
0x29beb6:  mov    r1, r8
0x29beb8:  bl     0x295960                  ; llint_slow_path_size_and_alloc_frame_for_varargs
0x29bebc:  mov    r8, r0
0x29bebe:  mov    r7, r1
0x29bec0:  ldr    r4, [r7, #0x10]
0x29bec2:  movw   r12, #0x0
0x29bec6:  movt   r12, #0xffff
0x29beca:  ands.w r4, r4, r12
0x29bece:  ldr.w  r4, [r4, #1076]
0x29bed2:  movw   r12, #0x5f28
0x29bed6:  add    r12, r4
0x29bed8:  mvn    r10, #0x5
0x29bedc:  ldr.w  r11, [r12]
0x29bee0:  cmp    r11, r10
0x29bee2:  beq    0x29bee8                  ; llint_op_call_varargs + 52
0x29bee4:  b.w    0x29ab12                  ; llint_throw_from_slow_path_trampoline
0x29bee8:  str.w  r8, [r7, #36]
0x29beec:  mov    r0, r7
0x29beee:  mov    r1, r8
0x29bef0:  bl     0x2959e8                  ; llint_slow_path_call_varargs
0x29bef4:  mov    r7, r1
0x29bef6:  blx    r0
0x29bef8:  ldr.w  r8, [r7, #36]        ; <--------------- Thread 1: EXC_BAD_ACCESS (code=1, address=0x24)
0x29befc:  ldr.w  r2, [r8, #4]
0x29bf00:  add.w  r10, r7, r2, lsl #3
0x29bf04:  str.w  r1, [r10, #4]
0x29bf08:  str.w  r0, [r7, r2, lsl #3]
0x29bf0c:  ldr.w  r4, [r8, #28]
0x29bf10:  str    r1, [r4, #0x10]
0x29bf12:  str    r0, [r4, #0xc]
0x29bf14:  adds.w r8, r8, #0x20
0x29bf18:  ldr.w  r10, [r8]
0x29bf1c:  mov    pc, r10

The JS code is rather long and I can't really share it, since it's not yet in the public domain, but so far I've been able to find two potential causes for the issue:

• At some point we had too many methods attached to an object. When we inlined some of the private methods and thus made the method count lower, it stopped crashing there. This no longer seems to help (or I can't really find the object which has too many methods attached to it).
• Uglifying the code sometimes helps, sometimes doesn't.

I'm wondering if anyone has run into this issue or if they have any idea how this could be resolved.

Thanks a lot!