ASSERTION FAILED: (*insn & BlxInstructionMask) == BlxInstruction
../../Source/JavaScriptCore/assembler/ARMAssembler.h(866) : static JSC::ARMWord* JSC::ARMAssembler::getLdrImmAddress(JSC::ARMWord*)

#0  0xb648805c in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:323
#1  0xb5851e28 in JSC::ARMAssembler::getLdrImmAddress (insn=0xb27ca808) at ../../Source/JavaScriptCore/assembler/ARMAssembler.h:866
#2  0xb590a10c in JSC::ARMAssembler::patchPointerInternal (from=-1300453368, to=0xb27cab20) at ../../Source/JavaScriptCore/assembler/ARMAssembler.h:892
#3  0xb590a23c in JSC::ARMAssembler::linkJump (code=0xb27ca808, from=..., to=0xb27cab20) at ../../Source/JavaScriptCore/assembler/ARMAssembler.h:956
#4  0xb590bc88 in JSC::AbstractMacroAssembler<JSC::ARMAssembler, JSC::MacroAssemblerARM>::linkJump (code=0xb27ca808, jump=..., target=...) at ../../Source/JavaScriptCore/assembler/AbstractMacroAssembler.h:970
#5  0xb590b33c in JSC::LinkBuffer::link (this=0xbeffe4fc, jump=..., label=...) at ../../Source/JavaScriptCore/assembler/LinkBuffer.h:143
#6  0xb5909208 in JSC::InlineAccess::rewireStubAsJump (vm=..., stubInfo=..., target=...) at ../../Source/JavaScriptCore/bytecode/InlineAccess.cpp:291
#7  0xb5fc0824 in JSC::tryCachePutByID (exec=0xbeffe888, baseValue=..., structure=0xb21a7220, ident=..., slot=..., stubInfo=..., putKind=JSC::NotDirect) at ../../Source/JavaScriptCore/jit/Repatch.cpp:452
#8  0xb5fc0a28 in JSC::repatchPutByID (exec=0xbeffe888, baseValue=..., structure=0xb21a7220, propertyName=..., slot=..., stubInfo=..., putKind=JSC::NotDirect) at ../../Source/JavaScriptCore/jit/Repatch.cpp:463
#9  0xb5f88c50 in JSC::operationPutByIdNonStrictOptimize (exec=0xbeffe888, stubInfo=0xb2590d80, encodedValue=-18486637472, encodedBase=-18486456960, uid=0xb259ac78) at ../../Source/JavaScriptCore/jit/JITOperations.cpp:421
#10 0xb27ca8f0 in ?? ()

(gdb) disas 0xb27ca808,+20
Dump of assembler code from 0xb27ca808 to 0xb27ca81c:
   0xb27ca808:  b       0xb27ca8b0
   0xb27ca80c:  nop                     ; (mov r0, r0)
   0xb27ca810:  nop                     ; (mov r0, r0)
   0xb27ca814:  nop                     ; (mov r0, r0)
   0xb27ca818:  nop                     ; (mov r0, r0)

Generated Baseline JIT code for CallSign#A1TBrX:[0xb21aa4b0->0xb21d92c0, BaselineFunctionConstruct, 25], instruction count = 25
   Source: function CallSign(value) { this._value = value; }
   Code at [0xb27ca5c0, 0xb27cab1c):
       disassembly not available for range 0xb27ca5c0...0xb27ca63c
   [   0] enter
       disassembly not available for range 0xb27ca63c...0xb27ca700
   [   1] get_scope loc0
       disassembly not available for range 0xb27ca700...0xb27ca714
   [   3] mov loc1, loc0
       disassembly not available for range 0xb27ca714...0xb27ca724
   [   6] mov loc2, this
       disassembly not available for range 0xb27ca724...0xb27ca734
   [   9] create_this this, this, 1, 2988382240
       disassembly not available for range 0xb27ca734...0xb27ca7ac
   [  14] put_by_id this, _value(@id0), arg1, String llint(prev = 0xb21a7220, next = 0xb21a71d0 (offset = 0), chain = 0xb21cbea0: [struct = 0xb21a7900, struct = 0xb21f6d20])
       disassembly not available for range 0xb27ca7ac...0xb27ca838
   [  23] ret this
       disassembly not available for range 0xb27ca838...0xb27ca860
   (End Of Main Path)
   (S) [   9] create_this this, this, 1, 2988382240
       disassembly not available for range 0xb27ca860...0xb27ca8b0
   (S) [  14] put_by_id this, _value(@id0), arg1, String llint(prev = 0xb21a7220, next = 0xb21a71d0 (offset = 0), chain = 0xb21cbea0: [struct = 0xb21a7900, struct = 0xb21f6d20])
       disassembly not available for range 0xb27ca8b0...0xb27ca918
   (End Of Slow Path)
       disassembly not available for range 0xb27ca918...0xb27caa1c

It seems this branch comes from [14] put_by_id and can't be patched. Of course, a branch can't be patched. The question is why a branch was generated here and not a patchable instruction. Could you give me some hint as to where this instruction is generated?
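The assertion in the report says what the ARM back end expects at a link site: the word it is handed must be either the `ldr reg, [pc, #imm]` or the `blx reg` of the patchable sequence, because the thing that actually gets rewritten is the literal-pool slot the `ldr` reads, not the instruction itself. A plain `b` has no such slot, so there is nothing to patch. The following is an added C example, not code from the bug report or from WebKit; it re-encodes the five words from the gdb dump above (`b 0xb27ca8b0` at 0xb27ca808 followed by four `mov r0, r0` NOPs), classifies them, and contrasts them with a constructed `ldr ip, [pc, #8]; blx ip` site that can be patched. The masks are the ARM architectural encodings for B, LDR (literal) and BLX (register); it is an assumption that `BlxInstructionMask`/`BlxInstruction` in ARMAssembler.h agree with them, and `ldr_imm_slot` only mirrors the contract of `getLdrImmAddress` (returning -1 where the real code asserts), not its implementation.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A32 encodings (ARM ARM). Assumed to match the assembler's constants. */
#define BLX_REG_MASK    0x0ffffff0u  /* cond 0001 0010 1111 1111 1111 0011 Rm */
#define BLX_REG_PATTERN 0x012fff30u
#define LDR_PC_MASK     0x0f7f0000u  /* cond 010 P=1 U B=0 W=0 L=1 Rn=pc Rt imm12 */
#define LDR_PC_PATTERN  0x051f0000u
#define B_MASK          0x0f000000u  /* cond 1010 imm24 (BL has bit 24 set) */
#define B_PATTERN       0x0a000000u
#define ARM_NOP         0xe1a00000u  /* mov r0, r0 */
#define BLX_IP          0xe12fff3cu  /* blx ip (r12), always-execute condition */

/* b <target>: imm24 is (target - (pc + 8)) / 4. */
static uint32_t encode_b(uint32_t from, uint32_t to) {
    int32_t off = (int32_t)(to - (from + 8));
    return 0xea000000u | (((uint32_t)off >> 2) & 0x00ffffffu);
}

/* ldr ip, [pc, #imm12] with U=1 (literal lies after the instruction). */
static uint32_t encode_ldr_ip_pc(uint32_t imm12) {
    return 0xe59fc000u | (imm12 & 0xfffu);
}

static const char *classify(uint32_t w) {
    if (w == ARM_NOP) return "nop";
    if ((w & BLX_REG_MASK) == BLX_REG_PATTERN) return "blx reg";
    if ((w & LDR_PC_MASK) == LDR_PC_PATTERN) return "ldr reg, [pc, #imm]";
    if ((w & B_MASK) == B_PATTERN) return "b";
    return "other";
}

/* Given the word index a jump was linked at, return the index of the
 * literal-pool word holding the destination, or -1 if the site is not
 * the patchable ldr/blx pair (the case the assertion catches). */
static long ldr_imm_slot(const uint32_t *code, long idx) {
    uint32_t w = code[idx];
    if ((w & LDR_PC_MASK) != LDR_PC_PATTERN) {
        if ((w & BLX_REG_MASK) != BLX_REG_PATTERN)
            return -1;                 /* e.g. a plain "b": nothing to patch */
        idx--;                         /* step back from "blx ip" to the ldr */
        w = code[idx];
        if ((w & LDR_PC_MASK) != LDR_PC_PATTERN)
            return -1;
    }
    uint32_t imm = w & 0xfffu;
    long pc = idx + 2;                 /* pc reads as insn address + 8 */
    return (w & (1u << 23)) ? pc + (long)(imm / 4) : pc - (long)(imm / 4);
}

/* Rewrite the jump destination through the literal slot; 0 if impossible. */
static int patch_jump_target(uint32_t *code, long idx, uint32_t new_target) {
    long slot = ldr_imm_slot(code, idx);
    if (slot < 0) return 0;
    code[slot] = new_target;
    return 1;
}

/* Site reconstructed from the gdb dump (constructed sample). */
static long demo_branch_site_slot(void) {
    uint32_t site[5] = { encode_b(0xb27ca808u, 0xb27ca8b0u),
                         ARM_NOP, ARM_NOP, ARM_NOP, ARM_NOP };
    return ldr_imm_slot(site, 0);      /* -1: no literal slot to patch */
}

/* Constructed patchable site: ldr ip,[pc,#8]; blx ip; nop; nop; <literal>.
 * Returns the literal after linking at the blx word (index 1). */
static uint32_t demo_patchable_site_patch(uint32_t new_target) {
    uint32_t site[5] = { encode_ldr_ip_pc(8), BLX_IP, ARM_NOP, ARM_NOP, 0 };
    if (!patch_jump_target(site, 1, new_target)) return 0;
    return site[4];
}

int main(void) {
    uint32_t words[5] = { encode_b(0xb27ca808u, 0xb27ca8b0u),
                          ARM_NOP, ARM_NOP, ARM_NOP, ARM_NOP };
    for (int i = 0; i < 5; i++)
        printf("0x%08x: %-20s blx-check %s\n", 0xb27ca808u + 4u * (uint32_t)i,
               classify(words[i]),
               (words[i] & BLX_REG_MASK) == BLX_REG_PATTERN ? "passes" : "fails");
    printf("branch site literal slot: %ld\n", demo_branch_site_slot());
    printf("patched literal: 0x%08x\n", demo_patchable_site_patch(0xb27cab20u));
    return 0;
}
```

Run on the words from the dump, every one of them fails the `blx` check, which is exactly the assertion in frame #1; on the constructed `ldr`/`blx` site the same lookup finds the literal word and the rewrite succeeds. That is the difference between the jump `InlineAccess` expects to find and the `b` that was emitted at 0xb27ca808.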
The whole point of that code inside InlineAccess is to just splat new machine code over the old location. In this case, it's splatting a jump over the old code to jump to out-of-line generated code. Why is this a problem?