Analysis Fails on Dart 3.10.3 with Temporary Register Usage in Parameter Handling

[karjok]

Hello,

While performing static analysis on a Flutter application using your amazing project, blutter, the tool crashes with a segmentation fault when encountering a specific register shuffling pattern in the function prologue.

Error Output:

Analysis error at line 1668 `void FunctionAnalyzer::handleParameterRegisters(AsmIterator &)`: !isTmpReg
    0x7ad704: mov x2, x1
    0x7ad708: mov x1, x16
    0x7ad70c: mov x16, x3
    0x7ad710: mov x3, x2
  * 0x7ad714: mov x2, x16
    0x7ad718: stur x2, [x29, #-0x10]
...
subprocess.CalledProcessError: Command '[...]' died with <Signals.SIGSEGV: 11>.

Root Cause:

The crash occurs in /blutter/src/CodeAnalyzer_arm64.cpp at line 1668, where an assertion !isTmpReg fails. The issue is that the current analysis doesn't track values through temporary registers (x16/IP0 and x17/IP1).

In the observed assembly sequence:

1. x16 (TMP) temporarily holds the value from x3
2. This value is then moved to x2
3. The assertion fails because the analyzer doesn't expect temporary registers in parameter tracking

Temporary Workaround:

I've temporarily resolved this by modifying the code to skip tracking when encountering temporary registers:

// INSN_ASSERT(!isTmpReg);
if (isTmpReg) {
    // Skip tracking this parameter properly for now
    ++insn;
    continue;
}

Suggested Fix:

The analysis should be enhanced to track values through temporary registers. When encountering mov x2, x16 where x16 is marked as TMP, the analyzer should trace back to find where x16 obtained its value (in this case, from mov x16, x3) and treat x2 as originating from x3.

Environment:

• Dart version: 3.10.3
• Snapshot: 1ce86630892e2dca9a8543fdb8ed8e22
• Target: android arm64

Thank you for your amazing work !

[worawit]

Using x16 register in function prologue is a known issue. In fact, there are more unhanding cases for prologue.

But the analysis error should not cause a segmentation fault (SIGSEGV).

Can you provide the libapp.so? I'd like to fix a crash first.

[karjok]

Using x16 register in function prologue is a known issue. In fact, there are more unhanding cases for prologue.

But the analysis error should not cause a segmentation fault (SIGSEGV).

Can you provide the libapp.so? I'd like to fix a crash first.

How i can send the file to you ?

[worawit]

You can attach file in comment

[karjok]

You can attach file in comment

Hello, since i can not directly put the file due the unsupported format, i have host the file at https://file.kiwi/336c3751#Ee0pzv4gaMtqbV8aIyUdow, hope you downloaded it before it deleted after 96 hours. Thanks

[worawit]

No crash with latest commit.

I guess the crash is in "Dumping Object Pool" step (but the text is removed in your error output) which is fixed in latest commit.

[karjok]

No crash with latest commit.

I guess the crash is in "Dumping Object Pool" step (but the text is removed in your error output) which is fixed in latest commit.

ok, i will try with the latest commit.

[hvtc-code]

I also encountered the same issue. Got an error when running—does it not support 3.10.4?

(blutter) F:\blutterCodes>python blutter.py .\arm64-v8a\ .\output
Dart version: 3.10.4, Snapshot: 1ce86630892e2dca9a8543fdb8ed8e22, Target: android arm64
flags: product no-code_comments no-dwarf_stack_traces_mode dedup_instructions no-tsan no-msan no-shared_data arm64 android compressed-pointers
libapp is loaded at 0x1e143df0000
Dart heap at 0x1e200000000
Analyzing the application
Analysis error at line 3230 `class std::unique_ptr<class ILInstr,struct std::default_delete<class ILInstr> > __cdecl FunctionAnalyzer::processLoadStore(class AsmIterator &)`: insn.ops(2).shift.type == ARM64_SFT_LSL && (insn.ops(2).shift.value == dart::kCompressedWordSizeLog2 || (insn.ops(2).shift.value == dart::kCompressedWordSizeLog2 - 1 || insn.ops(2).ext == ARM64_EXT_SXTW))
    0x110d9b8: sbfx x23, x4, #1, #0x1f
    0x110d9bc: tbz w4, #0, #0x110d9c4
    0x110d9c0: ldur x23, [x4, #7]
    0x110d9c4: lsl x4, x23, #1
  * 0x110d9c8: add x25, x1, x4
    0x110d9cc: stur x25, [x29, #-0x98]
Dumping Object Pool
Traceback (most recent call last):
  File "F:\blutterCodes\blutter.py", line 248, in <module>
    main(args.indir, args.outdir, args.rebuild, args.vs_sln, args.no_analysis)
  File "F:\blutterCodes\blutter.py", line 230, in main
    main2(libapp_file, libflutter_file, outdir, rebuild_blutter, create_vs_sln, no_analysis)
  File "F:\blutterCodes\blutter.py", line 221, in main2
    build_and_run(input)
  File "F:\blutterCodes\blutter.py", line 210, in build_and_run
    subprocess.run([input.blutter_file, '-i', input.libapp_path, '-o', input.outdir], check=True)
  File "C:\Users\xxx\AppData\Local\Programs\Python\Python310\lib\subprocess.py", line 526, in run
    raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command '['F:\\\blutterCodes\\bin\\blutter_dartvm3.10.4_android_arm64.exe', '-i', 'F:\\blutterCodes\\arm64-v8a\\libapp.so', '-o', '.\\output']' returned non-zero exit status 3221225477.

Environment:

• Dart version: 3.10.4
• Snapshot: 1ce86630892e2dca9a8543fdb8ed8e22
• Target: android arm64

Do you need me to upload libapp.so and libflutter.so? Thanks for the great work!

[clouedoc]

Hi, I was having similar errors.
I pointed Claude Code at the problem, which ended up producing this commit.
I don't dare opening a PR because I have no idea what's happening, but it looks like it correctly dumped my app :)

[t0kubetsu]

Hi, I was having similar errors. I pointed Claude Code at the problem, which ended up producing this commit. I don't dare opening a PR because I have no idea what's happening, but it looks like it correctly dumped my app :)

Can confirm the Claude fix works for me as well. Tested on an APK built with Dart version: 3.10.8, Snapshot: 1ce86630892e2dca9a8543fdb8ed8e22, Target: android arm64

[hackedbyxx]

嗨，我之前也遇到过类似的错误。我把问题反馈给了 Claude Code，最终他提交了这个 commit。我不敢提交 PR，因为我完全不明白发生了什么，但看起来它已经正确地导出了我的应用 :)

this sovle my problem,thanks