Why does Objective-C IMP crash when called directly on macOS ARM64e?

[vsosh2025iossecstaticlibb]

Body

I’m doing a small macOS ARM64 runtime experiment.
I retrieve an Objective‑C IMP using class_getInstanceMethod() and method_getImplementation(), and the pointer looks valid.

Example:

Method m = class_getInstanceMethod([MyClass class], @selector(test));
IMP fn = method_getImplementation(m);
printf("%p\n", fn);

But calling it manually:

((void(*)(id, SEL))fn)(obj, @selector(test));

instantly crashes with:

EXC_BAD_ACCESS (SIGBUS)

The object, selector, and IMP address are all correct.
Calling [obj test] works fine.

Why does directly calling the IMP pointer only crash on macOS ARM64e?
Does it require special PAC, alignment, or a specific frame structure?

Guidelines

• I have read and understood this category's guidelines before making this post.

[nkhmelni]

On macOS ARM64e, Objective‑C IMPs are entered through code that expects a PAC‑authenticated LR (x30).
When you call the IMP manually like a normal function pointer, you skip the ObjC dispatcher, so LR is not signed the way the IMP expects.

As soon as the function prologue/epilogue checks LR, the PAC authentication fails →
macOS raises:
EXC_BAD_ACCESS (invalid PAC)

Why normal calls work:
[obj test] routes through objc_msgSend, which sets up a proper authenticated frame.