FrenchYeti / interruptor

Human-friendly cross-platform system call tracing and hooking library based on Frida's Stalker

Process crashed: Trace/BPT trap and Bad access due to invalid address #11

Open ghost opened 1 year ago

ghost commented 1 year ago

Galaxy S9, Android 10, kernel: 4.9, Java VM: 2.1.0

index.ts

// Interruptor build for Android/arm64 (android-arm64-strace.min.js), targeting the Linux arm64 ABI
var Interruptor = require('./android-arm64-strace.min.js').target.LinuxArm64();

// better results, when app is loaded
Java.perform(() => {
    Interruptor.newAgentTracer({
        exclude: {
            modules: ["linker64"],        // do not trace syscalls issued from the dynamic linker
            syscalls: ["clock_gettime"]   // drop this very noisy syscall from the trace
        }
    }).start();
});

After the npm compile, running frida -U -f com.android.contacts -l _agent.js --no-pause:

    / _  |   Frida 15.2.2 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to xx xxxx (id=xxxxx)
Spawned `com.android.contacts`. Resuming main thread!                   
[xx xxxx::com.android.contacts ]-> [INTERRUPTOR][STARTING] Tracing thread 9240 []
[STARTING TRACE] UID=0 Thread 9240
Deploying pthread_create hook
[libc.so] Hooking routine : 0x77222ef1a0 {"0x77222ef1a0":true}
------- [TID=9274][libutils.so][0x77222ef1a0] Thread routine start -------
[INTERRUPTOR][STARTING] Tracing thread 9274 []
[STARTING TRACE] UID=1 Thread 9274
Process crashed: Trace/BPT trap

***
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
RROS Version: 'RROS-Q-8.6.5-20201226-starlte-Official'
Build fingerprint: 'samsung/starltexx/starlte:10/xxxxxxxxxxx:user/release-keys'
Revision: '26'
ABI: 'arm64'
Timestamp: 2022-08-05 23:21:56+0600
pid: 9240, tid: 9240, name: ndroid.contacts  >>> com.android.contacts <<<
uid: 10246
signal 6 (SIGABRT), code -1 (SI_QUEUE), fault addr --------
Abort message: 'Check failed: dex_pc < accessor.InsnsSizeInCodeUnits() (dex_pc=4294967295, accessor.InsnsSizeInCodeUnits()=1421) '
    x0  0000000000000000  x1  0000000000002418  x2  0000000000000006  x3  0000007fc6ddab50
    x4  0000007687fb6940  x5  0000007687fb6940  x6  0000007687fb6940  x7  0000007687fb6800
    x8  00000000000000f0  x9  000000771efe44a0  x10 0000000000000000  x11 0000000000000001
    x12 0000007687fb6300  x13 0000007687fb6440  x14 0000000000000001  x15 00000077234c5540
    x16 000000771f0b18c0  x17 000000771f08f310  x18 0000000000000000  x19 00000000000000ac
    x20 0000000000002418  x21 00000000000000b2  x22 0000000000002418  x23 00000000ffffffff
    x24 000000769e2d4104  x25 000000769e2d6104  x26 000000769e2b62e7  x27 0000007723178258
    x28 000000769e7f2000  x29 0000007fc6ddac00
    sp  0000007fc6ddab30  lr  000000771f042170  pc  000000771f0421a0

backtrace:
      #00 pc 00000000000821a0  /apex/com.android.runtime/lib64/bionic/libc.so!libc.so (offset 0x82000) (abort+176) (BuildId: a5aa1dd8572ed64645c321b17b43e24d)
      #01 pc 0000000000000108  <anonymous:7696080000>
***
[xx xxxx::com.android.contacts ]->

Thank you for using Frida!

If I remove modules: ["linker64"] from the agent script, I get a Process crashed: Bad access due to invalid address error:

     ____
    / _  |   Frida 15.2.2 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to xx xxxx (id=xxxxx)
Spawned `com.android.contacts`. Resuming main thread!                   
[xx xxxx::com.android.contacts ]-> [INTERRUPTOR][STARTING] Tracing thread 9304 []
[STARTING TRACE] UID=0 Thread 9304
Deploying pthread_create hook
 [TID=9304] [/apex/com.android.runtime/lib64/bionic/libc.so +0x1614]   mprotect (   addr = 0x12c40000 ,  size = 0x40000 ,  prot = PROT_READ | PROT_WRITE  )    > 0 SUCCESS
Process crashed: Bad access due to invalid address

***
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
RROS Version: 'RROS-Q-8.6.5-20201226-starlte-Official'
Build fingerprint: 'samsung/starltexx/starlte:10/xxxxxxxxxxxxxxx:user/release-keys'
Revision: '26'
ABI: 'arm64'
Timestamp: 2022-08-05 23:24:30+0600
pid: 9304, tid: 9304, name: ndroid.contacts  >>> com.android.contacts <<<
uid: 10246
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x120
Cause: null pointer dereference
    x0  0000000000000000  x1  000000769e7b4e4c  x2  00000076423f3060  x3  0000007fc6ddaaa0
    x4  00000076423f6d30  x5  0000007fc6ddaf78  x6  0000007fc6ddaf70  x7  0000000000000018
    x8  0000000000000000  x9  0000000000000000  x10 0000000000000072  x11 0000000000000001
    x12 0000000070ec61c8  x13 ffffffffffffffff  x14 0000000000000000  x15 000000769e723198
    x16 0000000000000001  x17 0000000000000000  x18 0000000000000000  x19 000000769e7b4e4c
    x20 0000000000000000  x21 0000000000000007  x22 0000000071bdcc10  x23 00000077237f9020
    x24 0000000000000000  x25 0000000071d3cb50  x26 0000000071d3cae8  x27 0000000016f400e0
    x28 000000772350ac00  x29 0000007fc6ddab20
    sp  0000007fc6dda970  lr  000000769e7b4e50  pc  0000007631a356c8

backtrace:
      #00 pc 00000000000096c8  <anonymous:7631a2c000>
      #01 pc 000000000058fe4c  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x58f000) (_ZN3artL37JniMethodEndWithReferenceHandleResultEP8_jobjectjPNS_6ThreadE.llvm.15732748762076278778+68) (BuildId: 666654ef4cf00eb4a229a0a82fb8580b)
      #02 pc 000000000058fe4c  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x58f000) (_ZN3artL37JniMethodEndWithReferenceHandleResultEP8_jobjectjPNS_6ThreadE.llvm.15732748762076278778+68) (BuildId: 666654ef4cf00eb4a229a0a82fb8580b)
      #03 pc 00000000000b61fc  /system/framework/arm64/boot.oat (art_jni_trampoline+140) (BuildId: a8ac55bddd29586f0b1ef039f0785f47489a899b)
      #04 pc 00000000000de208  /system/framework/arm64/boot.oat!boot.oat (offset 0xde000) (java.lang.ref.Reference.get+40) (BuildId: a8ac55bddd29586f0b1ef039f0785f47489a899b)
      #05 pc 00000000000db7e8  /system/framework/arm64/boot.oat!boot.oat (offset 0xdb000) (java.lang.ThreadLocal.get+152) (BuildId: a8ac55bddd29586f0b1ef039f0785f47489a899b)
      #06 pc 000000000075a7cc  /system/framework/arm64/boot-framework.oat!boot-framework.oat (offset 0x759000) (android.os.StrictMode.setBlockGuardPolicy+204) (BuildId: 70f26bc2948d2b8de567ee63d027da3521d905c0)
      #07 pc 000000000075962c  /system/framework/arm64/boot-framework.oat!boot-framework.oat (offset 0x759000) (android.os.StrictMode.initThreadDefaults+476) (BuildId: 70f26bc2948d2b8de567ee63d027da3521d905c0)
      #08 pc 00000000004bf3cc  /system/framework/arm64/boot-framework.oat!boot-framework.oat (offset 0x4bf000) (android.app.ActivityThread.handleBindApplication+2396) (BuildId: 70f26bc2948d2b8de567ee63d027da3521d905c0)
      #09 pc 0000000000136334  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x135000) (art_quick_invoke_stub+548) (BuildId: 666654ef4cf00eb4a229a0a82fb8580b)
      #10 pc 00000000001450ac  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x145000) (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+244) (BuildId: 666654ef4cf00eb4a229a0a82fb8580b)
      #11 pc 00000000004b0390  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x433000) (art::(anonymous namespace)::InvokeWithArgArray(art::ScopedObjectAccessAlreadyRunnable const&, art::ArtMethod*, art::(anonymous namespace)::ArgArray*, art::JValue*, char const*)+104) (BuildId: 666654ef4cf00eb4a229a0a82fb8580b)
      #12 pc 00000000004afff0  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x433000) (art::InvokeWithVarArgs(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, _jmethodID*, std::__va_list)+408) (BuildId: 666654ef4cf00eb4a229a0a82fb8580b)
      #13 pc 00000000003a54cc  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x385000) (art::JNI::CallNonvirtualVoidMethod(_JNIEnv*, _jobject*, _jclass*, _jmethodID*, ...)+692) (BuildId: 666654ef4cf00eb4a229a0a82fb8580b)
      #14 pc 0000000000769ff4  /data/local/tmp/re.frida.server/frida-agent-64.so!libfrida-agent.so (offset 0x769000)
      #15 pc 00000000007675bc  /data/local/tmp/re.frida.server/frida-agent-64.so!libfrida-agent.so (offset 0x767000)
***
[xx xxxx::com.android.contacts ]->

Thank you for using Frida!

With or without --no-pause, the result is the same.

ghost commented 1 year ago

Codeshare gives the same error, so it's not about the script but the device/Android version, etc. Command: frida --codeshare FrenchYeti/android-arm64-strace -U -f org.mozilla.firefox. Result: Process crashed: Bad access due to invalid address

     ____
    / _  |   Frida 15.2.2 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to xx xxxxx (id=xxxxxxxxxxxxxxxxxxxx)
Spawned `org.mozilla.firefox`. Use %resume to let the main thread start executing!
[SM G960F::org.mozilla.firefox ]-> %resume
[SM G960F::org.mozilla.firefox ]-> [LINKER] Loading '/data/app/org.mozilla.firefox-1NN_vhazYhlBVud4Hn6xkA==/lib/arm64/libjnidispatch.so'
[INTERRUPTOR][STARTING] Module '/data/app/org.mozilla.firefox-1NN_vhazYhlBVud4Hn6xkA==/lib/arm64/libjnidispatch.so' is loading, tracer will start
[INTERRUPTOR][STARTING] Tracing thread 11293 []
[STARTING TRACE] UID=0 Thread 11293
Deploying pthread_create hook
0 1
 [TID=11293] [/apex/com.android.runtime/bin/linker64 +0x1e4]   mprotect (   addr = 0x7723825000 ,  size = 0x64000 ,  prot = PROT_READ  )    > 0 SUCCESS
 [TID=11293] [/apex/com.android.runtime/bin/linker64 +0x1e4]   mprotect (   addr = 0x77238d4000 ,  size = 0x64000 ,  prot = PROT_READ  )    > 0 SUCCESS
 [TID=11293] [/apex/com.android.runtime/bin/linker64 +0x1e4]   mprotect (   addr = 0x772378c000 ,  size = 0x64000 ,  prot = PROT_READ  )    > 0 SUCCESS
 [TID=11293] [/apex/com.android.runtime/bin/linker64 +0x1e4]   mprotect (   addr = 0x7723728000 ,  size = 0x64000 ,  prot = PROT_READ  )    > 0 SUCCESS
 [TID=11293] [/apex/com.android.runtime/bin/linker64 +0x244]   prctl (   opt = PR_GET_DUMPABLE ,  unsigned long arg2 = 0x0 ,  unsigned long arg3 = 0x0 ,  unsigned long arg4 = 0x0 ,  unsigned long arg5 = 0x0  )    > 0x0
Process crashed: Bad access due to invalid address

***
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
RROS Version: 'RROS-Q-8.6.5-20201226-starlte-Official'
Build fingerprint: 'samsung/starltexx/starlte:10/xxxxxxxxxxx:user/release-keys'
Revision: '26'
ABI: 'arm64'
Timestamp: 2022-08-05 23:58:38+0400
pid: 11293, tid: 11293, name: mozilla.firefox  >>> org.mozilla.firefox <<<
uid: 10284
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
Cause: null pointer dereference
    x0  0000000000000000  x1  00000077249997f0  x2  00000076423f3060  x3  0000007fc6ddd300
    x4  00000076423f6d30  x5  0000000000000000  x6  70612f617461642f  x7  0000000000000000
    x8  0000000000000000  x9  00000000000000fc  x10 0101010101010101  x11 0000000000000001
    x12 000000772302e700  x13 e735956009feee27  x14 0000000000000000  x15 0000007724a28840
    x16 0000000000000001  x17 0000000000000000  x18 0000007724730000  x19 00000077249997f0
    x20 0000007fc6ddd6a0  x21 0000007fc6ddd808  x22 000000000467e784  x23 000000762afc36c0
    x24 0000007fc6ddd71c  x25 00000000000000ad  x26 000000000467e784  x27 00000000000000ad
    x28 0000000000000018  x29 0000007fc6ddd700
    sp  0000007fc6ddd390  lr  00000077249997f4  pc  000000762a6755d4

backtrace:
      #00 pc 00000000000015d4  <anonymous:762a674000>
      #01 pc 000000000004f7f0  /apex/com.android.runtime/bin/linker64!ld-android.so (offset 0x4f000) (__dl__ZNK6soinfo10elf_lookupER10SymbolNamePK12version_infoPj+392) (BuildId: a36d6aad65c8722218c7f024d9148c80)
      #02 pc 000000000004f358  /apex/com.android.runtime/bin/linker64!ld-android.so (offset 0x4f000) (__dl__ZNK6soinfo19find_symbol_by_nameER10SymbolNamePK12version_infoPPK9elf64_sym+40) (BuildId: a36d6aad65c8722218c7f024d9148c80)
      #03 pc 0000000000042d54  /apex/com.android.runtime/bin/linker64!ld-android.so (offset 0x42000) (__dl__ZL19dlsym_handle_lookupP19android_namespace_tP6soinfoS2_PS2_R10SymbolNamePK12version_info+244) (BuildId: a36d6aad65c8722218c7f024d9148c80)
      #04 pc 000000000003bfac  /apex/com.android.runtime/bin/linker64!ld-android.so (offset 0x3b000) (__dl__Z8do_dlsymPvPKcS1_PKvPS_+724) (BuildId: a36d6aad65c8722218c7f024d9148c80)
      #05 pc 00000000000371fc  /apex/com.android.runtime/bin/linker64 (__dl__Z10dlsym_implPvPKcS1_PKv+84) (BuildId: a36d6aad65c8722218c7f024d9148c80)
      #06 pc 0000000000001054  /apex/com.android.runtime/lib64/bionic/libdl.so (dlsym+12) (BuildId: 81b9f7fbfbddd643bbc4e8d392b75861)
      #07 pc 000000000037e594  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x37e000) (art::SharedLibrary::FindSymbolWithoutNativeBridge(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&)+68) (BuildId: 666654ef4cf00eb4a229a0a82fb8580b)
      #08 pc 000000000037b09c  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x378000) (art::JavaVMExt::LoadNativeLibrary(_JNIEnv*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&, _jobject*, _jclass*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>*)+3140) (BuildId: 666654ef4cf00eb4a229a0a82fb8580b)
      #09 pc 0000000000005184  /apex/com.android.runtime/lib64/libopenjdkjvm.so (JVM_NativeLoad+412) (BuildId: c90789c7a25ff8363bc15f208387462f)
      #10 pc 00000000000b6af4  /system/framework/arm64/boot.oat (art_jni_trampoline+228) (BuildId: a8ac55bddd29586f0b1ef039f0785f47489a899b)
      #11 pc 00000000000d4060  /system/framework/arm64/boot.oat!boot.oat (offset 0xb7000) (java.lang.Runtime.loadLibrary0+224) (BuildId: a8ac55bddd29586f0b1ef039f0785f47489a899b)
      #12 pc 00000000000d5034  /system/framework/arm64/boot.oat!boot.oat (offset 0xb7000) (java.lang.Runtime.loadLibrary0+180) (BuildId: a8ac55bddd29586f0b1ef039f0785f47489a899b)
      #13 pc 00000000000d9c50  /system/framework/arm64/boot.oat!boot.oat (offset 0xb7000) (java.lang.System.loadLibrary+96) (BuildId: a8ac55bddd29586f0b1ef039f0785f47489a899b)
      #14 pc 0000000000615c58  /data/app/org.mozilla.firefox-1NN_vhazYhlBVud4Hn6xkA==/oat/arm64/base.odex (com.sun.jna.Native.loadNativeDispatchLibrary+2392)
      #15 pc 00000000001365b8  /apex/com.android.runtime/lib64/libart.so (art_quick_invoke_static_stub+568) (BuildId: 666654ef4cf00eb4a229a0a82fb8580b)
      #16 pc 00000000001450cc  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x145000) (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+276) (BuildId: 666654ef4cf00eb4a229a0a82fb8580b)
      #17 pc 00000000002e1f98  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x2a2000) (art::interpreter::ArtInterpreterToCompiledCodeBridge(art::Thread*, art::ArtMethod*, art::ShadowFrame*, unsigned short, art::JValue*)+384) (BuildId: 666654ef4cf00eb4a229a0a82fb8580b)
      #18 pc 00000000002dd024  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x2a2000) (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+900) (BuildId: 666654ef4cf00eb4a229a0a82fb8580b)
      #19 pc 00000000005a2a08  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x500000) (MterpInvokeStatic+368) (BuildId: 666654ef4cf00eb4a229a0a82fb8580b)
      #20 pc 0000000000130994  /apex/com.android.runtime/lib64/libart.so (mterp_op_invoke_static+20) (BuildId: 666654ef4cf00eb4a229a0a82fb8580b)
      #21 pc 00000000003c4fb6  /data/app/org.mozilla.firefox-1NN_vhazYhlBVud4Hn6xkA==/oat/arm64/base.vdex (com.sun.jna.Native.<clinit>+166)
      #22 pc 00000000002b28c8  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x2a2000) (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEbb.llvm.4600927533238258340+240) (BuildId: 666654ef4cf00eb4a229a0a82fb8580b)
      #23 pc 0000000000591348  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x500000) (artQuickToInterpreterBridge+1024) (BuildId: 666654ef4cf00eb4a229a0a82fb8580b)
      #24 pc 000000000013f468  /apex/com.android.runtime/lib64/libart.so (art_quick_to_interpreter_bridge+88) (BuildId: 666654ef4cf00eb4a229a0a82fb8580b)
      #25 pc 00000000001365b8  /apex/com.android.runtime/lib64/libart.so (art_quick_invoke_static_stub+568) (BuildId: 666654ef4cf00eb4a229a0a82fb8580b)
      #26 pc 00000000001450cc  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x145000) (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+276) (BuildId: 666654ef4cf00eb4a229a0a82fb8580b)
      #27 pc 0000000000170fdc  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x14f000) (art::ClassLinker::InitializeClass(art::Thread*, art::Handle<art::mirror::Class>, bool, bool)+2188) (BuildId: 666654ef4cf00eb4a229a0a82fb8580b)
      #28 pc 000000000015bc04  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x14f000) (art::ClassLinker::EnsureInitialized(art::Thread*, art::Handle<art::mirror::Class>, bool, bool)+92) (BuildId: 666654ef4cf00eb4a229a0a82fb8580b)
      #29 pc 00000000005842f8  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x500000) (artInitializeStaticStorageFromCode+96) (BuildId: 666654ef4cf00eb4a229a0a82fb8580b)
      #30 pc 0000000000136cbc  /apex/com.android.runtime/lib64/libart.so (art_quick_initialize_static_storage+156) (BuildId: 666654ef4cf00eb4a229a0a82fb8580b)
      #31 pc 0000000000466dd4  /data/app/org.mozilla.firefox-1NN_vhazYhlBVud4Hn6xkA==/oat/arm64/base.odex (com.sun.jna.Structure.setAlignType+484)
      #32 pc 000000000045ee40  /data/app/org.mozilla.firefox-1NN_vhazYhlBVud4Hn6xkA==/oat/arm64/base.odex (com.sun.jna.Structure.<init>+160)
      #33 pc 000000000045ecb4  /data/app/org.mozilla.firefox-1NN_vhazYhlBVud4Hn6xkA==/oat/arm64/base.odex (com.sun.jna.Structure.<init>+52)
      #34 pc 0000000000981670  /data/app/org.mozilla.firefox-1NN_vhazYhlBVud4Hn6xkA==/oat/arm64/base.odex (mozilla.telemetry.glean.internal.CounterMetric.<init>+176)
      #35 pc 0000000000136334  /apex/com.android.runtime/lib64/libart.so (art_quick_invoke_stub+548) (BuildId: 666654ef4cf00eb4a229a0a82fb8580b)
      #36 pc 00000000001450ac  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x145000) (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+244) (BuildId: 666654ef4cf00eb4a229a0a82fb8580b)
      #37 pc 00000000002e1f98  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x2a2000) (art::interpreter::ArtInterpreterToCompiledCodeBridge(art::Thread*, art::ArtMethod*, art::ShadowFrame*, unsigned short, art::JValue*)+384) (BuildId: 666654ef4cf00eb4a229a0a82fb8580b)
      #38 pc 00000000002dd024  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x2a2000) (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+900) (BuildId: 666654ef4cf00eb4a229a0a82fb8580b)
      #39 pc 00000000005a2200  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x500000) (MterpInvokeDirect+400) (BuildId: 666654ef4cf00eb4a229a0a82fb8580b)
      #40 pc 0000000000130914  /apex/com.android.runtime/lib64/libart.so (mterp_op_invoke_direct+20) (BuildId: 666654ef4cf00eb4a229a0a82fb8580b)
      #41 pc 0000000000b40eae  /data/app/org.mozilla.firefox-1NN_vhazYhlBVud4Hn6xkA==/oat/arm64/base.vdex (org.mozilla.fenix.GleanMetrics.PerfStartup.<clinit>+128)
      #42 pc 00000000002b28c8  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x2a2000) (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEbb.llvm.4600927533238258340+240) (BuildId: 666654ef4cf00eb4a229a0a82fb8580b)
      #43 pc 0000000000591348  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x500000) (artQuickToInterpreterBridge+1024) (BuildId: 666654ef4cf00eb4a229a0a82fb8580b)
      #44 pc 000000000013f468  /apex/com.android.runtime/lib64/libart.so (art_quick_to_interpreter_bridge+88) (BuildId: 666654ef4cf00eb4a229a0a82fb8580b)
      #45 pc 00000000001365b8  /apex/com.android.runtime/lib64/libart.so (art_quick_invoke_static_stub+568) (BuildId: 666654ef4cf00eb4a229a0a82fb8580b)
      #46 pc 00000000001450cc  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x145000) (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+276) (BuildId: 666654ef4cf00eb4a229a0a82fb8580b)
      #47 pc 0000000000170fdc  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x14f000) (art::ClassLinker::InitializeClass(art::Thread*, art::Handle<art::mirror::Class>, bool, bool)+2188) (BuildId: 666654ef4cf00eb4a229a0a82fb8580b)
      #48 pc 000000000015bc04  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x14f000) (art::ClassLinker::EnsureInitialized(art::Thread*, art::Handle<art::mirror::Class>, bool, bool)+92) (BuildId: 666654ef4cf00eb4a229a0a82fb8580b)
      #49 pc 00000000005842f8  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x500000) (artInitializeStaticStorageFromCode+96) (BuildId: 666654ef4cf00eb4a229a0a82fb8580b)
      #50 pc 0000000000136cbc  /apex/com.android.runtime/lib64/libart.so (art_quick_initialize_static_storage+156) (BuildId: 666654ef4cf00eb4a229a0a82fb8580b)
      #51 pc 0000000000949940  /data/app/org.mozilla.firefox-1NN_vhazYhlBVud4Hn6xkA==/oat/arm64/base.odex (org.mozilla.fenix.FenixApplication.onCreate+10016)
      #52 pc 00000000003d42b4  /system/framework/arm64/boot-framework.oat (android.app.Instrumentation.callApplicationOnCreate+52) (BuildId: 70f26bc2948d2b8de567ee63d027da3521d905c0)
      #53 pc 00000000004c08b0  /system/framework/arm64/boot-framework.oat (android.app.ActivityThread.handleBindApplication+7744) (BuildId: 70f26bc2948d2b8de567ee63d027da3521d905c0)
      #54 pc 00000000004b7bb4  /system/framework/arm64/boot-framework.oat (android.app.ActivityThread$H.handleMessage+6948) (BuildId: 70f26bc2948d2b8de567ee63d027da3521d905c0)
      #55 pc 000000000073b294  /system/framework/arm64/boot-framework.oat (android.os.Handler.dispatchMessage+180) (BuildId: 70f26bc2948d2b8de567ee63d027da3521d905c0)
      #56 pc 000000000073e96c  /system/framework/arm64/boot-framework.oat (android.os.Looper.loop+1756) (BuildId: 70f26bc2948d2b8de567ee63d027da3521d905c0)
      #57 pc 00000000004c7030  /system/framework/arm64/boot-framework.oat (android.app.ActivityThread.main+752) (BuildId: 70f26bc2948d2b8de567ee63d027da3521d905c0)
      #58 pc 00000000001365b8  /apex/com.android.runtime/lib64/libart.so (art_quick_invoke_static_stub+568) (BuildId: 666654ef4cf00eb4a229a0a82fb8580b)
      #59 pc 00000000001450cc  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x145000) (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+276) (BuildId: 666654ef4cf00eb4a229a0a82fb8580b)
      #60 pc 00000000004b0390  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x3e0000) (art::(anonymous namespace)::InvokeWithArgArray(art::ScopedObjectAccessAlreadyRunnable const&, art::ArtMethod*, art::(anonymous namespace)::ArgArray*, art::JValue*, char const*)+104) (BuildId: 666654ef4cf00eb4a229a0a82fb8580b)
      #61 pc 00000000004b1dd8  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x3e0000) (art::InvokeMethod(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, _jobject*, _jobject*, unsigned long)+1472) (BuildId: 666654ef4cf00eb4a229a0a82fb8580b)
      #62 pc 000000000043da68  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x3e0000) (art::Method_invoke(_JNIEnv*, _jobject*, _jobject*, _jobjectArray*)+48) (BuildId: 666654ef4cf00eb4a229a0a82fb8580b)
      #63 pc 00000000000bfc34  /system/framework/arm64/boot.oat!boot.oat (offset 0xb7000) (art_jni_trampoline+180) (BuildId: a8ac55bddd29586f0b1ef039f0785f47489a899b)
      #64 pc 00000000009b13c8  /system/framework/arm64/boot-framework.oat (com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run+136) (BuildId: 70f26bc2948d2b8de567ee63d027da3521d905c0)
      #65 pc 00000000009b8f98  /system/framework/arm64/boot-framework.oat (com.android.internal.os.ZygoteInit.main+2056) (BuildId: 70f26bc2948d2b8de567ee63d027da3521d905c0)
      #66 pc 00000000001365b8  /apex/com.android.runtime/lib64/libart.so (art_quick_invoke_static_stub+568) (BuildId: 666654ef4cf00eb4a229a0a82fb8580b)
      #67 pc 00000000001450cc  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x145000) (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+276) (BuildId: 666654ef4cf00eb4a229a0a82fb8580b)
      #68 pc 00000000004b0390  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x3e0000) (art::(anonymous namespace)::InvokeWithArgArray(art::ScopedObjectAccessAlreadyRunnable const&, art::ArtMethod*, art::(anonymous namespace)::ArgArray*, art::JValue*, char const*)+104) (BuildId: 666654ef4cf00eb4a229a0a82fb8580b)
      #69 pc 00000000004afff0  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x3e0000) (art::InvokeWithVarArgs(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, _jmethodID*, std::__va_list)+408) (BuildId: 666654ef4cf00eb4a229a0a82fb8580b)
      #70 pc 00000000003bb370  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x380000) (art::JNI::CallStaticVoidMethodV(_JNIEnv*, _jclass*, _jmethodID*, std::__va_list)+624) (BuildId: 666654ef4cf00eb4a229a0a82fb8580b)
      #71 pc 00000000000bf9dc  /system/lib64/libandroid_runtime.so (_JNIEnv::CallStaticVoidMethod(_jclass*, _jmethodID*, ...)+116) (BuildId: a28a7240999ab039363efab438417ca0)
      #72 pc 00000000000c2870  /system/lib64/libandroid_runtime.so (android::AndroidRuntime::start(char const*, android::Vector<android::String8> const&, bool)+784) (BuildId: a28a7240999ab039363efab438417ca0)
      #73 pc 00000000000034e0  /system/bin/app_process64 (main+1168) (BuildId: f76426758d45e1a553be61a1caa503f7)
      #74 pc 000000000007d844  /apex/com.android.runtime/lib64/bionic/libc.so!libc.so (offset 0x46000) (__libc_init+108) (BuildId: a5aa1dd8572ed64645c321b17b43e24d)
***
[xx xxxxxx::org.mozilla.firefox ]->

Thank you for using Frida!

ghost commented 1 year ago

Same for Android Studio's emulator with the app com.alphabetlabs.deviceinfo:

Cause: null pointer dereference

Code:

Java.perform(() => {
  Interruptor.newAgentTracer({}).start();   // default tracer, nothing excluded
});

frida -U -f com.alphabetlabs.deviceinfo -l _agent.js --no-pause

     ____
    / _  |   Frida 15.2.2 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to Android Emulator 5554 (id=emulator-5554)
Spawned `com.alphabetlabs.deviceinfo`. Resuming main thread!            
[Android Emulator 5554::com.alphabetlabs.deviceinfo ]-> [INTERRUPTOR][STARTING] Tracing thread 6830 []
[STARTING TRACE] UID=0 Thread 6830
Deploying pthread_create hook
 [TID=6830] [/system/lib64/libc.so +0xb95]   getuid (  )    > 0x2753
 [TID=6830] [/system/lib64/libc.so +0x315]   ioctl (   fd = 11  undefined   ,  cmd = 0xc0306201 ,  arg = 0x7ffd40497180  )    > 0x0
 [TID=6830] [/system/lib64/libc.so +0x315]   ioctl (   fd = 11  undefined   ,  cmd = 0xc0306201 ,  arg = 0x7ffd404971a0  )    > 0x0
 [TID=6830] [/system/lib64/libc.so +0xb95]   getuid (  )    > 0x2753
 [TID=6830] [/system/lib64/libc.so +0x315]   ioctl (   fd = 11  undefined   ,  cmd = 0xc0306201 ,  arg = 0x7ffd40497040  )    > 0x0
 [TID=6830] [/system/lib64/libc.so +0x338]   openat (   dfd = AT_FDCWD  ,  filename = /dev/ashmem ,  int flags = 0x80002 ,  umode_t mode = 0x0  )    > 0x75
 [TID=6830] [/system/lib64/libc.so +0x915]   fstat (   fd = 117  undefined   ,  *statbuf = 0x7ffd40497200  )    > 0x0
 [TID=6830] [/system/lib64/libc.so +0x315]   ioctl (   fd = 117  undefined   ,  cmd = 0x41007701 ,  arg = 0x7ffd404972c0  )    > 0x0
 [TID=6830] [/system/lib64/libc.so +0x315]   ioctl (   fd = 117  undefined   ,  cmd = 0x40087703 ,  arg = 0x2000  )    > 0x0
 [TID=6830] [/system/lib64/libc.so +0xe58]   mmap (   start_addr = 0x0 ,  size = 0x2000 ,  prot = PROT_READ | PROT_WRITE ,  flags = MAP_PRIVATE ,  fd = undefined ,  offset = 0x0  )    > 0x7abfe61bd000
 [TID=6830] [/system/lib64/libc.so +0x15]   close (   fd = 117  undefined    )    > 0x0
[libc.so] Hooking routine : 0x7abfe98445b0 {"0x7abfe98445b0":true}
 [TID=6830] [/system/lib64/libc.so +0xe58]   mmap (   start_addr = 0x0 ,  size = 0x106000 ,  prot = PROT_READ | PROT_WRITE ,  flags = MAP_PRIVATE | MAP_ANONYMOUS | MAP_NORESERVE ,  fd = undefined ,  offset = 0x0  )    > 0x7abfcddf1000
 [TID=6830] [/system/lib64/libc.so +0xe95]   mprotect (   addr = 0x7abfcddf1000 ,  size = 0x1000 ,  prot = PROT_NONE  )    > 0x0
 [TID=6830] [/system/lib64/libc.so +0xf98]   prctl (   int option = 0x53564d41 ,  unsigned long arg2 = 0x0 ,  unsigned long arg3 = 0x7abfcddf1000 ,  unsigned long arg4 = 0x1000 ,  unsigned long arg5 = 0x7ac06e40919d ,   = 0x0  )    > 0x0
 [TID=6830] [/system/lib64/libc.so +0xe58]   mmap (   start_addr = 0x0 ,  size = 0x5000 ,  prot = PROT_NONE ,  flags = MAP_PRIVATE | MAP_ANONYMOUS ,  fd = undefined ,  offset = 0x0  )    > 0x7abfdc5b7000
 [TID=6830] [/system/lib64/libc.so +0xf98]   prctl (   int option = 0x53564d41 ,  unsigned long arg2 = 0x0 ,  unsigned long arg3 = 0x7abfdc5b7000 ,  unsigned long arg4 = 0x5000 ,  unsigned long arg5 = 0x7ac06e408fd1 ,   = 0x0  )    > 0x0
 [TID=6830] [/system/lib64/libc.so +0xe95]   mprotect (   addr = 0x7abfdc5b8000 ,  size = 0x3000 ,  prot = PROT_READ | PROT_WRITE  )    > 0x0
 [TID=6830] [/system/lib64/libc.so +0xf98]   prctl (   int option = 0x53564d41 ,  unsigned long arg2 = 0x0 ,  unsigned long arg3 = 0x7abfdc5b8000 ,  unsigned long arg4 = 0x3000 ,  unsigned long arg5 = 0x7ac06e409013 ,   = 0x0  )    > 0x0
 [TID=6830] [/system/lib64/libc.so +0x99c]   clone (   unsigned long = 0x3d0f00 ,  unsigned long = 0x7abfcdef64e0 ,  int * = 0x7abfcdef6500 ,  int * = 0x7abfcdef6500 ,  unsigned long = 0x7abfcdef6588  )    > 0x1b08
 [TID=6830] [/system/lib64/libc.so +0xb96]   futex (   u32 *uaddr = 0x7abfcdef6570 ,  int op = 0x81 ,  u32 val = 0x1 ,  struct __kernel_timespec *utime = 0x0 ,  u32 *uaddr2 = 0x0 ,  u32 val3 = 0x7abf00000000  )    > 0x1
------- [TID=6920][libart.so][0x7abfe98445b0] Thread routine start -------
[INTERRUPTOR][STARTING] Tracing thread 6920 []
[STARTING TRACE] UID=1 Thread 6920
 [TID=6920] [/system/lib64/libc.so +0xe95]   mprotect (   addr = 0x7abfcddf2000 ,  size = 0x1000 ,  prot = PROT_NONE  )    > 0x0
 [TID=6920] [/system/lib64/libc.so +0xd95]   madvise (   addr = 0x7abfcddf2000 ,  size = 0x103000 ,  behavior = MADV_DONTNEED  )    > 0x0
 [TID=6920] [/system/lib64/libc.so +0xb96]   arch_prctl (  )    > 0x0
 [TID=6830] [/system/lib64/libc.so +0x315]   ioctl (   fd = 11  undefined   ,  cmd = 0xc0306201 ,  arg = 0x7ffd40497300  )    > 0x0
 [TID=6830] [/system/lib64/libc.so +0xb95]   getuid (  )    > 0x2753
 [TID=6920] [/system/lib64/libc.so +0xf98]   prctl (   int option = 0xf ,  unsigned long arg2 = 0x7abfcdef63c0 ,  unsigned long arg3 = 0x8 ,  unsigned long arg4 = 0x0 ,  unsigned long arg5 = 0x6 ,   = 0x2b8a  )    > 0x0
 [TID=6920] [/system/lib64/libc.so +0x2d5]   getpriority (   int which = 0x0 ,  int who = 0x1b08  )    > 0x18
 [TID=6920] [/system/lib64/libc.so +0x495]   setpriority (   int which = 0x0 ,  int who = 0x1b08 ,  int niceval = 0x0  )    > 0x0
 [TID=6920] [/system/lib64/libc.so +0xe95]   mprotect (   addr = 0x12dc0000 ,  size = 0x40000 ,  prot = PROT_READ | PROT_WRITE  )    > 0x0
 [TID=6920] [/system/lib64/libc.so +0xf15]   munmap (   addr = 0x7abfe61bd000 ,  size = 0x2000  )    > 0x0
 [TID=6830] [/system/lib64/libc.so +0x315]   ioctl (   fd = 11  undefined   ,  cmd = 0xc0306201 ,  arg = 0x7ffd40497000  )    > 0x0
------- [TID=6920][0x7abfe98445b0] Thread routine ended -------
 [TID=6830] [/system/lib64/libc.so +0x315]   ioctl (   fd = 11  undefined   ,  cmd = 0xc0306201 ,  arg = 0x7ffd40497020  )    > 0x0
 [TID=6830] [/system/lib64/libc.so +0x315]   ioctl (   fd = 11  undefined   ,  cmd = 0xc0306201 ,  arg = 0x7ffd404971c0  )    > 0x0
 [TID=6830] [/system/lib64/libc.so +0xe95]   mprotect (   addr = 0x12e00000 ,  size = 0x40000 ,  prot = PROT_READ | PROT_WRITE  )    > 0x0
 [TID=6830] [/system/lib64/libc.so +0xd95]   madvise (   addr = 0x7abfcfe10000 ,  size = 0x19000 ,  behavior = MADV_DONTNEED  )    > 0x0
 [TID=6830] [/system/lib64/libc.so +0xd95]   madvise (   addr = 0x7abfd03ce000 ,  size = 0x12000 ,  behavior = MADV_DONTNEED  )    > 0x0
 [TID=6830] [/system/lib64/libc.so +0xd95]   madvise (   addr = 0x7abfe0783000 ,  size = 0x3000 ,  behavior = MADV_DONTNEED  )    > 0x0
 [TID=6830] [/system/lib64/libc.so +0x315]   ioctl (   fd = 11  undefined   ,  cmd = 0xc0306201 ,  arg = 0x7ffd40496060  )    > 0x0
 [TID=6830] [/system/lib64/libc.so +0x315]   ioctl (   fd = 11  undefined   ,  cmd = 0xc0306201 ,  arg = 0x7ffd40496080  )    > 0x0
Process crashed: Bad access due to invalid address

***
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'Android/sdk_phone_x86_64/generic_x86_64:9/PSR1.180720.012/4923214:userdebug/test-keys'
Revision: '0'
ABI: 'x86_64'
pid: 6830, tid: 6830, name: labs.deviceinfo  >>> com.alphabetlabs.deviceinfo <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
Cause: null pointer dereference
    rax 0000000000000000  rbx 0000000000000000  rcx 0000000000000000  rdx 0000000000000001
    r8  00007ffd404970b8  r9  0000000074a4b6da  r10 0000000074a4b6dc  r11 00007ffd40496f14
    r12 0000000000000000  r13 0000000012e14d10  r14 00007ffd404970b8  r15 00000000717b2e60
    rdi 00000000718fe070  rsi 0000000000000000
    rbp 0000000012e14d10  rsp 00007ffd40496cc0  rip 00007abfce0806f2

backtrace:
    #00 pc 00000000001496f2  <anonymous:00007abfcdf37000>
***
[Android Emulator 5554::com.alphabetlabs.deviceinfo ]->

Thank you for using Frida!
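
As an added example (not code from Interruptor or from this issue), here is a small offline parser for the trace lines Interruptor prints in the output above; it summarises syscalls per thread and flags mmap/mprotect calls that request a writable-and-executable mapping (a W^X violation a reviewer wants surfaced from a syscall trace). It assumes only the line format visible in the issue; the sample lines are copied from the output above, except the RWX mprotect line for TID 6920, which is constructed to exercise the check.

```python
"""Offline parser for the Interruptor trace lines shown in this issue (added
example, not Interruptor code); it assumes only the printed line format."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# [TID=<tid>] [<module> +<offset>]   <syscall> ( <name> = <value> , ... )    > <ret>
LINE_RE = re.compile(
    r"^\s*\[TID=(?P<tid>\d+)\]\s+"
    r"\[(?P<module>\S+)\s+\+(?P<offset>0x[0-9a-fA-F]+)\]\s+"
    r"(?P<name>\w+)\s+\((?P<args>.*)\)\s+>\s*(?P<ret>.+?)\s*$"
)
# Interruptor prefixes some argument names with their C type ("int flags",
# "unsigned long arg2", "u32 *uaddr"); these words are dropped to get the name.
TYPE_WORDS = {"int", "unsigned", "long", "char", "u32", "umode_t", "struct", "const"}

@dataclass
class Syscall:
    tid: int
    module: str
    offset: int
    name: str
    args: Dict[str, str] = field(default_factory=dict)  # arg name -> raw value text
    ret: Optional[int] = None  # numeric return value when it parses as one
    ret_raw: str = ""          # e.g. "0 SUCCESS", "0x75"

def _to_int(text: str) -> Optional[int]:
    """First token as int ('0x75' -> 117, '0 SUCCESS' -> 0), else None."""
    tokens = text.split()
    try:
        return int(tokens[0], 0) if tokens else None
    except ValueError:
        return None

def _parse_args(raw: str) -> Dict[str, str]:
    args: Dict[str, str] = {}
    if not raw.strip():
        return args
    for i, part in enumerate(re.split(r"\s,\s", raw.strip())):
        lhs, _, rhs = part.partition("=")
        words = [w.lstrip("*") for w in lhs.split()]
        words = [w for w in words if w and w not in TYPE_WORDS]
        name = words[-1] if words else f"arg{i}"  # unnamed args get positional names
        tokens = rhs.split()
        # Interruptor appends "undefined" after some values ("fd = 117  undefined");
        # keep the literal "undefined" only when it is the whole value.
        if len(tokens) > 1 and tokens[-1] == "undefined":
            tokens = tokens[:-1]
        args[name] = " ".join(tokens)
    return args

def parse_line(line: str) -> Optional[Syscall]:
    """Parse one trace line; None for non-syscall output (banner, crash text)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return Syscall(int(m["tid"]), m["module"], int(m["offset"], 0), m["name"],
                   _parse_args(m["args"]), _to_int(m["ret"]), m["ret"])

def parse_trace(text: str) -> List[Syscall]:
    return [c for c in map(parse_line, text.splitlines()) if c is not None]

def prot_flags(value: str):
    """'PROT_READ | PROT_WRITE' -> {'PROT_READ', 'PROT_WRITE'}"""
    return {f.strip() for f in value.split("|") if f.strip()}

def writable_executable(calls: List[Syscall]) -> List[Syscall]:
    """mmap/mprotect calls requesting a writable AND executable region, the W^X
    violation a reviewer wants surfaced from a syscall trace."""
    return [c for c in calls if c.name in ("mmap", "mprotect")
            and {"PROT_WRITE", "PROT_EXEC"} <= prot_flags(c.args.get("prot", ""))]

def syscalls_per_thread(calls: List[Syscall]) -> Dict[int, Counter]:
    per: Dict[int, Counter] = defaultdict(Counter)
    for c in calls:
        per[c.tid][c.name] += 1
    return per

# Constructed sample: lines copied from the issue output above plus one
# constructed RWX mprotect line (TID 6920) to exercise the W^X check.
SAMPLE_TRACE = """\
 [TID=6830] [/system/lib64/libc.so +0xb95]   getuid (  )    > 0x2753
 [TID=6830] [/system/lib64/libc.so +0x338]   openat (   dfd = AT_FDCWD  ,  filename = /dev/ashmem ,  int flags = 0x80002 ,  umode_t mode = 0x0  )    > 0x75
 [TID=6830] [/system/lib64/libc.so +0x915]   fstat (   fd = 117  undefined   ,  *statbuf = 0x7ffd40497200  )    > 0x0
 [TID=6830] [/system/lib64/libc.so +0xe58]   mmap (   start_addr = 0x0 ,  size = 0x106000 ,  prot = PROT_READ | PROT_WRITE ,  flags = MAP_PRIVATE | MAP_ANONYMOUS | MAP_NORESERVE ,  fd = undefined ,  offset = 0x0  )    > 0x7abfcddf1000
 [TID=6830] [/system/lib64/libc.so +0x99c]   clone (   unsigned long = 0x3d0f00 ,  unsigned long = 0x7abfcdef64e0 ,  int * = 0x7abfcdef6500 ,  int * = 0x7abfcdef6500 ,  unsigned long = 0x7abfcdef6588  )    > 0x1b08
 [TID=9304] [/apex/com.android.runtime/lib64/bionic/libc.so +0x1614]   mprotect (   addr = 0x12c40000 ,  size = 0x40000 ,  prot = PROT_READ | PROT_WRITE  )    > 0 SUCCESS
 [TID=6920] [/system/lib64/libc.so +0xe95]   mprotect (   addr = 0x7abfcddf2000 ,  size = 0x1000 ,  prot = PROT_READ | PROT_WRITE | PROT_EXEC  )    > 0x0
Process crashed: Bad access due to invalid address
"""

if __name__ == "__main__":
    calls = parse_trace(SAMPLE_TRACE)
    for tid, counts in sorted(syscalls_per_thread(calls).items()):
        print(f"TID {tid}: {dict(counts)}")
    for c in writable_executable(calls):
        print(f"W+X requested by TID {c.tid}: {c.name} {c.args}")
```

Feed it a saved Frida session (`frida ... | tee trace.log`) via `parse_trace(open("trace.log").read())`; non-syscall lines such as the banner and the crash report are skipped.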

ahmedmani commented 1 year ago

Having the same problem, the script is unusable.

FrenchYeti commented 1 year ago

@ahmedmani Interruptor has changed a lot since the beginning of this issue; can you provide some information?

Many thanks!