Closed yujack008 closed 1 month ago
我是通过注入 SO、hook JNI_OnLoad 函数获取 JavaVM,然后加载自己的 dex,并在该 dex 里执行 System.loadLibrary("lsplant"); 时发生崩溃。
崩溃日志如下:
--------- beginning of crash 10-11 12:01:29.427 5952 5952 F libc : Fatal signal 6 (SIGABRT), code -1 (SI_QUEUE) in tid 5952 (.abcd.solinker2), pid 5952 (.abcd.solinker2) 10-11 12:01:29.447 5995 5995 I crash_dump64: obtaining output fd from tombstoned, type: kDebuggerdTombstone 10-11 12:01:29.447 949 949 I /system/bin/tombstoned: received crash request for pid 5952 10-11 12:01:29.448 5995 5995 I crash_dump64: performing dump of process 5952 (target tid = 5952) 10-11 12:01:29.452 5995 5995 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** 10-11 12:01:29.452 5995 5995 F DEBUG : Build fingerprint: 'Android/aosp_flame/flame:10/QQ3A.200805.001/eng.root.20240828.131930:user/release-keys' 10-11 12:01:29.452 5995 5995 F DEBUG : Revision: 'MP1.0' 10-11 12:01:29.452 5995 5995 F DEBUG : ABI: 'arm64' 10-11 12:01:29.452 5995 5995 F DEBUG : Timestamp: 2024-10-11 12:01:29+0800 10-11 12:01:29.452 5995 5995 F DEBUG : pid: 5952, tid: 5952, name: .abcd.solinker2 >>> com.abcd.solinker2 <<< 10-11 12:01:29.452 5995 5995 F DEBUG : uid: 10116 10-11 12:01:29.452 5995 5995 F DEBUG : signal 6 (SIGABRT), code -1 (SI_QUEUE), fault addr -------- 10-11 12:01:29.452 5995 5995 F DEBUG : Abort message: 'JNI DETECTED ERROR IN APPLICATION: JNI NewGlobalRef called with pending exception java.lang.reflect.InvocationTargetException: 10-11 12:01:29.452 5995 5995 F DEBUG : at java.lang.Object java.lang.reflect.Method.invoke(java.lang.Object, java.lang.Object[]) (Method.java:-2) 10-11 12:01:29.452 5995 5995 F DEBUG : at java.lang.String java.lang.Runtime.nativeLoad(java.lang.String, java.lang.ClassLoader, java.lang.Class) (Runtime.java:-2) 10-11 12:01:29.452 5995 5995 F DEBUG : at java.lang.String java.lang.Runtime.nativeLoad(java.lang.String, java.lang.ClassLoader) (Runtime.java:1196) 10-11 12:01:29.452 5995 5995 F DEBUG : at void java.lang.Runtime.loadLibrary0(java.lang.ClassLoader, java.lang.Class, java.lang.String) (Runtime.java:1150) 10-11 12:01:29.452 5995 5995 F DEBUG : at 
void java.lang.Runtime.loadLibrary0(java.lang.Class, java.lang.String) (Runtime.java:1088) 10-11 12:01:29.452 5995 5995 F DEBUG : at void java.lang.System.loadLibrary(java.lang.String) (System.java:1667) 10-11 12:01:29.452 5995 5995 F DEBUG : at void com.abcd.solinker2.MainActivity.<clinit>() (MainActivity.java:36) 10-11 12:01:29.452 5995 5995 F DEBUG : at java.lang.Object java.lang.Class.newInstance() (Class.java:-2) 10-11 12:01:29.452 5995 5995 F DEBUG : at android.app.Activity android.app.AppComponentFactory.instantiateActivity(java.lang.ClassLoader, java.lang.String, android.content.Intent) (AppComponentFactory.java:95) 10-11 12:01:29.452 5995 5995 F DEBUG : at android.app.Activity androidx.core.app.CoreComponentFactory.instantiateActivity(java.lang.ClassLoader, java.lang.String, android.content.Intent) (CoreComponentFactory.java:45) 10-11 12:01:29.452 5995 5995 F DEBUG : at android.app.Activity android.app.Instrumentation.newActivity(java.lang.ClassLoader, java.lang.String, android.content.Intent) (Instrumentation.java:1250) 10-11 12:01:29.452 5995 5995 F DEBUG : at android.app.Activity android.app.ActivityThread.performLaunchActivity(android.app.ActivityThread$ActivityClientRecord, android.content.Intent) (ActivityThread.java:3516) 10-11 12:01:29.452 5995 5995 F DEBUG : at android.app.Activity android.app.ActivityThread.handleLaunchActivity(android.app.ActivityThread$ActivityClientRecord, android.app.servertransaction.PendingTransactionActions, android.content.Intent) (ActivityThread.java:3746) 10-11 12:01:29.452 5995 5995 F DEBUG : at void android.app.servertransaction.LaunchActivityItem.execute(android.app.ClientTransactionHandler, android.os.IBinder, android.app.servertransaction.PendingTransactionActions) (LaunchActivityItem.java:83) 10-11 12:01:29.452 5995 5995 F DEBUG : at void android.app.servertransaction.TransactionExecutor.executeCallbacks(android.app.servertransaction.ClientTransaction) (TransactionExecutor.java:135) 10-11 12:01:29.452 5995 5995 F 
DEBUG : at void android.app.servertransaction.TransactionExecutor.execute(android.app.servertransaction.ClientTransaction) (TransactionExecutor.java:95) 10-11 12:01:29.452 5995 5995 F DEBUG : at void android.app.ActivityThread$H.handleMessage(android.os.Message) (ActivityThread.java:2350) 10-11 12:01:29.452 5995 5995 F DEBUG : at void android.os.Handler.dispatchMessage(android.os.Message) (Handler.java:107) 10-11 12:01:29.452 5995 5995 F DEBUG : at void android.os.Looper.loop() (Looper.java:214) 10-11 12:01:29.452 5995 5995 F DEBUG : at void android.app.ActivityThread.main(java.lang.String[]) (ActivityThread.java:7707) 10-11 12:01:29.452 5995 5995 F DEBUG : at java.lang.Object java.lang.reflect.Method.invoke(java.lang.Object, java.lang.Object[]) (Method.java:-2) 10-11 12:01:29.452 5995 5995 F DEBUG : at void com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run() (RuntimeInit.java:492) 10-11 12:01:29.452 5995 5995 F DEBUG : at void com.android.internal.os.ZygoteInit.main(java.lang.String[]) (ZygoteInit.java:930) 10-11 12:01:29.452 5995 5995 F DEBUG : 10-11 12:01:29.452 5995 5995 F DEBUG : in call to NewGlobalRef 10-11 12:01:29.452 5995 5995 F DEBUG : from java.lang.String java.lang.Runtime.nativeLoad(java.lang.String, java.lang.ClassLoader, java.lang.Class)' 10-11 12:01:29.452 5995 5995 F DEBUG : x0 0000000000000000 x1 0000000000001740 x2 0000000000000006 x3 0000007fe2522d10 10-11 12:01:29.452 5995 5995 F DEBUG : x4 fefeff79ac565f97 x5 fefeff79ac565f97 x6 fefeff79ac565f97 x7 7f7f7f7fff7f7fff 10-11 12:01:29.452 5995 5995 F DEBUG : x8 00000000000000f0 x9 6de469c9c030fd19 x10 0000000000000001 x11 0000000000000000 10-11 12:01:29.452 5995 5995 F DEBUG : x12 fffffff0fffffbdf x13 000000000c75a510 x14 0000000000000004 x15 ffffffffffffffff 10-11 12:01:29.452 5995 5995 F DEBUG : x16 0000007aacdfe8c0 x17 0000007aacddc0f0 x18 0000007ab1b28000 x19 0000000000001740 10-11 12:01:29.452 5995 5995 F DEBUG : x20 0000000000001740 x21 00000000ffffffff x22 0000007ab13dc000 x23 
0000007a2c0aa99d 10-11 12:01:29.452 5995 5995 F DEBUG : x24 0000007a2c0cc4ac x25 0000000000000001 x26 0000007ab1039258 x27 0000007ab14870d0 10-11 12:01:29.452 5995 5995 F DEBUG : x28 0000000000000002 x29 0000007fe2522db0 10-11 12:01:29.452 5995 5995 F DEBUG : sp 0000007fe2522cf0 lr 0000007aacd90f48 pc 0000007aacd90f74 10-11 12:01:29.588 5995 5995 F DEBUG : 10-11 12:01:29.588 5995 5995 F DEBUG : backtrace: 10-11 12:01:29.588 5995 5995 F DEBUG : #00 pc 0000000000081f74 /apex/com.android.runtime/lib64/bionic/libc.so (abort+160) (BuildId: fec8325b622f2e8ee5dcf2ea5e6a74b9) 10-11 12:01:29.588 5995 5995 F DEBUG : #01 pc 00000000004b171c /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x377000) (art::Runtime::Abort(char const*)+2268) (BuildId: 9eda39b10a1252c6fe6084ceeed237d0) 10-11 12:01:29.588 5995 5995 F DEBUG : #02 pc 000000000000c5b4 /system/lib64/libbase.so (android::base::LogMessage::~LogMessage()+608) (BuildId: 423e25e493e7ff1f65b876e1f6038130) 10-11 12:01:29.588 5995 5995 F DEBUG : #03 pc 0000000000372fac /apex/com.android.runtime/lib64/libart.so (art::JavaVMExt::JniAbort(char const*, char const*)+1592) (BuildId: 9eda39b10a1252c6fe6084ceeed237d0) 10-11 12:01:29.588 5995 5995 F DEBUG : #04 pc 0000000000373160 /apex/com.android.runtime/lib64/libart.so (art::JavaVMExt::JniAbortV(char const*, char const*, std::__va_list)+108) (BuildId: 9eda39b10a1252c6fe6084ceeed237d0) 10-11 12:01:29.588 5995 5995 F DEBUG : #05 pc 00000000003656dc /apex/com.android.runtime/lib64/libart.so (art::(anonymous namespace)::ScopedCheck::AbortF(char const*, ...)+136) (BuildId: 9eda39b10a1252c6fe6084ceeed237d0) 10-11 12:01:29.588 5995 5995 F DEBUG : #06 pc 0000000000364164 /apex/com.android.runtime/lib64/libart.so (art::(anonymous namespace)::ScopedCheck::CheckPossibleHeapValue(art::ScopedObjectAccess&, char, art::(anonymous namespace)::JniValueType)+1144) (BuildId: 9eda39b10a1252c6fe6084ceeed237d0) 10-11 12:01:29.588 5995 5995 F DEBUG : #07 pc 0000000000363530 
/apex/com.android.runtime/lib64/libart.so (art::(anonymous namespace)::ScopedCheck::Check(art::ScopedObjectAccess&, bool, char const*, art::(anonymous namespace)::JniValueType*)+624) (BuildId: 9eda39b10a1252c6fe6084ceeed237d0) 10-11 12:01:29.588 5995 5995 F DEBUG : #08 pc 0000000000365b2c /apex/com.android.runtime/lib64/libart.so (art::(anonymous namespace)::CheckJNI::NewRef(char const*, _JNIEnv*, _jobject*, art::IndirectRefKind)+668) (BuildId: 9eda39b10a1252c6fe6084ceeed237d0) 10-11 12:01:29.589 5995 5995 F DEBUG : #09 pc 00000000004f9908 /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x377000) (art::Thread::SetClassLoaderOverride(_jobject*)+64) (BuildId: 9eda39b10a1252c6fe6084ceeed237d0) 10-11 12:01:29.589 5995 5995 F DEBUG : #10 pc 0000000000376ae8 /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x376000) (art::JavaVMExt::LoadNativeLibrary(_JNIEnv*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&, _jobject*, _jclass*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>*)+3276) (BuildId: 9eda39b10a1252c6fe6084ceeed237d0) 10-11 12:01:29.589 5995 5995 F DEBUG : #11 pc 00000000000050e8 /apex/com.android.runtime/lib64/libopenjdkjvm.so (JVM_NativeLoad+412) (BuildId: a685a6cf253bfd370cd635b7e0ad9d5d) 10-11 12:01:29.589 5995 5995 F DEBUG : #12 pc 00000000000baaf4 /system/framework/arm64/boot.oat (art_jni_trampoline+228) (BuildId: af11d70c9e5a5e47c4187bf7bb1d97c55e7d12a9) 10-11 12:01:29.589 5995 5995 F DEBUG : #13 pc 00000000001365b8 /apex/com.android.runtime/lib64/libart.so (art_quick_invoke_static_stub+568) (BuildId: 9eda39b10a1252c6fe6084ceeed237d0) 10-11 12:01:29.589 5995 5995 F DEBUG : #14 pc 0000000000142f44 /apex/com.android.runtime/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+412) (BuildId: 9eda39b10a1252c6fe6084ceeed237d0) 10-11 12:01:29.589 5995 5995 F DEBUG : #15 pc 00000000002df430 
/apex/com.android.runtime/lib64/libart.so (art::interpreter::ArtInterpreterToCompiledCodeBridge(art::Thread*, art::ArtMethod*, art::ShadowFrame*, unsigned short, art::JValue*)+384) (BuildId: 9eda39b10a1252c6fe6084ceeed237d0) 10-11 12:01:29.589 5995 5995 F DEBUG : #16 pc 00000000002da710 /apex/com.android.runtime/lib64/libart.so (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+912) (BuildId: 9eda39b10a1252c6fe6084ceeed237d0) 10-11 12:01:29.589 5995 5995 F DEBUG : #17 pc 000000000059a668 /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x377000) (MterpInvokeStatic+368) (BuildId: 9eda39b10a1252c6fe6084ceeed237d0) 10-11 12:01:29.589 5995 5995 F DEBUG : #18 pc 0000000000130994 /apex/com.android.runtime/lib64/libart.so (mterp_op_invoke_static+20) (BuildId: 9eda39b10a1252c6fe6084ceeed237d0) 10-11 12:01:29.589 5995 5995 F DEBUG : #19 pc 00000000000e3aaa /apex/com.android.runtime/javalib/core-oj.jar (java.lang.Runtime.nativeLoad+2) 10-11 12:01:29.589 5995 5995 F DEBUG : #20 pc 000000000059a968 /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x377000) (MterpInvokeStatic+1136) (BuildId: 9eda39b10a1252c6fe6084ceeed237d0) 10-11 12:01:29.589 5995 5995 F DEBUG : #21 pc 0000000000130994 /apex/com.android.runtime/lib64/libart.so (mterp_op_invoke_static+20) (BuildId: 9eda39b10a1252c6fe6084ceeed237d0) 10-11 12:01:29.589 5995 5995 F DEBUG : #22 pc 00000000000e4016 /apex/com.android.runtime/javalib/core-oj.jar (java.lang.Runtime.loadLibrary0+46) 10-11 12:01:29.589 5995 5995 F DEBUG : #23 pc 000000000059a15c /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x377000) (MterpInvokeDirect+1168) (BuildId: 9eda39b10a1252c6fe6084ceeed237d0) 10-11 12:01:29.589 5995 5995 F DEBUG : #24 pc 0000000000130914 /apex/com.android.runtime/lib64/libart.so (mterp_op_invoke_direct+20) (BuildId: 9eda39b10a1252c6fe6084ceeed237d0) 10-11 12:01:29.589 5995 5995 F DEBUG : #25 pc 
00000000000e3fd0 /apex/com.android.runtime/javalib/core-oj.jar (java.lang.Runtime.loadLibrary0+8) 10-11 12:01:29.589 5995 5995 F DEBUG : #26 pc 0000000000597dcc /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x377000) (MterpInvokeVirtual+1432) (BuildId: 9eda39b10a1252c6fe6084ceeed237d0) 10-11 12:01:29.589 5995 5995 F DEBUG : #27 pc 0000000000130814 /apex/com.android.runtime/lib64/libart.so (mterp_op_invoke_virtual+20) (BuildId: 9eda39b10a1252c6fe6084ceeed237d0) 10-11 12:01:29.589 5995 5995 F DEBUG : #28 pc 00000000000e9574 /apex/com.android.runtime/javalib/core-oj.jar (java.lang.System.loadLibrary+16) 10-11 12:01:29.589 5995 5995 F DEBUG : #29 pc 000000000059a968 /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x377000) (MterpInvokeStatic+1136) (BuildId: 9eda39b10a1252c6fe6084ceeed237d0) 10-11 12:01:29.589 5995 5995 F DEBUG : #30 pc 0000000000130994 /apex/com.android.runtime/lib64/libart.so (mterp_op_invoke_static+20) (BuildId: 9eda39b10a1252c6fe6084ceeed237d0) 10-11 12:01:29.589 5995 5995 F DEBUG : #31 pc 00000000002180fc /data/app/com.abcd.solinker2-u0llgBj6OvmeQsGmc8nHOg==/oat/arm64/base.vdex (com.abcd.solinker2.MainActivity.<clinit>+4) 10-11 12:01:29.589 5995 5995 F DEBUG : #32 pc 00000000002b007c /apex/com.android.runtime/lib64/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEbb.llvm.13319403877762172464+240) (BuildId: 9eda39b10a1252c6fe6084ceeed237d0)
测试环境是谷歌官方安卓 10 系统,LSPlant 为 6.4 版本。
好像是 c++_shared 冲突了。从上面的 Abort message 看,是在 nativeLoad 期间调用 NewGlobalRef 时仍有未处理的 java.lang.reflect.InvocationTargetException,即库加载过程中有 Java 异常没有被清理,CheckJNI 因此中止了进程。
我是通过注入 SO、hook JNI_OnLoad 函数获取 JavaVM,然后加载自己的 dex,并在该 dex 里执行 System.loadLibrary("lsplant"); 时发生崩溃。
崩溃日志如下:
测试环境是谷歌官方安卓 10 系统,LSPlant 为 6.4 版本。