LSPosed / LSPlant

A hook framework for Android Runtime (ART)
https://lsposed.org/LSPlant/
GNU Lesser General Public License v3.0

Fatal signal 4 (SIGILL) on armv7, Android 10 (Nexus 7 2013) #21

Closed KieronQuinn closed 2 years ago

KieronQuinn commented 2 years ago

I'm using LSPlant (via Aliuhook) in an app, and while it works perfectly on modern armv8 devices, I've just tried to get it going on armv7 for laughs and LSPlant seems to not like the platform:

Ignore the fingerprint; the device is actually running Android 10, this ROM (QQ2A.2000405.005).

06-14 20:15:04.090 10935 10935 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
06-14 20:15:04.090 10935 10935 F DEBUG   : Build fingerprint: 'google/razor/flo:6.0.1/MOB30X/3036618:user/release-keys'
06-14 20:15:04.090 10935 10935 F DEBUG   : Revision: '0'
06-14 20:15:04.090 10935 10935 F DEBUG   : ABI: 'arm'
06-14 20:15:04.102 10935 10935 F DEBUG   : Timestamp: 2022-06-14 20:15:04+0100
06-14 20:15:04.102 10935 10935 F DEBUG   : pid: 10867, tid: 10867, name: xelambientmusic  >>> com.kieronquinn.app.pixelambientmusic <<<
06-14 20:15:04.102 10935 10935 F DEBUG   : uid: 10158
06-14 20:15:04.103 10935 10935 F DEBUG   : signal 4 (SIGILL), code 1 (ILL_ILLOPC), fault addr 0xa74e0004 (*pc=0xf010f8df)
06-14 20:15:04.103 10935 10935 F DEBUG   :     r0  aab6aa80  r1  13026628  r2  a74e0001  r3  80c092c4
06-14 20:15:04.103 10935 10935 F DEBUG   :     r4  13026628  r5  aab6aa80  r6  aab6aa80  r7  be9c56b0
06-14 20:15:04.103 10935 10935 F DEBUG   :     r8  be9c5728  r9  0000015f  r10 5a587b3d  r11 aa60c260
06-14 20:15:04.103 10935 10935 F DEBUG   :     ip  80033d1c  sp  be9c55a0  lr  80076761  pc  a74e0004
06-14 20:15:08.048 10935 10935 F DEBUG   :
06-14 20:15:08.048 10935 10935 F DEBUG   : backtrace:
06-14 20:15:08.048 10935 10935 F DEBUG   :       #00 pc 00000004  <anonymous:a74e0000>
06-14 20:15:08.048 10935 10935 F DEBUG   :       #01 pc 0001175f  /data/app/com.kieronquinn.app.pixelambientmusic-_oc8J-QUsJLPPRDJx6ViFQ==/lib/arm/liblsplant.so (BuildId: 4283a16ea35097d9497b6c7d2fe132833796d5d9)
06-14 20:15:08.048 10935 10935 F DEBUG   :       #02 pc 00100e45  /apex/com.android.runtime/lib/libart.so!libart.so (offset 0xfd000) (art::ClassLinker::InitializeClass(art::Thread*, art::Handle<art::mirror::Class>, bool, bool)+2048) (BuildId: 05244180e8793b3072772e09a73d0db0)
06-14 20:15:08.052 10935 10935 F DEBUG   :       #03 pc 000f10f3  /apex/com.android.runtime/lib/libart.so!libart.so (offset 0xed000) (art::ClassLinker::EnsureInitialized(art::Thread*, art::Handle<art::mirror::Class>, bool, bool)+58) (BuildId: 05244180e8793b3072772e09a73d0db0)
06-14 20:15:08.052 10935 10935 F DEBUG   :       #04 pc 001f2d25  /apex/com.android.runtime/lib/libart.so!libart.so (offset 0x1e9000) (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame*, art::JValue*)+352) (BuildId: 05244180e8793b3072772e09a73d0db0)
06-14 20:15:08.052 10935 10935 F DEBUG   :       #05 pc 0020dfa1  /apex/com.android.runtime/lib/libart.so!libart.so (offset 0x1e9000) (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+768) (BuildId: 05244180e8793b3072772e09a73d0db0)
06-14 20:15:08.053 10935 10935 F DEBUG   :       #06 pc 0042dbe5  /apex/com.android.runtime/lib/libart.so!libart.so (offset 0x37f000) (MterpInvokeStatic+336) (BuildId: 05244180e8793b3072772e09a73d0db0)
06-14 20:15:08.053 10935 10935 F DEBUG   :       #07 pc 000d2994  /apex/com.android.runtime/lib/libart.so (mterp_op_invoke_static+20) (BuildId: 05244180e8793b3072772e09a73d0db0)
06-14 20:15:08.053 10935 10935 F DEBUG   :       #08 pc 0000f3b6  [anon:dalvik-classes11.dex extracted in memory from /data/app/com.kieronquinn.app.pixelambientmusic-_oc8J-QUsJLPPRDJx6ViFQ==/base.apk!classes11.dex] (com.kieronquinn.app.pixelambientmusic.xposed.XposedHooks.hookMethod+6)
06-14 20:15:08.055 10935 10935 F DEBUG   :       #09 pc 0042d749  /apex/com.android.runtime/lib/libart.so!libart.so (offset 0x37f000) (MterpInvokeDirect+940) (BuildId: 05244180e8793b3072772e09a73d0db0)
06-14 20:15:08.055 10935 10935 F DEBUG   :       #10 pc 000d2914  /apex/com.android.runtime/lib/libart.so (mterp_op_invoke_direct+20) (BuildId: 05244180e8793b3072772e09a73d0db0)
06-14 20:15:08.055 10935 10935 F DEBUG   :       #11 pc 0000f66e  [anon:dalvik-classes11.dex extracted in memory from /data/app/com.kieronquinn.app.pixelambientmusic-_oc8J-QUsJLPPRDJx6ViFQ==/base.apk!classes11.dex] (com.kieronquinn.app.pixelambientmusic.xposed.XposedHooks.setupHooks+650)
06-14 20:15:08.055 10935 10935 F DEBUG   :       #12 pc 0042d749  /apex/com.android.runtime/lib/libart.so!libart.so (offset 0x37f000) (MterpInvokeDirect+940) (BuildId: 05244180e8793b3072772e09a73d0db0)
06-14 20:15:08.055 10935 10935 F DEBUG   :       #13 pc 000d2914  /apex/com.android.runtime/lib/libart.so (mterp_op_invoke_direct+20) (BuildId: 05244180e8793b3072772e09a73d0db0)
06-14 20:15:08.056 10935 10935 F DEBUG   :       #14 pc 0000f69a  [anon:dalvik-classes11.dex extracted in memory from /data/app/com.kieronquinn.app.pixelambientmusic-_oc8J-QUsJLPPRDJx6ViFQ==/base.apk!classes11.dex] (com.kieronquinn.app.pixelambientmusic.xposed.XposedHooks.init+2)
06-14 20:15:08.056 10935 10935 F DEBUG   :       #15 pc 0042b8dd  /apex/com.android.runtime/lib/libart.so!libart.so (offset 0x37f000) (MterpInvokeVirtual+1200) (BuildId: 05244180e8793b3072772e09a73d0db0)
06-14 20:15:08.056 10935 10935 F DEBUG   :       #16 pc 000d2814  /apex/com.android.runtime/lib/libart.so (mterp_op_invoke_virtual+20) (BuildId: 05244180e8793b3072772e09a73d0db0)
06-14 20:15:08.056 10935 10935 F DEBUG   :       #17 pc 0000edae  [anon:dalvik-classes11.dex extracted in memory from /data/app/com.kieronquinn.app.pixelambientmusic-_oc8J-QUsJLPPRDJx6ViFQ==/base.apk!classes11.dex] (com.kieronquinn.app.pixelambientmusic.xposed.XposedHooks$Companion.setupHooks+546)
06-14 20:15:08.056 10935 10935 F DEBUG   :       #18 pc 0042b8dd  /apex/com.android.runtime/lib/libart.so!libart.so (offset 0x37f000) (MterpInvokeVirtual+1200) (BuildId: 05244180e8793b3072772e09a73d0db0)
06-14 20:15:08.056 10935 10935 F DEBUG   :       #19 pc 000d2814  /apex/com.android.runtime/lib/libart.so (mterp_op_invoke_virtual+20) (BuildId: 05244180e8793b3072772e09a73d0db0)
06-14 20:15:08.056 10935 10935 F DEBUG   :       #20 pc 00004ade  [anon:dalvik-classes10.dex extracted in memory from /data/app/com.kieronquinn.app.pixelambientmusic-_oc8J-QUsJLPPRDJx6ViFQ==/base.apk!classes10.dex] (com.kieronquinn.app.pixelambientmusic.Injector.attachBaseContext+74)
06-14 20:15:08.056 10935 10935 F DEBUG   :       #21 pc 0042b8dd  /apex/com.android.runtime/lib/libart.so!libart.so (offset 0x37f000) (MterpInvokeVirtual+1200) (BuildId: 05244180e8793b3072772e09a73d0db0)
06-14 20:15:08.056 10935 10935 F DEBUG   :       #22 pc 000d2814  /apex/com.android.runtime/lib/libart.so (mterp_op_invoke_virtual+20) (BuildId: 05244180e8793b3072772e09a73d0db0)
06-14 20:15:08.057 10935 10935 F DEBUG   :       #23 pc 00199a20  /system/framework/framework.jar (android.app.Application.attach)
06-14 20:15:08.057 10935 10935 F DEBUG   :       #24 pc 0042b8dd  /apex/com.android.runtime/lib/libart.so!libart.so (offset 0x37f000) (MterpInvokeVirtual+1200) (BuildId: 05244180e8793b3072772e09a73d0db0)
06-14 20:15:08.057 10935 10935 F DEBUG   :       #25 pc 000d2814  /apex/com.android.runtime/lib/libart.so (mterp_op_invoke_virtual+20) (BuildId: 05244180e8793b3072772e09a73d0db0)
06-14 20:15:08.057 10935 10935 F DEBUG   :       #26 pc 001e5f08  /system/framework/framework.jar (android.app.Instrumentation.newApplication+24)
06-14 20:15:08.057 10935 10935 F DEBUG   :       #27 pc 0042b8dd  /apex/com.android.runtime/lib/libart.so!libart.so (offset 0x37f000) (MterpInvokeVirtual+1200) (BuildId: 05244180e8793b3072772e09a73d0db0)
06-14 20:15:08.057 10935 10935 F DEBUG   :       #28 pc 000d2814  /apex/com.android.runtime/lib/libart.so (mterp_op_invoke_virtual+20) (BuildId: 05244180e8793b3072772e09a73d0db0)
06-14 20:15:08.057 10935 10935 F DEBUG   :       #29 pc 001ea874  /system/framework/framework.jar (android.app.LoadedApk.makeApplication+120)
06-14 20:15:08.057 10935 10935 F DEBUG   :       #30 pc 0042b8dd  /apex/com.android.runtime/lib/libart.so!libart.so (offset 0x37f000) (MterpInvokeVirtual+1200) (BuildId: 05244180e8793b3072772e09a73d0db0)
06-14 20:15:08.058 10935 10935 F DEBUG   :       #31 pc 000d2814  /apex/com.android.runtime/lib/libart.so (mterp_op_invoke_virtual+20) (BuildId: 05244180e8793b3072772e09a73d0db0)
06-14 20:15:08.058 10935 10935 F DEBUG   :       #32 pc 0017f018  /system/framework/framework.jar (android.app.ActivityThread.handleBindApplication+2032)
06-14 20:15:08.058 10935 10935 F DEBUG   :       #33 pc 001ee197  /apex/com.android.runtime/lib/libart.so!libart.so (offset 0x1e9000) (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEbb.llvm.8948476230334279806+170) (BuildId: 05244180e8793b3072772e09a73d0db0)
06-14 20:15:08.058 10935 10935 F DEBUG   :       #34 pc 001f2b79  /apex/com.android.runtime/lib/libart.so!libart.so (offset 0x1e9000) (art::interpreter::EnterInterpreterFromEntryPoint(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame*)+120) (BuildId: 05244180e8793b3072772e09a73d0db0)
06-14 20:15:08.058 10935 10935 F DEBUG   :       #35 pc 0041fced  /apex/com.android.runtime/lib/libart.so!libart.so (offset 0x37f000) (artQuickToInterpreterBridge+820) (BuildId: 05244180e8793b3072772e09a73d0db0)
06-14 20:15:08.058 10935 10935 F DEBUG   :       #36 pc 000dc5a1  /apex/com.android.runtime/lib/libart.so (art_quick_to_interpreter_bridge+32) (BuildId: 05244180e8793b3072772e09a73d0db0)
06-14 20:15:08.058 10935 10935 F DEBUG   :       #37 pc 000d7bc5  /apex/com.android.runtime/lib/libart.so (art_quick_invoke_stub_internal+68) (BuildId: 05244180e8793b3072772e09a73d0db0)
06-14 20:15:08.058 10935 10935 F DEBUG   :       #38 pc 004363ab  /apex/com.android.runtime/lib/libart.so!libart.so (offset 0x37f000) (art_quick_invoke_stub+250) (BuildId: 05244180e8793b3072772e09a73d0db0)
06-14 20:15:08.058 10935 10935 F DEBUG   :       #39 pc 000dff93  /apex/com.android.runtime/lib/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+166) (BuildId: 05244180e8793b3072772e09a73d0db0)
06-14 20:15:08.058 10935 10935 F DEBUG   :       #40 pc 00376a67  /apex/com.android.runtime/lib/libart.so!libart.so (offset 0x338000) (art::(anonymous namespace)::InvokeWithArgArray(art::ScopedObjectAccessAlreadyRunnable const&, art::ArtMethod*, art::(anonymous namespace)::ArgArray*, art::JValue*, char const*)+54) (BuildId: 05244180e8793b3072772e09a73d0db0)
06-14 20:15:08.058 10935 10935 F DEBUG   :       #41 pc 00377d31  /apex/com.android.runtime/lib/libart.so!libart.so (offset 0x338000) (art::InvokeMethod(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, _jobject*, _jobject*, unsigned int)+788) (BuildId: 05244180e8793b3072772e09a73d0db0)
06-14 20:15:08.059 10935 10935 F DEBUG   :       #42 pc 003237f3  /apex/com.android.runtime/lib/libart.so!libart.so (offset 0x2e9000) (art::Method_invoke(_JNIEnv*, _jobject*, _jobject*, _jobjectArray*)+30) (BuildId: 05244180e8793b3072772e09a73d0db0)
06-14 20:15:08.059 10935 10935 F DEBUG   :       #43 pc 000b97ef  /system/framework/arm/boot.oat (BuildId: 6b3463fcb05baab29017e055a20411ff5c16d16c)

Other logs before the crash:

                 Zygote  I  seccomp disabled by setenforce 0
         xelambientmusi  I  Late-enabling -Xcheck:jni
                         E  Unknown bits set in runtime_flags: 0x8000
                   Riru  V  hook removed
                         V  edxp: forkAndSpecializePost
         xelambientmusi  W  Unsupported class loader
               SandHook  D  method <public java.lang.ClassLoader android.app.LoadedApk.getClassLoader()> hook <replacement> success!

Using the latest Aliuhook build, which itself uses LSPlant v4.0.

As far as I can tell the crash is in LSPlant, but if it's within the scope of Aliuhook, I'll move it there.

This is a pretty old device so if it doesn't work that's not the end of the world, but I thought I'd report it anyway.

Cheers!

yujincheng08 commented 2 years ago

ILL_ILLOPC is caused by the native hooker, e.g. Dobby.

This is usually because you hook a function twice with different Dobby instances. And I can see you have EdXposed hooking the same process, which causes the conflict.
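Added here as a triage aid, not LSPlant or Aliuhook code: a small Python parser that reads the tombstone and logcat lines quoted in this thread and flags the pattern the maintainer points to (SIGILL/ILL_ILLOPC with the faulting pc inside an anonymous mapping directly below a hook library frame, while more than one hooking framework is active in the process). The list of framework marker strings is an assumption, not an official list.

```python
import re

# Constructed input: the tombstone and logcat lines quoted in this issue that the triage needs.
TOMBSTONE = """\
06-14 20:15:04.103 10935 10935 F DEBUG   : signal 4 (SIGILL), code 1 (ILL_ILLOPC), fault addr 0xa74e0004 (*pc=0xf010f8df)
06-14 20:15:08.048 10935 10935 F DEBUG   : backtrace:
06-14 20:15:08.048 10935 10935 F DEBUG   :       #00 pc 00000004  <anonymous:a74e0000>
06-14 20:15:08.048 10935 10935 F DEBUG   :       #01 pc 0001175f  /data/app/com.kieronquinn.app.pixelambientmusic-_oc8J-QUsJLPPRDJx6ViFQ==/lib/arm/liblsplant.so (BuildId: 4283a16ea35097d9497b6c7d2fe132833796d5d9)
06-14 20:15:08.048 10935 10935 F DEBUG   :       #02 pc 00100e45  /apex/com.android.runtime/lib/libart.so!libart.so (offset 0xfd000) (art::ClassLinker::InitializeClass(art::Thread*, art::Handle<art::mirror::Class>, bool, bool)+2048)
"""
LOGCAT = """\
                         V  edxp: forkAndSpecializePost
               SandHook  D  method <public java.lang.ClassLoader android.app.LoadedApk.getClassLoader()> hook <replacement> success!
"""

SIGNAL_RE = re.compile(r"signal \d+ \((\w+)\), code \d+ \((\w+)\), fault addr 0x([0-9a-f]+)")
FRAME_RE = re.compile(r"#(\d+) pc ([0-9a-f]+)\s+(\S+)")
# Assumed marker substrings for in-process hooking frameworks (not an official list).
HOOK_MARKERS = ("lsplant", "dobby", "sandhook", "edxp")

def parse_frames(tombstone):
    """Return (index, pc offset within mapping, location) for each backtrace frame, in order."""
    return [(int(i), int(pc, 16), loc) for i, pc, loc in FRAME_RE.findall(tombstone)]

def frameworks_present(*texts):
    """Hook frameworks whose marker appears in any of the given text blobs."""
    blob = "\n".join(texts).lower()
    return sorted(m for m in HOOK_MARKERS if m in blob)

def triage(tombstone, logcat=""):
    """Classify the crash; an illegal opcode in an anonymous (trampoline) page with
    several hook frameworks loaded matches the double-hook conflict described above."""
    m = SIGNAL_RE.search(tombstone)
    if not m:
        raise ValueError("no signal line in tombstone")
    signal, code, fault = m.group(1), m.group(2), int(m.group(3), 16)
    frames = parse_frames(tombstone)
    top = frames[0][2] if frames else ""
    in_anon = False
    if top.startswith("<anonymous:"):
        # Frame #00's pc is relative to the mapping base; it must land on the fault address.
        base = int(top[len("<anonymous:"):-1], 16)
        in_anon = base + frames[0][1] == fault
    named = next((loc for _, _, loc in frames if not loc.startswith("<")), "")
    nearest = named.rsplit("/", 1)[-1].split("!")[0]  # first frame in a real library
    fws = frameworks_present(tombstone, logcat)
    if signal == "SIGILL" and code == "ILL_ILLOPC" and in_anon and len(fws) > 1:
        verdict = "hook_conflict_suspected"
    elif signal == "SIGILL" and in_anon:
        verdict = "illegal_opcode_in_anonymous_page"
    else:
        verdict = "unclassified"
    return {"signal": signal, "code": code, "fault_addr": fault, "pc_in_anonymous_page": in_anon,
            "nearest_library": nearest, "hook_frameworks": fws, "verdict": verdict}
```

Feed it the full tombstone and the surrounding logcat; without the logcat the same crash only reports a single framework and is classified as a bare illegal opcode in an anonymous page.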