LSPosed / LSPlant

A hook framework for Android Runtime (ART)
https://lsposed.org/LSPlant/
GNU Lesser General Public License v3.0

Crash on all 32bit Unisoc & JLQ Android Go devices #42

Closed OfficialKatana closed 1 year ago

OfficialKatana commented 1 year ago

Both the test cases and the app with the lsplant initializer crashed on start-up, e.g. on POCO C40 / Nokia C2. Logs may look like these:

2023-06-16 20:32:56.884 10343-10365/? A/libc: Fatal signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xb22018a8 in tid 10365 (pool-2-thread-1), pid 10343 (com.whatsapp)
2023-06-16 20:32:56.946 10368-10368/? I/crash_dump32: obtaining output fd from tombstoned, type: kDebuggerdTombstone
2023-06-16 20:32:56.946 358-358/? I//system/bin/tombstoned: received crash request for pid 10365
2023-06-16 20:32:56.950 10368-10368/? I/crash_dump32: performing dump of process 10343 (target tid = 10365)
2023-06-16 20:32:56.974 10368-10368/? A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
2023-06-16 20:32:56.974 10368-10368/? A/DEBUG: Native Crash TIME: 75389841
2023-06-16 20:32:56.974 10368-10368/? A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
2023-06-16 20:32:56.974 10368-10368/? A/DEBUG: Build fingerprint: 'PSZ/alsgs8990_io09/alsgs8990_io09_go:9/PPR1.180610.011/372:user/release-keys'
2023-06-16 20:32:56.974 10368-10368/? A/DEBUG: Revision: '0'
2023-06-16 20:32:56.974 10368-10368/? A/DEBUG: ABI: 'arm'
2023-06-16 20:32:56.974 10368-10368/? A/DEBUG: pid: 10343, tid: 10365, name: pool-2-thread-1  >>> com.whatsapp <<<
2023-06-16 20:32:56.974 10368-10368/? A/DEBUG: signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xb22018a8
2023-06-16 20:32:56.974 10368-10368/? A/DEBUG:     r0  b22018a8  r1  4731a6b1  r2  9c20e2b2  r3  0000001a
2023-06-16 20:32:56.974 10368-10368/? A/DEBUG:     r4  9c225954  r5  9bd806f0  r6  0000001c  r7  9c20ea87
2023-06-16 20:32:56.974 10368-10368/? A/DEBUG:     r8  aa25d700  r9  9c225ac8  r10 aa25d700  r11 9c225b40
2023-06-16 20:32:56.974 10368-10368/? A/DEBUG:     ip  b22018a8  sp  9bd7f498  lr  b2aedaa7  pc  9c21230c
2023-06-16 20:32:56.975 10368-10368/? A/DEBUG: backtrace:
2023-06-16 20:32:56.975 10368-10368/? A/DEBUG:     #00 pc 0000630c  /data/app/com.whatsapp-DIUPK6U6RRcSp-EVXuCxBA==/lib/arm/liblsplant.so (lsplant::v2::Init(_JNIEnv*, lsplant::v2::InitInfo const&)+3952)

yujincheng08 commented 1 year ago

It looks like Init is not being called on the main thread, which is not the correct usage; it should be called on the main thread. Also, I don't see the native call stack of JniOnLoad, so the crash may be caused by the Non-SDK API restriction not having been bypassed.

OfficialKatana commented 1 year ago

It looks like Init is not being called on the main thread, which is not the correct usage; it should be called on the main thread. Also, I don't see the native call stack of JniOnLoad, so the crash may be caused by the Non-SDK API restriction not having been bypassed.

The probable cause was found: devices carrying UniSoc may be missing this function: _ZN3artL18DexFile_setTrustedEP7_JNIEnvP7_jclassP8_jobject, which may cause initialization to fail; searching for this function leads to a crash, maybe due to the malformed functions on Android Go devices. Changing the code below may fix it:

        if (sdk_int >= __ANDROID_API_P__) [[likely]] {
            if (!RETRIEVE_FUNC_SYMBOL(DexFile_setTrusted,
                                      "_ZN3artL18DexFile_setTrustedEP7_JNIEnvP7_jclassP8_jobject",
                                      true)) {
                return false;
            }
        }

to

        if (sdk_int >= __ANDROID_API_P__) [[likely]] {
            if (!RETRIEVE_FUNC_SYMBOL(DexFile_setTrusted,
                                      "_ZN3artL18DexFile_setTrustedEP7_JNIEnvP7_jclassP8_jobject",
                                      true)) {
                LOGE("Dex files trusting method not found?");
            }
        }

The actual reason may be caused by the compiler's InstrProfSymtab pass, which may modify specific (libart) functions and cause bugs.

yujincheng08 commented 1 year ago

Your fix is correct, since this function is not mandatory.
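To illustrate the before/after behaviour of the block posted above, and the null check that callers need once the symbol becomes optional, here is an added example that is not LSPlant's own code: it replaces the real ELF symbol scan behind RETRIEVE_FUNC_SYMBOL with a constructed in-memory export table, and the names RetrieveFuncSymbol, InitTrustedDexSupport, MakeDexFileTrusted and the assumed setTrusted signature are illustrative assumptions.

```cpp
#include <cstdio>
#include <string>
#include <unordered_map>

// Constructed stand-in for the lookup behind RETRIEVE_FUNC_SYMBOL: a fake
// libart export table instead of a real ELF symbol scan (assumption).
using SymbolTable = std::unordered_map<std::string, void*>;
// Assumed signature of the ART JNI entry point named in the issue.
using DexFile_setTrusted_t = void (*)(void* env, void* clazz, void* cookie);
constexpr const char* kSetTrustedSym =
    "_ZN3artL18DexFile_setTrustedEP7_JNIEnvP7_jclassP8_jobject";

struct ArtSymbols { DexFile_setTrusted_t DexFile_setTrusted = nullptr; };

// Constructed stand-in for the real ART function; counts calls for checking.
static int g_set_trusted_calls = 0;
static void FakeSetTrusted(void*, void*, void*) { ++g_set_trusted_calls; }

// Constructed libart tables: a normal build, and a UniSoc-like build where
// the symbol is simply absent.
SymbolTable MakeLibart(bool with_set_trusted) {
    SymbolTable t;
    if (with_set_trusted) t[kSetTrustedSym] = reinterpret_cast<void*>(&FakeSetTrusted);
    return t;
}

// Resolve one symbol. A missing required symbol fails the caller (the original
// code); a missing optional one is only logged (the patched code).
template <typename Fn>
bool RetrieveFuncSymbol(const SymbolTable& lib, const char* name, bool required, Fn& out) {
    auto it = lib.find(name);
    out = (it == lib.end()) ? nullptr : reinterpret_cast<Fn>(it->second);
    if (out != nullptr) return true;
    std::fprintf(stderr, "%s: symbol not found: %s\n", required ? "error" : "warning", name);
    return !required;
}

// Mirrors the block from the issue, Android P+ only. `required` selects the
// before (true) or after (false) behaviour of the fix.
bool InitTrustedDexSupport(const SymbolTable& libart, int sdk_int, bool required,
                           ArtSymbols& syms) {
    constexpr int kAndroidP = 28;  // __ANDROID_API_P__
    if (sdk_int >= kAndroidP &&
        !RetrieveFuncSymbol(libart, kSetTrustedSym, required, syms.DexFile_setTrusted))
        return false;  // only reachable when the symbol is treated as mandatory
    return true;
}

// Caveat of the fix: every later use must null-check the now-optional pointer.
bool MakeDexFileTrusted(const ArtSymbols& syms, void* env, void* cookie) {
    if (syms.DexFile_setTrusted == nullptr) return false;  // skip, do not crash
    syms.DexFile_setTrusted(env, nullptr, cookie);
    return true;
}
```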

yujincheng08 commented 1 year ago

Can you provide libart.so?