abforce / xposed_art_n

ART module for a built-in enabled Xposed firmware based on AOSP 7

Device won't boot up when XPrivacy is enabled #1

Closed abforce closed 7 years ago

abforce commented 7 years ago

Tested with four or five modules; all work flawlessly, but XPrivacy doesn't. Thanks to logcat, I get the following log:

07-04 21:12:48.950   355   355 W         : debuggerd: handling request: pid=929 uid=1000 gid=1000 tid=929
07-04 21:12:48.991  2951  2951 E         : debuggerd: Unable to connect to activity manager (connect failed: Connection refused)
07-04 21:12:49.042  2951  2951 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
07-04 21:12:49.042  2951  2951 F DEBUG   : Build fingerprint: 'Android/aosp_bullhead/bullhead:7.1.1/NMF26V/root07170845:userdebug/test-keys'
07-04 21:12:49.042  2951  2951 F DEBUG   : Revision: 'rev_1.0'
07-04 21:12:49.042  2951  2951 F DEBUG   : ABI: 'arm64'
07-04 21:12:49.043  2951  2951 F DEBUG   : pid: 929, tid: 929, name: system_server  >>> system_server <<<
07-04 21:12:49.043  2951  2951 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
07-04 21:12:49.043  2951  2951 F DEBUG   :     x0   0000007fc6865ad8  x1   000000716e295a00  x2   0000000000000001  x3   0000007fc6865ad8
07-04 21:12:49.043  2951  2951 F DEBUG   :     x4   fffffffffffffff0  x5   0000000000000040  x6   000000000000003f  x7   0000000000000000
07-04 21:12:49.043  2951  2951 F DEBUG   :     x8   0000000000000000  x9   0000000000000000  x10  0000000010000000  x11  0000000000000000
07-04 21:12:49.044  2951  2951 F DEBUG   :     x12  0000007fc6865df0  x13  000000000000000b  x14  000000716e287d20  x15  0000000000000002
07-04 21:12:49.044  2951  2951 F DEBUG   :     x16  000000716e1f97d8  x17  000000716f973e00  x18  000000716cb17188  x19  0000007fc6865dc8
07-04 21:12:49.044  2951  2951 F DEBUG   :     x20  000000716cc734a0  x21  0000000012c31000  x22  eb87efcfb876d605  x23  0000007fc6868f90
07-04 21:12:49.044  2951  2951 F DEBUG   :     x24  0000007fc6866fc0  x25  000000716e1ec970  x26  0000007fc6865dc8  x27  0000000000000000
07-04 21:12:49.044  2951  2951 F DEBUG   :     x28  eb87efcfb876d605  x29  0000007fc6865b50  x30  000000716e037e8c
07-04 21:12:49.044  2951  2951 F DEBUG   :     sp   0000007fc6865a90  pc   000000716e037ef8  pstate 0000000020000000
07-04 21:12:49.316  2951  2951 F DEBUG   : 
07-04 21:12:49.316  2951  2951 F DEBUG   : backtrace:
07-04 21:12:49.316  2951  2951 F DEBUG   :     #00 pc 0000000000461ef8  /system/lib64/libart.so (_ZN3art19ReferenceMapVisitorINS_19RootCallbackVisitorEE15VisitQuickFrameEv+256)
07-04 21:12:49.316  2951  2951 F DEBUG   :     #01 pc 0000000000461de8  /system/lib64/libart.so (_ZN3art19ReferenceMapVisitorINS_19RootCallbackVisitorEE10VisitFrameEv+24)
07-04 21:12:49.316  2951  2951 F DEBUG   :     #02 pc 0000000000448d44  /system/lib64/libart.so (_ZN3art12StackVisitor9WalkStackEb+668)
07-04 21:12:49.316  2951  2951 F DEBUG   :     #03 pc 000000000045db50  /system/lib64/libart.so (_ZN3art6Thread10VisitRootsEPNS_11RootVisitorE+1028)
07-04 21:12:49.316  2951  2951 F DEBUG   :     #04 pc 00000000001f38d8  /system/lib64/libart.so (_ZN3art2gc9collector9MarkSweep25CheckpointMarkThreadRoots3RunEPNS_6ThreadE+180)
07-04 21:12:49.316  2951  2951 F DEBUG   :     #05 pc 0000000000454ef0  /system/lib64/libart.so (_ZN3art6Thread21RunCheckpointFunctionEv+192)
07-04 21:12:49.317  2951  2951 F DEBUG   :     #06 pc 000000000054f4c4  /system/lib64/libart.so (artTestSuspendFromCode+24)
07-04 21:12:49.317  2951  2951 F DEBUG   :     #07 pc 00000000000dbad4  /system/lib64/libart.so (art_quick_test_suspend+68)
07-04 21:12:49.317  2951  2951 F DEBUG   :     #08 pc 0000000000672e00  /system/framework/arm64/boot-core-libart.oat (offset 0x4a0000) (com.android.dex.Dex.checkBounds+364)
07-04 21:12:49.317  2951  2951 F DEBUG   :     #09 pc 000000000067431c  /system/framework/arm64/boot-core-libart.oat (offset 0x4a0000) (com.android.dex.Dex.nameIndexFromMethodIndex+72)
07-04 21:12:49.317  2951  2951 F DEBUG   :     #10 pc 000000000061915c  /system/framework/arm64/boot.oat (offset 0x54d000) (java.lang.reflect.Method.getName+88)
07-04 21:12:49.317  2951  2951 F DEBUG   :     #11 pc 00000000009e9670  /system/app/zzz/oat/arm64/zzz.odex (offset 0x55f000)
07-04 21:12:50.516   355   355 W         : debuggerd: resuming target 929
07-04 21:12:50.527   390   390 I ServiceManager: service 'user.zzz_service_32' died
07-04 21:12:50.528   507   507 E         : eof
07-04 21:12:50.528   507   507 E         : failed to read size
07-04 21:12:50.528   507   507 I         : closing connection
07-04 21:12:50.530   502   502 I Zygote  : Process 929 exited due to signal (11)
07-04 21:12:50.530   502   502 E Zygote  : Exit zygote because system server (929) has terminated
07-04 21:12:50.555   390   390 I ServiceManager: service 'user.xposed.system' died
07-04 21:12:50.555   390   390 I ServiceManager: service 'media.player' died
07-04 21:12:50.555   390   390 I ServiceManager: service 'media.resource_manager' died
07-04 21:12:50.559   390   390 I ServiceManager: service 'netd' died
07-04 21:12:50.564   390   390 I ServiceManager: service 'user.xposed.app' died
07-04 21:12:50.564   390   390 I ServiceManager: service 'media.camera' died
07-04 21:12:50.564   390   390 I ServiceManager: service 'media.sound_trigger_hw' died
07-04 21:12:50.564   390   390 I ServiceManager: service 'media.radio' died
07-04 21:12:50.564   390   390 I ServiceManager: service 'media.audio_flinger' died
07-04 21:12:50.564   390   390 I ServiceManager: service 'media.audio_policy' died

I suspect that's because of my blind port of the VisitRoots method.
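As an added example (not code from this issue or from the xposed_art_n project), here is a small Python parser for the debuggerd crash dump quoted above. It strips the logcat prefix, pulls out the crashing process, signal and fault address, and the backtrace frames, and answers the two questions a reader of this log asks first: is the fault at address 0x0 a null dereference, and is the dying process system_server (whose death takes zygote down with it, which is what produces a boot loop). The sample log is an abridged copy of the dump above (frames #03 to #07, #09 and #10 omitted); every class and function name is this example's own.

```python
"""Parse an Android debuggerd crash dump out of a logcat capture."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: an abridged copy of the crash dump quoted in the issue.
SAMPLE_LOG = """\
07-04 21:12:48.950   355   355 W         : debuggerd: handling request: pid=929 uid=1000 gid=1000 tid=929
07-04 21:12:49.042  2951  2951 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
07-04 21:12:49.042  2951  2951 F DEBUG   : ABI: 'arm64'
07-04 21:12:49.043  2951  2951 F DEBUG   : pid: 929, tid: 929, name: system_server  >>> system_server <<<
07-04 21:12:49.043  2951  2951 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
07-04 21:12:49.316  2951  2951 F DEBUG   : backtrace:
07-04 21:12:49.316  2951  2951 F DEBUG   :     #00 pc 0000000000461ef8  /system/lib64/libart.so (_ZN3art19ReferenceMapVisitorINS_19RootCallbackVisitorEE15VisitQuickFrameEv+256)
07-04 21:12:49.316  2951  2951 F DEBUG   :     #01 pc 0000000000461de8  /system/lib64/libart.so (_ZN3art19ReferenceMapVisitorINS_19RootCallbackVisitorEE10VisitFrameEv+24)
07-04 21:12:49.316  2951  2951 F DEBUG   :     #02 pc 0000000000448d44  /system/lib64/libart.so (_ZN3art12StackVisitor9WalkStackEb+668)
07-04 21:12:49.317  2951  2951 F DEBUG   :     #08 pc 0000000000672e00  /system/framework/arm64/boot-core-libart.oat (offset 0x4a0000) (com.android.dex.Dex.checkBounds+364)
07-04 21:12:49.317  2951  2951 F DEBUG   :     #11 pc 00000000009e9670  /system/app/zzz/oat/arm64/zzz.odex (offset 0x55f000)
07-04 21:12:50.530   502   502 I Zygote  : Process 929 exited due to signal (11)
07-04 21:12:50.530   502   502 E Zygote  : Exit zygote because system server (929) has terminated
"""

# logcat "threadtime" prefix: date time pid tid priority tag : message (tag may be empty)
LOGCAT_RE = re.compile(
    r"^\d\d-\d\d \d\d:\d\d:\d\d\.\d+\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<prio>[VDIWEF])\s+(?P<tag>\S*)\s*:\s?(?P<msg>.*)$")
HEADER_RE = re.compile(r"^pid: (?P<pid>\d+), tid: (?P<tid>\d+), name: (?P<name>\S+)")
SIGNAL_RE = re.compile(
    r"^signal (?P<sig>\d+) \((?P<signame>\w+)\), code (?P<code>-?\d+) "
    r"\((?P<codename>\w+)\), fault addr (?P<addr>\S+)")
FRAME_RE = re.compile(
    r"^\s*#(?P<n>\d+)\s+pc\s+(?P<pc>[0-9a-fA-F]+)\s+(?P<lib>\S+)"
    r"(?:\s+\(offset (?P<off>0x[0-9a-fA-F]+)\))?(?:\s+\((?P<sym>[^)]+)\))?\s*$")


@dataclass
class Frame:
    number: int
    pc: int
    library: str
    load_offset: Optional[int]      # "(offset 0x...)" for .oat/.odex images
    symbol: Optional[str]           # mangled or Java name, None if unsymbolized
    symbol_offset: Optional[int]    # the "+N" after the symbol


@dataclass
class CrashReport:
    pid: Optional[int] = None
    tid: Optional[int] = None
    process: Optional[str] = None
    signal_name: Optional[str] = None
    code_name: Optional[str] = None
    fault_addr: Optional[int] = None   # None when debuggerd prints "--------"
    frames: List[Frame] = field(default_factory=list)
    zygote_exit: bool = False

    def is_null_dereference(self, page_size: int = 4096) -> bool:
        """SIGSEGV inside the first page means a NULL (or NULL+small offset) access."""
        return (self.signal_name == "SIGSEGV" and self.fault_addr is not None
                and self.fault_addr < page_size)

    def first_frame_outside(self, library: str) -> Optional[Frame]:
        """Innermost frame not in `library`: who called into the crashing code."""
        return next((f for f in self.frames if f.library != library), None)

    def looks_like_bootloop(self) -> bool:
        """system_server dying kills zygote; init restarts it and the cycle repeats."""
        return self.process == "system_server" and self.zygote_exit


def _parse_frame(msg: str) -> Optional[Frame]:
    m = FRAME_RE.match(msg)
    if not m:
        return None
    sym, sym_off = m.group("sym"), None
    if sym:
        split = re.fullmatch(r"(.+)\+(\d+)", sym)
        if split:
            sym, sym_off = split.group(1), int(split.group(2))
    off = int(m.group("off"), 16) if m.group("off") else None
    return Frame(int(m.group("n")), int(m.group("pc"), 16), m.group("lib"), off, sym, sym_off)


def parse_crash_dump(log: str) -> CrashReport:
    report = CrashReport()
    for raw in log.splitlines():
        m = LOGCAT_RE.match(raw)
        if not m:
            continue                                   # not a logcat line, skip it
        tag, msg = m.group("tag"), m.group("msg")
        if tag == "DEBUG":
            if (h := HEADER_RE.match(msg)):
                report.pid, report.tid = int(h.group("pid")), int(h.group("tid"))
                report.process = h.group("name")
            elif (s := SIGNAL_RE.match(msg)):
                report.signal_name, report.code_name = s.group("signame"), s.group("codename")
                addr = s.group("addr")
                report.fault_addr = int(addr, 16) if addr.startswith("0x") else None
            elif (f := _parse_frame(msg)):
                report.frames.append(f)
        elif tag == "Zygote" and msg.startswith("Exit zygote"):
            report.zygote_exit = True
    return report


if __name__ == "__main__":
    r = parse_crash_dump(SAMPLE_LOG)
    print(f"{r.process} (pid {r.pid}) {r.signal_name}/{r.code_name} at {r.fault_addr:#x}")
    print("null dereference:", r.is_null_dereference(), " bootloop:", r.looks_like_bootloop())
    caller = r.first_frame_outside("/system/lib64/libart.so")
    print("first frame outside libart:", caller.number, caller.library, caller.symbol)
```

Run it on a full `adb logcat` capture instead of the embedded sample and the same three answers (null dereference, which frame first left libart, whether system_server died) come out for any tombstone-style dump; only the frames debuggerd could not symbolize, like the zzz.odex frame here, come back with `symbol` set to None.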

laststandingdroid commented 7 years ago

If you could share how you got Xposed on the device, I could try to help. However, I won't be able to compile it myself.

According to the log, system/app/zzz/oat/arm64/zzz.odex

is dying. But is that the reason for the bootloop? Or is there a bin called user.zzz_service_32?

Because it is being killed, what happens if you disable it?

vipzrx commented 7 years ago

@abforce @laststandingdroid How can I install your Xposed on my phone? Or should I compile the ROM for my phone?

abforce commented 7 years ago

@vipzrx @laststandingdroid You can't install this Xposed on your devices. This is just a modified ART module which enables the ROM to have Xposed installed out-of-the-box without requiring users to root their phones.

vipzrx commented 7 years ago

@abforce I just have a OnePlus One; it is not supported by Google AOSP. Maybe I can build my ROM for the OnePlus using LineageOS.

abforce commented 7 years ago

@vipzrx No need to run on your phone. You can use emulators.

Yangff commented 7 years ago

It's not your VisitRoots function, it's art::Thread::VisitRoots(art::RootVisitor*). And based on the call stack, it crashes somewhere in the function art::ReferenceMapVisitor<art::RootCallbackVisitor>::VisitQuickFrame(). I don't think your function is involved...

I guess it visited some corrupt stack data... anyway it's doing something on a... object(?) that doesn't have such an operation (?)

And this line seems weird...

It has a hint saying // Process register map (which native and runtime methods don't have) and based on your comment here https://github.com/abforce/xposed_art_n/commit/1d14337b858cabd184335804b178f16849186f89#diff-cf0dabb8669f8065d895db3a6d69b6daR472 I'm thinking: should it also have a !m->IsXposedHookedMethod(), i.e. if (!m->IsNative() && !m->IsRuntimeMethod() && !m->IsXposedHookedMethod() && (!m->IsProxyMethod() || m->IsConstructor())) {? Because some function may be native... and XPrivacy hooked it? So when it tries to visit it, it crashes.

I'm just guessing at all these things, so I'm not sure whether it's right or wrong; you can test them.... I think...

laststandingdroid commented 7 years ago

Yes, but how to enable it? Must it be built from source?

ahronshor commented 7 years ago

I already made a pull request for part of these modifications: #16

amakuramio commented 7 years ago

I have the same problem, but with the purifyOS version / sdk24. https://ufile.io/unfyz <logcat

Yangff commented 7 years ago

@amakuramio From your log, it looks like there are two threads (sysTid=5127 and sysTid=4303) trying to lock the mutator lock... Since they're called from JNI, their states are both Runnable, so nobody can enter this lock... (which has a checkpoint when returning from JNI). And then they time out. I'm not sure why there would be two threads.. Am I misunderstanding something? But I suggest adding a lock to ensure only one thread calls from XposedBridge into native code.. Or use a native thread to suspend all.. (I'm not familiar with Android; it looks like a thread with native status is safe) @abforce @ahronshor

amakuramio commented 7 years ago

@Yangff I did the following to fix it:

  1. Uninstall Twitter
  2. Flash Xposed SDK 24 26.07 (purifyOS)
  3. Reboot
  4. Install DVDandroid Xposed 27.07
  5. Reboot
  6. Install Xprivacy, enable it
  7. Reboot
  8. It works, but some apps force close
  9. Wipe dalvik/art cache

Fixed, no problems.

abforce commented 7 years ago

The problem is solved. Using the new XposedBridge, everything seems to be working fine.

avently commented 7 years ago

After installing the compiled version with all new commits I was able to boot the system. Then I rebooted and couldn't boot anymore. I tried to restore the /system backup. Didn't help. I tried to return the old XposedBridge.jar. Didn't help. Removing the dalvik/art cache via TWRP didn't help. Removing /data/system/xprivacy didn't help. It means that I have something wrong with the /data partition. I could delete Xprivacy or XposedBridge.jar and boot the system normally, but that is not an option. I couldn't find what causes this problem (bootloop) and just restored my old /data partition backup.

So, @abforce, it needs more investigation... Here is the link to the logs: https://gist.github.com/avently/99cd3aa80e1502e747802ce04e6964a8

abforce commented 7 years ago

@avently Did you merge this commit to your ART copy?

avently commented 7 years ago

@abforce Yes, I did. Maybe I found what causes this situation. It's the enabled LuckyPatcher module. Somehow it conflicts with Xprivacy and the new XposedBridge. When I restored the old /data I removed LuckyPatcher and replaced the old bridge with the new one. No bootloop, worked fine. Then I installed Lucky and enabled the module. Bootloop. Can you reproduce it?