frida / frida-core

Frida core library intended for static linking into bindings
https://frida.re

frida-trace crashes android/x86 apps #60

Closed devinvisible closed 7 years ago

devinvisible commented 8 years ago

I'm trying to inject into Clash of Clans on a Genymotion Google Nexus 7 emulator. I'm using the binary from http://build.frida.re/frida-snapshot/android/i386/bin/frida-server. The command I'm using to instrument CoC is:

frida-trace -U -i send -i recv com.supercell.clashofclans

frida-trace outputs "Resolving functions..." and just sits there. It causes CoC to crash and logcat shows the following:

F/libc ( 2031): Fatal signal 11 (SIGSEGV), code 1, fault addr 0x2d in tid 2031 (ll.clashofclans)
I/DEBUG ( 86): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG ( 86): Build fingerprint: 'generic/vbox86tp/vbox86tp:5.1/LMY47D/buildbot11172044:userdebug/test-keys'
I/DEBUG ( 86): Revision: '0'
I/DEBUG ( 86): ABI: 'x86'
I/DEBUG ( 86): pid: 2031, tid: 2031, name: ll.clashofclans >>> com.supercell.clashofclans <<<
I/DEBUG ( 86): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x2d
I/DEBUG ( 86): eax ffffffff ebx f743398c ecx 00000003 edx ffb7b198
I/DEBUG ( 86): esi ffffffff edi f3efa104
I/DEBUG ( 86): xcs 00000023 xds 0000002b xes 0000002b xfs 00000007 xss 0000002b
I/DEBUG ( 86): eip f74286a8 ebp 00000000 esp ffb7b1e0 flags 00210286
I/DEBUG ( 86):
I/DEBUG ( 86): backtrace:
I/DEBUG ( 86): #00 pc 0001b6a8 /system/lib/libutils.so (android::Looper::pollInner(int)+200)
I/DEBUG ( 86): #01 pc 0001baa7 /system/lib/libutils.so (android::Looper::pollOnce(int, int, int, void*)+55)
I/DEBUG ( 86): #02 pc 000c8697 /system/lib/libandroid_runtime.so (android::NativeMessageQueue::pollOnce(JNIEnv*, int)+71)
I/DEBUG ( 86): #03 pc 000c86fa /system/lib/libandroid_runtime.so
I/DEBUG ( 86): #04 pc 000db8ae /data/dalvik-cache/x86/system@framework@boot.oat
I/DEBUG ( 86):
I/DEBUG ( 86): Tombstone written to: /data/tombstones/tombstone_02
I/BootReceiver( 571): Copying /data/tombstones/tombstone_02 to DropBox (SYSTEM_TOMBSTONE)
W/ActivityManager( 571): Force finishing activity 1 com.supercell.clashofclans/.GameApp
E/JavaBinder( 571): !!! FAILED BINDER TRANSACTION !!!
E/EGL_emulation( 606): tid 606: eglCreateSyncKHR(1209): error 0x3004 (EGL_BAD_ATTRIBUTE)
D/WifiService( 571): Client connection lost with reason: 4
W/InputDispatcher( 571): channel '2443c6a1 com.supercell.clashofclans/com.supercell.clashofclans.GameApp (server)' ~ Consumer closed input channel or an error occurred. events=0x9
E/InputDispatcher( 571): channel '2443c6a1 com.supercell.clashofclans/com.supercell.clashofclans.GameApp (server)' ~ Channel is unrecoverably broken and will be disposed!
I/Zygote ( 306): Process 2031 exited due to signal (11)
D/WifiService( 571): releaseWifiLockLocked: WifiLock{com.supercell.clashofclans type=1 binder=android.os.BinderProxy@26e5fd1c}
I/WindowState( 571): WIN DEATH: Window{2443c6a1 u0 com.supercell.clashofclans/com.supercell.clashofclans.GameApp}
W/InputDispatcher( 571): Attempted to unregister already unregistered input channel '2443c6a1 com.supercell.clashofclans/com.supercell.clashofclans.GameApp (server)'
I/WindowState( 571): WIN DEATH: Window{2d076887 u0 SurfaceView}
W/ActivityManager( 571): Exception thrown during pause
W/ActivityManager( 571): android.os.DeadObjectException
W/ActivityManager( 571): at android.os.BinderProxy.transactNative(Native Method)
W/ActivityManager( 571): at android.os.BinderProxy.transact(Binder.java:496)
W/ActivityManager( 571): at android.app.ApplicationThreadProxy.schedulePauseActivity(ApplicationThreadNative.java:704)
W/ActivityManager( 571): at com.android.server.am.ActivityStack.startPausingLocked(ActivityStack.java:825)
W/ActivityManager( 571): at com.android.server.am.ActivityStack.finishActivityLocked(ActivityStack.java:2726)
W/ActivityManager( 571): at com.android.server.am.ActivityStack.finishTopRunningActivityLocked(ActivityStack.java:2583)
W/ActivityManager( 571): at com.android.server.am.ActivityStackSupervisor.finishTopRunningActivityLocked(ActivityStackSupervisor.java:2497)
W/ActivityManager( 571): at com.android.server.am.ActivityManagerService.handleAppCrashLocked(ActivityManagerService.java:11500)
W/ActivityManager( 571): at com.android.server.am.ActivityManagerService.makeAppCrashingLocked(ActivityManagerService.java:11397)
W/ActivityManager( 571): at com.android.server.am.ActivityManagerService.crashApplication(ActivityManagerService.java:12081)
W/ActivityManager( 571): at com.android.server.am.ActivityManagerService.handleApplicationCrashInner(ActivityManagerService.java:11592)
W/ActivityManager( 571): at com.android.server.am.NativeCrashListener$NativeCrashReporter.run(NativeCrashListener.java:86)
E/lowmemorykiller( 201): Error opening /proc/2031/oom_score_adj; errno=2
E/EGL_emulation( 606): tid 606: eglCreateSyncKHR(1209): error 0x3004 (EGL_BAD_ATTRIBUTE)
D/SurfaceFlinger( 606): setOrientation, mFbdev=0xf68603c0, mFbDev->setOrientation=0xf65aacd0, orientation=0
I/gralloc_vbox86( 606): setOrientation: orientation=0
I/ActivityManager( 571): Config changes=480 {1.0 310mcc260mnc en_US ?layoutDir sw600dp w600dp h888dp 213dpi lrg port finger qwerty/v/v dpad/v s.12}
I/InputReader( 571): Reconfiguring input devices. changes=0x00000004
I/InputReader( 571): Device reconfigured: id=1, name='Genymotion Virtual Input', size 800x1280, orientation 0, mode 1, display id 0
I/ActivityManager( 571): Process com.supercell.clashofclans (pid 2031) has died
W/art ( 571): Long monitor contention event with owner method=void com.android.server.am.ActivityManagerService.crashApplication(com.android.server.am.ProcessRecord, android.app.ApplicationErrorReport$CrashInfo) from ActivityManagerService.java:12027 waiters=2 for 189ms
W/art ( 571): Long monitor contention event with owner method=void com.android.server.am.ActivityManagerService.crashApplication(com.android.server.am.ProcessRecord, android.app.ApplicationErrorReport$CrashInfo) from ActivityManagerService.java:12027 waiters=3 for 143ms
D/OpenGLRenderer( 571): Use EGL_SWAP_BEHAVIOR_PRESERVED: true
D/Atlas ( 571): Validating map...
V/ActivityManager( 571): Display changed displayId=0
I/WindowManager( 571): Screen frozen for +204ms due to Window{3a90d6d u0 Starting com.supercell.clashofclans}
I/OpenGLRenderer( 875): Initialized EGL, version 1.4
I/OpenGLRenderer( 571): Initialized EGL, version 1.4
D/ ( 571): HostConnection::get() New Host Connection established 0xe11adbb0, tid 2191
W/EGL_emulation( 690): eglSurfaceAttrib not implemented
W/OpenGLRenderer( 690): Failed to set EGL_SWAP_BEHAVIOR on surface 0xf3ee92c0, error=EGL_SUCCESS
W/EGL_emulation( 875): eglSurfaceAttrib not implemented
W/OpenGLRenderer( 875): Failed to set EGL_SWAP_BEHAVIOR on surface 0xe24ba280, error=EGL_SUCCESS
D/OpenGLRenderer( 571): Enabling debug mode 0
W/EGL_emulation( 571): eglSurfaceAttrib not implemented
W/OpenGLRenderer( 571): Failed to set EGL_SWAP_BEHAVIOR on surface 0xded13fa0, error=EGL_SUCCESS
W/EGL_emulation( 690): eglSurfaceAttrib not implemented
W/OpenGLRenderer( 690): Failed to set EGL_SWAP_BEHAVIOR on surface 0xf3ee92e0, error=EGL_SUCCESS
W/EGL_emulation( 571): eglSurfaceAttrib not implemented
W/OpenGLRenderer( 571): Failed to set EGL_SWAP_BEHAVIOR on surface 0xded13fa0, error=EGL_SUCCESS
V/RenderScript( 875): 0xf3da6200 Launching thread(s), CPUs 4
W/OpenGLRenderer( 875): Incorrectly called buildLayer on View: ShortcutAndWidgetContainer, destroying layer...
I/art ( 571): Explicit concurrent mark sweep GC freed 21790(1190KB) AllocSpace objects, 10(2MB) LOS objects, 33% free, 8MB/13MB, paused 844us total 16.373ms

I tested instrumenting com.android.browser following the example on the website and it crashes the web browser.
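A small triage helper, added here as an example and not part of the original issue or of Frida: it parses the debuggerd tombstone lines out of a logcat capture like the one in the report above (the sample lines are copied from that report) and flags the SIGSEGV at fault address 0x2d as a near-null pointer dereference inside android::Looper::pollInner, which is the first thing to check before blaming the instrumented app itself.

```python
import re

# Constructed sample: debuggerd lines copied from the logcat in the issue above.
LOGCAT = """\
F/libc ( 2031): Fatal signal 11 (SIGSEGV), code 1, fault addr 0x2d in tid 2031 (ll.clashofclans)
I/DEBUG ( 86): ABI: 'x86'
I/DEBUG ( 86): pid: 2031, tid: 2031, name: ll.clashofclans >>> com.supercell.clashofclans <<<
I/DEBUG ( 86): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x2d
I/DEBUG ( 86): backtrace:
I/DEBUG ( 86): #00 pc 0001b6a8 /system/lib/libutils.so (android::Looper::pollInner(int)+200)
I/DEBUG ( 86): #01 pc 0001baa7 /system/lib/libutils.so (android::Looper::pollOnce(int, int, int, void*)+55)
I/DEBUG ( 86): #02 pc 000c8697 /system/lib/libandroid_runtime.so (android::NativeMessageQueue::pollOnce(JNIEnv*, int)+71)
I/DEBUG ( 86): #03 pc 000c86fa /system/lib/libandroid_runtime.so
I/Zygote ( 306): Process 2031 exited due to signal (11)
"""

DEBUG_PREFIX = re.compile(r"^I/DEBUG\s*\(\s*\d+\):\s?")
HEADER = re.compile(r"pid: (\d+), tid: (\d+), name: (\S+)\s+>>> (\S+) <<<")
SIGNAL = re.compile(r"signal (\d+) \((\w+)\), code (\d+) \((\w+)\), fault addr (0x[0-9a-f]+)")
FRAME = re.compile(r"#(\d+) pc ([0-9a-f]+) (\S+)(?: \((.*)\))?$")


def parse_tombstone(logcat: str) -> dict:
    """Extract the debuggerd crash summary (process, signal, fault address, backtrace)."""
    info = {"frames": []}
    for raw in logcat.splitlines():
        m = DEBUG_PREFIX.match(raw)
        if not m:
            continue  # only debuggerd (I/DEBUG) lines carry the tombstone
        line = raw[m.end():]
        if (h := HEADER.search(line)):
            info.update(pid=int(h[1]), tid=int(h[2]), process=h[4])
        elif (s := SIGNAL.search(line)):
            info.update(signal=int(s[1]), signame=s[2], code=s[4], fault_addr=int(s[5], 16))
        elif (f := FRAME.search(line)):
            info["frames"].append({"num": int(f[1]), "pc": int(f[2], 16), "lib": f[3], "symbol": f[4]})
        elif line.startswith("ABI:"):
            info["abi"] = line.split("'")[1]
    return info


def classify(info: dict) -> str:
    """Coarse triage: SIGSEGV at an address below the first page is a null-ish pointer dereference."""
    if info.get("signal") != 11:
        return "not-a-segv"
    return "near-null-deref" if info.get("fault_addr", 0) < 0x1000 else "invalid-access"
```

Feed it the full logcat capture (for example from `adb logcat -d`); the non-debuggerd lines are ignored, and `classify(parse_tombstone(text))` gives the quick verdict.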

oleavr commented 7 years ago

Should be fixed in latest Frida.