jmpews / Dobby

a lightweight, multi-platform, multi-architecture hook framework.
Apache License 2.0

Calling the target function after DobbyDestroy crashes on arm32 #128

Closed canyie closed 3 years ago

canyie commented 3 years ago

Device: Redmi 5 Plus. System: LineageOS 18.0 (Android 11). Code:

#include <android/log.h>
#include "dobby.h"

// The reporter's logging macro is not shown in the issue; assumed definition
#define LOGI(...) __android_log_print(ANDROID_LOG_INFO, "native-lib", __VA_ARGS__)

static void hook_target() {
    LOGI("TARGET TARGET");
    LOGI("TTT! GET!");
}

static void replace_target() {
    LOGI("We replaced target!");
}

void hook_func() {
    void* fake = nullptr;
    DobbyHook((void*) hook_target, (void*) replace_target, &fake);
    DobbyDestroy((void*) hook_target);   // remove the hook again
    hook_target();                        // crashes here on arm32
}

On arm64 everything works. On arm32 the hook does take effect, but calling the hooked function again after destroy crashes:

2020-09-15 04:39:51.393 20749-20749/? A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
2020-09-15 04:39:51.393 20749-20749/? A/DEBUG: Build fingerprint: 'Xiaomi/lineage_vince/vince:11/RP1A.200720.009/eng.dd3boh.20200913.133422:userdebug/test-keys'
2020-09-15 04:39:51.393 20749-20749/? A/DEBUG: Revision: '0'
2020-09-15 04:39:51.393 20749-20749/? A/DEBUG: ABI: 'arm'
2020-09-15 04:39:51.395 20749-20749/? A/DEBUG: Timestamp: 2020-09-15 04:39:51+0800
2020-09-15 04:39:51.395 20749-20749/? A/DEBUG: pid: 20709, tid: 20709, name: e.pine.examples  >>> top.canyie.pine.examples <<<
2020-09-15 04:39:51.395 20749-20749/? A/DEBUG: uid: 10131
2020-09-15 04:39:51.395 20749-20749/? A/DEBUG: signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0xd29b648f
2020-09-15 04:39:51.395 20749-20749/? A/DEBUG:     r0  00000000  r1  be4db831  r2  00000000  r3  d29b648d
2020-09-15 04:39:51.395 20749-20749/? A/DEBUG:     r4  ebd7e456  r5  00000001  r6  00000001  r7  ff845480
2020-09-15 04:39:51.395 20749-20749/? A/DEBUG:     r8  00000000  r9  e4180e10  r10 ff845690  r11 e4180e10
2020-09-15 04:39:51.395 20749-20749/? A/DEBUG:     ip  00001000  sp  ff845458  lr  be4db58f  pc  be4db828
2020-09-15 04:40:31.087 21153-21153/? A/DEBUG: backtrace:
2020-09-15 04:40:31.087 21153-21153/? A/DEBUG:       #00 pc 00018828  /data/app/~~qWZFXlHmtSTIROgdalGSnA==/top.canyie.pine.examples-LIEwmWKV6bKpb4_hDmb09w==/lib/arm/libpine.so!libpine.so (offset 0x18000) (BuildId: d51db045b1fcee50ed7817cab18a48007b48d7fe)
2020-09-15 04:40:31.087 21153-21153/? A/DEBUG:       #01 pc 000181c7  /data/app/~~qWZFXlHmtSTIROgdalGSnA==/top.canyie.pine.examples-LIEwmWKV6bKpb4_hDmb09w==/lib/arm/libpine.so!libpine.so (offset 0x18000) (pine::Android::Init(_JNIEnv*, int, bool, bool)+518) (BuildId: d51db045b1fcee50ed7817cab18a48007b48d7fe)
2020-09-15 04:40:31.087 21153-21153/? A/DEBUG:       #02 pc 00015f4f  /data/app/~~qWZFXlHmtSTIROgdalGSnA==/top.canyie.pine.examples-LIEwmWKV6bKpb4_hDmb09w==/lib/arm/libpine.so (Pine_init0(_JNIEnv*, _jclass*, int, unsigned char, unsigned char, unsigned char, unsigned char, unsigned char)+178) (BuildId: d51db045b1fcee50ed7817cab18a48007b48d7fe)
2020-09-15 04:40:31.087 21153-21153/? A/DEBUG:       #03 pc 000d80dd  /apex/com.android.art/lib/libart.so (art_quick_generic_jni_trampoline+44) (BuildId: 411163f681666e1c830637f4e9c59ea5)
<Android internal call stack omitted>
canyie commented 3 years ago

I was using the static library from the releases; I'm now building a library with DOBBY_DEBUG=ON to test, please wait.

canyie commented 3 years ago

#include <jni.h>
#include <android/log.h>
#include "dobby.h"

// The reporter's helper macros are not shown in the issue; assumed definitions
#define LOGI(...) __android_log_print(ANDROID_LOG_INFO, "native-lib", __VA_ARGS__)
#define B2S(b) ((b) ? "true" : "false")

// Receives the trampoline to the original function from DobbyHook
static bool (*orgi_target)(int) = nullptr;

extern bool targetFunction(int i) {
    LOGI("target function %d", i);
    int k = i;
    for(int j = 0;j < i;++j) {
        LOGI("for loop %d", j);
        k += j;
        k++;
    }
    i--;
    k += i;
    k--;
    i++;
    k -= i;
    LOGI("After target function %d", k);
    return false;
}

extern bool hook_target(int i) {
    LOGI("Before target function: received param %d", i);
    LOGI("Change param to %d", ++i);
    bool result = orgi_target(i);
    LOGI("After target function: result %s", B2S(result));
    result = !result;
    LOGI("Changed result to %s", B2S(result));
    return result;
}

extern "C" JNIEXPORT void JNICALL
Java_com_canyie_nativehooktest_MainActivity_test(
        JNIEnv* env,
        jclass) {
    LOGI(" ----- BEGIN HOOK ----- ");
    DobbyHook((void*) targetFunction, (void*) hook_target, (void**) &orgi_target);
    DobbyDestroy((void*) targetFunction);   // remove the hook again
    LOGI(" ----- END HOOK -----");
    bool result = targetFunction(1);        // crashes here on arm32
    LOGI("target function returned %s", B2S(result));
}
2021-02-07 20:32:07.126 28656-28656/com.canyie.nativehooktest I/Dobby: [*] ================================
2021-02-07 20:32:07.126 28656-28656/com.canyie.nativehooktest I/Dobby: [*] Dobby
2021-02-07 20:32:07.126 28656-28656/com.canyie.nativehooktest I/Dobby: [*] ================================
2021-02-07 20:32:07.126 28656-28656/com.canyie.nativehooktest I/Dobby: [*] dobby in debug log mode, disable with cmake flag "-DDOBBY_DEBUG=OFF"
2021-02-07 20:32:07.159 28656-28656/com.canyie.nativehooktest I/native-lib:  ----- BEGIN HOOK ----- 
2021-02-07 20:32:07.159 28656-28656/com.canyie.nativehooktest I/Dobby: [*] [DobbyHook] Initialize at 0xc325f1c5
2021-02-07 20:32:07.159 28656-28656/com.canyie.nativehooktest I/Dobby: [*] ================ FunctionInlineReplaceRouting Start ================
2021-02-07 20:32:07.159 28656-28656/com.canyie.nativehooktest I/Dobby: [*] [trampoline] Generate trampoline buffer 0xc325f1c5 -> 0xc325f26d
2021-02-07 20:32:07.159 28656-28656/com.canyie.nativehooktest I/Dobby: [*] [insn relocate] origin 0xc325f1c4 - 8
2021-02-07 20:32:07.159 28656-28656/com.canyie.nativehooktest I/Dobby: [*] [insn relocate] relocated 0xe9ee0001 - 28
2021-02-07 20:32:07.159 28656-28656/com.canyie.nativehooktest I/Dobby: [*] [intercept routing] Active patch 0xc325f1c4
2021-02-07 20:32:07.159 28656-28656/com.canyie.nativehooktest I/Dobby: [*] ================ FunctionInlineReplaceRouting End ================
2021-02-07 20:32:07.159 28656-28656/com.canyie.nativehooktest I/native-lib:  ----- END HOOK -----

    --------- beginning of crash
2021-02-07 20:32:07.159 28656-28656/com.canyie.nativehooktest A/libc: Fatal signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x5 in tid 28656 (.nativehooktest), pid 28656 (.nativehooktest)
2021-02-07 20:32:07.185 28696-28696/? I/crash_dump32: obtaining output fd from tombstoned, type: kDebuggerdTombstone
2021-02-07 20:32:07.185 1145-1145/? I//system/bin/tombstoned: received crash request for pid 28656
2021-02-07 20:32:07.186 28696-28696/? I/crash_dump32: performing dump of process 28656 (target tid = 28656)
2021-02-07 20:32:07.192 28696-28696/? A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
2021-02-07 20:32:07.192 28696-28696/? A/DEBUG: Build fingerprint: 'google/blueline/blueline:10/QQ3A.200605.001/6392402:user/release-keys'
2021-02-07 20:32:07.192 28696-28696/? A/DEBUG: Revision: 'MP1.0'
2021-02-07 20:32:07.192 28696-28696/? A/DEBUG: ABI: 'arm'
2021-02-07 20:32:07.194 28696-28696/? A/DEBUG: Timestamp: 2021-02-07 20:32:07+0800
2021-02-07 20:32:07.194 28696-28696/? A/DEBUG: pid: 28656, tid: 28656, name: .nativehooktest  >>> com.canyie.nativehooktest <<<
2021-02-07 20:32:07.194 28696-28696/? A/DEBUG: uid: 10334
2021-02-07 20:32:07.194 28696-28696/? A/DEBUG: signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x5
2021-02-07 20:32:07.194 28696-28696/? A/DEBUG: Cause: null pointer dereference
2021-02-07 20:32:07.195 28696-28696/? A/DEBUG:     r0  00000001  r1  00000001  r2  8e942cbe  r3  00000003
2021-02-07 20:32:07.195 28696-28696/? A/DEBUG:     r4  c326f011  r5  c326f0d2  r6  ed95ce00  r7  00000001
2021-02-07 20:32:07.195 28696-28696/? A/DEBUG:     r8  00000000  r9  ed95ce00  r10 ffeb47a0  r11 ed95ce00
2021-02-07 20:32:07.195 28696-28696/? A/DEBUG:     ip  c3276e10  sp  ffeb4730  lr  c325f3cf  pc  c325f1c4
2021-02-07 20:32:07.304 28696-28696/? A/DEBUG: backtrace:
2021-02-07 20:32:07.304 28696-28696/? A/DEBUG:       #00 pc 0001e1c4  /data/app/com.canyie.nativehooktest-htjAVE6HXmSV5bY_DXAezg==/lib/arm/libdobby.so!libdobby.so (offset 0x1e000) (targetFunction(int)) (BuildId: d27a8dc3965672aaffc766e01580968879f6a1c7)
2021-02-07 20:32:07.304 28696-28696/? A/DEBUG:       #01 pc 0001e1c3  /data/app/com.canyie.nativehooktest-htjAVE6HXmSV5bY_DXAezg==/lib/arm/libdobby.so!libdobby.so (offset 0x1e000) (zz::OSThread::SetThreadLocal(int, void*)+118) (BuildId: d27a8dc3965672aaffc766e01580968879f6a1c7)
================
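The debug log above shows the hook initialized at 0xc325f1c5 (a Thumb function pointer with bit 0 set) while the 8-byte patch is applied at 0xc325f1c4. The following is an added example, not code from the issue or from Dobby, of a check a reproducer can carry to confirm that DobbyDestroy really restored the original prologue bytes; it strips the Thumb bit before comparing, and the demo runs offline on a constructed byte buffer standing in for the target's code.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* On 32-bit ARM a pointer to a Thumb function carries the mode bit (bit 0),
 * e.g. 0xc325f1c5 in the log, while the patch lands at 0xc325f1c4.
 * Strip it so snapshot and comparison look at the same bytes. */
static const uint8_t *code_start(const void *fn) {
    return (const uint8_t *)((uintptr_t)fn & ~(uintptr_t)1);
}

/* Copy the first n bytes of a function's machine code before hooking it. */
static void snapshot_code(const void *fn, uint8_t *out, size_t n) {
    memcpy(out, code_start(fn), n);
}

/* After DobbyDestroy, compare the live prologue with the snapshot.
 * Returns the index of the first differing byte, or -1 if fully restored. */
static int first_unrestored_byte(const void *fn, const uint8_t *snap, size_t n) {
    const uint8_t *live = code_start(fn);
    for (size_t i = 0; i < n; i++)
        if (live[i] != snap[i]) return (int)i;
    return -1;
}

/* Offline demonstration: a constructed 16-byte buffer plays the target's code.
 * The hook overwrites the 8-byte prologue (the "origin ... - 8" span in the
 * Dobby log); a faulty destroy that only rewrites 4 bytes is caught. */
static int demo(void) {
    static const uint8_t prologue[16] = {           /* constructed sample bytes */
        0x2d,0xe9,0xf0,0x4f, 0xad,0xf1,0x0c,0x0d,
        0x04,0x46,0x0d,0x46, 0x00,0x20,0xbd,0xe8 };
    uint32_t storage[4];                            /* keeps the buffer 4-aligned */
    uint8_t *code = (uint8_t *)storage;
    memcpy(code, prologue, sizeof prologue);
    const void *thumb_fn = (const void *)((uintptr_t)code | 1); /* Thumb-style ptr */
    uint8_t snap[8];
    snapshot_code(thumb_fn, snap, sizeof snap);
    memset(code, 0xff, 8);                          /* simulated inline patch */
    if (first_unrestored_byte(thumb_fn, snap, 8) != 0) return -1;
    memcpy(code, snap, 4);                          /* simulated partial restore */
    int off = first_unrestored_byte(thumb_fn, snap, 8);   /* 4 */
    memcpy(code, snap, 8);                          /* full restore */
    if (first_unrestored_byte(thumb_fn, snap, 8) != -1) return -1;
    return off;
}
```

In the real reproducer, call snapshot_code on the target before DobbyHook and first_unrestored_byte after DobbyDestroy, before invoking the target again.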
jmpews commented 3 years ago

fixed