Environment
- OS: Android 11 based smart TV OS (not reproducible in an Android 14 based OS);
- CPU: ARMv7 Processor rev 0 (v7l). Features: half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae evtstrm aes pmull sha1 sha2 crc32
- Frida & server version: 17.2.14
- Frida java bridge version: 7.0.7
Reproduce steps
- Attach to any application using python-frida;
- Run a `Java.perform` command. For example:

```js
Java.perform(() => { console.log('111'); })
```
Logs
The exception is thrown from: https://github.com/frida/frida-java-bridge/blob/main/lib/android.js#L4331
Exception message when loading a js file containing a `Java.perform` invocation:

```text
Error: Failed to parse instruction at ab8b5817: invalid instruction
    at recompileExceptionClearForArm (/my-debug.js:5768)
    at <anonymous> (/my-debug.js:5565)
    at _patchCode (native)
    at value (/frida/runtime/core.js:183)
    at makeArtThreadStateTransitionImpl (/my-debug.js:5566)
    at _getArtThreadStateTransitionImpl (/my-debug.js:3898)
    at <anonymous> (/my-debug.js:1929)
    at withRunnableArtThread (/my-debug.js:3887)
    at <anonymous> (/my-debug.js:3627)
    at <anonymous> (/my-debug.js:2774)
    at getArtClassSpec (/my-debug.js:3679)
    at compileModule (/my-debug.js:8065)
    at ensureInitialized (/my-debug.js:8034)
    at build (/my-debug.js:9331)
    at _make (/my-debug.js:11627)
    at use (/my-debug.js:11506)
    at <anonymous> (/my-debug.js:13292)
    at <anonymous> (/my-debug.js:2774)
    at _performPendingVmOpsWhenReady (/my-debug.js:13330)
    at perform (/my-debug.js:13271)
    at my-debug.js (/my-debug.js:13438)
    at __require (/my-debug.js:7)
    at <anonymous> (/my-debug.js:13441)

TypeError: cannot set property '_code' of null
    at makeArtThreadStateTransitionImpl (/my-debug.js:5567)
    at _getArtThreadStateTransitionImpl (/my-debug.js:3898)
    at <anonymous> (/my-debug.js:1929)
    at withRunnableArtThread (/my-debug.js:3887)
    at <anonymous> (/my-debug.js:3627)
    at <anonymous> (/my-debug.js:2774)
    at getArtClassSpec (/my-debug.js:3679)
    at compileModule (/my-debug.js:8065)
    at ensureInitialized (/my-debug.js:8034)
    at build (/my-debug.js:9331)
    at _make (/my-debug.js:11627)
    at use (/my-debug.js:11506)
    at <anonymous> (/my-debug.js:13292)
    at <anonymous> (/my-debug.js:2774)
    at _performPendingVmOpsWhenReady (/my-debug.js:13330)
    at perform (/my-debug.js:13271)
    at my-debug.js (/my-debug.js:13438)
    at __require (/my-debug.js:7)
    at <anonymous> (/my-debug.js:13441)
```
I also added some logs in the native code where an instruction is parsed: https://github.com/frida/frida-gum/blob/main/bindings/gumjs/gumquickinstruction.c#L236
When the error occurs, the 16 bytes from the address are:

```text
d9 ff 07 f7 d9 ff 68 7d 20 00 be 98 20 00 f8 20
```

The return value from the `cs_disasm` API is 0, and the error code obtained from `cs_errno` is also 0 (`CS_ERR_OK`).
Regression
This issue is no longer seen after I manually revert this commit: 996a4a3
Hi @Rwkeith, could you please provide some insights on how to further debug this issue? Any help would be greatly appreciated.
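The following is an added worked example, not code from the report or from frida itself. It takes the 16-byte dump and the fault address quoted above and splits the bytes into Thumb-2 instruction units, which is the view a disassembler is asked to decode when the address carries a set low bit (the convention Frida's ARM backend uses to mark Thumb code; treated here as an assumption and stated in the code). It also shows the same bytes as A32 words so the two readings can be compared. The only sizing rule it relies on is the architectural one: a first halfword in 0xE800..0xFFFF starts a 32-bit Thumb encoding.

```python
"""Split the byte dump from the report into Thumb-2 instruction units.

Added example; not code from the issue or from frida. Assumptions:
  - Frida's ARM backend treats an address with bit 0 set as Thumb code,
    so the fault address ab8b5817 denotes Thumb code at ab8b5816;
  - the 16 bytes quoted in the report were read from that code address
    and are little-endian, as on Android/ARM.
Thumb-2 sizing rule (ARM ARM A6.1): a first halfword in 0xE800..0xFFFF
starts a 32-bit encoding; any other halfword is a complete 16-bit one.
"""
import struct

FAULT_ADDRESS = 0xAB8B5817  # from the error message in the report
# Constructed from the byte dump quoted in the report.
RAW = bytes.fromhex("d9 ff 07 f7 d9 ff 68 7d 20 00 be 98 20 00 f8 20")


def is_thumb_address(addr: int) -> bool:
    """Gum convention on ARM (assumption): LSB set marks Thumb code."""
    return addr & 1 == 1


def thumb_units(data: bytes, addr: int):
    """Return (address, size, halfwords) for each Thumb encoding in data.

    Stops early if the buffer ends in the middle of a 32-bit encoding.
    """
    base = addr & ~1  # strip the Thumb marker to get the real code address
    units = []
    off = 0
    while off + 2 <= len(data):
        (hw1,) = struct.unpack_from("<H", data, off)
        if hw1 >= 0xE800:
            if off + 4 > len(data):
                break  # second halfword is not in the dump
            (hw2,) = struct.unpack_from("<H", data, off + 2)
            units.append((base + off, 4, (hw1, hw2)))
            off += 4
        else:
            units.append((base + off, 2, (hw1,)))
            off += 2
    return units


def thumb32_class(hw1: int, hw2: int) -> str:
    """Coarse ARMv7 Thumb-2 32-bit class (ARM ARM A6.3 fields op1/op2/op)."""
    op1 = (hw1 >> 11) & 0b11
    op2 = (hw1 >> 4) & 0b1111111
    if op1 == 0b01:
        if op2 & 0b1000000:
            return "coprocessor / Advanced SIMD / floating-point"
        if op2 & 0b0100000:
            return "data processing (shifted register)"
        return "load/store multiple, dual or exclusive, table branch"
    if op1 == 0b10:
        return "branches and miscellaneous" if hw2 & 0x8000 else "data processing (immediate)"
    if op1 == 0b11:
        if op2 & 0b1000000:
            return "coprocessor / Advanced SIMD / floating-point"
        if (op2 >> 4) == 0b010:
            return "data processing (register)"
        if (op2 >> 4) == 0b011:
            return "multiply / long multiply"
        return "load/store single data item"
    return "not a 32-bit encoding"


def arm_words(data: bytes):
    """The same bytes viewed as little-endian A32 words, for comparison."""
    return [struct.unpack_from("<I", data, off)[0] for off in range(0, len(data) - 3, 4)]


def describe(data: bytes, addr: int):
    """Human-readable lines for the dump, honouring the mode bit in addr."""
    if not is_thumb_address(addr):
        base = addr & ~3
        return [f"{base + 4 * i:08x}: {w:08x}" for i, w in enumerate(arm_words(data))]
    lines = []
    for unit_addr, size, hws in thumb_units(data, addr):
        enc = " ".join(f"{hw:04x}" for hw in hws)
        kind = thumb32_class(*hws) if size == 4 else "16-bit Thumb"
        lines.append(f"{unit_addr:08x}: {enc:<9} {kind}")
    return lines


if __name__ == "__main__":
    print("\n".join(describe(RAW, FAULT_ADDRESS)))
```

Under the Thumb reading, the first two units (`ffd9 f707` and `ffd9 7d68`) are 32-bit encodings in the coprocessor / Advanced SIMD / floating-point space and the remaining four are 16-bit instructions; that is the shape of input worth checking against what `cs_disasm` actually receives (mode, start offset and length). Note also that Capstone signals an undecodable instruction by returning a count of 0 without setting a handle error, so `cs_errno` reporting `CS_ERR_OK` in that situation is expected and does not by itself point at a Capstone fault.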