Frida: Troubles with ART's JIT profiles after a Java method gets hooked

Created on 28 Mar 2019 · 10 Comments · Source: frida/frida

Not sure yet if collaborators can do anything with this Android gimmick, but a fatal error appeared in logcat just before the hooked process crashed:

zygote64: profile_saver.cc:359] Check failed: method.GetCounter() == 0u (method.GetCounter()=16, 0u=0) void org.a.a.c.b.some_funct!(byte[], int, int) access_flags=524561
ActivityManager: Process come.some_process.anr (pid 19434) has died: fore TOP 

(see profile_saver.cc in AOSP)
after launching the following script (I don't think it matters):

var clazz = Java.use("org.a.a.c.b");
// Hook the (byte[], int, int) overload and simply pass the call through to the original.
clazz.some_funct.overload('[B', 'int', 'int').implementation = function (bytes, length, offset) {
    return clazz.some_funct.call(this, bytes, length, offset);
};

with the JIT profiles (profile-guided optimization) feature enabled on the device.

All 10 comments

+1 here

04-03 12:43:48.498 26188 26218 F zygote : profile_saver.cc:359] Check failed: method.GetCounter() == 0u (method.GetCounter()=245, 0u=0) java.lang.String com.package.XXX!(android.content.Context) access_flags=524553
04-03 12:43:48.617 26188 26330 W Unity : The referenced script on this Behaviour is missing!

followed by proc crash

+1
device: Nexus 5X
OS version: the stock Oreo 8.1 OPM7.181205.001 and lineage-15.1 (based on the stock Oreo 8.1 OPM7.181205.001)
zygote64: profile_saver.cc:359] Check failed: method.GetCounter() == 0u (method.GetCounter()=16, 0u=0) void org.a.a.c.b.some_funct!(byte[], int, int) access_flags=524561
ActivityManager: Process come.some_process.anr (pid 19434) has died: fore TOP

CODE:
https://github.com/LineageOS/android_art/blob/lineage-15.1/runtime/jit/profile_saver.cc
LINE: 359
CHECK_EQ(method.GetCounter(), 0u) << method.PrettyMethod()
<< " access_flags=" << method.GetAccessFlags();

+1

05-09 09:30:52.116 25335 25356 F zygote64: profile_saver.cc:359] Check failed: method.GetCounter() == 0u (method.GetCounter()=55, 0u=0) void com.app.core.tools.a.setInit!(boolean) access_flags=524553
05-09 09:30:52.263 25335 25356 F zygote64: runtime.cc:523] Runtime aborting...

Device: Nexus 5X
Android version: 8.1.0
Kernel version: 3.10.73

Could you try Java.deoptimizeEverything() in Frida 12.5.0? Ideally put it in a Java.performNow(), so it's applied as early as possible.

Java.deoptimizeEverything()

Thx, just tried it, but it didn't work out. Still the same problem with this JS code:

Java.performNow(function () {
    Java.deoptimizeEverything();
    // hooks
});

Strange thing is that 2 similarly configured devices have different behaviour: the first has this error, the second does not. Both have JIT and PGO enabled. (Just noticed)

This appears to still be an issue in 12.7.5. It seems not to matter whether the duk or v8 runtime is used.

I have been battling with this JIT issue for a while; now this works for me: you can disable JIT on your phone using adb shell

```
adb root
adb shell stop
adb shell setprop dalvik.vm.usejit false
adb shell start
```
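When triaging a crash like the ones quoted in this thread, the first question is whether the abort is really the ART profile-saver CHECK (and for which method), and the second is whether the JIT workaround above is actually in effect on the device. The following POSIX sh helpers are an added example and are not code from the thread or from Frida: they parse captured logcat text and `getprop` output offline. The `SAMPLE_LOG` excerpt is constructed from the lines quoted above, and treating an unset `dalvik.vm.usejit` as "JIT enabled" is an assumption consistent with the workaround needing an explicit `false`.

```shell
#!/bin/sh
# Added example (not from the Frida issue thread): offline triage helpers for
# the ART profile_saver.cc CHECK failure quoted in the thread.

# Constructed sample logcat excerpt, modelled on the lines quoted in the thread.
SAMPLE_LOG='05-09 09:30:52.116 25335 25356 F zygote64: profile_saver.cc:359] Check failed: method.GetCounter() == 0u (method.GetCounter()=55, 0u=0) void com.app.core.tools.a.setInit!(boolean) access_flags=524553
05-09 09:30:52.263 25335 25356 F zygote64: runtime.cc:523] Runtime aborting...
04-03 12:43:48.617 26188 26330 W Unity : The referenced script on this Behaviour is missing!'

# Read logcat text on stdin; print "<counter> <access_flags> <method>" for every
# profile-saver CHECK failure found (nothing when there is none).
extract_profile_saver_aborts() {
    sed -n 's/.*profile_saver\.cc:[0-9]*\] Check failed: method\.GetCounter() == 0u (method\.GetCounter()=\([0-9]*\), 0u=0) \(.*\) access_flags=\([0-9]*\).*/\1 \3 \2/p'
}

# Exit 0 when the given log text contains the profile-saver CHECK abort.
is_profile_saver_abort() {
    printf '%s\n' "$1" | grep -q 'profile_saver\.cc:[0-9]*\] Check failed: method\.GetCounter() == 0u'
}

# Hotness counter reported by the first matching line (empty when none).
profile_saver_counter() {
    printf '%s\n' "$1" | extract_profile_saver_aborts | head -n 1 | cut -d' ' -f1
}

# Pretty method signature from the first matching line (empty when none).
profile_saver_method() {
    printf '%s\n' "$1" | extract_profile_saver_aborts | head -n 1 | cut -d' ' -f3-
}

# Given the output of `adb shell getprop dalvik.vm.usejit`, exit 0 only when
# JIT is explicitly switched off. An unset property counts as enabled
# (assumption: the workaround in the thread sets it to "false" explicitly).
jit_disabled() {
    case "$(printf '%s' "$1" | tr -d '[:space:]')" in
        false) return 0 ;;
        *)     return 1 ;;
    esac
}

# Demo on the constructed sample; pipe real output of `adb logcat -d` instead.
if is_profile_saver_abort "$SAMPLE_LOG"; then
    printf 'profile-saver abort: counter=%s method=%s\n' \
        "$(profile_saver_counter "$SAMPLE_LOG")" "$(profile_saver_method "$SAMPLE_LOG")"
fi
```

A counter above zero for a hooked method is exactly what the CHECK at line 359 rejects, so seeing the hooked method's name in this output points at the Frida hook rather than at the app itself; confirming `jit_disabled` on the real `getprop` value tells you whether the `setprop` workaround survived the restart.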

zygote: profile_saver.cc:359] Check failed: method.GetCounter()

This will be fixed by frida/frida-java-bridge#191.

zygote : profile_saver.cc:359] Check failed: method.GetCounter() == 0u
frida==14.2.2
