Android 15: `zygote64: Failed to reach single-threaded state` · Issue #1133 · frida/frida-core · GitHub
Android 15: zygote64: Failed to reach single-threaded state #1133
Open
@aleclearmind

Description

Problem

When launching an app while frida-server is running, zygote64 crashes with "Failed to reach single-threaded state".

Setup

OS: LineageOS 22.1 (based on AOSP 15)
Phone: Pixel 7
Frida version: 16.6.4

I get an error similar to #500 when starting an app while frida-server is running.

To reproduce

adb root
adb push frida-server-16.6.4-android-arm64 /data/local/tmp/frida-server
adb shell chmod 755 /data/local/tmp/frida-server
adb shell /data/local/tmp/frida-server

When I launch an application, from adb logcat I see the following:

11252 11252 W Zygote  : forkRepeatedly terminated due to non-simple command
11252 11252 D Zygote  : mbuffer starts with 18, nice name is , mEnd = 1765, mNext = 35, mLinesLeft = 16, mFd = 67
11252 11252 E zygote64: Not single threaded: bytes_read = 309 stat contents = "11252 (main) R 1 11252 0 0 -1 4194560 58037 139162 266 1435 84 361 1341 496 20 0 5 0 4101145 17336115200 52096 18446744073709551615 374155563008 37415..."
11252 11252 E zygote64: Other threads' abbreviated stats: 
11252 11252 E zygote64: After re-read: bytes_read = 150 stat contents = "11252 (main) R 1 11252 0 0 -1 4194560 58048 139162 266 1435 84 361 1341 496 20 0 5 0 4101145 17336115200 52096 18446744073709551615 374155563008 3741..."
11252 11252 F zygote64: runtime.cc:809] Failed to reach single-threaded state: wait_time = 4385
11252 11252 F zygote64: runtime.cc:707] Runtime aborting...
11252 11252 F zygote64: runtime.cc:707] Skipping all-threads dump as locks are held: thread_suspend_count_lock
11252 11252 F zygote64: runtime.cc:707] Aborting thread:
11252 11252 F zygote64: runtime.cc:707] "main" prio=5 tid=1 Native
11252 11252 F zygote64: runtime.cc:707]   | group="" sCount=0 ucsCount=0 flags=0 obj=0x72938d20 self=0xb400006fc7511be0
11252 11252 F zygote64: runtime.cc:707]   | sysTid=11252 nice=0 cgrp=default sched=0/0 handle=0x70de8ce0a0
11252 11252 F zygote64: runtime.cc:707]   | state=R schedstat=( 4454297440 426134072 4427 ) utm=84 stm=361 core=4 HZ=100
11252 11252 F zygote64: runtime.cc:707]   | stack=0x7fbfcac000-0x7fbfcae000 stackSize=8188KB
11252 11252 F zygote64: runtime.cc:707]   | held mutexes= "abort lock" "thread list lock" "mutator lock"(shared held)
11252 11252 F zygote64: runtime.cc:707]   native: #00 pc 004510cc  /apex/com.android.art/lib64/libart.so (art::DumpNativeStack+108) (BuildId: aa3cb587e62dcd7657261312998b429f)
11252 11252 F zygote64: runtime.cc:707]   native: #01 pc 005c1838  /apex/com.android.art/lib64/libart.so (art::Thread::DumpStack const+456) (BuildId: aa3cb587e62dcd7657261312998b429f)
11252 11252 F zygote64: runtime.cc:707]   native: #02 pc 00451b60  /apex/com.android.art/lib64/libart.so (art::Thread::DumpStack const+96) (BuildId: aa3cb587e62dcd7657261312998b429f)
11252 11252 F zygote64: runtime.cc:707]   native: #03 pc 008e46b8  /apex/com.android.art/lib64/libart.so (art::AbortState::DumpThread const+56) (BuildId: aa3cb587e62dcd7657261312998b429f)
11252 11252 F zygote64: runtime.cc:707]   native: #04 pc 008e42e0  /apex/com.android.art/lib64/libart.so (art::AbortState::Dump const+416) (BuildId: aa3cb587e62dcd7657261312998b429f)
11252 11252 F zygote64: runtime.cc:707]   native: #05 pc 008e1724  /apex/com.android.art/lib64/libart.so (art::Runtime::Abort+804) (BuildId: aa3cb587e62dcd7657261312998b429f)
11252 11252 F zygote64: runtime.cc:707]   native: #06 pc 000144d0  /apex/com.android.art/lib64/libbase.so (android::base::SetAborter::$_0::__invoke+80) (BuildId: 46b6a9bcb2abcf5a6ff00f0ebb5aae63)
11252 11252 F zygote64: runtime.cc:707]   native: #07 pc 00013a28  /apex/com.android.art/lib64/libbase.so (android::base::LogMessage::~LogMessage+520) (BuildId: 46b6a9bcb2abcf5a6ff00f0ebb5aae63)
11252 11252 F zygote64: runtime.cc:707]   native: #08 pc 00535304  /apex/com.android.art/lib64/libart.so (art::Runtime::PreZygoteFork+2404) (BuildId: aa3cb587e62dcd7657261312998b429f)
11252 11252 F zygote64: runtime.cc:707]   native: #09 pc 00534918  /apex/com.android.art/lib64/libart.so (art::ZygoteHooks_nativePreFork +56) (BuildId: aa3cb587e62dcd7657261312998b429f)
11252 11252 F zygote64: runtime.cc:707]   native: #10 pc 00014078  /system/framework/arm64/boot-core-libart.oat (art_jni_trampoline+104) (BuildId: 3fbb629a4aca93d38e64b2280938856348286aad)
11252 11252 F zygote64: runtime.cc:707]   native: #11 pc 00029d40  /system/framework/arm64/boot-core-libart.oat (dalvik.system.ZygoteHooks.preFork+112) (BuildId: 3fbb629a4aca93d38e64b2280938856348286aad)
11252 11252 F zygote64: runtime.cc:707]   native: #12 pc 00806720  /system/framework/arm64/boot-framework.oat (com.android.internal.os.ZygoteConnection.processCommand+848) (BuildId: d749efbe6b0792c81e599f06ed790e86982c9881)
11252 11252 F zygote64: runtime.cc:707]   native: #13 pc 00807f74  /system/framework/arm64/boot-framework.oat (com.android.internal.os.ZygoteServer.runSelectLoop+2084) (BuildId: d749efbe6b0792c81e599f06ed790e86982c9881)
11252 11252 F zygote64: runtime.cc:707]   native: #14 pc 008169c4  /system/framework/arm64/boot-framework.oat (com.android.internal.os.ZygoteInit.main+2948) (BuildId: d749efbe6b0792c81e599f06ed790e86982c9881)
11252 11252 F zygote64: runtime.cc:707]   native: #15 pc 003fc660  /apex/com.android.art/lib64/libart.so (art_quick_invoke_static_stub+640) (BuildId: aa3cb587e62dcd7657261312998b429f)
11252 11252 F zygote64: runtime.cc:707]   native: #16 pc 00243c9c  /apex/com.android.art/lib64/libart.so (art::ArtMethod::Invoke+204) (BuildId: aa3cb587e62dcd7657261312998b429f)
11252 11252 F zygote64: runtime.cc:707]   native: #17 pc 00244028  /apex/com.android.art/lib64/libart.so (art::JValue art::InvokeWithVarArgs<_jmethodID*>+568) (BuildId: aa3cb587e62dcd7657261312998b429f)
11252 11252 F zygote64: runtime.cc:707]   native: #18 pc 006e4fb8  /apex/com.android.art/lib64/libart.so (art::JNI<true>::CallStaticVoidMethodV+136) (BuildId: aa3cb587e62dcd7657261312998b429f)
11252 11252 F zygote64: runtime.cc:707]   native: #19 pc 000d7638  /system/lib64/libandroid_runtime.so (_JNIEnv::CallStaticVoidMethod+104) (BuildId: 4992a4b3ab646d74ec65a1b6cb30f478)
11252 11252 F zygote64: runtime.cc:707]   native: #20 pc 000ed85c  /system/lib64/libandroid_runtime.so (android::AndroidRuntime::start+844) (BuildId: 4992a4b3ab646d74ec65a1b6cb30f478)
11252 11252 F zygote64: runtime.cc:707]   native: #21 pc 0000259c  /system/bin/app_process64 (main+1212) (BuildId: 591a760d5525738102d35ef3dd197404)
11252 11252 F zygote64: runtime.cc:707]   native: #22 pc 000574f4  /apex/com.android.runtime/lib64/bionic/libc.so (__libc_init+116) (BuildId: 86c1cf5355663d1bf73d5263da254ebc)
11252 11252 F zygote64: runtime.cc:707]   at dalvik.system.ZygoteHooks.nativePreFork(Native method)
11252 11252 F zygote64: runtime.cc:707]   at dalvik.system.ZygoteHooks.preFork(ZygoteHooks.java:164)
11252 11252 F zygote64: runtime.cc:707]   at com.android.internal.os.ZygoteConnection.processCommand(ZygoteConnection.java:282)
11252 11252 F zygote64: runtime.cc:707]   at com.android.internal.os.ZygoteServer.runSelectLoop(ZygoteServer.java:521)
11252 11252 F zygote64: runtime.cc:707]   at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:858)
11252 11252 F zygote64: runtime.cc:707] 
11252 11252 W main    : type=1400 audit(0.0:2709): avc:  denied  { sys_nice } for  capability=23  scontext=u:r:zygote:s0 tcontext=u:r:zygote:s0 tclass=capability permissive=0
11252 11252 W gdbus   : type=1400 audit(0.0:2710): avc:  denied  { sys_nice } for  capability=23  scontext=u:r:zygote:s0 tcontext=u:r:zygote:s0 tclass=capability permissive=0
11252 11252 F libc    : Fatal signal 6 (SIGABRT), code -1 (SI_QUEUE) in tid 11252 (main), pid 11252 (main)
19439 19439 E crash_dump64: failed to get the guest state header for thread 11252: Bad address
  635   635 I tombstoned: received crash request for pid 11252
11252 11252 E Zygote  : Zygote failed to write to system_server FD: Bad file descriptor
11252 11252 I Zygote  : Process 19438 exited cleanly (0)
19439 19439 I crash_dump64: performing dump of process 11252 (target tid = 11252)
11252 11252 F libc    : failed to wait for crash_dump helper: No child processes
  462   462 I logd    : logdr: UID=0 GID=0 PID=19439 n tail=500 logMask=8 pid=11252 start=0ns deadline=0ns
  462   462 I logd    : logdr: UID=0 GID=0 PID=19439 n tail=500 logMask=1 pid=11252 start=0ns deadline=0ns
19439 19439 F DEBUG   : pid: 11252, tid: 11252, name: main  >>> zygote64 <<<
11403 11702 W NativeCrashListener: Couldn't find ProcessRecord for pid 11252
    1     1 I init    : Service 'zygote' (pid 11252) received signal 6
    1     1 I init    : Sending signal 9 to service 'zygote' (pid 11252) process group...
    1     1 I libprocessgroup: Removed cgroup /sys/fs/cgroup/uid_0/pid_11252

Afterwards, I get a soft reboot.

Let me know if I can provide further information.
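A triage script for the logcat excerpt above, added here as an example (it is not part of the issue or of Frida): it pulls num_threads (field 20) out of the quoted /proc/[pid]/stat content that ART logs before aborting in PreZygoteFork, correlates it with the fatal line for the same pid, and collects the comm names that kernel avc audit lines attribute to that pid, which is how the gdbus thread shows up in the log. Assumed: the Linux procfs stat layout, and that audit lines are tagged with the triggering thread's comm, as they are in the excerpt.

```python
import re
from typing import Optional

# Constructed sample: lines shaped like the issue's logcat excerpt (pid 11252 is zygote64).
SAMPLE_LOGCAT = """\
11252 11252 W Zygote  : forkRepeatedly terminated due to non-simple command
11252 11252 E zygote64: Not single threaded: bytes_read = 309 stat contents = "11252 (main) R 1 11252 0 0 -1 4194560 58037 139162 266 1435 84 361 1341 496 20 0 5 0 4101145 17336115200 52096 18446744073709551615 374155563008 37415..."
11252 11252 F zygote64: runtime.cc:809] Failed to reach single-threaded state: wait_time = 4385
11252 11252 W main    : type=1400 audit(0.0:2709): avc:  denied  { sys_nice } for  capability=23  scontext=u:r:zygote:s0 tcontext=u:r:zygote:s0 tclass=capability permissive=0
11252 11252 W gdbus   : type=1400 audit(0.0:2710): avc:  denied  { sys_nice } for  capability=23  scontext=u:r:zygote:s0 tcontext=u:r:zygote:s0 tclass=capability permissive=0
"""

NOT_SINGLE_RE = re.compile(r'^\s*(\d+)\s+\d+\s+E zygote(?:64)?: Not single threaded: .*stat contents = "(.*)"')
FATAL_RE = re.compile(r'^\s*(\d+)\s+\d+\s+F zygote(?:64)?: .*Failed to reach single-threaded state: wait_time = (\d+)')
# Assumption: kernel avc audit lines carry the comm of the thread that hit the denial as the logcat tag.
AUDIT_RE = re.compile(r'^\s*(\d+)\s+\d+\s+W (\S+)\s*: type=1400 audit')


def stat_num_threads(stat: str) -> int:
    """num_threads is field 20 of /proc/[pid]/stat; comm (field 2) is parenthesised and
    may itself contain spaces or ')', so split only after the last ')'."""
    close = stat.rfind(')')
    if close < 0:
        raise ValueError("malformed stat content: no ')' closing comm")
    rest = stat[close + 1:].split()   # rest[0] is field 3 (state), so field 20 is rest[17]
    return int(rest[17])


def analyze_logcat(text: str) -> Optional[dict]:
    """Correlate ART's pre-fork thread-count check with the fatal abort for the same pid.
    Returns None when no zygote abort of this kind is present in the log."""
    threads, waits, comms = {}, {}, {}
    for line in text.splitlines():
        if m := NOT_SINGLE_RE.match(line):
            threads[int(m.group(1))] = stat_num_threads(m.group(2))
        elif m := FATAL_RE.match(line):
            waits[int(m.group(1))] = int(m.group(2))
        elif m := AUDIT_RE.match(line):
            comms.setdefault(int(m.group(1)), set()).add(m.group(2))
    for pid, wait_time in waits.items():
        n = threads.get(pid)
        return {
            "pid": pid,
            "num_threads": n,                               # 5 for the issue's zygote64
            "extra_threads": (n - 1) if n is not None else None,
            "wait_time": wait_time,
            # thread names other than the main thread, e.g. the GLib "gdbus" worker
            "foreign_thread_comms": sorted(comms.get(pid, set()) - {"main"}),
        }
    return None
```

Run it over a full `adb logcat` capture instead of SAMPLE_LOGCAT to get the same summary for a real device.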
