Pine.disableProfileSaver() causes SIGILL ILL_ILLOPC on MIUI 12 #18

Closed
Vendicated opened this issue Oct 17, 2021 · 4 comments
Labels: bug (Something isn't working)

Comments

@Vendicated (Contributor)

Vendicated commented Oct 17, 2021

App crashes instantly when launched.

Only happens on MIUI 12 (Android 11); works fine on other Android 11 ROMs.

Logcat
10-17 15:11:37.262 16097 16097 E com.aliucord: Not starting debugger since process cannot load the jdwp agent.
10-17 15:11:37.377 16097 16097 W com.aliucord: Accessing hidden method Ljava/lang/reflect/Executable;->getAccessFlags()I (greylist-max-o, JNI, denied)
10-17 15:11:37.377 16097 16097 W Pine    : Method.getAccessFlags not found, use default access flags.
10-17 15:11:37.379 16097 16097 W Pine    : JIT API is not supported in Android R yet
10-17 15:11:37.380  1073  2006 W SurfaceFlinger: eEarlyWakeup is deprecated. Use eExplicitEarlyWakeup[Start|End]
10-17 15:11:37.381 16097 16097 W Pine    : JIT compilation is not supported in Android R yet
--------- beginning of crash
10-17 15:11:37.409 16097 16111 F libc    : Fatal signal 4 (SIGILL), code 1 (ILL_ILLOPC), fault addr 0x73e969b118 in tid 16111 (Jit thread pool), pid 16097 (com.aliucord)
10-17 15:11:37.417  1073  2006 W SurfaceFlinger: eEarlyWakeup is deprecated. Use eExplicitEarlyWakeup[Start|End]
10-17 15:11:37.423  1073  2385 W SurfaceFlinger: eEarlyWakeup is deprecated. Use eExplicitEarlyWakeup[Start|End]
10-17 15:11:37.439  1073  2385 W SurfaceFlinger: eEarlyWakeup is deprecated. Use eExplicitEarlyWakeup[Start|End]
10-17 15:11:37.446  1073  2006 W SurfaceFlinger: eEarlyWakeup is deprecated. Use eExplicitEarlyWakeup[Start|End]
10-17 15:11:37.456  1073  2385 W SurfaceFlinger: eEarlyWakeup is deprecated. Use eExplicitEarlyWakeup[Start|End]
10-17 15:11:37.457  2974  7084 W FloatingIconLayer: release
10-17 15:11:37.464  1073  2005 W SurfaceFlinger: eEarlyWakeup is deprecated. Use eExplicitEarlyWakeup[Start|End]
10-17 15:11:37.472  1073  2005 W SurfaceFlinger: eEarlyWakeup is deprecated. Use eExplicitEarlyWakeup[Start|End]
10-17 15:11:37.483  1073  2006 W SurfaceFlinger: eEarlyWakeup is deprecated. Use eExplicitEarlyWakeup[Start|End]
10-17 15:11:37.491  1073  2006 W SurfaceFlinger: eEarlyWakeup is deprecated. Use eExplicitEarlyWakeup[Start|End]
10-17 15:11:37.503  1073  2005 W SurfaceFlinger: eEarlyWakeup is deprecated. Use eExplicitEarlyWakeup[Start|End]
10-17 15:11:37.513  1073  2385 W SurfaceFlinger: eEarlyWakeup is deprecated. Use eExplicitEarlyWakeup[Start|End]
10-17 15:11:37.521  1073  2005 W SurfaceFlinger: eEarlyWakeup is deprecated. Use eExplicitEarlyWakeup[Start|End]
10-17 15:11:37.530  1073  2385 W SurfaceFlinger: eEarlyWakeup is deprecated. Use eExplicitEarlyWakeup[Start|End]
10-17 15:11:37.534 16097 16097 W Firebase-Messag: type=1400 audit(0.0:773707): avc: denied { read } for name="u:object_r:vendor_displayfeature_prop:s0" dev="tmpfs" ino=1356 scontext=u:r:untrusted_app_29:s0:c110,c257,c512,c768 tcontext=u:object_r:vendor_displayfeature_prop:s0 tclass=file permissive=0 app=com.aliucord
10-17 15:11:37.537 16133 16133 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
10-17 15:11:37.537 16133 16133 F DEBUG   : Build fingerprint: 'Redmi/sweet_global/sweet:11/RKQ1.200826.002/V12.5.8.0.RKFMIXM:user/release-keys'
10-17 15:11:37.537 16097 16140 E libc    : Access denied finding property "ro.vendor.df.effect.conflict"
10-17 15:11:37.537 16133 16133 F DEBUG   : Revision: '0'
10-17 15:11:37.538 16133 16133 F DEBUG   : ABI: 'arm64'
10-17 15:11:37.538 16097 16140 E libc    : Access denied finding property "ro.vendor.knock.type"
10-17 15:11:37.538 16133 16133 F DEBUG   : Timestamp: 2021-10-17 15:11:37+0200
10-17 15:11:37.538 16133 16133 F DEBUG   : pid: 16097, tid: 16111, name: Jit thread pool  >>> com.aliucord <<<
10-17 15:11:37.539 16133 16133 F DEBUG   : uid: 10366
10-17 15:11:37.539 16133 16133 F DEBUG   : signal 4 (SIGILL), code 1 (ILL_ILLOPC), fault addr 0x73e969b118 (*pc=0x000073)
10-17 15:11:37.539 16133 16133 F DEBUG   :     x0  0000000000000001  x1  00000073ccbc3c00  x2  00000073ccbc3c00  x3  0000000000000000
10-17 15:11:37.539 16133 16133 F DEBUG   :     x4  00000073d5501891  x5  5472696d4d617073  x6  7370614d6d697254  x7  7370614d6d697254
10-17 15:11:37.539 16133 16133 F DEBUG   :     x8  0000000000000000  x9  b4000073e9edb340  x10 0000000000430000  x11 00000073c0000000
10-17 15:11:37.539 16133 16133 F DEBUG   :     x12 00000000000170d0  x13 0000000000b486ff  x14 0000000000ae64c4  x15 000040cab5ea4083
10-17 15:11:37.539 16133 16133 F DEBUG   :     x16 000000746aeae3f0  x17 000000746e502f7c  x18 000000738a9f0000  x19 00000073ccbc3c00
10-17 15:11:37.539 16133 16133 F DEBUG   :     x20 000000000000005c  x21 00000073e93fcc06  x22 00000073e93ef561  x23 00000073e93f14be
10-17 15:11:37.539 16133 16133 F DEBUG   :     x24 00000073e93d2d67  x25 0000000000000001  x26 000000746a783000  x27 0000000000000043
10-17 15:11:37.539 16133 16133 F DEBUG   :     x28 00000073e99ef000  x29 00000073d5501be0
10-17 15:11:37.539 16133 16133 F DEBUG   :     lr  00000073e9684d18  sp  00000073d5501b70  pc  00000073e969b118  pst 0000000040000000
10-17 15:11:37.539  1073  2385 W SurfaceFlinger: eEarlyWakeup is deprecated. Use eExplicitEarlyWakeup[Start|End]
10-17 15:11:37.544 16133 16133 F DEBUG   : backtrace:
10-17 15:11:37.544 16133 16133 F DEBUG   :       #00 pc 0000000000359118  /apex/com.android.art/lib64/libart.so!libart.so (offset 0x359000) (art::ProfileSaver::NotifyJitActivity()) (BuildId: d9d09da4285f1f09feadb805782797e4)
10-17 15:11:37.544 16133 16133 F DEBUG   :       #01 pc 0000000000342d14  /apex/com.android.art/lib64/libart.so (art::jit::JitCompileTask::Run(art::Thread*)+736) (BuildId: d9d09da4285f1f09feadb805782797e4)
10-17 15:11:37.544 16133 16133 F DEBUG   :       #02 pc 00000000005caee0  /apex/com.android.art/lib64/libart.so!libart.so (offset 0x35a000) (art::ThreadPoolWorker::Run()+108) (BuildId: d9d09da4285f1f09feadb805782797e4)
10-17 15:11:37.544 16133 16133 F DEBUG   :       #03 pc 00000000005ca9d4  /apex/com.android.art/lib64/libart.so!libart.so (offset 0x35a000) (art::ThreadPoolWorker::Callback(void*)+192) (BuildId: d9d09da4285f1f09feadb805782797e4)
10-17 15:11:37.544 16133 16133 F DEBUG   :       #04 pc 00000000000eb868  /apex/com.android.runtime/lib64/bionic/libc.so (__pthread_start(void*)+64) (BuildId: a790cdbd8e44ea8a90802da343cb82ce)
10-17 15:11:37.544 16133 16133 F DEBUG   :       #05 pc 000000000008ba88  /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+64) (BuildId: a790cdbd8e44ea8a90802da343cb82ce)

Some examples of affected phones (probably just all MIUI 12 phones):

  • Mi 9T MIUI Global 12.1.1
  • Poco X3 NFC MIUI Global 12.5.1.0
  • Redmi Note 10 Pro MIUI Global 12.5.3

Edit: Also seems to happen on Realme and Oppo phones.

@vegedreamgagnoa

Make sure you bypass the restriction, using tiann/freereflection or something!

@vegedreamgagnoa

vegedreamgagnoa commented Nov 8, 2021

Because I also have MIUI 12 and no problems here. I added a restriction bypass before using Pine.

@canyie (Owner)

canyie commented Dec 11, 2021

Can confirm on Mi 10i (Redmi Note 9 Pro) with MIUI 12.

E/Pine: address of ProcessProfilingInfo=0x7344add33c
A/libc: Fatal signal 4 (SIGILL), code 1 (ILL_ILLOPC), fault addr 0x7344add348 in tid 13504 (Jit thread pool), pid 13498 (e.pine.examples)
A/DEBUG: backtrace:
A/DEBUG:       #00 pc 000000000034b348  /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x34b000) (art::ProfileSaver::NotifyJitActivity()) (BuildId: dc07026eb326bf48bb9d36ad9ec43a22)

0x7344add348 (address of crash point) - 0x7344add33c (address of ProcessProfilingInfo) = 0xc = 12, which is smaller than the trampoline size on arm64.
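
The arithmetic above is the whole bug: an inline hook patches a jump trampoline over the first bytes of the target, and on arm64 that trampoline is longer than the 12-byte wrapper MIUI left behind, so the write runs into the next function (NotifyJitActivity) and the JIT thread later executes a fragment of the patch instead of a real instruction. The following C program is an added example, not Pine's code, that reproduces the mechanism in a buffer and shows the pre-hook size check that would have turned the SIGILL into a refused hook. It assumes a common 16-byte arm64 absolute-jump trampoline (LDR X17,[PC,#8]; BR X17; .quad target), which may differ from Pine's real one; the symbol addresses are the two from the log above, NotifyJitActivity starting 12 bytes after ProcessProfilingInfo is inferred from the 0xc offset, the third symbol and the handler address 0x73e9600000 are constructed placeholders, and the NOP-filled code region stands in for the real libart bytes.

```c
/*
 * Added example (not Pine's code): why writing an inline-hook trampoline into a
 * 12-byte function on arm64 clobbers the function that follows it, and the
 * size check that refuses such a target up front.
 *
 * Assumptions:
 *  - TRAMPOLINE_SIZE models a common 16-byte arm64 absolute jump
 *    (LDR X17,[PC,#8]; BR X17; .quad target); Pine's real trampoline may differ.
 *  - Addresses of the first two symbols come from canyie's log; the 12-byte
 *    gap is inferred from the crash offset; the third symbol is constructed.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TRAMPOLINE_SIZE 16u
#define WRAPPER_SIZE    12u   /* size of the MIUI wrapper, from the 0xc in the log */

typedef struct { const char *name; uint64_t addr; } sym_t;

/* Sorted by address, as a .dynsym/.symtab scan would produce. */
static const sym_t kSyms[] = {
    { "art::ProfileSaver::ProcessProfilingInfo", 0x7344add33cULL },
    { "art::ProfileSaver::NotifyJitActivity",    0x7344add348ULL },
    { "<constructed next symbol>",               0x7344add400ULL },
};
#define NSYMS (sizeof kSyms / sizeof kSyms[0])

/* Bytes that may safely be overwritten at addr: the gap to the next symbol (0 if unknown). */
uint64_t usable_size(uint64_t addr) {
    for (size_t i = 0; i + 1 < NSYMS; i++)
        if (kSyms[i].addr == addr) return kSyms[i + 1].addr - addr;
    return 0;
}

/* The pre-hook check this issue was missing: refuse targets shorter than the trampoline. */
int can_hook(uint64_t addr) {
    return usable_size(addr) >= TRAMPOLINE_SIZE;
}

/* Emit the modelled trampoline, little-endian like the target CPU. */
void write_trampoline(uint8_t *out, uint64_t target) {
    const uint32_t ldr_x17 = 0x58000051u;   /* LDR X17, [PC, #8] */
    const uint32_t br_x17  = 0xd61f0220u;   /* BR X17            */
    for (unsigned i = 0; i < 4; i++) {
        out[i]     = (uint8_t)(ldr_x17 >> (8 * i));
        out[4 + i] = (uint8_t)(br_x17  >> (8 * i));
    }
    for (unsigned i = 0; i < 8; i++)
        out[8 + i] = (uint8_t)(target >> (8 * i));
}

/* Simulate hooking the 12-byte wrapper without the check and return the 32-bit
 * word that ends up at the neighbour's entry point. The region starts as NOPs,
 * a constructed stand-in for the real libart code. */
uint32_t clobbered_entry_word(uint64_t hook_target) {
    uint8_t code[WRAPPER_SIZE + 4];
    const uint32_t nop = 0xd503201fu;       /* AArch64 NOP */
    for (unsigned i = 0; i < sizeof code; i += 4)
        for (unsigned b = 0; b < 4; b++) code[i + b] = (uint8_t)(nop >> (8 * b));
    write_trampoline(code, hook_target);    /* 16 bytes into a 12-byte function */
    uint32_t w = 0;
    for (unsigned b = 0; b < 4; b++) w |= (uint32_t)code[WRAPPER_SIZE + b] << (8 * b);
    return w;
}

/* AArch64 encodes UDF #imm16 as 0x0000iiii: any word with a zero top half is
 * permanently undefined and raises SIGILL / ILL_ILLOPC when executed. */
int is_udf(uint32_t insn) {
    return (insn >> 16) == 0;
}

int main(void) {
    uint64_t target = kSyms[0].addr;
    printf("%s: usable %llu bytes, hookable=%d\n", kSyms[0].name,
           (unsigned long long)usable_size(target), can_hook(target));
    /* Constructed handler address in the same 0x73xxxxxxxx range as libart. */
    uint32_t w = clobbered_entry_word(0x73e9600000ULL);
    printf("neighbour entry word after blind hook: 0x%08x (udf=%d)\n", w, is_udf(w));
    return 0;
}
```

With a 0x73xxxxxxxx handler address the high half of the 8-byte literal lands exactly on NotifyJitActivity's first instruction slot as 0x00000073, which is consistent with the `*pc=0x000073` in the crash report above, and decodes as a permanently undefined instruction rather than anything the JIT thread could run. In a real framework the size bound comes from the ELF symbol table (`st_size`, or the gap to the next symbol as here) or from disassembling up to the first branch; the fix in 2f852b5 took the other route and hooked the larger callee instead, which is the right choice when the wrapper itself has nothing left to patch.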

@canyie canyie added the bug Something isn't working label Dec 11, 2021
@canyie canyie self-assigned this Dec 11, 2021
@canyie canyie closed this as completed in 2f852b5 Dec 11, 2021
canyie added a commit that referenced this issue Dec 11, 2021
Android 12 changes the symbol of `ProcessProfilingInfo`; just follow the change.
MIUI added a new function and moved the implementation to it; the old function just calls the new one and cannot be hooked due to its small size, so just hook the new one instead. Also removed the previous workaround, as we really fixed this issue. This fixes #18.
@Vendicated (Contributor, Author)

Thank you!
