Android 15: zygote64: Failed to reach single-threaded state #1133

Open
aleclearmind opened this issue Jan 19, 2025 · 10 comments

Comments

@aleclearmind

Problem

When launching an app while frida-server is running, zygote64 crashes with "Failed to reach single-threaded state"

Set up

OS: LineageOS 22.1 (based on AOSP 15)
Phone: Pixel 7
Frida version: 16.6.4

I get an error similar to #500 when starting an app while frida-server is running.

To reproduce

adb root
adb push frida-server-16.6.4-android-arm64 /data/local/tmp/frida-server
adb shell chmod 755 /data/local/tmp/frida-server
adb shell /data/local/tmp/frida-server

When I launch an application, from adb logcat I see the following:

11252 11252 W Zygote  : forkRepeatedly terminated due to non-simple command
11252 11252 D Zygote  : mbuffer starts with 18, nice name is , mEnd = 1765, mNext = 35, mLinesLeft = 16, mFd = 67
11252 11252 E zygote64: Not single threaded: bytes_read = 309 stat contents = "11252 (main) R 1 11252 0 0 -1 4194560 58037 139162 266 1435 84 361 1341 496 20 0 5 0 4101145 17336115200 52096 18446744073709551615 374155563008 37415..."
11252 11252 E zygote64: Other threads' abbreviated stats: 
11252 11252 E zygote64: After re-read: bytes_read = 150 stat contents = "11252 (main) R 1 11252 0 0 -1 4194560 58048 139162 266 1435 84 361 1341 496 20 0 5 0 4101145 17336115200 52096 18446744073709551615 374155563008 3741..."
11252 11252 F zygote64: runtime.cc:809] Failed to reach single-threaded state: wait_time = 4385
11252 11252 F zygote64: runtime.cc:707] Runtime aborting...
11252 11252 F zygote64: runtime.cc:707] Skipping all-threads dump as locks are held: thread_suspend_count_lock
11252 11252 F zygote64: runtime.cc:707] Aborting thread:
11252 11252 F zygote64: runtime.cc:707] "main" prio=5 tid=1 Native
11252 11252 F zygote64: runtime.cc:707]   | group="" sCount=0 ucsCount=0 flags=0 obj=0x72938d20 self=0xb400006fc7511be0
11252 11252 F zygote64: runtime.cc:707]   | sysTid=11252 nice=0 cgrp=default sched=0/0 handle=0x70de8ce0a0
11252 11252 F zygote64: runtime.cc:707]   | state=R schedstat=( 4454297440 426134072 4427 ) utm=84 stm=361 core=4 HZ=100
11252 11252 F zygote64: runtime.cc:707]   | stack=0x7fbfcac000-0x7fbfcae000 stackSize=8188KB
11252 11252 F zygote64: runtime.cc:707]   | held mutexes= "abort lock" "thread list lock" "mutator lock"(shared held)
11252 11252 F zygote64: runtime.cc:707]   native: #00 pc 004510cc  /apex/com.android.art/lib64/libart.so (art::DumpNativeStack+108) (BuildId: aa3cb587e62dcd7657261312998b429f)
11252 11252 F zygote64: runtime.cc:707]   native: #01 pc 005c1838  /apex/com.android.art/lib64/libart.so (art::Thread::DumpStack const+456) (BuildId: aa3cb587e62dcd7657261312998b429f)
11252 11252 F zygote64: runtime.cc:707]   native: #02 pc 00451b60  /apex/com.android.art/lib64/libart.so (art::Thread::DumpStack const+96) (BuildId: aa3cb587e62dcd7657261312998b429f)
11252 11252 F zygote64: runtime.cc:707]   native: #03 pc 008e46b8  /apex/com.android.art/lib64/libart.so (art::AbortState::DumpThread const+56) (BuildId: aa3cb587e62dcd7657261312998b429f)
11252 11252 F zygote64: runtime.cc:707]   native: #04 pc 008e42e0  /apex/com.android.art/lib64/libart.so (art::AbortState::Dump const+416) (BuildId: aa3cb587e62dcd7657261312998b429f)
11252 11252 F zygote64: runtime.cc:707]   native: #05 pc 008e1724  /apex/com.android.art/lib64/libart.so (art::Runtime::Abort+804) (BuildId: aa3cb587e62dcd7657261312998b429f)
11252 11252 F zygote64: runtime.cc:707]   native: #06 pc 000144d0  /apex/com.android.art/lib64/libbase.so (android::base::SetAborter::$_0::__invoke+80) (BuildId: 46b6a9bcb2abcf5a6ff00f0ebb5aae63)
11252 11252 F zygote64: runtime.cc:707]   native: #07 pc 00013a28  /apex/com.android.art/lib64/libbase.so (android::base::LogMessage::~LogMessage+520) (BuildId: 46b6a9bcb2abcf5a6ff00f0ebb5aae63)
11252 11252 F zygote64: runtime.cc:707]   native: #08 pc 00535304  /apex/com.android.art/lib64/libart.so (art::Runtime::PreZygoteFork+2404) (BuildId: aa3cb587e62dcd7657261312998b429f)
11252 11252 F zygote64: runtime.cc:707]   native: #09 pc 00534918  /apex/com.android.art/lib64/libart.so (art::ZygoteHooks_nativePreFork +56) (BuildId: aa3cb587e62dcd7657261312998b429f)
11252 11252 F zygote64: runtime.cc:707]   native: #10 pc 00014078  /system/framework/arm64/boot-core-libart.oat (art_jni_trampoline+104) (BuildId: 3fbb629a4aca93d38e64b2280938856348286aad)
11252 11252 F zygote64: runtime.cc:707]   native: #11 pc 00029d40  /system/framework/arm64/boot-core-libart.oat (dalvik.system.ZygoteHooks.preFork+112) (BuildId: 3fbb629a4aca93d38e64b2280938856348286aad)
11252 11252 F zygote64: runtime.cc:707]   native: #12 pc 00806720  /system/framework/arm64/boot-framework.oat (com.android.internal.os.ZygoteConnection.processCommand+848) (BuildId: d749efbe6b0792c81e599f06ed790e86982c9881)
11252 11252 F zygote64: runtime.cc:707]   native: #13 pc 00807f74  /system/framework/arm64/boot-framework.oat (com.android.internal.os.ZygoteServer.runSelectLoop+2084) (BuildId: d749efbe6b0792c81e599f06ed790e86982c9881)
11252 11252 F zygote64: runtime.cc:707]   native: #14 pc 008169c4  /system/framework/arm64/boot-framework.oat (com.android.internal.os.ZygoteInit.main+2948) (BuildId: d749efbe6b0792c81e599f06ed790e86982c9881)
11252 11252 F zygote64: runtime.cc:707]   native: #15 pc 003fc660  /apex/com.android.art/lib64/libart.so (art_quick_invoke_static_stub+640) (BuildId: aa3cb587e62dcd7657261312998b429f)
11252 11252 F zygote64: runtime.cc:707]   native: #16 pc 00243c9c  /apex/com.android.art/lib64/libart.so (art::ArtMethod::Invoke+204) (BuildId: aa3cb587e62dcd7657261312998b429f)
11252 11252 F zygote64: runtime.cc:707]   native: #17 pc 00244028  /apex/com.android.art/lib64/libart.so (art::JValue art::InvokeWithVarArgs<_jmethodID*>+568) (BuildId: aa3cb587e62dcd7657261312998b429f)
11252 11252 F zygote64: runtime.cc:707]   native: #18 pc 006e4fb8  /apex/com.android.art/lib64/libart.so (art::JNI<true>::CallStaticVoidMethodV+136) (BuildId: aa3cb587e62dcd7657261312998b429f)
11252 11252 F zygote64: runtime.cc:707]   native: #19 pc 000d7638  /system/lib64/libandroid_runtime.so (_JNIEnv::CallStaticVoidMethod+104) (BuildId: 4992a4b3ab646d74ec65a1b6cb30f478)
11252 11252 F zygote64: runtime.cc:707]   native: #20 pc 000ed85c  /system/lib64/libandroid_runtime.so (android::AndroidRuntime::start+844) (BuildId: 4992a4b3ab646d74ec65a1b6cb30f478)
11252 11252 F zygote64: runtime.cc:707]   native: #21 pc 0000259c  /system/bin/app_process64 (main+1212) (BuildId: 591a760d5525738102d35ef3dd197404)
11252 11252 F zygote64: runtime.cc:707]   native: #22 pc 000574f4  /apex/com.android.runtime/lib64/bionic/libc.so (__libc_init+116) (BuildId: 86c1cf5355663d1bf73d5263da254ebc)
11252 11252 F zygote64: runtime.cc:707]   at dalvik.system.ZygoteHooks.nativePreFork(Native method)
11252 11252 F zygote64: runtime.cc:707]   at dalvik.system.ZygoteHooks.preFork(ZygoteHooks.java:164)
11252 11252 F zygote64: runtime.cc:707]   at com.android.internal.os.ZygoteConnection.processCommand(ZygoteConnection.java:282)
11252 11252 F zygote64: runtime.cc:707]   at com.android.internal.os.ZygoteServer.runSelectLoop(ZygoteServer.java:521)
11252 11252 F zygote64: runtime.cc:707]   at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:858)
11252 11252 F zygote64: runtime.cc:707] 
11252 11252 W main    : type=1400 audit(0.0:2709): avc:  denied  { sys_nice } for  capability=23  scontext=u:r:zygote:s0 tcontext=u:r:zygote:s0 tclass=capability permissive=0
11252 11252 W gdbus   : type=1400 audit(0.0:2710): avc:  denied  { sys_nice } for  capability=23  scontext=u:r:zygote:s0 tcontext=u:r:zygote:s0 tclass=capability permissive=0
11252 11252 F libc    : Fatal signal 6 (SIGABRT), code -1 (SI_QUEUE) in tid 11252 (main), pid 11252 (main)
19439 19439 E crash_dump64: failed to get the guest state header for thread 11252: Bad address
  635   635 I tombstoned: received crash request for pid 11252
11252 11252 E Zygote  : Zygote failed to write to system_server FD: Bad file descriptor
11252 11252 I Zygote  : Process 19438 exited cleanly (0)
19439 19439 I crash_dump64: performing dump of process 11252 (target tid = 11252)
11252 11252 F libc    : failed to wait for crash_dump helper: No child processes
  462   462 I logd    : logdr: UID=0 GID=0 PID=19439 n tail=500 logMask=8 pid=11252 start=0ns deadline=0ns
  462   462 I logd    : logdr: UID=0 GID=0 PID=19439 n tail=500 logMask=1 pid=11252 start=0ns deadline=0ns
19439 19439 F DEBUG   : pid: 11252, tid: 11252, name: main  >>> zygote64 <<<
11403 11702 W NativeCrashListener: Couldn't find ProcessRecord for pid 11252
    1     1 I init    : Service 'zygote' (pid 11252) received signal 6
    1     1 I init    : Sending signal 9 to service 'zygote' (pid 11252) process group...
    1     1 I libprocessgroup: Removed cgroup /sys/fs/cgroup/uid_0/pid_11252

Afterwards, I get a soft reboot.

Let me know if I can provide further information.
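The two `E zygote64` lines above quote the zygote's own `/proc/self/stat`; the field ART is checking before `fork()` is `num_threads` (field 20 per proc(5)), which reads 5 in both snapshots, and the fatal abort follows once the count never drops to 1. The following is an added triage script, not part of this issue or of Frida, that pulls those quoted stat strings out of a logcat capture, parses them (handling the parenthesised `comm` field correctly) and reports the thread count alongside whether the abort fired. The sample input is copied from the log excerpt above, truncated the way ART truncates it.

```python
import re

# Constructed sample input: four lines copied from the logcat excerpt in this
# issue (ART itself truncates the stat contents with "...").
SAMPLE_LOGCAT = """\
11252 11252 W Zygote  : forkRepeatedly terminated due to non-simple command
11252 11252 E zygote64: Not single threaded: bytes_read = 309 stat contents = "11252 (main) R 1 11252 0 0 -1 4194560 58037 139162 266 1435 84 361 1341 496 20 0 5 0 4101145 17336115200 52096 18446744073709551615 374155563008 37415..."
11252 11252 E zygote64: After re-read: bytes_read = 150 stat contents = "11252 (main) R 1 11252 0 0 -1 4194560 58048 139162 266 1435 84 361 1341 496 20 0 5 0 4101145 17336115200 52096 18446744073709551615 374155563008 3741..."
11252 11252 F zygote64: runtime.cc:809] Failed to reach single-threaded state: wait_time = 4385
"""

# ART quotes the raw /proc/self/stat text after 'stat contents = '.
STAT_RE = re.compile(r'stat contents = "(?P<stat>[^"]*)"')
ABORT_MARKER = "Failed to reach single-threaded state"


def parse_proc_stat(stat: str) -> dict:
    """Extract pid, comm, state, ppid, utime, stime and num_threads from a
    /proc/<pid>/stat line.

    Field numbering follows proc(5): 1 pid, 2 comm, 3 state, 4 ppid, ...,
    14 utime, 15 stime, ..., 20 num_threads.  comm is wrapped in parentheses
    and may itself contain spaces or ')', so split on the LAST ')' rather
    than naively on whitespace.
    """
    lparen = stat.index("(")
    rparen = stat.rindex(")")
    pid = int(stat[:lparen].strip())
    comm = stat[lparen + 1:rparen]
    rest = stat[rparen + 1:].split()  # rest[i] is stat field i + 3
    if len(rest) < 18:
        raise ValueError("stat line truncated before num_threads")
    return {
        "pid": pid,
        "comm": comm,
        "state": rest[0],
        "ppid": int(rest[1]),
        "utime": int(rest[11]),
        "stime": int(rest[12]),
        "num_threads": int(rest[17]),
    }


def triage_zygote_fork(logcat_text: str) -> dict:
    """Scan a logcat capture for ART's pre-fork thread-count check.

    Returns one parsed snapshot per 'stat contents' line, whether the fatal
    'Failed to reach single-threaded state' abort followed, and how many
    threads beyond the single one ART expects were present at worst.
    """
    snapshots = []
    aborted = False
    for line in logcat_text.splitlines():
        m = STAT_RE.search(line)
        if m:
            snapshots.append(parse_proc_stat(m.group("stat")))
        elif ABORT_MARKER in line:
            aborted = True
    return {
        "snapshots": snapshots,
        "aborted": aborted,
        # ART insists on exactly one thread in the zygote before fork().
        "extra_threads": max((s["num_threads"] - 1 for s in snapshots), default=0),
    }


if __name__ == "__main__":
    result = triage_zygote_fork(SAMPLE_LOGCAT)
    for s in result["snapshots"]:
        print(f"pid {s['pid']} ({s['comm']}): num_threads={s['num_threads']} "
              f"utime={s['utime']} stime={s['stime']}")
    print(f"aborted={result['aborted']} extra_threads={result['extra_threads']}")
```

Run it against a full `adb logcat` dump instead of the embedded sample to confirm the same signature: a `num_threads` greater than 1 on every snapshot followed by the abort means the zygote still had extra threads when `PreZygoteFork` ran. The `utime`/`stime` values (84/361) match the `utm=84 stm=361` in the thread dump below the stat lines, which is a quick sanity check that the field offsets are right.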

@kaftejiman

can you grep for "JNI FatalError called: (system_server) Not allowlisted" at the logs?

@aleclearmind
Author

can you grep for "JNI FatalError called: (system_server) Not allowlisted" at the logs?

Can't find anything similar.

$ grep -i 'allow.*system_server' log.log | wc -l
0
$ grep -i 'system_server.*allow' log.log | wc -l
0

@kaftejiman

kaftejiman commented Jan 22, 2025

Thank you, I also get this error on my device, therefore I am trying to check whether they share the same root cause. Can you please egrep for "Zygote : Process (.*) exited due to signal 11 \(Segmentation fault\)"? And also, can you please mention your ART version? You can get it with the command "pm dump com.google.android.art | grep Version".

@aleclearmind
Author

can you please grep for "DEBUG : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr" ?

$ grep -i segv log | wc -l
0

You can get it with the command "pm dump com.google.android.art | grep Version" ?

I had to use com.android.art (without .google).

$ adb shell pm dump com.android.art | grep -i Version
    Version: 352090000
      enabled=true minSdkVersion=31 targetSdkVersion=35 versionCode=352090000 targetSandboxVersion=1
    Version: 352090000
      enabled=true minSdkVersion=31 targetSdkVersion=35 versionCode=352090000 targetSandboxVersion=1

@enovella
Contributor

enovella commented Feb 7, 2025

Failed to reach single-threaded state

I remember this log info - #500. Probably you need to tweak the injection a bit on your ROM to make it work. Check this 165480d

@aleclearmind
Author

It might be worth noting that this only happens when I see a secondary Android profile.
With my main Android profile, things seem to work.

@aleclearmind
Author

I'm trying to triage what's wrong with ThreadCountCloaker but without a debug print it's rather difficult.
What is the proper way to have some debug output?

I tried adding a stderr.printf but it is my understanding that ThreadCountCloaker is executed in the target process. I can't see my output in logcat either.

@bl4ckbo7

@aleclearmind @enovella Facing exactly the same issue on a Pixel 7a.

@enovella
Contributor

@bl4ckbo7 with Frida 16.6.6?

@bl4ckbo7

@enovella Well, after upgrading to Frida 16.6.6 this issue doesn't occur again. It's solved really.
