Description
Introduced in frida-java-bridge v7.0.11 (also confirmed on current latest v7.0.13), loading a script that has Java.use(...)["<init>"] crashes the target process.
Issue description:
Provided that jvmti is available, the logic in lib/class-model.js:284 calls model_add_method even if the current function is a constructor ("<init>" or "<clinit>"), leading to an invalid function definition which crashes the process on access.
The other two paths in model_new avoid adding constructors like so:
- art_api path:

```c
else if (art_api.available)
{
  //...
  if ((access_flags & kAccConstructor) != 0)
    continue;
```

- get_declared_methods doesn't get constructors:

```c
else
{
  jobject elements;
  elements = call_object_method (env, class_handle, java_api.clazz.get_declared_methods);
```

Environment:
- Tested on Android 11 and Android 16 AVD images
Test performed:
jvmti_init_crash.js:

```javascript
import Java from "frida-java-bridge";

// Accessing '<init>' on the class wrapper is enough to trigger the crash described above
Java.perform(() => { Java.use('java.lang.Object')['<init>'] })
```

- frida-pm install frida-java-bridge@7.0.11 # or 7.0.12 or 7.0.13
- frida-compile jvmti_init_crash.js -o jvmti_init_crash_compiled.js
- frida -UF -l jvmti_init_crash_compiled.js
frida shell output:

```text
$ frida -UF -l jvmti_init_crash_compiled.js
     ____
    / _  |   Frida 17.8.2 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to Android Emulator 5554 (id=emulator-5554)
Failed to load script: the connection is closed

Thank you for using Frida!
```
logcat logs:
03-19 00:56:40.647 4177 15511 F libc : Fatal signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x4 in tid 15511 (Thread-2), pid 4177 (droid.deskclock)
03-19 00:56:40.683 15514 15514 I crash_dump64: obtaining output fd from tombstoned, type: kDebuggerdTombstoneProto
03-19 00:56:40.684 307 307 I tombstoned: received crash request for pid 15511
03-19 00:56:40.685 15514 15514 I crash_dump64: performing dump of process 4177 (target tid = 15511)
03-19 00:56:40.827 0 0 I logd : logdr: UID=10170 GID=10170 PID=15514 n tail=500 logMask=8 pid=4177 start=0ns deadline=0ns
03-19 00:56:40.851 0 0 I logd : logdr: UID=10170 GID=10170 PID=15514 n tail=500 logMask=1 pid=4177 start=0ns deadline=0ns
03-19 00:56:40.900 15514 15514 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
03-19 00:56:40.900 15514 15514 F DEBUG : Build fingerprint: 'google/sdk_gphone64_x86_64/emu64xa:16/BE2A.250530.026.F3/13894323:userdebug/dev-keys'
03-19 00:56:40.901 15514 15514 F DEBUG : Revision: '0'
03-19 00:56:40.902 15514 15514 F DEBUG : ABI: 'x86_64'
03-19 00:56:40.902 15514 15514 F DEBUG : Timestamp: 2026-03-19 00:56:40.690669100+0000
03-19 00:56:40.903 15514 15514 F DEBUG : Process uptime: 653535s
03-19 00:56:40.903 15514 15514 F DEBUG : Cmdline: com.google.android.deskclock
03-19 00:56:40.904 15514 15514 F DEBUG : pid: 4177, tid: 15511, name: Thread-2 >>> com.google.android.deskclock <<<
03-19 00:56:40.904 15514 15514 F DEBUG : uid: 10170
03-19 00:56:40.904 15514 15514 F DEBUG : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0000000000000004
03-19 00:56:40.904 15514 15514 F DEBUG : Cause: null pointer dereference
03-19 00:56:40.905 15514 15514 F DEBUG : rax 0000000000000000 rbx 0000000000000000 rcx 0000000000000080 rdx 0000000000000008
03-19 00:56:40.905 15514 15514 F DEBUG : r8 ffffffffffffffff r9 00007104eebbaae0 r10 0000000000000000 r11 0000710243897e40
03-19 00:56:40.906 15514 15514 F DEBUG : r12 0000000002274188 r13 0000710243250ab5 r14 000071022f969d78 r15 000000006fbfb058
03-19 00:56:40.906 15514 15514 F DEBUG : rdi 000000006fa27ba8 rsi 000000006fbfb058
03-19 00:56:40.906 15514 15514 F DEBUG : rbp 000071022f969c80 rsp 000071022f969bd0 rip 0000710243a9d10e
03-19 00:56:40.907 15514 15514 F DEBUG : 56 total frames
03-19 00:56:40.907 15514 15514 F DEBUG : backtrace:
03-19 00:56:40.908 15514 15514 F DEBUG : #00 pc 000000000089d10e /apex/com.android.art/lib64/libart.so (art::JValue art::InvokeVirtualOrInterfaceWithVarArgs<_jmethodID*>(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, _jmethodID*, __va_list_tag*)+190) (BuildId: 108a321dc93c20580e74b855c407e975)
03-19 00:56:40.908 15514 15514 F DEBUG : #1 pc 0000000000698178 /apex/com.android.art/lib64/libart.so (art::JNI::CallObjectMethod(_JNIEnv*, _jobject*, _jmethodID*, ...)+824) (BuildId: 108a321dc93c20580e74b855c407e975)
03-19 00:56:40.908 15514 15514 F DEBUG : #2 pc 0000000000c9ab61 /memfd:frida-agent-64.so (deleted)
03-19 00:56:40.908 15514 15514 F DEBUG : #3 pc 0000000000c9a226 /memfd:frida-agent-64.so (deleted)
03-19 00:56:40.909 15514 15514 F DEBUG : #4 pc 0000000000c99f86 /memfd:frida-agent-64.so (deleted)
03-19 00:56:40.909 15514 15514 F DEBUG : #5 pc 0000000000b78b14 /memfd:frida-agent-64.so (deleted)
03-19 00:56:40.910 15514 15514 F DEBUG : #6 pc 0000000000b786a3 /memfd:frida-agent-64.so (deleted)
03-19 00:56:40.910 15514 15514 F DEBUG : #7 pc 0000000000b785f9 /memfd:frida-agent-64.so (deleted)
03-19 00:56:40.911 15514 15514 F DEBUG : #8 pc 0000000000d36819 /memfd:frida-agent-64.so (deleted)
03-19 00:56:40.911 15514 15514 F DEBUG : #9 pc 0000000000d37a7e /memfd:frida-agent-64.so (deleted)
03-19 00:56:40.911 15514 15514 F DEBUG : #10 pc 0000000000d36580 /memfd:frida-agent-64.so (deleted)
03-19 00:56:40.912 15514 15514 F DEBUG : #11 pc 0000000000d74785 /memfd:frida-agent-64.so (deleted)
03-19 00:56:40.912 15514 15514 F DEBUG : #12 pc 0000000000d2c7ca /memfd:frida-agent-64.so (deleted)
03-19 00:56:40.912 15514 15514 F DEBUG : #13 pc 0000000000d36819 /memfd:frida-agent-64.so (deleted)
03-19 00:56:40.912 15514 15514 F DEBUG : #14 pc 0000000000d37c52 /memfd:frida-agent-64.so (deleted)
03-19 00:56:40.912 15514 15514 F DEBUG : #15 pc 0000000000d37a7e /memfd:frida-agent-64.so (deleted)
03-19 00:56:40.912 15514 15514 F DEBUG : #16 pc 0000000000d37a7e /memfd:frida-agent-64.so (deleted)
03-19 00:56:40.913 15514 15514 F DEBUG : #17 pc 0000000000d37c52 /memfd:frida-agent-64.so (deleted)
03-19 00:56:40.914 15514 15514 F DEBUG : #18 pc 0000000000d37c52 /memfd:frida-agent-64.so (deleted)
03-19 00:56:40.914 15514 15514 F DEBUG : #19 pc 0000000000d30ece /memfd:frida-agent-64.so (deleted)
03-19 00:56:40.914 15514 15514 F DEBUG : #20 pc 0000000000d5a465 /memfd:frida-agent-64.so (deleted)
03-19 00:56:40.915 15514 15514 F DEBUG : #21 pc 0000000000d315ce /memfd:frida-agent-64.so (deleted)
03-19 00:56:40.915 15514 15514 F DEBUG : #22 pc 0000000000d32566 /memfd:frida-agent-64.so (deleted)
03-19 00:56:40.915 15514 15514 F DEBUG : #23 pc 0000000000d3bda3 /memfd:frida-agent-64.so (deleted)
03-19 00:56:40.916 15514 15514 F DEBUG : #24 pc 0000000000d37a7e /memfd:frida-agent-64.so (deleted)
03-19 00:56:40.916 15514 15514 F DEBUG : #25 pc 0000000000d37c52 /memfd:frida-agent-64.so (deleted)
03-19 00:56:40.917 15514 15514 F DEBUG : #26 pc 0000000000d37c52 /memfd:frida-agent-64.so (deleted)
03-19 00:56:40.917 15514 15514 F DEBUG : #27 pc 0000000000d37a7e /memfd:frida-agent-64.so (deleted)
03-19 00:56:40.917 15514 15514 F DEBUG : #28 pc 0000000000d37c52 /memfd:frida-agent-64.so (deleted)
03-19 00:56:40.917 15514 15514 F DEBUG : #29 pc 0000000000d37c52 /memfd:frida-agent-64.so (deleted)
03-19 00:56:40.918 15514 15514 F DEBUG : #30 pc 0000000000d37c52 /memfd:frida-agent-64.so (deleted)
03-19 00:56:40.918 15514 15514 F DEBUG : #31 pc 0000000000d51d08 /memfd:frida-agent-64.so (deleted)
03-19 00:56:40.918 15514 15514 F DEBUG : #32 pc 0000000000d5c620 /memfd:frida-agent-64.so (deleted)
03-19 00:56:40.918 15514 15514 F DEBUG : #33 pc 0000000000d4577c /memfd:frida-agent-64.so (deleted)
03-19 00:56:40.918 15514 15514 F DEBUG : #34 pc 0000000000d53168 /memfd:frida-agent-64.so (deleted)
03-19 00:56:40.918 15514 15514 F DEBUG : #35 pc 0000000000d52f8f /memfd:frida-agent-64.so (deleted)
03-19 00:56:40.919 15514 15514 F DEBUG : #36 pc 0000000000d3f49e /memfd:frida-agent-64.so (deleted)
03-19 00:56:40.919 15514 15514 F DEBUG : #37 pc 0000000000d3f38c /memfd:frida-agent-64.so (deleted)
03-19 00:56:40.919 15514 15514 F DEBUG : #38 pc 0000000000b6d8d1 /memfd:frida-agent-64.so (deleted)
03-19 00:56:40.919 15514 15514 F DEBUG : #39 pc 0000000000b6a65b /memfd:frida-agent-64.so (deleted)
03-19 00:56:40.919 15514 15514 F DEBUG : #40 pc 0000000000d2c8ac /memfd:frida-agent-64.so (deleted)
03-19 00:56:40.920 15514 15514 F DEBUG : #41 pc 0000000000d36819 /memfd:frida-agent-64.so (deleted)
03-19 00:56:40.921 15514 15514 F DEBUG : #42 pc 0000000000d36580 /memfd:frida-agent-64.so (deleted)
03-19 00:56:40.921 15514 15514 F DEBUG : #43 pc 0000000000d52690 /memfd:frida-agent-64.so (deleted)
03-19 00:56:40.921 15514 15514 F DEBUG : #44 pc 0000000000d2ce50 /memfd:frida-agent-64.so (deleted)
03-19 00:56:40.921 15514 15514 F DEBUG : #45 pc 0000000000b73215 /memfd:frida-agent-64.so (deleted)
03-19 00:56:40.921 15514 15514 F DEBUG : #46 pc 0000000000b72f02 /memfd:frida-agent-64.so (deleted)
03-19 00:56:40.921 15514 15514 F DEBUG : #47 pc 0000000000b6d811 /memfd:frida-agent-64.so (deleted)
03-19 00:56:40.922 15514 15514 F DEBUG : #48 pc 0000000000b696fa /memfd:frida-agent-64.so (deleted)
03-19 00:56:40.923 15514 15514 F DEBUG : #49 pc 0000000000cad2b9 /memfd:frida-agent-64.so (deleted)
03-19 00:56:40.923 15514 15514 F DEBUG : #50 pc 0000000000cad4f1 /memfd:frida-agent-64.so (deleted)
03-19 00:56:40.923 15514 15514 F DEBUG : #51 pc 0000000000cad628 /memfd:frida-agent-64.so (deleted)
03-19 00:56:40.924 15514 15514 F DEBUG : #52 pc 0000000000b69637 /memfd:frida-agent-64.so (deleted)
03-19 00:56:40.924 15514 15514 F DEBUG : #53 pc 0000000000cbfdbb /memfd:frida-agent-64.so (deleted)
03-19 00:56:40.925 15514 15514 F DEBUG : #54 pc 000000000007ac5f /apex/com.android.runtime/lib64/bionic/libc.so (__pthread_start(void*)+63) (BuildId: fcb82240218d1473de1e3d2137c0be35)
03-19 00:56:40.925 15514 15514 F DEBUG : #55 pc 000000000006d94d /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+61) (BuildId: fcb82240218d1473de1e3d2137c0be35)
03-19 00:56:40.934 729 15519 I am_crash: [729,0,com.google.android.deskclock,818658885,Native crash,Segmentation fault,unknown,0,0]
Suggested fix (from v7.0.13):
--- a/lib/class-model.js
+++ b/lib/class-model.js
@@ -282,7 +282,8 @@ model_new (jclass class_handle,
get_method_name (jvmti, method, &name, NULL, NULL);
get_method_modifiers (jvmti, method, &modifiers);
- model_add_method (model, name, method, modifiers);
+ if (name[0] != '<')
+ model_add_method (model, name, method, modifiers);
deallocate (jvmti, name);
}
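Review bot: the new guard `if (name[0] != '<')` dereferences `name` unconditionally, while the return value of the preceding `get_method_name (jvmti, method, &name, NULL, NULL);` is discarded, so a failed name lookup would turn into a read through an uninitialised or NULL pointer on the very line that is meant to prevent a crash. Initialise `name` to NULL before the call and write the guard as `if (name != NULL && name[0] != '<')`, or skip the method (and the `deallocate`) entirely when `get_method_name` does not succeed. A one-line comment stating that the `'<'` prefix test excludes `<init>` and `<clinit>`, mirroring the kAccConstructor check on the art_api path and the behaviour of `get_declared_methods` on the JNI path, would also help: as written, `'<'` reads as a magic character and nothing ties the three paths together.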