[Android 16] App crashes during Garbage Collection when Frida is attached (Build BP4A.251205.006) #387
Description
Environment
- Frida Version: 17.6.2
- Device: Pixel 7 (Panther)
- OS: Android 16
- ART versionCode: com.android.art@361302280
Description: The process consistently crashes with a SIGSEGV (Null pointer dereference) within the ART Garbage Collector while performing a stack walk. The crash occurs in art::CodeInfo::DecodeGcMasksOnly, suggesting that the GC is encountering an invalid or missing CodeInfo metadata block for a stack frame—likely one modified or intercepted by Frida. This is observed specifically on the Android 16 preview build (BP4A.251205.006).
Observed Behavior
- The crash occurs as soon as the app attempts to execute Java/Kotlin logic (in this case, during OkHttp/networking events) while Frida is attached.
- The fault address 0x0 (as seen in the log) indicates a null pointer dereference when the GC attempts to read the OatQuickMethodHeader or its associated CodeInfo.
Crash Log (Backtrace)
Process crashed: Bad access due to invalid address
***
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'google/panther/panther:16/BP4A.251205.006/14401865:user/release-keys'
Kernel Release: '6.1.145-android14-11-gc1de4747ac59-ab14219743'
Revision: 'MP1.0'
ABI: 'arm64'
Timestamp: 2026-02-11 04:59:41.706140548-0800
Process uptime: 11s
Executable: /system/bin/app_process64
Cmdline: com.redacted.app
pid: 8280, tid: 8284, name: HeapTaskDaemon >>> com.redacted.app <<<
uid: 10295
tagged_addr_ctrl: 0000000000000001 (PR_TAGGED_ADDR_ENABLE)
esr: 0000000092000006 (Data Abort Exception 0x24)
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0000000000000000 (read)
Cause: null pointer dereference
x0 0000000000000000 x1 00000000701a6048 x2 0000000000000000 x3 0000007b0122ada0
x4 0000007b0122b748 x5 0000000000000004 x6 49c2300000000000 x7 00000000ffffff5c
x8 8244ff6a4d49b2f9 x9 0000000000000001 x10 0000000000000001 x11 00000000701a6048
x12 000000000003a048 x13 00000000015c9000 x14 fffffffffcaee048 x15 00000000000e6a00
x16 0000007b34039260 x17 0000007b340382bc x18 0000007aaa9c8000 x19 0000007b0122ada0
x20 0000007b0122c640 x21 0000007b0122ab90 x22 0000007b0122ada0 x23 0000000000000000
x24 0000000050380001 x25 0000007b348cbfe8 x26 b400007cd6e90ab8 x27 000000130000000e
x28 0000007b0122c640 x29 0000007b0122ad30
lr 0000007b342f4c70 sp 0000007b0122ab90 pc 0000007b342f57b0 pst 0000000000001000
esr 0000000092000006
8 total frames
backtrace:
#00 pc 00000000006377b0 /apex/com.android.art/lib64/libart.so (art::CodeInfo::DecodeGcMasksOnly(art::OatQuickMethodHeader const*)+48) (BuildId: 61c7a211c01ef3c0068b4fbe31051050)
frida/frida#1 pc 0000000000636c6c /apex/com.android.art/lib64/libart.so (art::ReferenceMapVisitor<art::RootCallbackVisitor, false>::VisitFrame()+240) (BuildId: 61c7a211c01ef3c0068b4fbe31051050)
frida/frida#2 pc 000000000037a584 /apex/com.android.art/lib64/libart.so (void art::StackVisitor::WalkStack<(art::StackVisitor::CountTransitions)1>(bool)+712) (BuildId: 61c7a211c01ef3c0068b4fbe31051050)
frida/frida#3 pc 0000000000379e0c /apex/com.android.art/lib64/libart.so (void art::Thread::VisitRoots<false>(art::RootVisitor*)+1024) (BuildId: 61c7a211c01ef3c0068b4fbe31051050)
frida/frida#4 pc 000000000037d47c /apex/com.android.art/lib64/libart.so (art::gc::collector::MarkCompact::RunPhases()+5344) (BuildId: 61c7a211c01ef3c0068b4fbe31051050)
frida/frida#5 pc 00000000003e71bc /apex/com.android.art/lib64/libart.so (art::gc::collector::GarbageCollector::Run(art::gc::GcCause, bool)+324) (BuildId: 61c7a211c01ef3c0068b4fbe31051050)
frida/frida#6 pc 00000000003ea5d4 /apex/com.android.art/lib64/libart.so (art::gc::Heap::CollectGarbageInternal(art::gc::collector::GcType, art::gc::GcCause, bool, unsigned int)+516) (BuildId: 61c7a211c01ef3c0068b4fbe31051050)
frida/frida#7 pc 0000000000000908 <anonymous:7df9779000>
***
Attaching the libart.so file form my device: libart-216.so.zip