frida-discover fails with the Chrome app in Android 10

[raulsiles]

When "frida-discover" is run to monitor the Chrome app (v 86.0.x.y) in Android 10, it dies with multiple error messages depending on the execution (as soon as it tries to run). Different crash samples are provided below.

The Frida environment is using version 12.11.18 in macOS and Python 3.8, and "frida-server" version 12.11.18 running as root in Android 10.

In this case "frida-discover" tries to trace all threads, and Frida dies. As a result, the app also dies:

$ frida-discover -U com.android.chrome
Tracing 47 threads. Press ENTER to stop.
Process terminated
Stopping...

$ frida-discover -U com.android.chrome
Failed to spawn: unable to find process with name 'com.android.chrome'

In this case, there is a trap via "libc" and "trichromelibrary":

$ frida-discover -U com.android.chrome
Tracing 49 threads. Press ENTER to stop.
Process crashed: Trace/BPT trap

***
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'google/sargo/sargo:10/QQ2A.200405.005/6254899:user/release-keys'
Revision: 'MP1.0'
ABI: 'arm'
Timestamp: 2020-10-20 11:37:52+0200
pid: 5675, tid: 5719, name: RenderThread  >>> com.android.chrome <<<
uid: 10189
signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
Abort message: 'RenderThread Looper POLL_ERROR!'
    r0  00000000  r1  00001657  r2  00000006  r3  00000006
    r4  00000006  r5  c3bfc930  r6  da29b254  r7  0000010c
    r8  c3bfc930  r9  c3bfc8bc  r10 c3bfc9b0  r11 d59eda20
    ip  c3bfc928  sp  c3bfc870  lr  ba335d9b  pc  ef032c74

backtrace:
      #00 pc 00097c74  /apex/com.android.runtime/lib/bionic/libc.so!libc.so (offset 0x97000) (tgkill+12) (BuildId: 8c3173001a99af3ab544de85a610e066)
      #01 pc 00348d99  /data/app/com.google.android.trichromelibrary_424009933-MLvtBvj9odLq1ZikiiIpiA==/base.apk
***
Stopping...

In this case, the script injection generates an exception and the script is destroyed:

$ frida-discover -U com.android.chrome
Injecting script...
Exception in thread Thread-1:
Traceback (most recent call last):
  File "/Applications/Xcode.app/Contents/Developer/Library/Frameworks/Python3.framework/Versions/3.8/lib/python3.8/threading.py", line 932, in _bootstrap_inner
    self.run()
  File "/Applications/Xcode.app/Contents/Developer/Library/Frameworks/Python3.framework/Versions/3.8/lib/python3.8/threading.py", line 870, in run
    self._target(*self._args, **self._kwargs)
  File "/Users/<user>/Library/Python/3.8/lib/python/site-packages/frida_tools/application.py", line 635, in _run
    work()
  File "/Users/<user>/Library/Python/3.8/lib/python/site-packages/frida_tools/application.py", line 330, in _try_start
    self._start()
  File "/Users/<user>/Library/Python/3.8/lib/python/site-packages/frida_tools/discoverer.py", line 35, in _start
    self._discoverer.start(self._session, self._runtime, self)
  File "/Users/<user>/Library/Python/3.8/lib/python/site-packages/frida_tools/discoverer.py", line 89, in start
    params = self._script.exports.start()
  File "/Users/<user>/Library/Python/3.8/lib/python/site-packages/frida/core.py", line 401, in method
    return script._rpc_request('call', js_name, args, **kwargs)
  File "/Users/<user>/Library/Python/3.8/lib/python/site-packages/frida/core.py", line 26, in wrapper
    return f(*args, **kwargs)
  File "/Users/<user>/Library/Python/3.8/lib/python/site-packages/frida/core.py", line 333, in _rpc_request
    raise result[2]
frida.InvalidOperationError: script is destroyed