Java.cast resulting in JNI DETECTED ERROR IN APPLICATION: use of deleted global reference

[StefaanSeys]

Hi,

I have a problem with using a Java.cast inside an onButtonClick event overwrite in Android.

This is my hooking code:

Java.perform(function () {
    var hook = Java.use('com.test.MainActivity$1');
    var EditText = Java.use('android.widget.EditText');
    
    hook.onClick.implementation = function (s) {
        var pwd = Java.cast(ptr(this.val$pwd1.value.$handle), EditText);
        // now that we have the EditText instance, print its contents
        send("Entered password: " + pwd.getText().toString());
        this.onClick(s);
    };
});

I am using frida-gadget-12.2.5 inserted in a test application. Other hooks are working, but not this one. This hook has worked before, using frida-server on a rooted phone.

The error I get in logcat is JNI DETECTED ERROR IN APPLICATION: use of deleted global reference and frida crashes with Error: abort was called. I understand that the Garbage collector has cleared something before I can cast the object, but I do not know how to fix it.

I also tried with
var pwd = Java.cast(this.val$pwd1.value, EditText);
This no longer results in a crash of frida when doing the Java.cast, but it does crash when using pwd.getText() with a frida error {'type': 'error', 'description': 'Error: access violation accessing 0x3358b000', 'stack': 'Error: access violation accessing 0x3358b000\n at frida/node_modules/frida-java/lib/env.js:351\n at frida/node_modules/frida-java/lib/env.js:918\n at frida/node_modules/frida-java/lib/class-factory.js:2505\n at input:1\n at [anon] (/script1.js:22)\n at input:1', 'fileName': 'frida/node_modules/frida-java/lib/env.js', 'lineNumber': 351, 'columnNumber': 1}

What is going wrong? How can I fix it?

Thanks,
Stefaan

[muhzii]

Have a look at: Error: abort was called during instance cast

[StefaanSeys]

Yes, I have seen that. That is why I have tried what you did:
var pwd = Java.cast(this.val$pwd1.value, EditText);
which does not give an error, but then, when I want to use the object in
pwd.getText()
I get this access violation error....

[muhzii]

Well, you say it worked in the injected mode. I'm not exactly sure but it might be related to this.

[StefaanSeys]

@muhzii I read the issue you mentioned, but I do not think it is related. Issue 29 is about early instrumentation, while I am hooking an "onClick" and the hook is triggered the moment I click the button.

[muhzii]

Yeah, I saw that the same error as yours would happen if classes failed to load early and frida tried to access them. So what happens if you invoke other methods on the casted instance?

[StefaanSeys]

Weirdly enough, they all work!
I tried

• toString() -> works
• getDefaultEditable() -> works
• getAccessibilityClassName() -> works

But getText() results in the access violation error.

Any ideas?

Stefaan

[StefaanSeys]

I tried a different phone, and same result.

OS's tried:

• 7.1.2 (lineage)
• 6.0.1 (Nexus 5 latest official update)

[muhzii]

It's probably that frida fails at processing the returned value of type Editable when you call getText. frida-java@class-factory.js

[muhzii]

Should be fixed now, see this.

[StefaanSeys]

Yes indeed, that fixes the issue!