[OneUI] Native crashes of background applications during `art::Thread::Attach`

[Emulond]

General information:

Android version: 14
OEM: OneUI 6.1
Model name: SM-G988B
Codename: z3s
Root solution: KernelSU NEXT v12200
Zygisk solution: ReZygisk
Kernel (non-GKI): 4.19.87-VulcanKernel-v3
ᅠ ᅠ

Brief description

On Samsung Galaxy with OneUI (includes both Exynos and Snapdragon variants) applications suffer from systematic and chaotic/unpredictable native crashes. Occurs only in the background, but in seldom situations might happen during the launching.
⚠️ P.S. It now includes Snapdragon Samsung devices! Hence all Samsung devices seem to have been affected! PLEASE, STUDY THE ISSUE ONCE AGAIN, SIGNIFICANT CHANGES HAVE BEEN MADE! 🚨
ᅠ ᅠ

Important notes

1. Which root solution is affected?

• Magisk
• Kitsune
• KernelSU
• KernelSU NEXT
• aPatch

2. Which Zygisk solution is affected?

• Magisk native
• Kitsune native
• ZygiskNext
• ReZygisk
• NeoZygisk

3. Does it occur without Xposed modules injected?

• Yes.
• No.

4. Conditional combinations

• Occurs with 🟢 LSP enabled & 🟢 Zygisk enabled.
• Occurs with 🔴 LSP disabled & 🟢 Zygisk enabled.
• Occurs with 🔴 LSP disabled & 🔴 Zygisk disabled.

5. OS affected

• OneUI 5.1, Android 13 – stock.
• OneUI 6.1, Android 14 – port¹.
• OneUI 7.0, Android 15 — stock.
• AOSP/LOS, Android 13/14.

6. Does replacement of the libraries with AOSP ones help?

• Yes.
• No.

7. Does it affect other Snapdragon devices on OneUI?

• Yes.
• No.

8. Does it affect other Exynos devices on OneUI?

• Yes.
• No.
  ᅠ ᅠ

9. What apps are affected?

• System apps.
• User apps.

10. Does it affect not-injected apps?

• Yes.³
• No.

11. Does it affect unlaunchable apps?

• Yes.
• No.

12. Does the issue persist across all boot sessions?

• Yes.
• No.

13. When does it happen?

• In idle/doze mode.
• In active mode.

14. Apps in what state does it affect?

• On-screen app.³
• Background app.

ᅠ ᅠ

Misc information

It's been happening for approximately 2 years. And it's not anyhow related to the ROM, or any specific root solution, or any specific Zygisk implementation.
It's impossible to manually reproduce the issue, because it only happens by itself and about 14 times a day.
In addition, @DanGLES3 said that, basically, ART libraries are now identical disregard of the OEM due to introduction of universal Google Play System Update APEX distribution.

Example of the described crash

🐞 Native crash: d.app.dressroom

[Device Brand]: samsung
[Device Model]: SM-S988B
[Display]: ExtremeROM v4.6 (UP1A.231005.007.S908BXXSAEXE3)
[Android Version]: 14
[Android API Level]: 34
[System Locale]: ru_RU
[Process ID]: 16650
[User ID]: 0
[CPU ABI]: arm64-v8a
[Package Name]: com.samsung.android.app.dressroom
[Version Name]: 2.6.70.29
[Version Code]: 267029000
[Target SDK]: 34
[Min SDK]: 33
[Error Type]: Native
[Crash Time]: 2024-12-14T01:19:25.053
[Stack Trace]:
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'samsung/b0sxser/b0s:14/UP1A.231005.007/S908BXXSAEXE3:user/release-keys'
Revision: '23'
ABI: 'arm64'
Processor: '0'
Timestamp: 2024-12-14 01:19:24.539918540+0300
Process uptime: 0s
Cmdline: zygote64
pid: 16650, tid: 16665, name: d.app.dressroom  >>> zygote64 <<<
uid: 1000
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x000000735dc211e8
    x0  000000000000000b  x1  000000767fe58da0  x2  000000767fe58e20  x3  0000000000000008
    x4  000000744e754130  x5  0000000000000004  x6  0000000000000a6e  x7  7f7f7f7f7f7f7f7f
    x8  89930b4767bd19fa  x9  89930b4767bd19fa  x10 000000734e862040  x11 0000000000000000
    x12 0000000000000000  x13 0000000000000000  x14 0000000000000031  x15 0000000000000030
    x16 0000007673fcc300  x17 000000765b36f504  x18 000000734b078000  x19 000000767fe58e20
    x20 000000767fe58e20  x21 000000767fe58da0  x22 0000000000000001  x23 0000007673fd1000
    x24 000000734e862000  x25 000000735dc21000  x26 0000007673fd1694  x27 0000007673fd1698
    x28 0000007673fd0408  x29 000000767fe58c90
    lr  0000007673fc706c  sp  000000767fe58b60  pc  000000735d72d3b0  pst 0000000060001000
10 total frames
backtrace:
      #00 pc 000000000052d3b0  /apex/com.android.art/lib64/libart.so (art::FaultManager::HandleSigsegvFault(int, siginfo*, void*)+48) (BuildId: c35c9ebf7bb06435e4b31977d87bd5d5)
      #01 pc 0000000000007068  /apex/com.android.art/lib64/libsigchain.so (art::SignalChain::Handler(int, siginfo*, void*)+368) (BuildId: 1dfc84ea17eda8296164845381922b35)
      #02 pc 00000000000005d8  [vdso] (__kernel_rt_sigreturn+0)
      #03 pc 00000000009b6b30  /apex/com.android.art/lib64/libart.so (BuildId: c35c9ebf7bb06435e4b31977d87bd5d5)
      #04 pc 00000000005dcc88  /apex/com.android.art/lib64/libart.so (art::Thread::Thread(bool)+196) (BuildId: c35c9ebf7bb06435e4b31977d87bd5d5)
      #05 pc 000000000062222c  /apex/com.android.art/lib64/libart.so (art::Thread* art::Thread::Attach<art::Thread::Attach(char const*, bool, _jobject*, bool, bool)::$_0>(char const*, bool, art::Thread::Attach(char const*, bool, _jobject*, bool, bool)::$_0, bool) (.__uniq.112444171608964125319761912539055931073.llvm.17385930779745706793)+160) (BuildId: c35c9ebf7bb06435e4b31977d87bd5d5)
      #06 pc 00000000006760b4  /apex/com.android.art/lib64/libart.so (art::Runtime::AttachCurrentThread(char const*, bool, _jobject*, bool, bool)+132) (BuildId: c35c9ebf7bb06435e4b31977d87bd5d5)
      #07 pc 000000000002b900  /apex/com.android.art/lib64/libperfetto_hprof.so (void* std::__1::__thread_proxy[abi:nn180000]<std::__1::tuple<std::__1::unique_ptr<std::__1::__thread_struct, std::__1::default_delete<std::__1::__thread_struct> >, ArtPlugin_Initialize::$_7> >(void*)+116) (BuildId: 9299b6ce82fd6a7f26e3799ece61cd3f)
      #08 pc 00000000000be8c8  /apex/com.android.runtime/lib64/bionic/libc.so (__pthread_start(void*)+208) (BuildId: 7b2771e16ba279a5186fe9e8c815e964)
      #09 pc 000000000005b3b0  /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+64) (BuildId: 7b2771e16ba279a5186fe9e8c815e964)

ᅠ ᅠ ᅠ ᅠ

---

¹ — ported from S22.
² — no relevance between injection of a particular app and crashes frequency has been found. In fact, the vast majority of apps crashes are non-injected ones.
³ — yes, I have to admit that it can crash during the launching or when running an application, but this happens basically in 0,00001% of situations.

⚠️ January 2025: CONNOTATION!

Upon a deeper investigation, it's been revealed that the issue, in fact, is not related to LSPosed! (Maybe LSPosed provokes more frequent occurrences [in the worst case scenario], but is not the core issue per se).
In addition, my partner @ExtremeXT has discovered that not only Exynos 990, and not only Exynos devices in general are affected! This now includes even Snapdragon devices.
Here is an instance from another repository, exemplifying that this happens on a stock based ROM on S24 Ultra (SM-G980B):

🐞 Native crash: com.samsung.android.app.routines

SystemUptimeMs: 61891767
Process: com.samsung.android.app.routines:RoutineUIProcess
PID: 24174
UID: 10051
Frozen: false
Flags: 0x30c83e45
Package: com.samsung.android.app.routines v480117000 (4.8.01.17)
Foreground: No
Process-Runtime: 624
Build: samsung/e3qxeea/e3q:15/AP3A.240905.015.A2/S928BXXU4ZXLJ:user/release-keys
Loading-Progress: 1.0
Dropped-Count: 0

*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'samsung/e3qxeea/e3q:15/AP3A.240905.015.A2/S928BXXU4ZXLJ:user/release-keys'
Revision: '13'
ABI: 'arm64'
Processor: '2'
Timestamp: 2025-01-10 07:17:26.234283851+0000
Process uptime: 1s
Cmdline: com.samsung.android.app.routines:RoutineUIProcess
pid: 24174, tid: 24204, name: outineUIProcess  >>> com.samsung.android.app.routines:RoutineUIProcess <<<
uid: 10051
tagged_addr_ctrl: 0000000000000001 (PR_TAGGED_ADDR_ENABLE)
pac_enabled_keys: 000000000000000f (PR_PAC_APIAKEY, PR_PAC_APIBKEY, PR_PAC_APDAKEY, PR_PAC_APDBKEY)
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x000000000000000d
Cause: null pointer dereference
    x0  000000000000000b  x1  0000007c0d9bbda0  x2  0000007c0d9bbe20  x3  0000000000000008
    x4  0000000000000000  x5  0000000000000001  x6  0000000030323432  x7  7f7f7f7f7f7f7f7f
    x8  5c0f7a5931b194b0  x9  5c0f7a5931b194b0  x10 000000789a8f4980  x11 0000000000000000
    x12 0000000000000030  x13 0000000000000000  x14 0000000000000005  x15 0000000000000032
    x16 0000007bdeb22300  x17 0000007c0ce72ab4  x18 00000078977c8000  x19 0000007c0d9bbe20
    x20 0000007c0d9bbda0  x21 000000000000000b  x22 0000000000000001  x23 0000007bdeb27000
    x24 000000789a8f4940  x25 0000000000000000  x26 0000007bdeb27694  x27 0000007bdeb27698
    x28 0000007bdeb26408  x29 0000007c0d9bbc90
    lr  0000007bdeb1d06c  sp  0000007c0d9bbb60  pc  00000078c8e365e4  pst 0000000060001000
8 total frames
backtrace:
      #00 pc 000000000052e5e4  /apex/com.android.art/lib64/libart.so (art::FaultManager::HandleSigsegvFault(int, siginfo*, void*)+64) (BuildId: d062c9de79838c0ddb9d758595062c10)
      #01 pc 0000000000007068  /apex/com.android.art/lib64/libsigchain.so (art::SignalChain::Handler(int, siginfo*, void*)+368) (BuildId: 1dfc84ea17eda8296164845381922b35)
      #02 pc 0000000000000860  [vdso]
      #03 pc 0000000000000000  <unknown>
      #04 pc 0000000000655c44  /apex/com.android.art/lib64/libart.so (art::Runtime::AttachCurrentThread(char const*, bool, _jobject*, bool, bool)+72) (BuildId: d062c9de79838c0ddb9d758595062c10)
      #05 pc 000000000002b900  /apex/com.android.art/lib64/libperfetto_hprof.so (void* std::__1::__thread_proxy[abi:nn180000]<std::__1::tuple<std::__1::unique_ptr<std::__1::__thread_struct, std::__1::default_delete<std::__1::__thread_struct>>, ArtPlugin_Initialize::$_7>>(void*)+116) (BuildId: 9299b6ce82fd6a7f26e3799ece61cd3f)
      #06 pc 0000000000071ae8  /apex/com.android.runtime/lib64/bionic/libc.so (__pthread_start(void*)+196) (BuildId: a7d3435cebd777f0dc1a07c5e7386036)
      #07 pc 0000000000063be0  /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+68) (BuildId: a7d3435cebd777f0dc1a07c5e7386036)

[bocchi810]

Could you try this CI version by me?Since I can't simulate your device environment, it may still be like this

[Emulond]

Could you try this CI version by me?

Hello! Thanks for your assistance. I have installed your fork, the device has booted properly. I will keep you updated.
One of the changes I have noticed, is that I'm once again able to launch the parasitic manager, because previously on the latest Nightly build LSPosed-v1.10.1-7159-zygisk-debug I was having this error:

⚠️ java.io.IOException: apk signature not verified

2024-12-16 15:20:15.136 7246 26439 root E LSPosedService : failed to open manager apk
java.io.IOException: java.io.IOException: apk signature not verified
 at org.lsposed.lspd.util.InstallerVerifier.verifyInstallerSignature(InstallerVerifier.java:28)
 at org.lsposed.lspd.service.ConfigFileManager.getManagerApk(ConfigFileManager.java:162)
 at org.lsposed.lspd.service.ConfigManager.getManagerApk(ConfigManager.java:1078)
 at org.lsposed.lspd.service.LSPApplicationService.requestInjectedManagerBinder(LSPApplicationService.java:157)
 at org.lsposed.lspd.service.ILSPApplicationService$Stub.onTransact(ILSPApplicationService.java:110)
 at org.lsposed.lspd.service.LSPApplicationService.onTransact(LSPApplicationService.java:107)
 at android.os.Binder.execTransactInternal(Unknown Source:94)
 at android.os.Binder.execTransact(Unknown Source:39)
Caused by: java.io.IOException: apk signature not verified
 at org.lsposed.lspd.util.InstallerVerifier.verifyInstallerSignature(InstallerVerifier.java:20)
 ... 7 more

[bocchi810]

@JingMatrix Are you set the apk signature into the github secrets?
Action "Write key" need this

      - name: Write key
        if: ${{ ( github.event_name != 'pull_request' && github.ref == 'refs/heads/master' ) || github.ref_type == 'tag' }}
        run: |
          if [ ! -z "${{ secrets.KEY_STORE }}" ]; then
            echo androidStorePassword='${{ secrets.KEY_STORE_PASSWORD }}' >> gradle.properties
            echo androidKeyAlias='${{ secrets.ALIAS }}' >> gradle.properties
            echo androidKeyPassword='${{ secrets.KEY_PASSWORD }}' >> gradle.properties
            echo androidStoreFile='key.jks' >> gradle.properties
            echo ${{ secrets.KEY_STORE }} | base64 --decode > key.jks
          fi

[JingMatrix]

Ah, I didn't. I should have done that, thanks for reminding me of it!

[JingMatrix]

The latest CI debug build is causing the following problem according to user's report:

2025-01-09 22:23:21.103 30264 30264 root V zygisk-core64: module.cpp:364#void ZygiskContext::nativeSpecializeAppProcess_pre(): pre specialize [org.lsposed.manager]
2025-01-09 22:23:21.104  7477  7673 system I ActivityManager: Start proc 30264:org.lsposed.manager/2000 for top-activity {com.android.shell/com.android.shell.BugreportWarningActivity}
2025-01-09 22:23:21.106 30264 30264 com.android.shell E SELinux: seapp_context_lookup_internal:  No match for app with uid 2000, seinfo platform, name org.lsposed.manager  username shell appid 2000
2025-01-09 22:23:21.107 30264 30264 com.android.shell F zygote64: jni_internal.cc:828] JNI FatalError called: (org.lsposed.manager) frameworks/base/core/jni/com_android_internal_os_Zygote.cpp:2011: selinux_android_setcontext(2000, 0, "platform:privapp:targetSdkVersion=34:complete", "org.lsposed.manager") failed
2025-01-09 22:23:21.330 30267 30267 com.android.shell F DEBUG: Abort message: 'JNI FatalError called: (org.lsposed.manager) frameworks/base/core/jni/com_android_internal_os_Zygote.cpp:2011: selinux_android_setcontext(2000, 0, "platform:privapp:targetSdkVersion=34:complete", "org.lsposed.manager") failed'
2025-01-09 22:23:21.369  7477 30272 system I LSPosed-Bridge: [AppErrorsTracking][I][android] Received crash application data --pid 30264
2025-01-09 22:23:24.827  7477  7657 system V ActivityManager: Skipped removedTask org.lsposed.manager
2025-01-09 22:23:25.277  7477  7942 system D LSPosed: LoadedApk#<init> starts: pkg=null, prc=null
2025-01-09 22:23:25.277  7477  7942 system D LSPosed: LoadedApk#<init> ends: /data/app/~~QXKpbCMclD8VVdGSIqkqsw==/it.octogramx.android-JzUCbhF9Yjt8HaO6QogJgA==/base.apk: pkg=null, prc=null
2025-01-09 22:23:25.827  7477 30482 system I LSPosed-Bridge: [AppErrorsTracking][I][android] Received crash application data --pid 30425
2025-01-09 22:23:31.103  7477  7672 system W ActivityManager: Process ProcessRecord{55520e5 30264:org.lsposed.manager/2000} failed to attach
2025-01-09 22:23:32.103  7477  7672 system W ActivityManager: Spurious death for ProcessRecord{55520e5 30264:org.lsposed.manager/2000}, curProc for 30264: null

It seems that the system server is not hooked correctly. The crash happens at selinux_android_setcontext.

[Emulond]

⚠️ Caution! Significant changes have been made to the head content of the issue ticket! Restudy of the content is required by the observers and participants!
Regards

[JingMatrix]

No worries, I will keep this issue open. We should first classify the crashes since there are many different types of native crashes. And it could happen that a special crash is causing all the rest.

[Emulond]

• Occurs with 🔴 LSP disabled & 🔴 Zygisk disabled.

Speaking about this item: it still requires total confirmation. I think I might not just be able to reproduce in a Zygisk-less environment, but I might try asking other people + initiate an experiment myself.

Please, consider that some information might still be changed. It's a very complicated issue, and it's very time-consuming. Pardon all inaccurate information, but for the most part of it the content is largely beyond refutation or dispute.