Uncatchable NullPointerException Crashes Target Process

[chaoxi72]

Description

When hooking Java methods using frida-java-bridge, calling methods on null parameters causes the target process to crash, even when the code is wrapped in a try-catch block. This is unexpected behavior for JavaScript developers and causes production apps to terminate silently.

Reproduction

Java.perform(function () {
    const ArrayList = Java.use("java.util.ArrayList");
    
    ArrayList.add.overload('java.lang.Object').implementation = function (value) {
        try {
            // This crashes the process when value is null
            var className = value.getClass().getName();
            console.log("Class:", className);
        } catch (e) {
            console.log("Exception caught:", e); // Never executed
        }
        return this.add(value);
    };
});

Command:

frida -UF -l script.js

Expected Behavior

The try-catch block should catch the NullPointerException when value is null, log the error message, and allow the application to continue running.

Actual Behavior

The target process terminates immediately:

Process terminated

The exception is never caught, and no error message appears in the console.

Environment

Frida version: 16.2.1
Target platform: Android 6
Script language: JavaScript

[chaoxi72]

Hi,

I've created a potential fix for this issue in my fork: chaoxi72@21b45a4

If this is something you'd like to address, I'm happy to submit a PR. Feel free to reference the commit or let me know if you'd prefer a different approach.

Thanks!

[kartikm7]

Facing a similar issue:

2025-10-31 16:22:59.869 10874-10874 libc                    com.example.helloworld               A  Fatal signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x10 in tid 10874 (mple.helloworld), pid 10874 (mple.helloworld)
2025-10-31 16:23:00.652 10956-10956 DEBUG                   crash_dump64                         A  *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
2025-10-31 16:23:00.652 10956-10956 DEBUG                   crash_dump64                         A  Build fingerprint: 'google/sdk_gphone64_arm64/emu64a:16/BE2A.250530.026.D1/13818094:user/release-keys'
2025-10-31 16:23:00.652 10956-10956 DEBUG                   crash_dump64                         A  Revision: '0'
2025-10-31 16:23:00.652 10956-10956 DEBUG                   crash_dump64                         A  ABI: 'arm64'
2025-10-31 16:23:00.652 10956-10956 DEBUG                   crash_dump64                         A  Timestamp: 2025-10-31 16:22:59.950497641+0530
2025-10-31 16:23:00.652 10956-10956 DEBUG                   crash_dump64                         A  Process uptime: 15s
2025-10-31 16:23:00.652 10956-10956 DEBUG                   crash_dump64                         A  Cmdline: com.example.helloworld
2025-10-31 16:23:00.652 10956-10956 DEBUG                   crash_dump64                         A  pid: 10874, tid: 10874, name: mple.helloworld  >>> com.example.helloworld <<<
2025-10-31 16:23:00.652 10956-10956 DEBUG                   crash_dump64                         A  uid: 10214
2025-10-31 16:23:00.652 10956-10956 DEBUG                   crash_dump64                         A  tagged_addr_ctrl: 0000000000000001 (PR_TAGGED_ADDR_ENABLE)
2025-10-31 16:23:00.652 10956-10956 DEBUG                   crash_dump64                         A  pac_enabled_keys: 000000000000000f (PR_PAC_APIAKEY, PR_PAC_APIBKEY, PR_PAC_APDAKEY, PR_PAC_APDBKEY)
2025-10-31 16:23:00.652 10956-10956 DEBUG                   crash_dump64                         A  signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0000000000000010
2025-10-31 16:23:00.652 10956-10956 DEBUG                   crash_dump64                         A  Cause: null pointer dereference

Is this the same thing you faced @chaoxi72 ?

I believe in my case, what's happening is that the object is garbage collected or gets fragmented, so the memory address goes stale. My code is wrapped in a try{}catch{} as well, but it doesn't catch the error rather it crashes the app. I've hooked into a scroll function, and created weak refs.

Running on frida-java-bridge: 7.0.10 and gadget 17

[chaoxi72]

If you modify the code and add validation when retrieving the method, will the problem still exist? @kartikm7

[kartikm7]

@chaoxi72 yes, it would still exist. Actually upgrade your frida-java-bridge to 7.0.10 they've added a fix for GC synchronization. Which works incredibly, although I still faced crashes in two scenarios.

1. In nested scroll hooks, faced crashses. Hook into an API which is only a level deep, this fixed the issue for me.
2. Also, in Pixel 10 series have been noticing frequent crashes (even with the frida-java-bridge upgrade)

[chaoxi72]

Okay, thank you for your reply.