frida-go
frida-go copied to clipboard
frida
SIGSEGV: segmentation violation
HI ,I encounter a problem when many concurrent goroutine execute Script.ExportsCall;Here is The Env And Error Info
OS: Mac Os 14.1.2 (23B92)
CPU ARCH: 2.6 GHz Intel Core i7 Amd64
Go Version: go1.21.5
Frida-go-sdk version: v0.6.10
Android Device Version : Android 12
Android frida-server version : 16.1.4 Arm64
Updated: switch the latest Frida-Server 16.1.8 , the problem reproduced
===========
Error Stack:
SIGSEGV: segmentation violation
PC=0x1010b21c2 m=15 sigcode=1
signal arrived during cgo execution
goroutine 2986 [syscall]:
runtime.cgocall(0x100a46800, 0xc00129ae58)
/usr/local/Cellar/go/1.21.5/libexec/src/runtime/cgocall.go:157 +0x4b fp=0xc00129ae30 sp=0xc00129adf8 pc=0x10000aaab
github.com/frida/frida-go/frida._Cfunc_g_object_unref(0x7fb31d817380)
_cgo_gotypes.go:3402 +0x3f fp=0xc00129ae58 sp=0xc00129ae30 pc=0x1002e71df
github.com/frida/frida-go/frida.unrefGObj.func1(0x7fb31d817380)
/Users/jackie/go/pkg/mod/github.com/frida/[email protected]/frida/cleanups.go:30 +0x3b fp=0xc00129ae90 sp=0xc00129ae58 pc=0x1002eb31b
github.com/frida/frida-go/frida.unrefGObj(0x7fb31d817380)
/Users/jackie/go/pkg/mod/github.com/frida/[email protected]/frida/cleanups.go:30 +0x18 fp=0xc00129aea8 sp=0xc00129ae90 pc=0x1002eb2b8
github.com/frida/frida-go/frida.clean(0x7fb31d817380, {0x1012f6734, 0xb})
/Users/jackie/go/pkg/mod/github.com/frida/[email protected]/frida/cleanups.go:37 +0x5e fp=0xc00129aee0 sp=0xc00129aea8 pc=0x1002eb39e
github.com/frida/frida-go/frida.(*Session).Clean(0xc000015900)
/Users/jackie/go/pkg/mod/github.com/frida/[email protected]/frida/session.go:198 +0x33 fp=0xc00129af10 sp=0xc00129aee0 pc=0x100302d33
frida-go-rpc/MyFridaApp/fridaApiHooker.close({0xc000015800, 0xc0000158a8, 0xc000015900, 0xc0001f02a0})
/GoProjects/frida-go-rpc/MyApp/ApiHooker.go:35 +0x3c fp=0xc00129af38 sp=0xc00129af10 pc=0x1007bd41c
frida-go-rpc/MyFridaApp/.GetClient.func1.1.1()
/GoProjects/frida-go-rpc/MyFridaApp/FridaClient.go:158 +0x9e fp=0xc00129afe0 sp=0xc00129af38 pc=0x1007bf91e
runtime.goexit()
/usr/local/Cellar/go/1.21.5/libexec/src/runtime/asm_amd64.s:1650 +0x1 fp=0xc00129afe8 sp=0xc00129afe0 pc=0x1000785e1
created by frida-go-rpc/MyFridaApp/.GetClient.func1.1 in goroutine 5
/GoProjects/frida-go-rpc/MyFridaApp/FridaClient.go:148 +0x145
goroutine 1 [sleep]:
runtime.gopark(0x10135a680, 0xc0002300f0, 0x13, 0x13, 0x1)
/usr/local/Cellar/go/1.21.5/libexec/src/runtime/proc.go:398 +0xfc fp=0xc001491b60 sp=0xc001491b30 pc=0x10004673c
time.Sleep(0x174876e800)
/usr/local/Cellar/go/1.21.5/libexec/src/runtime/time.go:195 +0x110 fp=0xc001491ba0 sp=0xc001491b60 pc=0x100075550
main.main()
/GoProjects/frida-go-rpc/main.go:213 +0x12a fp=0xc001491f68 sp=0xc001491ba0 pc=0x100a4474a
runtime.main()
/usr/local/Cellar/go/1.21.5/libexec/src/runtime/proc.go:267 +0x267 fp=0xc001491fe0 sp=0xc001491f68 pc=0x1000462c7
runtime.goexit()
/usr/local/Cellar/go/1.21.5/libexec/src/runtime/asm_amd64.s:1650 +0x1 fp=0xc001491fe8 sp=0xc001491fe0 pc=0x1000785e1
goroutine 17 [syscall, locked to thread]:
runtime.goexit()
/usr/local/Cellar/go/1.21.5/libexec/src/runtime/asm_amd64.s:1650 +0x1 fp=0xc0015a5fe8 sp=0xc0015a5fe0 pc=0x1000785e1
goroutine 2 [force gc (idle)]:
runtime.gopark(0x10135a640, 0x103fb1d60, 0x11, 0x14, 0x1)
/usr/local/Cellar/go/1.21.5/libexec/src/runtime/proc.go:398 +0xfc fp=0xc00006af80 sp=0xc00006af50 pc=0x10004673c
runtime.goparkunlock(0x0?, 0x0?, 0x0?, 0x0?)
/usr/local/Cellar/go/1.21.5/libexec/src/runtime/proc.go:404 +0x25 fp=0xc00006afb0 sp=0xc00006af80 pc=0x1000467c5
runtime.forcegchelper()
/usr/local/Cellar/go/1.21.5/libexec/src/runtime/proc.go:322 +0xb5 fp=0xc00006afe0 sp=0xc00006afb0 pc=0x100046555
runtime.goexit()
/usr/local/Cellar/go/1.21.5/libexec/src/runtime/asm_amd64.s:1650 +0x1 fp=0xc00006afe8 sp=0xc00006afe0 pc=0x1000785e1
created by runtime.init.6 in goroutine 1
/usr/local/Cellar/go/1.21.5/libexec/src/runtime/proc.go:310 +0x1a
goroutine 18 [GC sweep wait]:
runtime.gopark(0x10135a640, 0x103fb2ba0, 0xc, 0x14, 0x1)
/usr/local/Cellar/go/1.21.5/libexec/src/runtime/proc.go:398 +0xfc fp=0xc000066750 sp=0xc000066720 pc=0x10004673c
runtime.goparkunlock(0x1?, 0x0?, 0x0?, 0x0?)
/usr/local/Cellar/go/1.21.5/libexec/src/runtime/proc.go:404 +0x25 fp=0xc000066780 sp=0xc000066750 pc=0x1000467c5
runtime.bgsweep(0x0?)
/usr/local/Cellar/go/1.21.5/libexec/src/runtime/mgcsweep.go:321 +0xe5 fp=0xc0000667c8 sp=0xc000066780 pc=0x10002f525
runtime.gcenable.func1()
/usr/local/Cellar/go/1.21.5/libexec/src/runtime/mgc.go:200 +0x25 fp=0xc0000667e0 sp=0xc0000667c8 pc=0x1000237a5
runtime.goexit()
/usr/local/Cellar/go/1.21.5/libexec/src/runtime/asm_amd64.s:1650 +0x1 fp=0xc0000667e8 sp=0xc0000667e0 pc=0x1000785e1
created by runtime.gcenable in goroutine 1
/usr/local/Cellar/go/1.21.5/libexec/src/runtime/mgc.go:200 +0x66
goroutine 19 [GC scavenge wait]:
runtime.gopark(0x10135a640, 0x103fb33e0, 0xd, 0x14, 0x2)
/usr/local/Cellar/go/1.21.5/libexec/src/runtime/proc.go:398 +0xfc fp=0xc000066f40 sp=0xc000066f10 pc=0x10004673c
runtime.goparkunlock(0x1013a5288?, 0x0?, 0x0?, 0x0?)
/usr/local/Cellar/go/1.21.5/libexec/src/runtime/proc.go:404 +0x25 fp=0xc000066f70 sp=0xc000066f40 pc=0x1000467c5
runtime.(*scavengerState).park(0x103fb33e0)
/usr/local/Cellar/go/1.21.5/libexec/src/runtime/mgcscavenge.go:425 +0x45 fp=0xc000066f98 sp=0xc000066f70 pc=0x10002c7e5
runtime.bgscavenge(0x0?)
/usr/local/Cellar/go/1.21.5/libexec/src/runtime/mgcscavenge.go:658 +0x65 fp=0xc000066fc8 sp=0xc000066f98 pc=0x10002cd85
runtime.gcenable.func2()
/usr/local/Cellar/go/1.21.5/libexec/src/runtime/mgc.go:201 +0x25 fp=0xc000066fe0 sp=0xc000066fc8 pc=0x100023745
runtime.goexit()
/usr/local/Cellar/go/1.21.5/libexec/src/runtime/asm_amd64.s:1650 +0x1 fp=0xc000066fe8 sp=0xc000066fe0 pc=0x1000785e1
created by runtime.gcenable in goroutine 1
/usr/local/Cellar/go/1.21.5/libexec/src/runtime/mgc.go:201 +0xa5
goroutine 3 [finalizer wait]:
runtime.gopark(0x10135a370, 0x103feeda8, 0x10, 0x14, 0x1)
/usr/local/Cellar/go/1.21.5/libexec/src/runtime/proc.go:398 +0xfc fp=0xc00006a628 sp=0xc00006a5f8 pc=0x10004673c
runtime.runfinq()
/usr/local/Cellar/go/1.21.5/libexec/src/runtime/mfinal.go:193 +0xfa fp=0xc00006a7e0 sp=0xc00006a628 pc=0x10002285a
runtime.goexit()
/usr/local/Cellar/go/1.21.5/libexec/src/runtime/asm_amd64.s:1650 +0x1 fp=0xc00006a7e8 sp=0xc00006a7e0 pc=0x1000785e1
created by runtime.createfing in goroutine 1
/usr/local/Cellar/go/1.21.5/libexec/src/runtime/mfinal.goExiting.
Any Other Info ,when the app call Script.ExportsCall Timeout, i think it is just broken Session,so i close the resource , reopen another DeviceManager 、Device、Session and so on; Here is the code
hooker.script.Clean()
hooker.session.Clean()
hooker.device.Clean()
hooker.deviceManager.Clean()
Can anyone help me to solve it? Many Thanks!
Hey, can you paste the code that caused the error
Thanks For Your Reply!
Here is the code :
type FridaClient struct {
apiHooker *fridaApiHooker
//
refreshChan *chan uint32
// Client Version,
version * atomic.Uint32
// Frida Resource is ok?
OK bool
}
type fridaApiHooker struct {
deviceManager *frida.DeviceManager
device *frida.Device
session *frida.Session
script *frida.Script
}
// Close close the resource held by the frida client singleton
func (hooker fridaApiHooker) close() {
hooker.script.Clean()
hooker.session.Clean()
hooker.device.Clean()
hooker.deviceManager.Clean()
}
// newApiHooker make new frida Resource
func newApiHooker() *fridaApiHooker {
jsScript := readJsScript()
deviceManager := frida.NewDeviceManager()
devices, err := deviceManager.EnumerateDevices()
if err != nil {
panic("Device Error!")
}
for _, d := range devices {
log.Printf("[*] Found device with id:%v", d.ID())
}
device, err := deviceManager.USBDevice()
if err != nil {
log.Printf("Could not get usb device: %v", err)
os.Exit(1)
}
log.Printf("[*] Attaching to `App`")
session, err := device.Attach(processName, nil)
if err != nil {
log.Printf("New Session Fail!err:%v", err)
os.Exit(1)
}
fridaScript, err := session.CreateScript(jsScript)
if err != nil {
log.Printf("New Frida Script Fail! err:%v", err)
os.Exit(1)
}
if err := fridaScript.Load(); err != nil {
log.Printf("Load Frida Script Fail!err:%v", err)
os.Exit(1)
}
return &fridaApiHooker{
deviceManager: deviceManager,
device: device,
session: session,
script: fridaScript,
}
}
func (client * FridaClient) CallFrida(param *CallFridaParam) (*rpc.CallResult, error) {
// for loop 3 times
for i := 0; i < 3; i++ {
// every iteration , call the func , if err is TimeOutError,close
// the resource, reopen it
result, err := client.doFridaCallInner(param)
if err != nil {
if errors.Is(err, timeoutError) {
// Timeout Error,get Client Version
ver := client.version.Load()
*client.refreshChan <- ver
// wait for the client version greater than current,and 'ok'
// statuc switch to 'true'
for !(client.version.Load() > ver && client.OK) {
// wait for reloader to reload resource
time.Sleep(1 * time.Second)
}
continue
} else {
// other error than TimeOut
return nil, err
}
} else {
// call frida success ,just return it
return result, nil
}
}
// for loop end ,can't get result ,return err
return nil, timeoutError
}
func (client *FridaClient) doFridaCallInner(param *FridaCallParam) (*rpc.FridaResult, error) {
// make chan to recv result
ch := make(chan FridaResult, 1)
go func() {
defer close(ch)
resultMap := client.apiHooker.script.ExportsCall("JSFuncName",
//
params
)
ch <- FridaResult{resultMap, nil}
}()
// 4. 当前协程等待结果
select {
case <-time.After(RpcTimeout * time.Second):
{
//
return nil, timeoutError
}
case result := <-ch:
{
return &result,nil
}
}
}
// GetFridaClient make FridaClient Singleton
func GetFridaClient() *FridaClient {
clientInitLock.Do(func() {
log.Printf("init Frida client! ")
apiHooker := newApiHooker()
ch := make(chan uint32, 1)
ver := atomic.Uint32{}
// incr to version 1
ver.Add(1)
clientSingleton = &FridaClient{
apiHooker: apiHooker,
// version init to 1
version: &ver,
// size 1 channel
refreshChan: &ch,
//
OK: true,
}
// 7. launch a new coroutine , do for refresh Resource
go func() {
for {
// wait for channel recv
v := <-*clientSingleton.refreshChan
if v == clientSingleton.version.Load() {
// version equals ,do the resource refresh actions
casSuccess := clientSingleton.version.CompareAndSwap(v, v+1)
if casSuccess {
go func() {
log.Printf("resource clean up")
// when cas success ,refresh resource
clientSingleton.OK = false
defer func() { clientSingleton.OK = true }()
_ = clientSingleton.apiHooker.close()
// make new hooker ,update the prop of singleton
clientSingleton.apiHooker = newApiHooker()
}()
}
} else {
// Version different,Just return
log.Printf("", v, clientSingleton.version)
}
}
}()
})
return clientSingleton
}