zygote64 crash on Note8 Snapdragon(bootloop)
Hello. I am attempting to use Xposed 88.1 on the Galaxy Note8 (7.1.1 API 25 arm64) and I'm encountering a bootloop issue. I've narrowed it down to the art files and managed to get some information using adb bugreport, as I cannot get a logcat from the boot (adb offline).
Essentially this is where my boot fails:
10-19 20:40:04.680 19545 19545 I art : GenerateImage: /system/bin/dex2oat --image=/data/dalvik-cache/arm64/system@[email protected] --dex-file=/system/framework/SmpsManager.jar --dex-file=/system/framework/core-oj.jar --dex-file=/system/framework/core-libart.jar --dex-file=/system/framework/conscrypt.jar --dex-file=/system/framework/okhttp.jar --dex-file=/system/framework/core-junit.jar --dex-file=/system/framework/bouncycastle.jar --dex-file=/system/framework/ext.jar --dex-file=/system/framework/fram
10-19 20:40:14.804 19545 19545 E art : Could not create image space with image file '/system/framework/boot.art'. Attempting to fall back to imageless running. Error was: Failed to generate image '/data/dalvik-cache/arm64/system@[email protected]': Failed execv(/system/bin/dex2oat --image=/data/dalvik-cache/arm64/system@[email protected] --dex-file=/system/framework/SmpsManager.jar --dex-file=/system/framework/core-oj.jar --dex-file=/system/framework/core-libart.jar --dex-file=/system/framework/consc
10-19 20:40:14.804 19545 19545 E art : Attempted image: /system/framework/boot.art
10-19 20:40:15.600 19545 19545 W art : Skipping non-existent dex file '/system/framework/oem-services.jar'
That sadly was the most I saw error-wise. It is impossible to get a logcat of the bootloop, unfortunately. But I removed the libart.so and the dexoat files from the zip for the framework and it BOOTS, but obviously Xposed Installer says it isn't running.
Here are tombstones from the failed boot https://gist.github.com/me2151/135b863463dd4b938f4a8d763f14faa4
EDIT: After trying again I've found that zygote64 is crashing, which causes my bootloop. I added tombstones from the failed boot. I've managed to get past the previous point of failure and now have this.
Unfortunately, the original bug report didn't contain the full error. So I can't say anything about that.
I'll have to check the new crash:
backtrace:
#00 pc 00000000002f7a24 /system/lib64/libart.so (_ZNSt3__16__treeINS_12__value_typeINS_12basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEEPN3art13SharedLibraryEEENS_19__map_value_compareIS7_SB_NS_4lessIS7_EELb1EEENS5_ISB_EEE4findIS7_EENS_15__tree_iteratorISB_PNS_11__tree_nodeISB_PvEElEERKT_+28)
#01 pc 00000000002f4b6c /system/lib64/libart.so (_ZN3art9JavaVMExt17LoadNativeLibraryEP7_JNIEnvRKNSt3__112basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEEP8_jobjectP8_jstringPS9_+168)
#02 pc 0000000000004698 /system/lib64/libopenjdkjvm.so (JVM_NativeLoad+284)
#03 pc 00000000736061c0 /data/dalvik-cache/arm64/system@[email protected] (offset 0x356a000)
Last log line:
10-21 21:19:32.551 10302 10302 E SemAffinityControl: SemAffinityControl: registerfunction enter
Please also try whether v88.1 works any better for you.
v88.1 produces the same results. Currently HOPEFULLY pulling a logcat in a few minutes.
EDIT: Do you have any suggestions or tips? I just tried creating a binary that runs logcat and saves to a file in /tombstones. Replaced the bootanimation binary for it. Sadly it doesn't write the file during boot, but if I test outside of boot it works fine.
Finally got a logcat using the previously mentioned method. It's 12MB so it's too big for Pastebin, so I uploaded it to Drive. https://drive.google.com/open?id=0B8CP3g3AqMuHeGZKMVpSeFIyaTA
Thanks! It basically confirms the same things as above. Looks like it's crashing while loading a native library. Could you please upload /data/dalvik-cache/arm64/system@[email protected]? Then I can check what's at pc 0000000073be51c0 (from the new log).
Here you go: This is the system@[email protected] file from xposed installed bootloop. https://drive.google.com/file/d/0B8CP3g3AqMuHS1hFVThsTkdCajQ/view
me2151, buddy, good thing you understand English... I flashed Xposed and now it won't boot, and suddenly I'm not happy anymore.
Any luck using the oat file?
00000000002f4b6c in https://github.com/rovo89/Xposed/issues/273#issuecomment-338560578 refers to library = libraries_->Get(path);
The same for 00000000002f4cec in https://github.com/rovo89/Xposed/issues/273#issuecomment-339089543.
And from https://github.com/rovo89/XposedBridge/issues/210:
10-16 21:03:34.416 F/DEBUG ( 3956): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
10-16 21:03:34.416 F/DEBUG ( 3956): Build fingerprint: 'samsung/greatqltezc/greatqltechn:7.1.1/NMF26X/N9500ZCU1AQI9:user/release-keys'
10-16 21:03:34.416 F/DEBUG ( 3956): Revision: '11'
10-16 21:03:34.416 F/DEBUG ( 3956): ABI: 'arm64'
10-16 21:03:34.416 F/DEBUG ( 3956): pid: 759, tid: 759, name: main >>> zygote64 <<<
10-16 21:03:34.416 F/DEBUG ( 3956): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x6f4c646573754e
10-16 21:03:34.416 F/DEBUG ( 3956): x0 636f4c6465737546 x1 0000007ff9c7f138 x2 0000007ff9c7f138 x3 0000000000000000
10-16 21:03:34.416 F/DEBUG ( 3956): x4 0000000000000000 x5 0000007ff9c7f150 x6 0000007fa2193b9e x7 636176616a62696c
10-16 21:03:34.416 F/DEBUG ( 3956): x8 0000000000000000 x9 d5abb8b2f4cfdd06 x10 0000007fa6dddab0 x11 0000000000000003
10-16 21:03:34.416 F/DEBUG ( 3956): x12 0000000000000021 x13 0000007fa5e93080 x14 d5abb8b2f4cfdd06 x15 0000007fa20c1e58
10-16 21:03:34.416 F/DEBUG ( 3956): x16 0000007f95b45f38 x17 0000007fa1cc4c44 x18 0000000000000021 x19 636f4c6465737546
10-16 21:03:34.416 F/DEBUG ( 3956): x20 636f4c6465737546 x21 0000007fa2046300 x22 0000007fa20fbd40 x23 d5abb8b2f4cfdd06
10-16 21:03:34.416 F/DEBUG ( 3956): x24 0000000000000000 x25 000000000000001e x26 0000007ff9c7f150 x27 0000007fa20cba00
10-16 21:03:34.416 F/DEBUG ( 3956): x28 0000007fa2033b80 x29 0000007ff9c7efd0 x30 0000007fa1cc4cf0
10-16 21:03:34.416 F/DEBUG ( 3956): sp 0000007ff9c7ef90 pc 0000007fa1cc7ba4 pstate 0000000020000000
10-16 21:03:34.522 F/DEBUG ( 3956):
10-16 21:03:34.522 F/DEBUG ( 3956): backtrace:
10-16 21:03:34.522 F/DEBUG ( 3956): #00 pc 00000000002f7ba4 /system/lib64/libart.so (_ZNSt3__16__treeINS_12__value_typeINS_12basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEEPN3art13SharedLibraryEEENS_19__map_value_compareIS7_SB_NS_4lessIS7_EELb1EEENS5_ISB_EEE4findIS7_EENS_15__tree_iteratorISB_PNS_11__tree_nodeISB_PvEElEERKT_+28)
10-16 21:03:34.522 F/DEBUG ( 3956): #01 pc 00000000002f4cec /system/lib64/libart.so (_ZN3art9JavaVMExt17LoadNativeLibraryEP7_JNIEnvRKNSt3__112basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEEP8_jobjectP8_jstringPS9_+168)
10-16 21:03:34.522 F/DEBUG ( 3956): #02 pc 0000000000004698 /system/lib64/libopenjdkjvm.so (JVM_NativeLoad+284)
10-16 21:03:34.522 F/DEBUG ( 3956): #03 pc 00000000005df630 /system/framework/arm64/boot-core-oj.oat (offset 0x54f000) (java.lang.Runtime.nativeLoad+204)
10-16 21:03:34.522 F/DEBUG ( 3956): #04 pc 00000000005df0d0 /system/framework/arm64/boot-core-oj.oat (offset 0x54f000) (java.lang.Runtime.doLoad+204)
10-16 21:03:34.522 F/DEBUG ( 3956): #05 pc 00000000005e10ec /system/framework/arm64/boot-core-oj.oat (offset 0x54f000) (java.lang.Runtime.loadLibrary0+1240)
10-16 21:03:34.522 F/DEBUG ( 3956): #06 pc 0000000000602f14 /system/framework/arm64/boot-core-oj.oat (offset 0x54f000) (java.lang.System.loadLibrary+96)
10-16 21:03:34.522 F/DEBUG ( 3956): #07 pc 000000000009426c /system/framework/arm64/boot-conscrypt.oat (offset 0x76000) (com.android.org.conscrypt.NativeCryptoJni.init+56)
10-16 21:03:34.522 F/DEBUG ( 3956): #08 pc 00000000000d3be8 /system/lib64/libart.so (art_quick_invoke_static_stub+600)
10-16 21:03:34.522 F/DEBUG ( 3956): #09 pc 00000000000e0630 /system/lib64/libart.so (_ZN3art9ArtMethod6InvokeEPNS_6ThreadEPjjPNS_6JValueEPKc+252)
10-16 21:03:34.522 F/DEBUG ( 3956): #10 pc 0000000000292f44 /system/lib64/libart.so (_ZN3art11interpreter34ArtInterpreterToCompiledCodeBridgeEPNS_6ThreadEPNS_9ArtMethodEPKNS_7DexFile8CodeItemEPNS_11ShadowFrameEPNS_6JValueE+312)
10-16 21:03:34.522 F/DEBUG ( 3956): #11 pc 000000000028bf20 /system/lib64/libart.so (_ZN3art11interpreter6DoCallILb0ELb0EEEbPNS_9ArtMethodEPNS_6ThreadERNS_11ShadowFrameEPKNS_11InstructionEtPNS_6JValueE+592)
10-16 21:03:34.522 F/DEBUG ( 3956): #12 pc 0000000000561aa8 /system/lib64/libart.so (MterpInvokeStatic+356)
10-16 21:03:34.522 F/DEBUG ( 3956): #13 pc 00000000000c6494 /system/lib64/libart.so (ExecuteMterpImpl+14612)
Same location here. That looks like com.android.org.conscrypt.NativeCryptoJni.init tries to load a native library and it fails with a crash. I assume that libraries_ isn't valid, which could mean that the whole JavaVMExt instance isn't valid.
Not sure if this is related or not:
10-16 21:03:34.344 E/System ( 759): Unable to open boot classpath entry: /system/framework/oem-services.jar
10-16 21:03:34.345 E/System ( 759): java.io.FileNotFoundException: File doesn't exist: /system/framework/oem-services.jar
10-16 21:03:34.345 E/System ( 759): at java.util.zip.ZipFile.<init>(ZipFile.java:212)
10-16 21:03:34.345 E/System ( 759): at java.util.zip.ZipFile.<init>(ZipFile.java:148)
10-16 21:03:34.345 E/System ( 759): at java.util.jar.JarFile.<init>(JarFile.java:161)
10-16 21:03:34.345 E/System ( 759): at java.util.jar.JarFile.<init>(JarFile.java:98)
10-16 21:03:34.345 E/System ( 759): at libcore.io.ClassPathURLStreamHandler.<init>(ClassPathURLStreamHandler.java:47)
10-16 21:03:34.345 E/System ( 759): at java.lang.VMClassLoader.createBootClassPathUrlHandlers(VMClassLoader.java:49)
10-16 21:03:34.345 E/System ( 759): at java.lang.VMClassLoader.<clinit>(VMClassLoader.java:31)
10-16 21:03:34.345 E/System ( 759): at java.lang.ClassLoader.findLoadedClass(ClassLoader.java:742)
10-16 21:03:34.345 E/System ( 759): at java.lang.BootClassLoader.loadClass(ClassLoader.java:1403)
10-16 21:03:34.345 E/System ( 759): at java.lang.ClassLoader.loadClass(ClassLoader.java:312)
10-16 21:03:34.345 E/System ( 759): at sun.security.jca.ProviderConfig.initProvider(ProviderConfig.java:248)
10-16 21:03:34.345 E/System ( 759): at sun.security.jca.ProviderConfig.-wrap0(ProviderConfig.java)
10-16 21:03:34.345 E/System ( 759): at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:214)
10-16 21:03:34.345 E/System ( 759): at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:207)
10-16 21:03:34.345 E/System ( 759): at java.security.AccessController.doPrivileged(AccessController.java:41)
10-16 21:03:34.345 E/System ( 759): at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:206)
10-16 21:03:34.345 E/System ( 759): at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:187)
10-16 21:03:34.345 E/System ( 759): at sun.security.jca.ProviderList.loadAll(ProviderList.java:281)
10-16 21:03:34.345 E/System ( 759): at sun.security.jca.ProviderList.removeInvalid(ProviderList.java:298)
10-16 21:03:34.345 E/System ( 759): at sun.security.jca.Providers.<clinit>(Providers.java:64)
10-16 21:03:34.345 E/System ( 759): at sun.security.jca.GetInstance.getInstance(GetInstance.java:156)
10-16 21:03:34.345 E/System ( 759): at java.security.Security.getImpl(Security.java:587)
10-16 21:03:34.345 E/System ( 759): at java.security.MessageDigest.getInstance(MessageDigest.java:186)
10-16 21:03:34.345 E/System ( 759): at de.robv.android.xposed.DexCreator.updateSignature(DexCreator.java:185)
10-16 21:03:34.345 E/System ( 759): at de.robv.android.xposed.DexCreator.create(DexCreator.java:177)
10-16 21:03:34.345 E/System ( 759): at de.robv.android.xposed.DexCreator.ensure(DexCreator.java:69)
10-16 21:03:34.345 E/System ( 759): at de.robv.android.xposed.DexCreator.ensure(DexCreator.java:48)
10-16 21:03:34.345 E/System ( 759): at de.robv.android.xposed.DexCreator.ensure(DexCreator.java:40)
10-16 21:03:34.345 E/System ( 759): at de.robv.android.xposed.XposedBridge.initXResources(XposedBridge.java:123)
10-16 21:03:34.345 E/System ( 759): at de.robv.android.xposed.XposedBridge.main(XposedBridge.java:79)
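A triage step for the zygote64 tombstone quoted above, as an added example that is not part of the original thread or of Xposed: it decodes each register as little-endian bytes and flags values that are entirely printable ASCII, the kind of evidence that bears on the suspicion that libraries_ is not a valid pointer. The function names are hypothetical; the sample lines are copied from the tombstone in this thread.

```python
import re

# Subset of the register dump, copied from the tombstone quoted in this thread.
TOMBSTONE = """\
10-16 21:03:34.416 F/DEBUG ( 3956): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x6f4c646573754e
10-16 21:03:34.416 F/DEBUG ( 3956): x0 636f4c6465737546 x1 0000007ff9c7f138 x2 0000007ff9c7f138 x3 0000000000000000
10-16 21:03:34.416 F/DEBUG ( 3956): x4 0000000000000000 x5 0000007ff9c7f150 x6 0000007fa2193b9e x7 636176616a62696c
10-16 21:03:34.416 F/DEBUG ( 3956): x16 0000007f95b45f38 x17 0000007fa1cc4c44 x18 0000000000000021 x19 636f4c6465737546
10-16 21:03:34.416 F/DEBUG ( 3956): sp 0000007ff9c7ef90 pc 0000007fa1cc7ba4 pstate 0000000020000000
"""

REG_RE = re.compile(r"\b(x\d{1,2}|sp|pc)\s+([0-9a-f]{16})\b")
FAULT_RE = re.compile(r"fault addr 0x([0-9a-f]+)")
MASK56 = (1 << 56) - 1  # compare without the top byte, which this fault address lacks

def parse_registers(text):
    """Map register name -> 64-bit value for every register in the dump."""
    return {name: int(value, 16) for name, value in REG_RE.findall(text)}

def ascii_registers(text):
    """Registers whose eight bytes (little-endian, as stored in memory) are all
    printable ASCII: a sign that string data sits where a pointer was expected."""
    hits = {}
    for name, value in parse_registers(text).items():
        raw = value.to_bytes(8, "little")
        if all(0x20 <= b < 0x7F for b in raw):
            hits[name] = raw.decode("ascii")
    return hits

def fault_offsets(text, window=0x40):
    """Registers whose low 56 bits lie at most `window` bytes below the fault
    address, mapped to that offset (the likely base of the failing access)."""
    m = FAULT_RE.search(text)
    if not m:
        return {}  # no fault line in this excerpt
    fault = int(m.group(1), 16)
    offsets = {}
    for name, value in parse_registers(text).items():
        delta = fault - (value & MASK56)
        if 0 <= delta <= window:
            offsets[name] = delta
    return offsets

if __name__ == "__main__":
    print(ascii_registers(TOMBSTONE))
    print(fault_offsets(TOMBSTONE))
```

On this dump x0 and x19 decode to "FusedLoc" and x7 to "libjavac", and the fault address is 8 bytes past the low 56 bits of x0, so the faulting access was based on a register holding text rather than a heap address.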
I checked my GS7 conscrypt sources with another 7.1.1 deodexed TouchWiz ROM, and found that NativeCryptoJni.init() loads only one library, "libjavacrypto".
package com.android.org.conscrypt;

class NativeCryptoJni
{
    public static void init()
    {
        // The only native library loaded here: libjavacrypto
        System.loadLibrary("javacrypto");
    }
}
Unfortunately GS7 didn't get Android 7.1 yet, so I cannot debug this myself. We can try to hook the methods below; this helped in the past to get out of a boot loop on TW Lollipop and Marshmallow, but I didn't think it would be necessary since many TouchWiz devices booted fine on Nougat without it:
com.android.org.conscrypt.NativeCrypto.isMdfEnforced() -> false
com.samsung.android.security.CCManager.isMdfEnforced() -> false
I'll see if the deodex process does anything with oem-services.jar. I can assume that 88.2 does not have anything to do with this issue, correct?
Yes, unfortunately not. The next step from my point of view would be to try @wanam's suggestions. If that doesn't help, we need a special build with more logging output in LoadNativeLibrary(), e.g. to log all the parameters and especially the address of libraries_.
Alright. I'll figure out how to do @wanam's suggestion. Is there any documentation on it that I can follow? EDIT: I'm not entirely sure on how and where to do this, unfortunately. Is there anything I can follow to get that going, or can you tell me how to do it real quick? EDIT2: Found https://github.com/wanam/XposedBridge/commit/b9595e96bd204099bd8e6b1d9dbb89575fe1052a in @wanam's git history. Will be attempting.
I have some internet connection issues and cannot upload the full installer zip, so rename the attached file to "XposedBridge.jar" and put it in "/system/framework" inside the Xposed installer zip, flash the zip and get the logcat if the issue persists. XposedBridge.zip
Currently installing the studio to build myself as well. Already applied the commits to the latest tree in my repo. I'll try this real quick though. Thanks.
Well... with that something new happened, but I don't have a log because I need to recompile my binary for that, which I'm doing right now. Phone still bootloops but it vibrated after sitting like 5 min. Will be posting a new logcat in a few minutes.
You don't need to recompile the binaries, just use the official xposed 88.2 zip, replace "XposedBridge.jar" file inside the zip, flash it and try to get the logs.
Some of my old changes may not apply for tw nougat.
Right. I have little to no adb access, so I have custom binaries (commands) to fork a logcat and store it locally to the cache partition. That's how I have to get a logcat, since I can't adb logcat and live boot doesn't work.
Well... that's different. Had FULL adb access. I have a 39MB logcat, so I think I let it run long enough. Pulling from device in a few.
44MB logcat: https://drive.google.com/file/d/0B8CP3g3AqMuHVS1uZEFRQU9YYXM/view
Okay, let's try the opposite. Surprisingly it seems that setting "isMdfEnforced()" to true forced Private mode to work, maybe other things I didn't test as well. Looking at "conscrypt.jar", Samsung uses this check to add some OpenSSL crypto algorithms.
@rovo89 Another thing I noticed: PackageManager scans "/system/container", which is not supported on the AOSP version of "ScanSystemApps"; this folder contains some Knox apps.
I'm also getting this error with no apparent issue:
10-31 08:59:09.122 3319 3319 E SemAffinityControl: SemAffinityControl: registerfunction enter
Please try attached file and post your logcat again. xposed-v88.3-sdk24-arm64-wanam-test1.zip
Edit: added sdk25 xposed-v88.3-sdk25-arm64-wanam-test1.zip
Testing and getting logs now
Newest log using 88.3-sdk-wanam-test1 https://drive.google.com/file/d/0B8CP3g3AqMuHR3ZpdTAtY2QtTjA/view?usp=sharing
From what I can see it made absolutely no difference :(
Any further ideas?
Any progress being made?
Bump... Any forward momentum? It's a shame that the SD S8/8+ works, not Note SD Note 8
I haven't worked on this, there are currently other priorities for me.
Unfortunately the logs don't say much about where we should look. Do you know any GS7 ROM port that has the same issue, so I can reproduce it?
If I can help anyway... I am pretty competent with debugging. That 88.3 zip that you uploaded- does that have the LoadNativeLibrary() like @rovo89 recommended?
I have not actively worked on this for a while, but I am back on this. Hopefully something nice will happen soon.
update xposed-v89-sdk25-arm64, Note8 Snapdragon can not boot logcat.txt
@wanam since you mentioned /system/container previously, could not having the /system/container folder in the ROM be causing the issue? (We remove it for deknoxing.)