Android 14 Compatibility Break: IDA Pro Debugger Triggers Null Pointer Crash in ART Runtime

IDA General Bugs
1

The issue occurs on Android 14 (works fine on Android 12 versions)

Issue Description :
When using IDA Pro to debug processes on Android 14 devices, the target process consistently crashes during the boot-framework phase immediately after attachment and continue execution . The crash occurs at the following disassembly point:
boot_framework.oat base → 71FAC000

boot_framework.oat:00000000725DDF10 ; ---------------------------------------------------------------------------
boot_framework.oat:00000000725DDF10 LDR     X21, [X21]
boot_framework.oat:00000000725DDF14 MOV     X22, X1
boot_framework.oat:00000000725DDF18 MOV     X15, X0
boot_framework.oat:00000000725DDF1C ADRP    X30, #off_71354E10@PAGE
boot_framework.oat:00000000725DDF20 LDR     X30, [X30,#off_71354E10@PAGEOFF]
boot_framework.oat:00000000725DDF24 BLR     X30                             ; atrace_get_enabled_tags
boot_framework.oat:00000000725DDF28 AND     X0, X22, X0
boot_framework.oat:00000000725DDF2C CMP     X0, #0
boot_framework.oat:00000000725DDF30 CSET    W0, NE
boot_framework.oat:00000000725DDF34 LDP     X23, X30, [SP,#0x10]
boot_framework.oat:00000000725DDF38 LDP     XZR, X22, [SP],#0x20
boot_framework.oat:00000000725DDF3C RET

Debugger: attached to process /system/bin/app_process64 (pid=17593)
71BFD108: got SIGSEGV signal (Segmentation violation) (exc.code b, tid 17609)

image
image1920×812 188 KB

2

Thank you very much for the report. Does it happen in the emulator, real device (which?), or both? Were you able to track down the crash location to a line in the source code? If you step instead of continue, do you get the crash?

3

Sorry for the late response. My triggering environment is on a real device - I haven’t tested it on the emulator. The crash location shouldn’t have much relationship with the debugged application’s source code, because I encounter the same crash regardless of which application I’m debugging. Step debugging triggers a null pointer error that causes the crash and exit.

4

Thank you for the update and sorry for the unclear message previously. By “source code”, I meant the source of Android kernel or runtime (if it’s possible to find it).

6

Finding the corresponding source code is quite difficult, and IDA cannot decompile the corresponding symbols. My environment is Pixel 8 Magisk Root Android 14 (Build number AP1A.240305.019.A1), which should theoretically make it easy to reproduce this crash scenario.

7

runtime/arch/arm64/fault_handler_arm64.cc - platform/art - Git at Google Maybe here.

8

going by the code, the null deref should be handled by the kernel/runtime and not passed to the application. Is gdb/lldb able to debug?

9

I haven’t tried it; I’m not very familiar with lldb and gdb. I hope the compatibility issues on Android 14 can be fixed; otherwise, it will be quite troublesome as many new devices will be unable to be debugged.:melting_face:

1 Like
10

I tried using gdbserver --multi, and then attached it with IDA. In this case, it did not crash. It seems that IDA’s Android server is not adapted for the new version of Android.:smiling_face_with_tear:

11

Thank you for checking. Hopefully we’ll be able to track down why there is a difference in behavior.

Android_server doesn't work AOSP
12

Hi again @608ccc ,

In another thread, the following helped:

adb shell setprop dalvik.vm.usejit false

can you try it?

13

Idk why, but it works only for apps with android::debugging flag. I still can’t debug for example Camera app (any system apps)..

14

Same issue on Android 15 (Real machine).

I enabled global debugging using the following command:

adb shell
su
magisk resetprop ro.build.type userdebug
magisk resetprop persist.debug.dalvik.vm.jdwp.enabled 1
magisk resetprop ro.debuggable 1
magisk resetprop dalvik.vm.usejit false
stop;start

The app launches correctly and displays “Waiting For Debugger”.

Then use IDA to attach to the process, and attach jdb to notify the app to continue running.

PixPin_2025-12-07_15-31-13
PixPin_2025-12-07_15-31-131920×1278 539 KB

Finally, when I pressed F9 in IDA, SIGSEGV appeared here. I tried ignoring the exception, but it didn’t work.

15

Hi everyone!

A quick follow up - this Android debugger issue is going to be fixed in the upcoming release, which is right around the corner. If you’d like to be among the very first to try it out - you’re welcome to join our beta program!

How to enroll in the beta, if you haven’t done so yet:

  1. Log in to My Hex Rays portal
  2. Click Subscribe to the beta right away from your dashboard.

Waiting for you to join and share your thoughts!