Android_server is bad since android 14

Hi again! Please try to debug any app via android_server since Android 14; it isn't possible. You will get crashes or many exceptions.
If I use lldb-server and the lldb client with

settings set plugin.jit-loader.gdb.enable off
process handle SIGSEGV -s false -p true -n false
process handle SIGBUS -s false -p true -n false

it works perfectly.
How can I use IDA instead of the lldb client for lldb-server?

You can try configuring exceptions in IDA’s debugger options to behave similarly (don’t suspend, pass to application).

I did it, but the app still crashes. How can I log the reason for the crash?

Well, bypassing the signals in the runtime initialization will bypass the real crashes too. Perhaps you need to bypass the signals only until the app starts up, then restore the settings so that you can catch the crashes in the app.

Enabling the log option might help you to track down the cutoff point (e.g. when addresses start to change).


The app always crashes when I use IDA; when I use the lldb client everything works perfectly.


51 18279-18279 DEBUG crash_dump64 A *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
2025-09-27 15:45:58.151 18279-18279 DEBUG crash_dump64 A Build fingerprint: ‘Android/aosp_komodo/komodo:14/AD1A.240530.030/eng.root.20250905.041410:userdebug/test-keys’
2025-09-27 15:45:58.151 18279-18279 DEBUG crash_dump64 A Revision: ‘MP1.0’
2025-09-27 15:45:58.151 18279-18279 DEBUG crash_dump64 A ABI: ‘arm64’
2025-09-27 15:45:58.151 18279-18279 DEBUG crash_dump64 A Timestamp: 2025-09-27 15:45:57.994645875+0300
2025-09-27 15:45:58.151 18279-18279 DEBUG crash_dump64 A Process uptime: 1s
2025-09-27 15:45:58.151 18279-18279 DEBUG crash_dump64 A Cmdline:
2025-09-27 15:45:58.151 18279-18279 DEBUG crash_dump64 A pid: 18261, tid: 18268, name: ADB-JDWP Connec >>> <<<
2025-09-27 15:45:58.151 18279-18279 DEBUG crash_dump64 A uid: 10126
2025-09-27 15:45:58.151 18279-18279 DEBUG crash_dump64 A tagged_addr_ctrl: 0000000000000001 (PR_TAGGED_ADDR_ENABLE)
2025-09-27 15:45:58.151 18279-18279 DEBUG crash_dump64 A pac_enabled_keys: 000000000000000f (PR_PAC_APIAKEY, PR_PAC_APIBKEY, PR_PAC_APDAKEY, PR_PAC_APDBKEY)
2025-09-27 15:45:58.151 18279-18279 DEBUG crash_dump64 A signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0000007ad389d3c0
2025-09-27 15:45:58.151 18279-18279 DEBUG crash_dump64 A x0 0000007c576a6820 x1 0000000000000000 x2 0000007ad2959f64 x3 0000000000000004
2025-09-27 15:45:58.151 18279-18279 DEBUG crash_dump64 A x4 0000000000000000 x5 0000000000000000 x6 0000007aa24805d8 x7 0000007aa2480d40
2025-09-27 15:45:58.151 18279-18279 DEBUG crash_dump64 A x8 0000007aa24805f0 x9 0000007ad347612c x10 0000000000002f38 x11 0000007ad2ebded0
2025-09-27 15:45:58.151 18279-18279 DEBUG crash_dump64 A x12 0000007ad3aa8000 x13 0000007ad295aad0 x14 0000000000000000 x15 0000000000000000
2025-09-27 15:45:58.151 18279-18279 DEBUG crash_dump64 A x16 0000007ad389d000 x17 0000007d8706f940 x18 0000007a4c658000 x19 0000007aa2480680
2025-09-27 15:45:58.151 18279-18279 DEBUG crash_dump64 A x20 0000007aa2480688 x21 0000007c576a6820 x22 0000007ad295aade x23 0000000000000000
2025-09-27 15:45:58.151 18279-18279 DEBUG crash_dump64 A x24 0000007aa24805d8 x25 0000007ad295aad8 x26 0000000000000004 x27 000000000000306e
2025-09-27 15:45:58.151 18279-18279 DEBUG crash_dump64 A x28 0000007aa2480618 x29 0000007aa2480560
2025-09-27 15:45:58.151 18279-18279 DEBUG crash_dump64 A lr 0000007ad3476148 sp 0000007aa2480430 pc 0000007ad382fd74 pst 0000000000001000
2025-09-27 15:45:58.151 18279-18279 DEBUG crash_dump64 A 45 total frames
2025-09-27 15:45:58.151 18279-18279 DEBUG crash_dump64 A backtrace:
2025-09-27 15:45:58.151 18279-18279 DEBUG crash_dump64 A #00 pc 00000000009b6d74 /apex/com.android.art/lib64/libart.so (BuildId: 1baa085e52462906909d6dfe1b6332e2)
2025-09-27 15:45:58.152 18279-18279 DEBUG crash_dump64 A #01 pc 00000000005fd144 /apex/com.android.art/lib64/libart.so (void art::interpreter::ExecuteSwitchImplCpp(art::interpreter::SwitchImplContext*)+12532) (BuildId: 1baa085e52462906909d6dfe1b6332e2)
2025-09-27 15:45:58.152 18279-18279 DEBUG crash_dump64 A #02 pc 00000000003b8dd8 /apex/com.android.art/lib64/libart.so (ExecuteSwitchImplAsm+8) (BuildId: 1baa085e52462906909d6dfe1b6332e2)
2025-09-27 15:45:58.152 18279-18279 DEBUG crash_dump64 A #03 pc 000000000015aad0 /apex/com.android.art/javalib/core-oj.jar (java.nio.Bits.putCharB+0)
2025-09-27 15:45:58.152 18279-18279 DEBUG crash_dump64 A #04 pc 0000000000417424 /apex/com.android.art/lib64/libart.so (art::interpreter::Execute(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame&, art::JValue, bool, bool) (.__uniq.112435418011751916792819755956732575238.llvm.8052627883304077624)+244) (BuildId: 1baa085e52462906909d6dfe1b6332e2)
2025-09-27 15:45:58.152 18279-18279 DEBUG crash_dump64 A #05 pc 0000000000526878 /apex/com.android.art/lib64/libart.so (bool art::interpreter::DoCall(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, bool, art::JValue*)+3416) (BuildId: 1baa085e52462906909d6dfe1b6332e2)
2025-09-27 15:45:58.152 18279-18279 DEBUG crash_dump64 A #06 pc 00000000005fd460 /apex/com.android.art/lib64/libart.so (void art::interpreter::ExecuteSwitchImplCpp(art::interpreter::SwitchImplContext*)+13328) (BuildId: 1baa085e52462906909d6dfe1b6332e2)
2025-09-27 15:45:58.152 18279-18279 DEBUG crash_dump64 A #07 pc 00000000003b8dd8 /apex/com.android.art/lib64/libart.so (ExecuteSwitchImplAsm+8) (BuildId: 1baa085e52462906909d6dfe1b6332e2)
2025-09-27 15:45:58.152 18279-18279 DEBUG crash_dump64 A #08 pc 000000000015aa88 /apex/com.android.art/javalib/core-oj.jar (java.nio.Bits.putChar+0)
2025-09-27 15:45:58.152 18279-18279 DEBUG crash_dump64 A #09 pc 0000000000417424 /apex/com.android.art/lib64/libart.so (art::interpreter::Execute(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame&, art::JValue, bool, bool) (.__uniq.112435418011751916792819755956732575238.llvm.8052627883304077624)+244) (BuildId: 1baa085e52462906909d6dfe1b6332e2)
2025-09-27 15:45:58.152 18279-18279 DEBUG crash_dump64 A #10 pc 0000000000526878 /apex/com.android.art/lib64/libart.so (bool art::interpreter::DoCall(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, bool, art::JValue*)+3416) (BuildId: 1baa085e52462906909d6dfe1b6332e2)
2025-09-27 15:45:58.152 18279-18279 DEBUG crash_dump64 A #11 pc 00000000005fd460 /apex/com.android.art/lib64/libart.so (void art::interpreter::ExecuteSwitchImplCpp(art::interpreter::SwitchImplContext*)+13328) (BuildId: 1baa085e52462906909d6dfe1b6332e2)
2025-09-27 15:45:58.152 18279-18279 DEBUG crash_dump64 A #12 pc 00000000003b8dd8 /apex/com.android.art/lib64/libart.so (ExecuteSwitchImplAsm+8) (BuildId: 1baa085e52462906909d6dfe1b6332e2)
2025-09-27 15:45:58.152 18279-18279 DEBUG crash_dump64 A #13 pc 0000000000163044 /apex/com.android.art/javalib/core-oj.jar (java.nio.HeapByteBuffer.putChar+0)
2025-09-27 15:45:58.152 18279-18279 DEBUG crash_dump64 A #14 pc 0000000000417424 /apex/com.android.art/lib64/libart.so (art::interpreter::Execute(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame&, art::JValue, bool, bool) (.__uniq.112435418011751916792819755956732575238.llvm.8052627883304077624)+244) (BuildId: 1baa085e52462906909d6dfe1b6332e2)
2025-09-27 15:45:58.152 18279-18279 DEBUG crash_dump64 A #15 pc 0000000000526878 /apex/com.android.art/lib64/libart.so (bool art::interpreter::DoCall(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, bool, art::JValue*)+3416) (BuildId: 1baa085e52462906909d6dfe1b6332e2)
2025-09-27 15:45:58.152 18279-18279 DEBUG crash_dump64 A #16 pc 00000000005fd460 /apex/com.android.art/lib64/libart.so (void art::interpreter::ExecuteSwitchImplCpp(art::interpreter::SwitchImplContext*)+13328) (BuildId: 1baa085e52462906909d6dfe1b6332e2)
2025-09-27 15:45:58.152 18279-18279 DEBUG crash_dump64 A #17 pc 00000000003b8dd8 /apex/com.android.art/lib64/libart.so (ExecuteSwitchImplAsm+8) (BuildId: 1baa085e52462906909d6dfe1b6332e2)
2025-09-27 15:45:58.152 18279-18279 DEBUG crash_dump64 A #18 pc 00000000003fc32c /system/framework/framework.jar (android.ddm.DdmHandle.putString+0)
2025-09-27 15:45:58.152 18279-18279 DEBUG crash_dump64 A #19 pc 0000000000417424 /apex/com.android.art/lib64/libart.so (art::interpreter::Execute(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame&, art::JValue, bool, bool) (.__uniq.112435418011751916792819755956732575238.llvm.8052627883304077624)+244) (BuildId: 1baa085e52462906909d6dfe1b6332e2)
2025-09-27 15:45:58.152 18279-18279 DEBUG crash_dump64 A #20 pc 0000000000526878 /apex/com.android.art/lib64/libart.so (bool art::interpreter::DoCall(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, bool, art::JValue*)+3416) (BuildId: 1baa085e52462906909d6dfe1b6332e2)
2025-09-27 15:45:58.152 18279-18279 DEBUG crash_dump64 A #21 pc 00000000005fd460 /apex/com.android.art/lib64/libart.so (void art::interpreter::ExecuteSwitchImplCpp(art::interpreter::SwitchImplContext*)+13328) (BuildId: 1baa085e52462906909d6dfe1b6332e2)
2025-09-27 15:45:58.152 18279-18279 DEBUG crash_dump64 A #22 pc 00000000003b8dd8 /apex/com.android.art/lib64/libart.so (ExecuteSwitchImplAsm+8) (BuildId: 1baa085e52462906909d6dfe1b6332e2)
2025-09-27 15:45:58.152 18279-18279 DEBUG crash_dump64 A #23 pc 00000000003faf3c /system/framework/framework.jar (android.ddm.DdmHandleHello.handleFEAT+0)
2025-09-27 15:45:58.152 18279-18279 DEBUG crash_dump64 A #24 pc 0000000000417424 /apex/com.android.art/lib64/libart.so (art::interpreter::Execute(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame&, art::JValue, bool, bool) (.__uniq.112435418011751916792819755956732575238.llvm.8052627883304077624)+244) (BuildId: 1baa085e52462906909d6dfe1b6332e2)
2025-09-27 15:45:58.152 18279-18279 DEBUG crash_dump64 A #25 pc 0000000000526878 /apex/com.android.art/lib64/libart.so (bool art::interpreter::DoCall(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, bool, art::JValue*)+3416) (BuildId: 1baa085e52462906909d6dfe1b6332e2)
2025-09-27 15:45:58.152 18279-18279 DEBUG crash_dump64 A #26 pc 00000000005fd460 /apex/com.android.art/lib64/libart.so (void art::interpreter::ExecuteSwitchImplCpp(art::interpreter::SwitchImplContext*)+13328) (BuildId: 1baa085e52462906909d6dfe1b6332e2)
2025-09-27 15:45:58.152 18279-18279 DEBUG crash_dump64 A #27 pc 00000000003b8dd8 /apex/com.android.art/lib64/libart.so (ExecuteSwitchImplAsm+8) (BuildId: 1baa085e52462906909d6dfe1b6332e2)
2025-09-27 15:45:58.152 18279-18279 DEBUG crash_dump64 A #28 pc 00000000003faec8 /system/framework/framework.jar (android.ddm.DdmHandleHello.handleChunk+0)
2025-09-27 15:45:58.152 18279-18279 DEBUG crash_dump64 A #29 pc 0000000000417424 /apex/com.android.art/lib64/libart.so (art::interpreter::Execute(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame&, art::JValue, bool, bool) (.__uniq.112435418011751916792819755956732575238.llvm.8052627883304077624)+244) (BuildId: 1baa085e52462906909d6dfe1b6332e2)
2025-09-27 15:45:58.152 18279-18279 DEBUG crash_dump64 A #30 pc 0000000000526878 /apex/com.android.art/lib64/libart.so (bool art::interpreter::DoCall(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, bool, art::JValue*)+3416) (BuildId: 1baa085e52462906909d6dfe1b6332e2)
2025-09-27 15:45:58.152 18279-18279 DEBUG crash_dump64 A #31 pc 00000000005fd460 /apex/com.android.art/lib64/libart.so (void art::interpreter::ExecuteSwitchImplCpp(art::interpreter::SwitchImplContext*)+13328) (BuildId: 1baa085e52462906909d6dfe1b6332e2)
2025-09-27 15:45:58.152 18279-18279 DEBUG crash_dump64 A #32 pc 00000000003b8dd8 /apex/com.android.art/lib64/libart.so (ExecuteSwitchImplAsm+8) (BuildId: 1baa085e52462906909d6dfe1b6332e2)
2025-09-27 15:45:58.152 18279-18279 DEBUG crash_dump64 A #33 pc 0000000000040880 /apex/com.android.art/javalib/core-libart.jar (org.apache.harmony.dalvik.ddmc.DdmServer.dispatch+0)
2025-09-27 15:45:58.152 18279-18279 DEBUG crash_dump64 A #34 pc 00000000003cb538 /apex/com.android.art/lib64/libart.so (artQuickToInterpreterBridge+952) (BuildId: 1baa085e52462906909d6dfe1b6332e2)
2025-09-27 15:45:58.152 18279-18279 DEBUG crash_dump64 A #35 pc 00000000003b6898 /apex/com.android.art/lib64/libart.so (art_quick_to_interpreter_bridge+88) (BuildId: 1baa085e52462906909d6dfe1b6332e2)
2025-09-27 15:45:58.152 18279-18279 DEBUG crash_dump64 A #36 pc 00000000003a0240 /apex/com.android.art/lib64/libart.so (art_quick_invoke_static_stub+640) (BuildId: 1baa085e52462906909d6dfe1b6332e2)
2025-09-27 15:45:58.152 18279-18279 DEBUG crash_dump64 A #37 pc 0000000000340e7c /apex/com.android.art/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+220) (BuildId: 1baa085e52462906909d6dfe1b6332e2)
2025-09-27 15:45:58.152 18279-18279 DEBUG crash_dump64 A #38 pc 00000000007ba364 /apex/com.android.art/lib64/libart.so (art::detail::ShortyTraits<(char)76>::Type art::ArtMethod::InvokeStatic<(char)76, (char)73, (char)76, (char)73, (char)73>(art::Thread*, art::detail::ShortyTraits<(char)73>::Type, art::detail::ShortyTraits<(char)76>::Type, art::detail::ShortyTraits<(char)73>::Type, art::detail::ShortyTraits<(char)73>::Type)+84) (BuildId: 1baa085e52462906909d6dfe1b6332e2)
2025-09-27 15:45:58.152 18279-18279 DEBUG crash_dump64 A #39 pc 00000000007b9a94 /apex/com.android.art/lib64/libart.so (art::Dbg::DdmHandleChunk(_JNIEnv*, unsigned int, art::ArrayRef const&, unsigned int*, std::__1::vector<unsigned char, std::__1::allocator >)+276) (BuildId: 1baa085e52462906909d6dfe1b6332e2)
2025-09-27 15:45:58.152 18279-18279 DEBUG crash_dump64 A #40 pc 000000000001549c /apex/com.android.art/lib64/libadbconnection.so (adbconnection::AdbConnectionState::HandleDataWithoutAgent(art::Thread*)+940) (BuildId: 8fca99393dcb72bb5b31fb8c55c1e67e)
2025-09-27 15:45:58.152 18279-18279 DEBUG crash_dump64 A #41 pc 00000000000146d8 /apex/com.android.art/lib64/libadbconnection.so (adbconnection::AdbConnectionState::RunPollLoop(art::Thread*)+1800) (BuildId: 8fca99393dcb72bb5b31fb8c55c1e67e)
2025-09-27 15:45:58.152 18279-18279 DEBUG crash_dump64 A #42 pc 0000000000012af0 /apex/com.android.art/lib64/libadbconnection.so (adbconnection::CallbackFunction(void*)+1344) (BuildId: 8fca99393dcb72bb5b31fb8c55c1e67e)
2025-09-27 15:45:58.152 18279-18279 DEBUG crash_dump64 A #43 pc 000000000007afbc /apex/com.android.runtime/lib64/bionic/libc.so (__pthread_start(void*)+204) (BuildId: d6dbe2c18b0def7e9ee1655171c8af09)
2025-09-27 15:45:58.152 18279-18279 DEBUG crash_dump64 A #44 pc 000000000006cd60 /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+64) (BuildId: d6dbe2c18b0def7e9ee1655171c8af09)
2025-09-27 15:45:53.011 408-408 logd pid-408 I logdr: UID=10126 GID=10126 PID=18279 n tail=500 logMask=8 pid=18261 start=0ns deadline=0ns
2025-09-27 15:45:53.013 408-408 logd pid-408 I logdr: UID=10126 GID=10126 PID=18279 n tail=500 logMask=1 pid=18261 start=0ns deadline=0ns
2025-09-27 15:45:58.162 617-617 tombstoned tombstoned E Tombstone written to: tombstone_24
2025-09-27 15:45:58.164 1355-18285 DropBoxManagerService system_server

Thank you. How is lldb configured for signal handling? Can you add the output of process handle in lldb?


(lldb) process handle
NAME PASS STOP NOTIFY
=========== ===== ===== ======
SIGHUP true true true
SIGINT false true true
SIGQUIT true true true
SIGILL true true true
SIGTRAP false true true
SIGABRT true true true
SIGBUS true false false
SIGFPE true true true
SIGKILL true true true
SIGUSR1 true true true
SIGSEGV true false false
SIGUSR2 true true true
SIGPIPE true true true
SIGALRM true false false
SIGTERM true true true
SIGSTKFLT true true true
SIGCHLD true false true
SIGCONT true false true
SIGSTOP false true true
SIGTSTP true true true
SIGTTIN true true true
SIGTTOU true true true
SIGURG true true true
SIGXCPU true true true
SIGXFSZ true true true
SIGVTALRM true true true
SIGPROF true false false
SIGWINCH true true true
SIGIO true true true
SIGPWR true true true
SIGSYS true true true
SIG32 true false false
SIG33 true false false
SIGRTMIN true false false
SIGRTMIN+1 true false false
SIGRTMIN+2 true false false
SIGRTMIN+3 true false false
SIGRTMIN+4 true false false
SIGRTMIN+5 true false false
SIGRTMIN+6 true false false
SIGRTMIN+7 true false false
SIGRTMIN+8 true false false
SIGRTMIN+9 true false false
SIGRTMIN+10 true false false
SIGRTMIN+11 true false false
SIGRTMIN+12 true false false
SIGRTMIN+13 true false false
SIGRTMIN+14 true false false
SIGRTMIN+15 true false false
SIGRTMAX-14 true false false
SIGRTMAX-13 true false false
SIGRTMAX-12 true false false
SIGRTMAX-11 true false false
SIGRTMAX-10 true false false
SIGRTMAX-9 true false false
SIGRTMAX-8 true false false
SIGRTMAX-7 true false false
SIGRTMAX-6 true false false
SIGRTMAX-5 true false false
SIGRTMAX-4 true false false
SIGRTMAX-3 true false false
SIGRTMAX-2 true false false
SIGRTMAX-1 true false false
SIGRTMAX true false false

I have tried to use the same in IDA, but IDA still crashes.
And with the option “settings set plugin.jit-loader.gdb.enable off” LLDB works faster.

I have noticed that in IDA it interrupts for SIGSEGV on

__rt_sigprocmask

libc.so:000000761D8F8680 __rt_sigprocmask
libc.so:000000761D8F8680 MOV X8, #0x87
libc.so:000000761D8F8684 SVC 0
libc.so:000000761D8F8688 CMN X0, #1,LSL#12
libc.so:000000761D8F868C CNEG X0, X0, HI
libc.so:000000761D8F8690 B.HI __set_errno_internal
libc.so:000000761D8F8694 RET

or JIT instructions,
but in LLDB it interrupts for SIGSEGV only on JIT instructions. Maybe __rt_sigprocmask crashes my app?
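
Why "don't suspend, pass to application" matters for SIGSEGV, as an added example that is not code from this thread, IDA or LLDB: a process that installs its own SIGSEGV handler can take a fault and carry on, but only if the signal actually reaches that handler. The guard page, the handler and the name `probe_handled_fault` are constructed for illustration.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf recover_point;           /* where the handler resumes */
static void *volatile reported_fault_addr; /* si_addr seen by the handler */

/* Runs only when SIGSEGV is delivered to the process, i.e. when no debugger
 * is attached or the debugger passes the signal on. */
static void on_segv(int sig, siginfo_t *info, void *ucontext) {
    (void)sig; (void)ucontext;
    reported_fault_addr = info->si_addr;
    siglongjmp(recover_point, 1);
}

/* Returns 1 if a deliberate fault reached our handler and execution resumed,
 * 0 if it did not, -1 if setup failed. */
int probe_handled_fault(void) {
    long page = sysconf(_SC_PAGESIZE);
    /* Constructed fault target: one page with no access rights. */
    void *guard = mmap(NULL, (size_t)page, PROT_NONE,
                       MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (guard == MAP_FAILED) return -1;

    struct sigaction sa = {0}, old;
    sa.sa_sigaction = on_segv;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, &old) != 0) { munmap(guard, (size_t)page); return -1; }

    int recovered;
    reported_fault_addr = NULL;
    if (sigsetjmp(recover_point, 1) == 0) {   /* 1: save the signal mask too */
        (void)*(volatile char *)guard;        /* faults with SIGSEGV */
        recovered = 0;                        /* reached only if no fault occurred */
    } else {
        /* Back from the handler: the fault was expected and is now handled. */
        recovered = (reported_fault_addr == guard);
    }

    sigaction(SIGSEGV, &old, NULL);           /* restore the previous handler */
    munmap(guard, (size_t)page);
    return recovered;
}

int main(void) {
    printf("handled fault recovered: %d\n", probe_handled_fault());
    return 0;
}
```

With a debugger attached, the handler runs only if SIGSEGV is passed to the process (PASS true in the `process handle` table above).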