frida-java-bridge 6.0.2 → 6.1.0

package/lib/android.js

@@ -1,6 +1,11 @@
 const makeCodeAllocator = require('./alloc');
+const {
+  jvmtiVersion,
+  jvmtiCapabilities,
+  EnvJvmti
+} = require('./jvmti');
 const memoize = require('./memoize');
-const { checkJniResult } = require('./result');
+const { checkJniResult, JNI_OK } = require('./result');
 const VM = require('./vm');
 
 const jsizeSize = 4;
@@ -99,6 +104,7 @@ const artThreadStateTransitions = {};
 let cachedApi = null;
 let MethodMangler = null;
 let artController = null;
+const inlineHooks = [];
 const patchedClasses = new Map();
 const artQuickInterceptors = [];
 let thunkPage = null;
@@ -330,6 +336,7 @@ function _getApi () {
           '_ZN3art3Dbg13ConfigureJdwpERKNS_4JDWP11JdwpOptionsE',
           '_ZN3art31InternalDebuggerControlCallback13StartDebuggerEv',
           '_ZN3art3Dbg15gDebuggerActiveE',
+          '_ZN3art15instrumentation15Instrumentation20EnableDeoptimizationEv',
           '_ZN3art15instrumentation15Instrumentation20DeoptimizeEverythingEPKc',
           '_ZN3art15instrumentation15Instrumentation20DeoptimizeEverythingEv',
           '_ZN3art7Runtime19DeoptimizeBootImageEv',
@@ -474,6 +481,16 @@ function _getApi () {
     artController = makeArtController(vm);
 
     fixupArtQuickDeliverExceptionBug(temporaryApi);
+
+    let cachedJvmti = null;
+    Object.defineProperty(temporaryApi, 'jvmti', {
+      get () {
+        if (cachedJvmti === null) {
+          cachedJvmti = [tryGetEnvJvmti(vm, this.artRuntime)];
+        }
+        return cachedJvmti[0];
+      }
+    });
   }
 
   const cxxImports = Module.enumerateImports(vmModule.path)
@@ -490,6 +507,39 @@ function _getApi () {
   return temporaryApi;
 }
 
+function tryGetEnvJvmti (vm, runtime) {
+  let env = null;
+
+  vm.perform(() => {
+    const ensurePluginLoaded = new NativeFunction(
+      Module.getExportByName('libart.so', '_ZN3art7Runtime18EnsurePluginLoadedEPKcPNSt3__112basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEE'),
+      'bool',
+      ['pointer', 'pointer', 'pointer']);
+    const errorPtr = Memory.alloc(pointerSize);
+    const success = ensurePluginLoaded(runtime, Memory.allocUtf8String('libopenjdkjvmti.so'), errorPtr);
+    if (!success) {
+      // FIXME: Avoid leaking error
+      return;
+    }
+
+    const kArtTiVersion = jvmtiVersion.v1_2 | 0x40000000;
+    const handle = vm.tryGetEnvHandle(kArtTiVersion);
+    if (handle === null) {
+      return;
+    }
+    env = new EnvJvmti(handle, vm);
+
+    const capaBuf = Memory.alloc(8);
+    capaBuf.writeU64(jvmtiCapabilities.canTagObjects);
+    const result = env.addCapabilities(capaBuf);
+    if (result !== JNI_OK) {
+      env = null;
+    }
+  });
+
+  return env;
+}
+
 function ensureClassInitialized (env, classRef) {
   const api = getApi();
   if (api.flavor !== 'art') {
@@ -530,6 +580,7 @@ function _getArtRuntimeSpec (api) {
    * InternTable* intern_table_;      <--/
    * ClassLinker* class_linker_;      <-/
    * SignalCatcher* signal_catcher_;
+   * SmallIrtAllocator* small_irt_allocator_; <------------ API level >= 33 or Android Tiramisu Developer Preview
    * std::unique_ptr<jni::JniIdManager> jni_id_manager_; <- API level >= 30 or Android R Developer Preview
    * bool use_tombstoned_traces_;     <-------------------- API level 27/28
    * std::string stack_trace_file_;   <-------------------- API level <= 28
@@ -553,7 +604,10 @@ function _getArtRuntimeSpec (api) {
     if (value.equals(vm)) {
       let classLinkerOffset = null;
       let jniIdManagerOffset = null;
-      if (apiLevel >= 30 || getAndroidCodename() === 'R') {
+      if (apiLevel >= 33 || getAndroidCodename() === 'Tiramisu') {
+        classLinkerOffset = offset - (4 * pointerSize);
+        jniIdManagerOffset = offset - pointerSize;
+      } else if (apiLevel >= 30 || getAndroidCodename() === 'R') {
         classLinkerOffset = offset - (3 * pointerSize);
         jniIdManagerOffset = offset - pointerSize;
       } else if (apiLevel >= 29) {
@@ -593,7 +647,7 @@ function _getArtRuntimeSpec (api) {
     throw new Error('Unable to determine Runtime field offsets');
   }
 
-  spec.offset.instrumentation = tryDetectInstrumentationOffset();
+  spec.offset.instrumentation = tryDetectInstrumentationOffset(api);
   spec.offset.jniIdsIndirection = tryDetectJniIdsIndirectionOffset();
 
   return spec;
@@ -606,15 +660,15 @@ const instrumentationOffsetParsers = {
   arm64: parseArm64InstrumentationOffset
 };
 
-function tryDetectInstrumentationOffset () {
-  let cur = Module.findExportByName('libart.so', 'MterpHandleException');
-  if (cur === null) {
+function tryDetectInstrumentationOffset (api) {
+  let cur = api['art::Runtime::DeoptimizeBootImage'];
+  if (cur === undefined) {
     return null;
   }
 
   const tryParse = instrumentationOffsetParsers[Process.arch];
 
-  for (let i = 0; i !== 20; i++) {
+  for (let i = 0; i !== 30; i++) {
     const insn = Instruction.parse(cur);
 
     const offset = tryParse(insn);
@@ -629,20 +683,16 @@ function tryDetectInstrumentationOffset () {
 }
 
 function parsex86InstrumentationOffset (insn) {
-  const { mnemonic } = insn;
-  if (mnemonic !== 'mov' && mnemonic !== 'add') {
+  if (insn.mnemonic !== 'lea') {
     return null;
   }
 
-  const op1 = insn.operands[1];
-  if (op1.type !== 'imm') {
-    return null;
-  }
-  if (op1.value < 0x100 || op1.value > 0x400) {
+  const offset = insn.operands[1].value.disp;
+  if (offset < 0x100 || offset > 0x400) {
     return null;
   }
 
-  return op1.value;
+  return offset;
 }
 
 function parseArmInstrumentationOffset (insn) {
@@ -673,12 +723,21 @@ function parseArm64InstrumentationOffset (insn) {
     return null;
   }
 
+  if (ops[0].value === 'sp' || ops[1].value === 'sp') {
+    return null;
+  }
+
   const op2 = ops[2];
   if (op2.type !== 'imm') {
     return null;
   }
 
-  return op2.value;
+  const offset = op2.value.valueOf();
+  if (offset < 0x100 || offset > 0x400) {
+    return null;
+  }
+
+  return offset;
 }
 
 const jniIdsIndirectionOffsetParsers = {
@@ -902,7 +961,7 @@ function _getArtMethodSpec (vm) {
 
   vm.perform(env => {
     const process = env.findClass('android/os/Process');
-    const setArgV0 = unwrapMethodId(env.getStaticMethodId(process, 'setArgV0', '(Ljava/lang/String;)V'));
+    const getElapsedCpuTime = unwrapMethodId(env.getStaticMethodId(process, 'getElapsedCpuTime', '()J'));
     env.deleteLocalRef(process);
 
     const runtimeModule = Process.getModuleByName('libandroid_runtime.so');
@@ -914,13 +973,13 @@ function _getArtMethodSpec (vm) {
     const entrypointFieldSize = (apiLevel <= 21) ? 8 : pointerSize;
 
     const expectedAccessFlags = kAccPublic | kAccStatic | kAccFinal | kAccNative;
-    const relevantAccessFlagsMask = ~(kAccPublicApi | kAccNterpInvokeFastPathFlag) >>> 0;
+    const relevantAccessFlagsMask = ~(kAccFastInterpreterToInterpreterInvoke | kAccPublicApi | kAccNterpInvokeFastPathFlag) >>> 0;
 
     let jniCodeOffset = null;
     let accessFlagsOffset = null;
     let remaining = 2;
     for (let offset = 0; offset !== 64 && remaining !== 0; offset += 4) {
-      const field = setArgV0.add(offset);
+      const field = getElapsedCpuTime.add(offset);
 
       if (jniCodeOffset === null) {
         const address = field.readPointer();
@@ -1711,6 +1770,7 @@ on_leave_gc_concurrent_copying_copying_phase (GumInvocationContext * ic)
   return {
     handle: cm,
     replacedMethods: {
+      isReplacement: new NativeFunction(cm.is_replacement_method, 'bool', ['pointer'], fastOptions),
       get: new NativeFunction(cm.get_replacement_method, 'pointer', ['pointer'], fastOptions),
       set: new NativeFunction(cm.set_replacement_method, 'void', ['pointer', 'pointer'], fastOptions),
       delete: new NativeFunction(cm.delete_replacement_method, 'void', ['pointer'], fastOptions),
@@ -1785,18 +1845,20 @@ function ensureArtKnowsHowToHandleReplacementMethods (vm) {
   }
   taughtArtAboutReplacementMethods = true;
 
-  const { getOatQuickMethodHeaderImpl } = artController;
-  if (getOatQuickMethodHeaderImpl === null) {
-    return;
-  }
+  if (!maybeInstrumentGetOatQuickMethodHeaderInlineCopies()) {
+    const { getOatQuickMethodHeaderImpl } = artController;
+    if (getOatQuickMethodHeaderImpl === null) {
+      return;
+    }
 
-  try {
-    Interceptor.replace(getOatQuickMethodHeaderImpl, artController.hooks.ArtMethod.getOatQuickMethodHeader);
-  } catch (e) {
-    /*
-     * Already replaced by another script. For now we don't support replacing methods from multiple scripts,
-     * but we'll allow users to try it if they're feeling adventurous.
-     */
+    try {
+      Interceptor.replace(getOatQuickMethodHeaderImpl, artController.hooks.ArtMethod.getOatQuickMethodHeader);
+    } catch (e) {
+      /*
+       * Already replaced by another script. For now we don't support replacing methods from multiple scripts,
+       * but we'll allow users to try it if they're feeling adventurous.
+       */
+    }
   }
 
   const apiLevel = getAndroidApiLevel();
@@ -1813,6 +1875,385 @@ function ensureArtKnowsHowToHandleReplacementMethods (vm) {
   }
 }
 
+const artGetOatQuickMethodHeaderInlinedCopyHandler = {
+  arm: {
+    signatures: [
+      {
+        pattern: [
+          'b0 68', // ldr r0, [r6, #8]
+          '01 30', // adds r0, #1
+          '0c d0', // beq #0x16fcd4
+          '1b 98', // ldr r0, [sp, #0x6c]
+          ':',
+          'c0 ff',
+          'c0 ff',
+          '00 ff',
+          '00 2f'
+        ],
+        validateMatch: validateGetOatQuickMethodHeaderInlinedMatchArm
+      },
+      {
+        pattern: [
+          'd8 f8 08 00', // ldr r0, [r8, #8]
+          '01 30', // adds r0, #1
+          '0c d0', // beq #0x16fcd4
+          '1b 98', // ldr r0, [sp, #0x6c]
+          ':',
+          'f0 ff ff 0f',
+          'ff ff',
+          '00 ff',
+          '00 2f'
+        ],
+        validateMatch: validateGetOatQuickMethodHeaderInlinedMatchArm
+      },
+      {
+        pattern: [
+          'b0 68', // ldr r0, [r6, #8]
+          '01 30', // adds r0, #1
+          '40 f0 c3 80', // bne #0x203bf0
+          '00 25', // movs r5, #0
+          ':',
+          'c0 ff',
+          'c0 ff',
+          'c0 fb 00 d0',
+          'ff f8'
+        ],
+        validateMatch: validateGetOatQuickMethodHeaderInlinedMatchArm
+      }
+    ],
+    instrument: instrumentGetOatQuickMethodHeaderInlinedCopyArm
+  },
+  arm64: {
+    signatures: [
+      {
+        pattern: [
+          /* e8 */ '0a 40 b9', // ldr w8, [x23, #0x8]
+          '1f 05 00 31', // cmn w8, #0x1
+          '40 01 00 54', // b.eq 0x2e4204
+          '88 39 00 f0', // adrp x8, 0xa17000
+          ':',
+          /* 00 */ 'fc ff ff',
+          '1f fc ff ff',
+          '1f 00 00 ff',
+          '00 00 00 9f'
+        ],
+        offset: 1,
+        validateMatch: validateGetOatQuickMethodHeaderInlinedMatchArm64
+      },
+      {
+        pattern: [
+          /* e8 */ '0a 40 b9', // ldr w8, [x23, #0x8]
+          '1f 05 00 31', // cmn w8, #0x1
+          '01 34 00 54', // b.ne 0x3d8e50
+          'e0 03 1f aa', // mov x0, xzr
+          ':',
+          /* 00 */ 'fc ff ff',
+          '1f fc ff ff',
+          '1f 00 00 ff',
+          'e0 ff ff ff'
+        ],
+        offset: 1,
+        validateMatch: validateGetOatQuickMethodHeaderInlinedMatchArm64
+      }
+    ],
+    instrument: instrumentGetOatQuickMethodHeaderInlinedCopyArm64
+  }
+};
+
+function validateGetOatQuickMethodHeaderInlinedMatchArm ({ address, size }) {
+  const ldr = Instruction.parse(address.or(1));
+  const [ldrDst, ldrSrc] = ldr.operands;
+  const methodReg = ldrSrc.value.base;
+  const scratchReg = ldrDst.value;
+
+  const branch = Instruction.parse(ldr.next.add(2));
+  const targetWhenTrue = ptr(branch.operands[0].value);
+  const targetWhenFalse = branch.address.add(branch.size);
+
+  let targetWhenRegularMethod, targetWhenRuntimeMethod;
+  if (branch.mnemonic === 'beq') {
+    targetWhenRegularMethod = targetWhenFalse;
+    targetWhenRuntimeMethod = targetWhenTrue;
+  } else {
+    targetWhenRegularMethod = targetWhenTrue;
+    targetWhenRuntimeMethod = targetWhenFalse;
+  }
+
+  let cursor = targetWhenRegularMethod.or(1);
+  for (let i = 0; i !== 3; i++) {
+    const insn = Instruction.parse(cursor);
+    cursor = insn.next;
+
+    const { mnemonic } = insn;
+    if (!(mnemonic === 'ldr' || mnemonic === 'ldr.w')) {
+      continue;
+    }
+
+    const { base, disp } = insn.operands[1].value;
+    if (base === methodReg && disp === 0x14) {
+      return {
+        methodReg,
+        scratchReg,
+        target: {
+          whenTrue: targetWhenTrue,
+          whenRegularMethod: targetWhenRegularMethod,
+          whenRuntimeMethod: targetWhenRuntimeMethod
+        }
+      };
+    }
+  }
+
+  return null;
+}
+
+function validateGetOatQuickMethodHeaderInlinedMatchArm64 ({ address, size }) {
+  const [ldrDst, ldrSrc] = Instruction.parse(address).operands;
+  const methodReg = ldrSrc.value.base;
+  const scratchReg = 'x' + ldrDst.value.substring(1);
+
+  const branch = Instruction.parse(address.add(8));
+  const targetWhenTrue = ptr(branch.operands[0].value);
+  const targetWhenFalse = address.add(12);
+
+  let targetWhenRegularMethod, targetWhenRuntimeMethod;
+  if (branch.mnemonic === 'b.eq') {
+    targetWhenRegularMethod = targetWhenFalse;
+    targetWhenRuntimeMethod = targetWhenTrue;
+  } else {
+    targetWhenRegularMethod = targetWhenTrue;
+    targetWhenRuntimeMethod = targetWhenFalse;
+  }
+
+  let cursor = targetWhenRegularMethod;
+  for (let i = 0; i !== 3; i++) {
+    const insn = Instruction.parse(cursor);
+    cursor = insn.next;
+
+    if (insn.mnemonic !== 'ldr') {
+      continue;
+    }
+
+    const { base, disp } = insn.operands[1].value;
+    if (base === methodReg && disp === 0x18) {
+      return {
+        methodReg,
+        scratchReg,
+        target: {
+          whenTrue: targetWhenTrue,
+          whenRegularMethod: targetWhenRegularMethod,
+          whenRuntimeMethod: targetWhenRuntimeMethod
+        }
+      };
+    }
+  }
+
+  return null;
+}
+
+function maybeInstrumentGetOatQuickMethodHeaderInlineCopies () {
+  if (getAndroidApiLevel() < 31) {
+    return false;
+  }
+
+  const handler = artGetOatQuickMethodHeaderInlinedCopyHandler[Process.arch];
+  if (handler === undefined) {
+    // Not needed on x86 and x64, at least not for now...
+    return false;
+  }
+
+  const signatures = handler.signatures.map(({ pattern, offset = 0, validateMatch = returnEmptyObject }) => {
+    return {
+      pattern: new MatchPattern(pattern.join('')),
+      offset,
+      validateMatch
+    };
+  });
+
+  const impls = [];
+  for (const { base, size } of getApi().module.enumerateRanges('--x')) {
+    for (const { pattern, offset, validateMatch } of signatures) {
+      const matches = Memory.scanSync(base, size, pattern)
+        .map(({ address, size }) => {
+          return { address: address.sub(offset), size: size + offset };
+        })
+        .filter(match => {
+          const validationResult = validateMatch(match);
+          if (validationResult === null) {
+            return false;
+          }
+          match.validationResult = validationResult;
+          return true;
+        });
+      impls.push(...matches);
+    }
+  }
+
+  impls.forEach(handler.instrument);
+
+  return true;
+}
+
+function returnEmptyObject () {
+  return {};
+}
+
+class InlineHook {
+  constructor (address, size, trampoline) {
+    this.address = address;
+    this.size = size;
+    this.originalCode = address.readByteArray(size);
+    this.trampoline = trampoline;
+  }
+
+  revert () {
+    Memory.patchCode(this.address, this.size, code => {
+      code.writeByteArray(this.originalCode);
+    });
+  }
+}
+
+function instrumentGetOatQuickMethodHeaderInlinedCopyArm ({ address, size, validationResult }) {
+  const { methodReg, target } = validationResult;
+
+  const trampoline = Memory.alloc(Process.pageSize);
+  let redirectCapacity = size;
+
+  Memory.patchCode(trampoline, 256, code => {
+    const writer = new ThumbWriter(code, { pc: trampoline });
+
+    const relocator = new ThumbRelocator(address, writer);
+    for (let i = 0; i !== 2; i++) {
+      relocator.readOne();
+    }
+    relocator.writeAll();
+
+    relocator.readOne();
+    relocator.skipOne();
+    writer.putBCondLabel('eq', 'runtime_or_replacement_method');
+
+    const vpushFpRegs = [0x2d, 0xed, 0x10, 0x0a]; /* vpush {s0-s15} */
+    writer.putBytes(vpushFpRegs);
+
+    const savedRegs = ['r0', 'r1', 'r2', 'r3'];
+    writer.putPushRegs(savedRegs);
+
+    writer.putCallAddressWithArguments(artController.replacedMethods.isReplacement, [methodReg]);
+    writer.putCmpRegImm('r0', 0);
+
+    writer.putPopRegs(savedRegs);
+
+    const vpopFpRegs = [0xbd, 0xec, 0x10, 0x0a]; /* vpop {s0-s15} */
+    writer.putBytes(vpopFpRegs);
+
+    writer.putBCondLabel('ne', 'runtime_or_replacement_method');
+    writer.putBLabel('regular_method');
+
+    relocator.readOne();
+
+    const tailIsRegular = relocator.input.address.equals(target.whenRegularMethod);
+
+    writer.putLabel(tailIsRegular ? 'regular_method' : 'runtime_or_replacement_method');
+    relocator.writeOne();
+    while (redirectCapacity < 10) {
+      const offset = relocator.readOne();
+      if (offset === 0) {
+        redirectCapacity = 10;
+        break;
+      }
+      redirectCapacity = offset;
+    }
+    relocator.writeAll();
+    writer.putBranchAddress(address.add(redirectCapacity + 1));
+
+    writer.putLabel(tailIsRegular ? 'runtime_or_replacement_method' : 'regular_method');
+    writer.putBranchAddress(target.whenTrue);
+
+    writer.flush();
+  });
+
+  inlineHooks.push(new InlineHook(address, redirectCapacity, trampoline));
+
+  Memory.patchCode(address, redirectCapacity, code => {
+    const writer = new ThumbWriter(code, { pc: address });
+    writer.putLdrRegAddress('pc', trampoline.or(1));
+    writer.flush();
+  });
+}
+
+function instrumentGetOatQuickMethodHeaderInlinedCopyArm64 ({ address, size, validationResult }) {
+  const { methodReg, scratchReg, target } = validationResult;
+
+  const trampoline = Memory.alloc(Process.pageSize);
+
+  Memory.patchCode(trampoline, 256, code => {
+    const writer = new Arm64Writer(code, { pc: trampoline });
+
+    const relocator = new Arm64Relocator(address, writer);
+    for (let i = 0; i !== 2; i++) {
+      relocator.readOne();
+    }
+    relocator.writeAll();
+
+    relocator.readOne();
+    relocator.skipOne();
+    writer.putBCondLabel('eq', 'runtime_or_replacement_method');
+
+    const savedRegs = [
+      'd0', 'd1',
+      'd2', 'd3',
+      'd4', 'd5',
+      'd6', 'd7',
+      'x0', 'x1',
+      'x2', 'x3',
+      'x4', 'x5',
+      'x6', 'x7',
+      'x8', 'x9',
+      'x10', 'x11',
+      'x12', 'x13',
+      'x14', 'x15',
+      'x16', 'x17'
+    ];
+    const numSavedRegs = savedRegs.length;
+
+    for (let i = 0; i !== numSavedRegs; i += 2) {
+      writer.putPushRegReg(savedRegs[i], savedRegs[i + 1]);
+    }
+
+    writer.putCallAddressWithArguments(artController.replacedMethods.isReplacement, [methodReg]);
+    writer.putCmpRegReg('x0', 'xzr');
+
+    for (let i = numSavedRegs - 2; i >= 0; i -= 2) {
+      writer.putPopRegReg(savedRegs[i], savedRegs[i + 1]);
+    }
+
+    writer.putBCondLabel('ne', 'runtime_or_replacement_method');
+    writer.putBLabel('regular_method');
+
+    relocator.readOne();
+    const tailInstruction = relocator.input;
+
+    const tailIsRegular = tailInstruction.address.equals(target.whenRegularMethod);
+
+    writer.putLabel(tailIsRegular ? 'regular_method' : 'runtime_or_replacement_method');
+    relocator.writeOne();
+    writer.putBranchAddress(tailInstruction.next);
+
+    writer.putLabel(tailIsRegular ? 'runtime_or_replacement_method' : 'regular_method');
+    writer.putBranchAddress(target.whenTrue);
+
+    writer.flush();
+  });
+
+  inlineHooks.push(new InlineHook(address, size, trampoline));
+
+  Memory.patchCode(address, size, code => {
+    const writer = new Arm64Writer(code, { pc: address });
+    writer.putLdrRegAddress(scratchReg, trampoline);
+    writer.putBrReg(scratchReg);
+    writer.flush();
+  });
+}
+
 function makeMethodMangler (methodId) {
   return new MethodMangler(methodId);
 }
@@ -1937,8 +2378,6 @@ extern void translate_location (ArtMethod * method, guint32 pc, const gchar ** s
 extern void cxx_delete (void * mem);
 extern unsigned long strtoul (const char * str, char ** endptr, int base);
 
-extern void _frida_log (const gchar * message);
-
 static bool visit_frame (ArtStackVisitor * visitor);
 static void art_stack_frame_destroy (ArtStackFrame * frame);
 
@@ -1947,8 +2386,6 @@ static void append_jni_type_name (GString * s, const gchar * name, gsize length)
 static void std_string_destroy (StdString * str);
 static gchar * std_string_get_data (StdString * str);
 
-static void frida_log (const char * format, ...);
-
 void
 init (void)
 {
@@ -2334,7 +2771,13 @@ function revertGlobalPatches () {
   });
   patchedClasses.clear();
 
-  artQuickInterceptors.forEach((interceptor) => interceptor.deactivate());
+  for (const interceptor of artQuickInterceptors.splice(0)) {
+    interceptor.deactivate();
+  }
+
+  for (const hook of inlineHooks.splice(0)) {
+    hook.revert();
+  }
 }
 
 function unwrapMethodId (methodId) {
@@ -3161,9 +3604,12 @@ function requestDeoptimization (vm, env, kind, method) {
         throw new Error('Unable to find Instrumentation class in ART; please file a bug');
       }
 
-      const deoptimizationEnabled = !!instrumentation.add(getArtInstrumentationSpec().offset.deoptimizationEnabled).readU8();
-      if (!deoptimizationEnabled) {
-        api['art::Instrumentation::EnableDeoptimization'](instrumentation);
+      const enableDeopt = api['art::Instrumentation::EnableDeoptimization'];
+      if (enableDeopt !== undefined) {
+        const deoptimizationEnabled = !!instrumentation.add(getArtInstrumentationSpec().offset.deoptimizationEnabled).readU8();
+        if (!deoptimizationEnabled) {
+          enableDeopt(instrumentation);
+        }
       }
 
       switch (kind) {
@@ -3544,8 +3990,9 @@ function recompileExceptionClearForX86 (buffer, pc, exceptionClearImpl, nextFunc
               if (pointerSize === 4) {
                 writer.putAndRegU32('esp', 0xfffffff0);
               } else {
-                writer.putMovRegU64('rax', uint64('0xfffffffffffffff0'));
-                writer.putAndRegReg('rsp', 'rax');
+                const scratchReg = (threadReg !== 'rdi') ? 'rdi' : 'rsi';
+                writer.putMovRegU64(scratchReg, uint64('0xfffffffffffffff0'));
+                writer.putAndRegReg('rsp', scratchReg);
               }
               writer.putCallAddressWithAlignedArguments(callback, [threadReg]);
               writer.putMovRegReg('xsp', 'xbp');

package/lib/class-factory.js

@@ -485,9 +485,16 @@ class ClassFactory {
     if (flavor === 'jvm') {
       this._chooseObjectsJvm(specifier, env, callbacks);
     } else if (flavor === 'art') {
+      const legacyApiMissing = api['art::gc::Heap::VisitObjects'] === undefined;
+      if (legacyApiMissing) {
+        const preA12ApiMissing = api['art::gc::Heap::GetInstances'] === undefined;
+        if (preA12ApiMissing) {
+          return this._chooseObjectsJvm(specifier, env, callbacks);
+        }
+      }
       android.withRunnableArtThread(vm, env, thread => {
-        if (api['art::gc::Heap::VisitObjects'] === undefined) {
-          this._chooseObjectsArtModern(specifier, env, thread, callbacks);
+        if (legacyApiMissing) {
+          this._chooseObjectsArtPreA12(specifier, env, thread, callbacks);
         } else {
           this._chooseObjectsArtLegacy(specifier, env, thread, callbacks);
         }
@@ -545,7 +552,7 @@ class ClassFactory {
     }
   }
 
-  _chooseObjectsArtModern (className, env, thread, callbacks) {
+  _chooseObjectsArtPreA12 (className, env, thread, callbacks) {
     const classWrapper = this.use(className);
 
     const scope = android.VariableSizedHandleScope.$new(thread, vm);

package/lib/class-model.js

@@ -1176,7 +1176,7 @@ class Model {
 
     const params = query.match(methodQueryPattern);
     if (params === null) {
-      throw new Error('Invalid method query');
+      throw new Error('Invalid query; format is: class!method -- see documentation of Java.enumerateMethods(query) for details');
     }
 
     const classQuery = Memory.allocUtf8String(params[1]);

package/lib/jvm.js

@@ -1,3 +1,8 @@
+const {
+  jvmtiVersion,
+  jvmtiCapabilities,
+  EnvJvmti
+} = require('./jvmti');
 const memoize = require('./memoize');
 const { checkJniResult } = require('./result');
 const VM = require('./vm');
@@ -11,11 +16,6 @@ const JVM_ACC_IS_OBSOLETE = 0x00020000;
 const JVM_ACC_NOT_C2_COMPILABLE = 0x02000000;
 const JVM_ACC_NOT_C1_COMPILABLE = 0x04000000;
 const JVM_ACC_NOT_C2_OSR_COMPILABLE = 0x08000000;
-const JVMTI_VERSION_1_0 = 0x30010000;
-
-const jvmtiCapabilities = {
-  canTagObjects: 1
-};
 
 const nativeFunctionOptions = {
   exceptions: 'propagate'
@@ -291,6 +291,7 @@ function _getApi () {
   }
 
   temporaryApi.jvmti = getEnvJvmti(temporaryApi);
+
   return temporaryApi;
 }
 
@@ -299,63 +300,21 @@ function getEnvJvmti (api) {
 
   let env;
   vm.perform(() => {
-    const getEnv = new NativeFunction(vm.handle.readPointer().add(6 * pointerSize).readPointer(), 'int32', ['pointer', 'pointer', 'int32'],
-      nativeFunctionOptions);
-    const envBuf = Memory.alloc(pointerSize);
-    let result = getEnv(vm.handle, envBuf, JVMTI_VERSION_1_0);
-    checkJniResult('getEnvJvmti::GetEnv', result);
-    env = new EnvJvmti(envBuf.readPointer(), vm);
+    const handle = vm.tryGetEnvHandle(jvmtiVersion.v1_0);
+    if (handle === null) {
+      throw new Error('JVMTI not available');
+    }
+    env = new EnvJvmti(handle, vm);
 
     const capaBuf = Memory.alloc(8);
     capaBuf.writeU64(jvmtiCapabilities.canTagObjects);
-    result = env.addCapabilities(capaBuf);
+    const result = env.addCapabilities(capaBuf);
     checkJniResult('getEnvJvmti::AddCapabilities', result);
   });
 
   return env;
 }
 
-function EnvJvmti (handle, vm) {
-  this.handle = handle;
-  this.vm = vm;
-  this.vtable = handle.readPointer();
-}
-
-EnvJvmti.prototype.deallocate = proxy(47, 'int32', ['pointer', 'pointer'], function (impl, mem) {
-  return impl(this.handle, mem);
-});
-
-EnvJvmti.prototype.getLoadedClasses = proxy(78, 'int32', ['pointer', 'pointer', 'pointer'], function (impl, classCountPtr, classesPtr) {
-  const result = impl(this.handle, classCountPtr, classesPtr);
-  checkJniResult('EnvJvmti::getLoadedClasses', result);
-});
-
-EnvJvmti.prototype.iterateOverInstancesOfClass = proxy(112, 'int32', ['pointer', 'pointer', 'int', 'pointer', 'pointer'], function (impl, klass, objectFilter, heapObjectCallback, userData) {
-  const result = impl(this.handle, klass, objectFilter, heapObjectCallback, userData);
-  checkJniResult('EnvJvmti::iterateOverInstancesOfClass', result);
-});
-
-EnvJvmti.prototype.getObjectsWithTags = proxy(114, 'int32', ['pointer', 'int', 'pointer', 'pointer', 'pointer', 'pointer'], function (impl, tagCount, tags, countPtr, objectResultPtr, tagResultPtr) {
-  const result = impl(this.handle, tagCount, tags, countPtr, objectResultPtr, tagResultPtr);
-  checkJniResult('EnvJvmti::getObjectsWithTags', result);
-});
-
-EnvJvmti.prototype.addCapabilities = proxy(142, 'int32', ['pointer', 'pointer'], function (impl, capabilitiesPtr) {
-  return impl(this.handle, capabilitiesPtr);
-});
-
-function proxy (offset, retType, argTypes, wrapper) {
-  let impl = null;
-  return function () {
-    if (impl === null) {
-      impl = new NativeFunction(this.vtable.add((offset - 1) * pointerSize).readPointer(), retType, argTypes, nativeFunctionOptions);
-    }
-    let args = [impl];
-    args = args.concat.apply(args, arguments);
-    return wrapper.apply(this, args);
-  };
-}
-
 function ensureClassInitialized (env, classRef) {
 }
 

package/lib/jvmti.js

@@ -0,0 +1,62 @@
+const { checkJniResult } = require('./result');
+
+const jvmtiVersion = {
+  v1_0: 0x30010000,
+  v1_2: 0x30010200
+};
+
+const jvmtiCapabilities = {
+  canTagObjects: 1
+};
+
+const { pointerSize } = Process;
+const nativeFunctionOptions = {
+  exceptions: 'propagate'
+};
+
+function EnvJvmti (handle, vm) {
+  this.handle = handle;
+  this.vm = vm;
+  this.vtable = handle.readPointer();
+}
+
+EnvJvmti.prototype.deallocate = proxy(47, 'int32', ['pointer', 'pointer'], function (impl, mem) {
+  return impl(this.handle, mem);
+});
+
+EnvJvmti.prototype.getLoadedClasses = proxy(78, 'int32', ['pointer', 'pointer', 'pointer'], function (impl, classCountPtr, classesPtr) {
+  const result = impl(this.handle, classCountPtr, classesPtr);
+  checkJniResult('EnvJvmti::getLoadedClasses', result);
+});
+
+EnvJvmti.prototype.iterateOverInstancesOfClass = proxy(112, 'int32', ['pointer', 'pointer', 'int', 'pointer', 'pointer'], function (impl, klass, objectFilter, heapObjectCallback, userData) {
+  const result = impl(this.handle, klass, objectFilter, heapObjectCallback, userData);
+  checkJniResult('EnvJvmti::iterateOverInstancesOfClass', result);
+});
+
+EnvJvmti.prototype.getObjectsWithTags = proxy(114, 'int32', ['pointer', 'int', 'pointer', 'pointer', 'pointer', 'pointer'], function (impl, tagCount, tags, countPtr, objectResultPtr, tagResultPtr) {
+  const result = impl(this.handle, tagCount, tags, countPtr, objectResultPtr, tagResultPtr);
+  checkJniResult('EnvJvmti::getObjectsWithTags', result);
+});
+
+EnvJvmti.prototype.addCapabilities = proxy(142, 'int32', ['pointer', 'pointer'], function (impl, capabilitiesPtr) {
+  return impl(this.handle, capabilitiesPtr);
+});
+
+function proxy (offset, retType, argTypes, wrapper) {
+  let impl = null;
+  return function () {
+    if (impl === null) {
+      impl = new NativeFunction(this.vtable.add((offset - 1) * pointerSize).readPointer(), retType, argTypes, nativeFunctionOptions);
+    }
+    let args = [impl];
+    args = args.concat.apply(args, arguments);
+    return wrapper.apply(this, args);
+  };
+}
+
+module.exports = {
+  jvmtiVersion,
+  jvmtiCapabilities,
+  EnvJvmti
+};

package/lib/vm.js

@@ -107,12 +107,20 @@ function VM (api) {
   };
 
   this._tryGetEnv = function () {
+    const h = this.tryGetEnvHandle(JNI_VERSION_1_6);
+    if (h === null) {
+      return null;
+    }
+    return new Env(h, this);
+  };
+
+  this.tryGetEnvHandle = function (version) {
     const envBuf = Memory.alloc(pointerSize);
-    const result = getEnv(handle, envBuf, JNI_VERSION_1_6);
+    const result = getEnv(handle, envBuf, version);
     if (result !== JNI_OK) {
       return null;
     }
-    return new Env(envBuf.readPointer(), this);
+    return envBuf.readPointer();
   };
 
   this.makeHandleDestructor = function (handle) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "frida-java-bridge",
-  "version": "6.0.2",
+  "version": "6.1.0",
   "description": "Java runtime interop from Frida",
   "main": "index.js",
   "files": [
@@ -36,6 +36,7 @@
       "Instruction",
       "Int64",
       "Interceptor",
+      "MatchPattern",
       "Memory",
       "Module",
       "NULL",