android: Synchronize ArtMethod class field post GC

oleavr · hsorbo · oleavr · commit cb2399165787 · 2025-10-24T15:01:36.000+02:00
So our replacement ArtMethod instances don't go stale, and cause
undefined behavior.

Co-authored-by: Håvard Sørbø &lt;havard@hsorbo.no&gt;
diff --git a/lib/android.js b/lib/android.js
@@ -1866,6 +1866,23 @@ set_replacement_method (gpointer original_method,
   g_mutex_unlock (&lock);
 }
 
+void
+on_gc_performed (void)
+{
+  GHashTableIter iter;
+  gpointer hooked_method, replacement_method;
+
+  g_mutex_lock (&lock);
+
+  g_hash_table_iter_init (&iter, methods);
+  while (g_hash_table_iter_next (&iter, &hooked_method, &replacement_method))
+  {
+    *((uint32_t *) replacement_method) = *((uint32_t *) hooked_method);
+  }
+
+  g_mutex_unlock (&lock);
+}
+
 void
 on_fixups_applied (guint quick_code_offset,
                    void * nterp_entrypoint,
@@ -2045,6 +2062,7 @@ on_leave_gc_concurrent_copying_copying_phase (GumInvocationContext * ic)
       isReplacement: new NativeFunction(cm.is_replacement_method, 'bool', ['pointer'], fastOptions),
       get: new NativeFunction(cm.get_replacement_method, 'pointer', ['pointer'], fastOptions),
       set: new NativeFunction(cm.set_replacement_method, 'void', ['pointer', 'pointer'], fastOptions),
+      onGcPerformed: new NativeFunction(cm.on_gc_performed, 'void', [], fastOptions),
       onFixupsApplied: new NativeFunction(cm.on_fixups_applied, 'void', ['uint', 'pointer', 'pointer'], fastOptions),
       delete: new NativeFunction(cm.delete_replacement_method, 'void', ['pointer'], fastOptions),
       translate: new NativeFunction(cm.translate_method, 'pointer', ['pointer'], fastOptions),
@@ -2079,6 +2097,7 @@ function ensureArtKnowsHowToHandleMethodInstrumentation (vm) {
 
   instrumentArtQuickEntrypoints(vm);
   instrumentArtMethodInvocationFromInterpreter();
+  instrumentArtGarbageCollection();
   instrumentArtFixupStaticTrampolines();
 }
 
@@ -2131,6 +2150,16 @@ function instrumentArtMethodInvocationFromInterpreter () {
   }
 }
 
+function instrumentArtGarbageCollection () {
+  const gc = getApi().module.findSymbolByName("_ZN3art2gc4Heap22CollectGarbageInternalENS0_9collector6GcTypeENS0_7GcCauseEbj");
+  if (gc === null)
+    return;
+
+  Interceptor.attach(gc, {
+    onLeave: artController.replacedMethods.onGcPerformed,
+  });
+}
+
 function instrumentArtFixupStaticTrampolines () {
   const patterns = [
     ['_ZN3art11ClassLinker26VisiblyInitializedCallback22MarkVisiblyInitializedEPNS_6ThreadE',         'e90340f8 : ff0ff0ff'],
