
Android Crash Analysis and Fixes: DNS, MediaCodec, BIO, and Focus Issues

The article details four native DeWu Android client crashes—DNS resolution, MediaCodec state‑exception, BIO multi‑thread, and Xiaomi Android 15 focus null‑pointer—explains their root causes, and demonstrates inline‑hook, PLT‑hook, and JNI‑hook fixes that lowered the crash rate from 2/10 000 to about 1.2/10 000.

DeWu Technology

This article documents a series of native crashes observed on the DeWu Android client, analyzes their root causes, and presents concrete fix strategies using inline‑hook, PLT‑hook, and JNI‑hook techniques.

1. DNS Resolution Crash

Background: On Android 11 and lower, DNS resolution may trigger a native null‑pointer crash, with Android 9 showing the highest incidence.

Analysis: The crash originates from InetAddress.getAllByName, which eventually calls Libcore.os.android_getaddrinfo. When android_getaddrinfofornet returns a non‑zero value, a GaiException is thrown.

at libcore.io.Linux.android_getaddrinfo(Linux.java)
at libcore.io.BlockGuardOs.android_getaddrinfo(BlockGuardOs.java:172)
at java.net.InetAddress.parseNumericAddressNoThrow(InetAddress.java:1631)
... (stack omitted)
#00 pc 000000000003b938  /system/lib64/libc.so (android_detectaddrtype+1164)
#01 pc 000000000003b454  /system/lib64/libc.so (android_getaddrinfofornet+72)
#02 pc 000000000002b5f4  /system/lib64/libjavacore.so (_ZL25Linux_android_getaddrinfoP7_JNIEnvP8_jobjectP8_jstringS2_i+336)

Solution: Hook android_getaddrinfofornet with an inline‑hook, catch the segmentation fault, and force the function to return -1, which is then handled by the existing Java fallback logic.

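#include <setjmp.h>
#include <signal.h>
#include <stdio.h>

static sigjmp_buf buf;

/* SIGSEGV handler: jump back to the checkpoint instead of letting the process die. */
void SIGSEGV_handler(int sig, siginfo_t *info, void *ucontext) {
    (void)info; (void)ucontext;
    printf("signal %d\n", sig);   /* demo only: printf is not async-signal-safe */
    siglongjmp(buf, -1);
}

int main() {
    /* savemask = 1: siglongjmp restores the signal mask, so SIGSEGV is not left blocked */
    if (!sigsetjmp(buf, 1)) {
        struct sigaction sa = {0};
        sa.sa_sigaction = SIGSEGV_handler;
        sa.sa_flags = SA_SIGINFO;   /* required when the handler is set via sa_sigaction */
        sigemptyset(&sa.sa_mask);
        sigaction(SIGSEGV, &sa, NULL);
        volatile int *ptr = NULL; *ptr = 1; // trigger segfault
    } else {
        printf("caught segfault\n");
    }
    return 0;
}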

2. MediaCodec State‑Exception Crash

Background: On Android 11, MediaCodec may abort with SIGABRT due to a state‑exception bug in the system library.

Analysis: The crash stack shows the abort occurring in MediaCodec::postPendingRepliesAndDeferredMessages when mReplyID is null.

#00 pc 0000000000089b1c  /apex/com.android.runtime/lib64/bionic/libc.so (abort+164)
#04 pc 0000000000122074  /system/lib64/libstagefright.so (_ZN7android10MediaCodec37postPendingRepliesAndDeferredMessages...)
... (stack omitted)

Solution: Use an inline‑hook to proxy onMessageReceived. Inside the proxy, set a setjmp checkpoint, hook __android_log_assert via PLT‑hook, detect the specific error string, and jump back to the safe path.

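#include <csetjmp>
#include <csignal>
#include <cstring>
#include <iostream>

static thread_local jmp_buf _buf;   // per-thread checkpoint set in onMessageReceived_proxy
// Would hold the original function pointers once the hooks are installed (unused in this demo)
void* origin_onMessageReceived = nullptr;
void* origin__android_log_assert = nullptr;

// Replacement for __android_log_assert (installed via PLT-hook)
void _android_log_assert_proxy(const char* cond, const char* tag, const char* fmt, ...) {
    std::cout << "__android_log_assert start" << std::endl;
    // Recover only from the known MediaCodec assertion; the matched prefix is 55 characters long
    if (fmt && !std::strncmp(fmt, "postPendingRepliesAndDeferredMessages: mReplyID == null", 55)) {
        // Note: longjmp does not run destructors of C++ objects on the frames it skips
        std::longjmp(_buf, -1);
    }
    std::raise(SIGABRT);   // every other assertion still aborts
}

// Replacement for onMessageReceived (installed via inline-hook)
void onMessageReceived_proxy(void* thiz, void* msg) {
    std::cout << "onMessageReceived_proxy start" << std::endl;
    if (!setjmp(_buf)) {
        // Demo: simulate the assertion firing while the message is handled
        _android_log_assert_proxy(nullptr, nullptr, "postPendingRepliesAndDeferredMessages: mReplyID == null, from kWhatRelease:STOPPING");
    } else {
        std::cout << "protected return" << std::endl;
    }
    std::cout << "onMessageReceived_proxy end" << std::endl;
}

int main() { onMessageReceived_proxy(nullptr, nullptr); return 0; }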

3. BIO Multi‑Thread Crash

Background: Concurrent close() on a BIO object in Android 11 can lead to a native null‑pointer crash.

Analysis: The stack points to bio_ctrl and BIO_ctrl_pending in OpenSSL, triggered from Conscrypt's native crypto layer.

at com.android.org.conscrypt.NativeCrypto.SSL_pending_written_bytes_in_BIO(Native method)
#00 pc 0000000000064060  /system/lib64/libcrypto.so (bio_ctrl+144)
#01 pc 00000000000615d8  /system/lib64/libcrypto.so (BIO_ctrl_pending+40)

Solution: Hook the JNI functions that correspond to the new read‑write lock logic introduced in Android 12. The proxy obtains a Java ReadWriteLock via reflection, acquires the lock, then forwards the call to the original JNI implementation.

4. Xiaomi Android 15 Focus‑Handling Null‑Pointer Crash

Background: A NullPointerException occurs in ViewRootImpl.handleWindowFocusChanged when mView is null during focus changes on Android 15 devices, especially Xiaomi/Redmi.

java.lang.NullPointerException: Attempt to invoke virtual method 'android.view.ViewGroup$LayoutParams android.view.View.getLayoutParams()' on a null object reference
    at android.view.ViewRootImpl.handleWindowFocusChanged(ViewRootImpl.java:5307)

Analysis: The crash happens after setView has been called, mAdded is true, and later mView becomes null during window detach, leading to a race between window destruction and focus handling.

Solution: A hook on handleWindowFocusChanged that aborts when mView is null was attempted first, but the approach was abandoned as too invasive. The issue was ultimately resolved by a firmware update (MIUI v2.0.28) from the OEM.

Summary

Through systematic crash triage—identifying root causes, reproducing the bugs, and applying inline‑hook, PLT‑hook, or JNI‑hook fixes—the overall native crash rate on DeWu Android clients dropped from a peak of 2/10 000 to approximately 1.1–1.5/10 000, with system‑bug‑related crashes now accounting for only ~40 % of remaining incidents.
