Frida Stalker Crash

foo.c

#include <stdio.h>
#include <unistd.h>

int main() {
    while (1) {
        printf("hello\n");
        sleep(1);
    }
}

gistfile1.txt

Creating block for 0x7fe8d11409d0:
0x7fe8d11409d0  cmp rax, -0x1000
; 0x7fe8d11409d0        48 3d 00 f0 ff ff
        0x7fe8c81c4498  cmp rax, -0x1000
        ; 0x7fe8c81c4498        48 3d 00 f0 ff ff
0x7fe8d11409d6  ja 0x7fe8d1140a02
; 0x7fe8d11409d6        77 2a
        0x7fe8c81c449e  jbe 0x7fe8c81c449e
        0x7fe8c81c44a4  lea rsp, [rsp - 0x80]
        0x7fe8c81c44ac  call 0x7fe8c81c4000
        0x7fe8c81c44b1  push rax
        0x7fe8c81c44b2  movabs rax, 0x7fe8d1140a02
        0x7fe8c81c44bc  xchg qword ptr [rsp], rax
        0x7fe8c81c44c0  pop rsi
        0x7fe8c81c44c1  movabs rdi, 0x7fe8c81c3000
        0x7fe8c81c44cb  sub rsp, 0x40
        0x7fe8c81c44cf  movabs rax, 0x7fe8cabd3edf
        0x7fe8c81c44d9  call rax
        0x7fe8c81c44db  add rsp, 0x40
        0x7fe8c81c44df  mov rax, qword ptr [rip - 0x13b6]
        0x7fe8c81c44e6  movabs rdx, 0
        0x7fe8c81c44f0  movabs rsi, 0x7fe8c81c44a4
        0x7fe8c81c44fa  mov rdi, rax
        0x7fe8c81c44fd  call 0x7fe8cabd2d95
        0x7fe8c81c4502  call 0x7fe8c81c40d5
        0x7fe8c81c4507  mov rsp, qword ptr [rip - 0x13ae]
        0x7fe8c81c450e  jmp qword ptr [rip - 0x13c4]
        0x7fe8c81c4514  lea rsp, [rsp - 0x80]
        0x7fe8c81c451c  call 0x7fe8c81c4000
        0x7fe8c81c4521  push rax
        0x7fe8c81c4522  movabs rax, 0x7fe8d11409d8
        0x7fe8c81c452c  xchg qword ptr [rsp], rax
        0x7fe8c81c4530  pop rsi
        0x7fe8c81c4531  movabs rdi, 0x7fe8c81c3000
        0x7fe8c81c453b  sub rsp, 0x40
        0x7fe8c81c453f  movabs rax, 0x7fe8cabd3edf
        0x7fe8c81c4549  call rax
        0x7fe8c81c454b  add rsp, 0x40
        0x7fe8c81c454f  mov rax, qword ptr [rip - 0x1426]
        0x7fe8c81c4556  movabs rdx, 0
        0x7fe8c81c4560  movabs rsi, 0x7fe8c81c4514
        0x7fe8c81c456a  mov rdi, rax
        0x7fe8c81c456d  call 0x7fe8cabd2d95
        0x7fe8c81c4572  call 0x7fe8c81c40d5
        0x7fe8c81c4577  mov rsp, qword ptr [rip - 0x141e]
        0x7fe8c81c457e  jmp qword ptr [rip - 0x1434]
        ; 0x7fe8c81c449e        0f 86 fa ff ff ff 48 8d a4 24 80 ff ff ff e8 4f
        ; 0x7fe8c81c44ae        fb ff ff 50 48 b8 02 0a 14 d1 e8 7f 00 00 48 87
        ; 0x7fe8c81c44be        04 24 5e 48 bf 00 30 1c c8 e8 7f 00 00 48 83 ec
        ; 0x7fe8c81c44ce        40 48 b8 df 3e bd ca e8 7f 00 00 ff d0 48 83 c4
        ; 0x7fe8c81c44de        40 48 8b 05 4a ec ff ff 48 ba 00 00 00 00 00 00
        ; 0x7fe8c81c44ee        00 00 48 be a4 44 1c c8 e8 7f 00 00 48 89 c7 e8
        ; 0x7fe8c81c44fe        93 e8 a0 02 e8 ce fb ff ff 48 8b 25 52 ec ff ff
        ; 0x7fe8c81c450e        ff 25 3c ec ff ff 48 8d a4 24 80 ff ff ff e8 df
        ; 0x7fe8c81c451e        fa ff ff 50 48 b8 d8 09 14 d1 e8 7f 00 00 48 87
        ; 0x7fe8c81c452e        04 24 5e 48 bf 00 30 1c c8 e8 7f 00 00 48 83 ec
        ; 0x7fe8c81c453e        40 48 b8 df 3e bd ca e8 7f 00 00 ff d0 48 83 c4
        ; 0x7fe8c81c454e        40 48 8b 05 da eb ff ff 48 ba 00 00 00 00 00 00
        ; 0x7fe8c81c455e        00 00 48 be 14 45 1c c8 e8 7f 00 00 48 89 c7 e8
        ; 0x7fe8c81c456e        23 e8 a0 02 e8 5e fb ff ff 48 8b 25 e2 eb ff ff
        ; 0x7fe8c81c457e        ff 25 cc eb ff ff
Segmentation fault (core dumped)

inject.js

Process.enumerateThreads({
    onMatch: function (thread) {
        Stalker.follow(thread.id, {
            events: {
                compile: true
            },
            onReceive: function (events) {
                console.log("a");
            }
        })
    },
    onComplete: function() { console.log("Done"); }
})

Compile foo.c with:

$ gcc -o foo foo.c

Inject with frida after running foo:

frida -n foo -l inject.js

Other related issues:

frida/frida#639
frida/frida#672