
java.lang.VerifyError: Verifier rejected class xxx failed to verify: xxx [0x3F] copy1 v2<-v18 type=Integer cat=3 (declaration of 'xxx appears in /data/app/~~rhy3UPO5XTPJh8Mnsx2ouw==/com.awesomeproject-RQOu3jVjveEXAk0l7OyN0g==/base.apk!classes2.dex) #2019

Open
xiaoxiongwang opened this issue Nov 10, 2023 · 1 comment


xiaoxiongwang commented Nov 10, 2023

Hi, I encountered a strange problem.
We're instrumenting code into an APK made with React Native, and the generated bytecode doesn't pass the verifier.
The error says:

FATAL EXCEPTION: create_react_context
Process: com.awesomeproject, PID: 29978
 java.lang.VerifyError: Verifier rejected class com.awesomeproject.IPCJSAPIModuleExperimental: void com.awesomeproject.IPCJSAPIModuleExperimental.visitActivity1(com.facebook.react.bridge.Callback, com.facebook.react.bridge.Callback) failed to verify: void com.awesomeproject.IPCJSAPIModuleExperimental.visitActivity1(com.facebook.react.bridge.Callback, com.facebook.react.bridge.Callback): [0x5F] copy1 v0<-v17 type=Integer cat=3 (declaration of 'com.awesomeproject.IPCJSAPIModuleExperimental' appears in /data/app/~~oGNXO9lSM0PC64PCxgbcdA==/com.awesomeproject-TGSXnExkkC7HHGn48V_BlQ==/base.apk!classes2.dex)
    at com.awesomeproject.CustomToastPackage.createNativeModules(Unknown Source:37)
    at com.facebook.react.ReactPackageHelper.getNativeModuleIterator(Unknown Source:45)
    at com.facebook.react.NativeModuleRegistryBuilder.processPackage(Unknown Source:50)
    at com.facebook.react.ReactInstanceManager.processPackage(Unknown Source:36)
    at com.facebook.react.ReactInstanceManager.processPackages(Unknown Source:74)
    at com.facebook.react.ReactInstanceManager.createReactContext(Unknown Source:48)
    at com.facebook.react.ReactInstanceManager.-$$Nest$mcreateReactContext(Unknown Source:0)
    at com.facebook.react.ReactInstanceManager$5.run(Unknown Source:84)

And here is the smali code:

.method public visitActivity1(Lcom/facebook/react/bridge/Callback;Lcom/facebook/react/bridge/Callback;)V
    .registers 30
    .param p2, "successCallback"    # Lcom/facebook/react/bridge/Callback;
    .annotation runtime Lcom/facebook/react/bridge/ReactMethod;
    .end annotation
    sget-object v4, Lcom/awesomeproject/IPCJSAPIModuleExperimental;->reactContext:Landroid/content/Context;

    .local v4, "r4":Landroid/content/Context;, ""
    const-string v6, "com.www.ssss"

    const/4 v7, 0x1

    invoke-static {v4, v6, v7}, Landroid/widget/Toast;->makeText(Landroid/content/Context;Ljava/lang/CharSequence;I)Landroid/widget/Toast;

    move-result-object v5

    .local v5, "$r5":Landroid/widget/Toast;, ""
    invoke-virtual {v5}, Landroid/widget/Toast;->show()V

    new-instance v8, Landroid/content/Intent;

    .local v8, "r6":Landroid/content/Intent;, ""
    invoke-direct {v8}, Landroid/content/Intent;-><init>()V

    new-instance v9, Landroid/content/ComponentName;

    .local v9, "r3":Landroid/content/ComponentName;, ""
    const-string v6, "com.helloe"

    const-string v10, "com.worlds"

    invoke-direct {v9, v6, v10}, Landroid/content/ComponentName;-><init>(Ljava/lang/String;Ljava/lang/String;)V

    invoke-virtual {v8, v9}, Landroid/content/Intent;->setComponent(Landroid/content/ComponentName;)Landroid/content/Intent;

    const v7, 0x10000000

    invoke-virtual {v8, v7}, Landroid/content/Intent;->setFlags(I)Landroid/content/Intent;

    sget-object v4, Lcom/awesomeproject/IPCJSAPIModuleExperimental;->reactContext:Landroid/content/Context;

    new-instance v11, Landroid/os/Bundle;

    .local v11, "$r7":Landroid/os/Bundle;, ""
    invoke-direct {v11}, Landroid/os/Bundle;-><init>()V

    invoke-static {}, Landroid/os/Process;->myPid()I

    move-result v12

    .local v12, "mypidint":Lint;, ""
    invoke-static {v12}, Lcom/awesomeproject/policycenter/Utils;->pid2str(I)Ljava/lang/String;

    move-result-object v13

    .local v13, "mypid":Ljava/lang/String;, ""
    move-object v14, v13

    .local v14, "id":Ljava/lang/String;, ""
    sget v15, Lcom/awesomeproject/policycenter/Constant$User;->JS:I

    .local v15, "user":Lint;, ""
    move-object/from16 v16, v13

    sget-object v17, Lcom/awesomeproject/policycenter/Constant$Type;->ANY:Ljava/lang/String;

    .local v17, "type":Ljava/lang/String;, ""
    sget v18, Lcom/awesomeproject/policycenter/Constant$LEVEL;->ANY:I

    .local v18, "level":Lint;, ""
    move-object/from16 v0, v16

    move-object/from16 v1, v17

    move-object/from16 v2, v18    # v18 was loaded by "sget ... :I" and holds an int, so an object move is the wrong opcode here; this is the copy the verifier rejects

    invoke-static {v14, v15, v0, v1, v2}, Lcom/awesomeproject/policycenter/SEContextItem;->getInstance(Ljava/lang/String;ILjava/lang/String;Ljava/lang/String;I)Lcom/awesomeproject/policycenter/SEContextItem;

    move-result-object v19

    .local v19, "secontext1":Lcom/awesomeproject/policycenter/SEContextItem;, ""
    new-instance v20, Ljava/util/HashSet;

    .local v20, "opems":Ljava/util/HashSet;, ""
    move-object/from16 v0, v20

    invoke-direct {v0}, Ljava/util/HashSet;-><init>()V

    sget-object v21, Lcom/awesomeproject/policycenter/Constant$PEM;->OPEN_ACTIVITY:Ljava/lang/String;

    .local v21, "opem":Ljava/lang/String;, ""
    move-object/from16 v0, v20

    move-object/from16 v1, v21

    invoke-interface {v0, v1}, Ljava/util/Set;->add(Ljava/lang/Object;)Z

    sget-object v22, Lcom/awesomeproject/MainActivity;->saveContext:Landroid/content/Context;

    .local v22, "thisContext":Landroid/content/Context;, ""
    sget-object v23, Lcom/awesomeproject/policycenter/Constant$Type;->ACTIVITY_INTENT:Ljava/lang/String;

    .local v23, "type2":Ljava/lang/String;, ""
    move-object/from16 v0, v23

    move-object/from16 v1, v20

    move-object/from16 v2, v22

    move-object/from16 v3, v19

    invoke-static {v8, v0, v1, v2, v3}, Lcom/awesomeproject/policycenter/PolicyUtils;->authentication(Landroid/content/Intent;Ljava/lang/String;Ljava/util/Set;Landroid/content/Context;Lcom/awesomeproject/policycenter/SEContextItem;)Z

    invoke-static {v4, v8, v11}, Landroidx/core/content/ContextCompat;->startActivity(Landroid/content/Context;Landroid/content/Intent;Landroid/os/Bundle;)V

    const/4 v7, 0x1

    new-array v0, v7, [Ljava/lang/Object;

    .local v0, "$r8":[Ljava/lang/Object;, ""
    move-object/from16 v24, v0

    .end local v0    # "$r8":[Ljava/lang/Object;, ""
    .local v24, "$r8":[Ljava/lang/Object;, ""
    new-instance v25, Ljava/lang/StringBuilder;

    .local v25, "$r9":Ljava/lang/StringBuilder;, ""
    move-object/from16 v0, v25

    invoke-direct {v0}, Ljava/lang/StringBuilder;-><init>()V

    const-string/jumbo v6, "\u5524\u7aef\u6210\u529f:"

    move-object/from16 v0, v25

    invoke-virtual {v0, v6}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v25

    const-string v6, "com.www"

    move-object/from16 v0, v25

    invoke-virtual {v0, v6}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v25

    move-object/from16 v0, v25

    invoke-virtual {v0}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;

    move-result-object v26

    .local v26, "$r10":Ljava/lang/String;, ""
    const/4 v7, 0x0

    aput-object v26, v24, v7

    move-object/from16 v0, p2

    move-object/from16 v1, v24

    invoke-interface {v0, v1}, Lcom/facebook/react/bridge/Callback;->invoke([Ljava/lang/Object;)V

    sget-object v4, Lcom/awesomeproject/IPCJSAPIModuleExperimental;->reactContext:Landroid/content/Context;

    const-string/jumbo v6, "\u5524\u7aef\u6210\u529f"

    const/4 v7, 0x1

    invoke-static {v4, v6, v7}, Landroid/widget/Toast;->makeText(Landroid/content/Context;Ljava/lang/CharSequence;I)Landroid/widget/Toast;

    move-result-object v5

    invoke-virtual {v5}, Landroid/widget/Toast;->show()V

    return-void
    .end local v4    # "r4":Landroid/content/Context;, ""
    .end local v19    # "secontext1":Lcom/awesomeproject/policycenter/SEContextItem;, ""
    .end local v14    # "id":Ljava/lang/String;, ""
    .end local v17    # "type":Ljava/lang/String;, ""
    .end local v24    # "$r8":[Ljava/lang/Object;, ""
    .end local v8    # "r6":Landroid/content/Intent;, ""
    .end local v18    # "level":Lint;, ""
    .end local v23    # "type2":Ljava/lang/String;, ""
    .end local v5    # "$r5":Landroid/widget/Toast;, ""
    .end local v25    # "$r9":Ljava/lang/StringBuilder;, ""
    .end local v9    # "r3":Landroid/content/ComponentName;, ""
    .end local v20    # "opems":Ljava/util/HashSet;, ""
    .end local v26    # "$r10":Ljava/lang/String;, ""
    .end local v21    # "opem":Ljava/lang/String;, ""
    .end local v12    # "mypidint":Lint;, ""
    .end local v11    # "$r7":Landroid/os/Bundle;, ""
    .end local v13    # "mypid":Ljava/lang/String;, ""
    .end local v15    # "user":Lint;, ""
    .end local v22    # "thisContext":Landroid/content/Context;, ""
.end method

I know that this type of problem is often caused by incorrect smali code, but I can't figure out the issue with this generated smali code. At the same time, if I remove the authentication function call statement, then there is no problem.


xiaoxiongwang commented Nov 10, 2023

Hi, I found what causes the error. The type of variable v18 is int, but the instruction move-object/from16 is used. The correct instruction should be move, not move-object.

    sget v18, Lcom/awesomeproject/policycenter/Constant$LEVEL;->ANY:I
    .local v18, "level":Lint;, ""
    move-object/from16 v0, v16
    move-object/from16 v1, v17
    move-object/from16 v2, v18

So how can I control Soot to output the correct instruction?
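A quick way to catch this class of mistake before installing the APK is a static pass over the generated smali that tracks which category of value each register holds and flags a `move`, `move-object` or `move-wide` whose kind disagrees with it. That is what ART's message encodes: `copy1 vA<-vB type=T cat=N` comes from the single-register copy check, `type=Integer` is what the verifier knows about the source register, and category 3 is the reference category, so `type=Integer cat=3` says an object move was applied to an int. The script below is an added example, not code from the Soot project or from the issue author. It handles straight-line code only (no labels or branches, which is all the posted method contains), takes field types from the descriptor in `sget`/`iget` references, and can rewrite the offending opcode as a post-processing workaround on the smali text. The embedded input is an excerpt of the method posted in the issue with the `.local` directives removed.

```python
"""Check that every move/move-object/move-wide in a smali method body matches the
category of the value its source register holds, and optionally rewrite the ones
that do not.  Added example, not code from Soot or from the issue.  Single forward
pass over straight-line code: labels, branches and the second half of wide pairs
are not modelled."""

# Category each instruction assigns to its first register operand.
#   "i": 32-bit non-reference, "w": 64-bit pair, "o": object reference.
SINGLE_DEFS = {
    "const/4": "i", "const/16": "i", "const": "i", "const/high16": "i",
    "const-wide/16": "w", "const-wide/32": "w", "const-wide": "w", "const-wide/high16": "w",
    "const-string": "o", "const-string/jumbo": "o", "const-class": "o",
    "new-instance": "o", "new-array": "o", "move-exception": "o",
    "move-result": "i", "move-result-object": "o", "move-result-wide": "w",
}
MOVE_KIND = {"move": "i", "move-object": "o", "move-wide": "w"}
KIND_OPCODE = {"i": "move", "o": "move-object", "w": "move-wide"}
CAT_NAME = {"i": "32-bit primitive", "w": "64-bit primitive", "o": "reference"}


def descriptor_category(desc):
    """Map a field descriptor (I, Z, J, Lfoo/Bar;, [I, ...) to a register category."""
    if desc[0] in "JD":
        return "w"
    if desc[0] in "L[":
        return "o"
    return "i"


def _scan(smali):
    regs = {}       # register name -> (category, line number of its last definition)
    problems = []   # (line_no, message) for every mismatched move
    fixed = []      # input lines, with mismatched move opcodes rewritten
    for line_no, raw in enumerate(smali.splitlines(), 1):
        line = raw.strip()
        if '"' not in line:                      # drop trailing "# ..." comments
            line = line.split("#", 1)[0].strip()
        fixed.append(raw)
        if not line or line[0] in ".:#":         # directives, labels, comments
            continue
        op, _, rest = line.partition(" ")
        operands = [t.strip() for t in rest.split(",")]
        base = op.split("/", 1)[0]               # "move-object/from16" -> "move-object"
        if base in MOVE_KIND:
            dst, src = operands
            want = MOVE_KIND[base]
            have, def_line = regs.get(src, (None, None))
            if have is not None and have != want:
                problems.append((line_no, f"{op} {dst}, {src}: {src} holds a {CAT_NAME[have]} "
                                          f"(set at line {def_line}), but {base} copies a {CAT_NAME[want]}"))
                suffix = op[len(base):]          # keep "/from16", "/16" or ""
                indent = raw[: len(raw) - len(raw.lstrip())]
                fixed[-1] = f"{indent}{KIND_OPCODE[have]}{suffix} {dst}, {src}"
            regs[dst] = (have if have is not None else want, line_no)
        elif base.startswith(("sget", "iget")):
            # sget v18, Lpkg/Constant$LEVEL;->ANY:I  -> the descriptor follows the last ':'
            regs[operands[0]] = (descriptor_category(rest.rsplit(":", 1)[1]), line_no)
        elif op in SINGLE_DEFS:
            regs[operands[0]] = (SINGLE_DEFS[op], line_no)
        # invoke-*, sput-*, aput-*, return-* define no register
    return problems, fixed


def check_method(smali):
    """Return [(line_no, message), ...] for moves whose kind disagrees with the source register."""
    return _scan(smali)[0]


def repair_moves(smali):
    """Return the smali text with each mismatched move opcode replaced by the matching kind."""
    return "\n".join(_scan(smali)[1])


# Excerpt of the method posted in the issue (.local directives and unrelated lines removed).
ISSUE_EXCERPT = """\
    invoke-static {}, Landroid/os/Process;->myPid()I
    move-result v12
    invoke-static {v12}, Lcom/awesomeproject/policycenter/Utils;->pid2str(I)Ljava/lang/String;
    move-result-object v13
    move-object v14, v13
    sget v15, Lcom/awesomeproject/policycenter/Constant$User;->JS:I
    move-object/from16 v16, v13
    sget-object v17, Lcom/awesomeproject/policycenter/Constant$Type;->ANY:Ljava/lang/String;
    sget v18, Lcom/awesomeproject/policycenter/Constant$LEVEL;->ANY:I
    move-object/from16 v0, v16
    move-object/from16 v1, v17
    move-object/from16 v2, v18
    invoke-static {v14, v15, v0, v1, v2}, Lcom/awesomeproject/policycenter/SEContextItem;->getInstance(Ljava/lang/String;ILjava/lang/String;Ljava/lang/String;I)Lcom/awesomeproject/policycenter/SEContextItem;
"""

if __name__ == "__main__":
    for line_no, msg in check_method(ISSUE_EXCERPT):
        print(f"line {line_no}: {msg}")
    print(repair_moves(ISSUE_EXCERPT))
```

On the excerpt, `check_method` reports only line 12: `v18` holds a 32-bit primitive set by the `sget ... :I` on line 9, while `move-object` copies a reference. `repair_moves` rewrites that line to `move/from16 v2, v18`, which is the instruction the follow-up comment identifies as correct. Rewriting the emitted smali is a workaround at the output; it does not answer the question of how to make Soot emit the right opcode in the first place.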
