[Mono-bugs] [Bug 51776][Nor] Changed - Mono 0.28 appears to have problems running obfuscated code

bugzilla-daemon@bugzilla.ximian.com bugzilla-daemon@bugzilla.ximian.com
Fri, 5 Dec 2003 12:46:41 -0500 (EST)

Please do not reply to this email- if you want to comment on the bug, go to the
URL shown below and enter your comments there.

Changed by lupus@ximian.com.


--- shadow/51776	2003-12-05 11:41:03.000000000 -0500
+++ shadow/51776.tmp.22594	2003-12-05 12:46:41.000000000 -0500
@@ -2,13 +2,13 @@
 Product: Mono/Runtime
 Version: unspecified
 OS: Fedora 1.0
 OS Details: 
 Status: NEW   
+Severity: Unknown
 Priority: Normal
 Component: misc
 AssignedTo: mono-bugs@ximian.com                            
 ReportedBy: eric@sourcegear.com               
 QAContact: mono-bugs@ximian.com
 TargetMilestone: ---
@@ -103,6 +103,73 @@
 Identical results were obtained on another box (Linux Intel) running a 
 fresh install of Fedora 1.0, also with Mono 0.28.
 Something very similar happens under MacOS X using Mono 0.29.  The first 
 few error messages are identical, but it proceeds to fail in a different 
 way due to the current state of Mono on PPC.
+------- Additional Comments From lupus@ximian.com  2003-12-05 12:46 -------
+I fixed the _Deleted issue in my tree (the metadata for the field is
+wrong, but since it's marked as deleted we should ignore it anyway).
+There is another issue, though, that the obfuscated code triggers.
+And this one is a bug in the obfuscator: it produces non
+standard-conforming code. The issue was discussed a few months ago on
+the mono list and at the ECMA meeting as well. The MS folks admitted
+the behaviour is accidentally allowed by their jit, but it's
+non-standard and broken IL code.
+Basically, the tool arranges the basic blocks in the code, but in
+doing so it doesn't respect the standard rules that specifically say
+(Partition III):
+It must be possible, with a single forward-pass through the CIL
+instruction stream for any method, to infer the
+exact state of the evaluation stack at every instruction (where by
+"state" we mean the number and type of each
+item on the evaluation stack).
+In particular, if that single-pass analysis arrives at an instruction,
+call it location X, that immediately follows an
+unconditional branch, and where X is not the target of an earlier
+branch instruction, then the state of the
+evaluation stack at X, clearly, cannot be derived from existing
+information. In this case, the CLI demands that
+the evaluation stack at X be empty.
+Following on from this rule, it would clearly be invalid CIL if a
+later branch instruction to X were to have a
+non-empty evaluation stack
+This doesn't happen in the FileCRC32::.ctor() method whre the
+following code is found:
+        IL_0000:  ldarg.0 
+        IL_0001:  ldnull 
+        IL_0002:  stfld  unsigned int32[]
+        IL_0007:  ldarg.0 
+        IL_0008:  call instance void valuetype
+        IL_000d:  ldc.i4 79764919
+        IL_0012:  stloc.0 
+        IL_0013:  ldarg.0 
+        IL_0014:  ldc.i4 256
+        IL_0019:  newarr valuetype [mscorlib]'System.UInt32'
+        IL_001e:  stfld  unsigned int32[]
+        IL_0023:  ldc.i4.0 
+        IL_0024:  stloc.1 
+        IL_0025:  br.s IL_0065
+        IL_0027:  ldloc.2 
+        IL_0028:  ldc.i4.8 
+        IL_0029:  blt.s IL_003b
+        IL_002b:  br IL_0089
+        IL_0030:  xor 
+        IL_00aa:  ldloc.0 
+        IL_00ab:  br IL_0030
+With a linear scan of the code, we conclude that at IL_0030 there are
+no items on the stack, but xor requires to arguments, so the code is
+invalid IL and we refuse to compile it.
+You may try to see if you can disable the control flow tranformations
+in the obfuscator, that likely makes the tool generate
+standards-conforming code.