[Mono-bugs] [Bug 450050] New: Mono crashes to freeing invalid pointer when using custom ICustomMarshaler marshaling return value

bugzilla_noreply at novell.com bugzilla_noreply at novell.com
Fri Nov 28 07:20:46 EST 2008


https://bugzilla.novell.com/show_bug.cgi?id=450050


           Summary: Mono crashes to freeing invalid pointer when using
                    custom ICustomMarshaler marshaling return value
           Product: Mono: Runtime
           Version: 2.0.x
          Platform: x86
        OS/Version: Linux
            Status: NEW
          Severity: Major
          Priority: P5 - None
         Component: interop
        AssignedTo: mono-bugs at lists.ximian.com
        ReportedBy: juhovh at iki.fi
         QAContact: mono-bugs at lists.ximian.com
          Found By: Community User


I have tested this on Linux (Ubuntu 10.4) x86 (mono runtime 1.2.6) and Mac OS X
(10.4) PPC (mono runtime 2.0.1), and the crash is exactly the same on both.
When I use a class derived from ICustomMarshaler to marshal a return value, it
gets a call to CleanUpNativeData with an invalid pointer value. When testing
exactly the same assembly file on the Microsoft .NET 3.5 framework, it doesn't
crash.

Test cases are attached in the zip. Steps to reproduce (on Linux):

gcc -shared -fPIC -o libcrash.so crash.c
gmcs Crash.cs
mono Crash.exe

The test case in the mono unit testing directory that tests for ICustomMarshaler
can be found at:

http://anonsvn.mono-project.com/viewvc/trunk/mono/mono/tests/marshal9.cs?view=markup

It has a REALLY weird condition that causes this bug not to reproduce:

                int alloc_type = Marshal.ReadInt32 (pNativeData);
                if (alloc_type == 1)
                        Marshal.FreeHGlobal (pNativeData);

So the test case doesn't crash for this bug, but the bug is still there. I had
to write a workaround in my program to store each allocated memory block and
when freeing check that the freed pointers are valid to avoid the mono crash. I
think this bug is quite fatal, please comment.


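The workaround the reporter describes (remember each block the marshaler allocates and free only those) could look like the following added example. It is not the reporter's code or Mono's; the class name TrackingStringMarshaler, the ANSI string payload and the pointer value in Main are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;

// Hypothetical marshaler, not the reporter's code: passes ANSI strings and
// frees only the blocks it allocated itself.
public sealed class TrackingStringMarshaler : ICustomMarshaler
{
    static readonly TrackingStringMarshaler instance = new TrackingStringMarshaler();
    readonly HashSet<IntPtr> live = new HashSet<IntPtr>(); // allocated, not yet freed

    // The runtime looks up this static factory by name.
    public static ICustomMarshaler GetInstance(string cookie) { return instance; }

    public IntPtr MarshalManagedToNative(object managed)
    {
        if (managed == null) return IntPtr.Zero;
        IntPtr p = Marshal.StringToHGlobalAnsi((string)managed);
        lock (live) live.Add(p);
        return p;
    }

    public object MarshalNativeToManaged(IntPtr native)
    {
        return Marshal.PtrToStringAnsi(native); // null for IntPtr.Zero
    }

    public void CleanUpNativeData(IntPtr native)
    {
        // Decide from the pointer value alone; never read through a pointer
        // that may be invalid.
        bool ours;
        lock (live) ours = live.Remove(native);
        if (ours) Marshal.FreeHGlobal(native);
    }

    public void CleanUpManagedData(object managed) { }
    public int GetNativeDataSize() { return -1; }

    static void Main()
    {
        ICustomMarshaler m = GetInstance("");
        IntPtr p = m.MarshalManagedToNative("hello");
        m.CleanUpNativeData(new IntPtr(0x1234)); // constructed bogus pointer: not freed
        Console.WriteLine(m.MarshalNativeToManaged(p));
        m.CleanUpNativeData(p);                  // tracked block: freed once
        m.CleanUpNativeData(p);                  // already removed: not freed again
    }
}
```

Unlike the check in marshal9.cs, this never dereferences the pointer passed to CleanUpNativeData. A pointer returned by the native library is never in the set, so releasing it stays the native side's responsibility.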