[Mono-bugs] [Bug 558145] New: [verifier] SIGSEGV in mono_method_verify/mono_type_fullname on a bad assembly

bugzilla_noreply at novell.com bugzilla_noreply at novell.com
Tue Nov 24 15:25:49 EST 2009 

http://bugzilla.novell.com/show_bug.cgi?id=558145

http://bugzilla.novell.com/show_bug.cgi?id=558145#c0


           Summary: [verifier] SIGSEGV in
                    mono_method_verify/mono_type_fullname on a bad
                    assembly
    Classification: Mono
           Product: Mono: Runtime
           Version: 2.6.x
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: misc
        AssignedTo: rkumpera at novell.com
        ReportedBy: spouliot at novell.com
         QAContact: mono-bugs at lists.ximian.com
          Found By: ---
           Blocker: ---


note: The only test case I got (so far) is the same as #558124 (see binary
attachment) when the included patch is applied.

The problem is that mono_class_inflate_generic_type_checked can return NULL
when it set an error (erasing the existing, non-null, un-inflated MonoType*).

However, if an error occurs, the code in mono_method_verify tries to determine
the full name of the type (using mono_type_full_name) leading to the SEGSIGV.

There also seems to be a typo in the second loop (around line 4945) between
ctx.params and ctx.locals

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fb925855710 (LWP 7361)]
mono_type_get_desc (res=0x884540, type=0x0, include_namespace=1) at
debug-helpers.c:94
94        switch (type->type) {
(gdb) bt
#0  mono_type_get_desc (res=0x884540, type=0x0, include_namespace=1) at
debug-helpers.c:94
#1  0x0000000000423500 in mono_type_full_name (type=0x0) at debug-helpersc:197
#2  0x0000000000495d72 in mono_method_verify (method=<value optimized out>,
level=<value optimized out>) at verify.c:4945
#3  0x000000000040daed in main (argc=8430352, argv=<value optimized out>) at
pedump.c:374
(gdb) up 2
#2  0x0000000000495d72 in mono_method_verify (method=<value optimized out>,
level=<value optimized out>) at verify.c:4945
4945                char *name = mono_type_full_name (ctx.locals [i]);
(gdb) p i
$1 = 0
(gdb) p ctx.locals [i]
$2 = (MonoType *) 0x0
(gdb) p ctx
$3 = {max_args = 1, max_stack = 5, verifiable = 1, valid = 1, level = 135,
code_size = 88, code = 0x887750, eval = {stack = 0x0, size = 0, flags = 0},
params = 0x87af10, list = 0x0, funptrs = 0x0, 
  exception_types = 0x0, num_locals = 3, locals = 0x87a2b0, target = 0,
ip_offset = 0, signature = 0x883770, header = 0x883798, generic_context =
0x87f228, image = 0x85da80, method = 0x883740, 
  has_this_store = 0, super_ctor_called = 0, prefix_set = 0, has_flags = 0,
constrained_type = 0x0}
(gdb) p ctx.num_locals
$4 = 3
(gdb) p ctx.locals [1]
$5 = (MonoType *) 0x516390
(gdb) p ctx.locals [2]
$6 = (MonoType *) 0x883810
(gdb) p error
$7 = {error_code = 5, hidden_0 = 0, hidden_1 = {0x0, 0x50f210, 0x0, 0x0, 0x0,
0x0, 0x0, 0xa3a0010010a, 0x21d00000000, 0x620000001f, 0x300, 0xa5e00100001}, 
  hidden_2 = "VAR 2 () cannot be expanded in this context with 1
instantiations\000<$\000\000\000\000\000\003\000\000\000\000\000\000 at 7\210\000\000\000\000\000\200�\205\000\000\000\000\000\t\000\000\002\000\000\000\000\200�\205\000\000\000\000\000[",
'\0' <repeats 14 times>}

-- 
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.

More information about the mono-bugs mailing list