[Mono-bugs] [Bug 558230] New: [verifier] SIGSEGV in mono_class_is_open_constructed_type on a bad assembly

bugzilla_noreply at novell.com bugzilla_noreply at novell.com
Tue Nov 24 20:51:55 EST 2009 

http://bugzilla.novell.com/show_bug.cgi?id=558230

http://bugzilla.novell.com/show_bug.cgi?id=558230#c0


           Summary: [verifier] SIGSEGV in
                    mono_class_is_open_constructed_type on a bad assembly
    Classification: Mono
           Product: Mono: Runtime
           Version: 2.6.x
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: misc
        AssignedTo: rkumpera at novell.com
        ReportedBy: spouliot at novell.com
         QAContact: mono-bugs at lists.ximian.com
          Found By: ---
           Blocker: ---


Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fd1a07c1710 (LWP 20431)]
0x00000000004135d7 in mono_class_is_open_constructed_type (t=0x0) at
class.c:478
478        switch (t->type) {
(gdb) bt
#0  0x00000000004135d7 in mono_class_is_open_constructed_type (t=0x0) at
class.c:478
#1  0x000000000044a1a5 in mono_metadata_get_generic_inst (type_argc=1,
type_argv=0x863530) at metadata.c:2393
#2  0x000000000044b810 in mono_metadata_inflate_generic_inst (ginst=0x863620,
context=0x87f268) at metadata.c:2507
#3  0x000000000041b7cd in inflate_generic_type (image=0x0, type=0x87f8d0,
context=0x87f268, error=<value optimized out>) at class.c:571
#4  0x000000000041c96a in mono_type_retrieve_from_typespec (image=<value
optimized out>, type_spec=<value optimized out>, context=0x87f268,
did_inflate=0x7fffa87dfff4) at class.c:5095
#5  0x000000000041cc84 in mono_class_get_full (image=0x85da80,
type_token=8795440, context=0x50da40) at class.c:5117
#6  0x000000000042f552 in mono_field_from_token (image=0x85da80,
token=167772270, retklass=0x7fffa87e00a8, context=0x87f268) at loader.c:447
#7  0x000000000049488f in verifier_load_field (ctx=0x7fffa87e0310,
token=167772270, out_klass=0x7fffa87e00f0, opcode=0x523f3b "stfld") at
verify.c:826
#8  0x000000000049492e in check_is_valid_type_for_field_ops (ctx=0x0,
token=8795440, obj=0x862bc0, ret_field=0x7fffa87e0128,
opcode=0x2525252525252525 <Address 0x2525252525252525 out of bounds>)
    at verify.c:3542
#9  0x0000000000494fd3 in do_store_field (ctx=0x7fffa87e0310, token=167772270)
at verify.c:3621
#10 0x000000000049a5fd in mono_method_verify (method=<value optimized out>,
level=<value optimized out>) at verify.c:5525
#11 0x000000000040daed in main (argc=8430352, argv=<value optimized out>) at
pedump.c:374


The loop calling mono_class_inflate_generic_type in
mono_metadata_inflate_generic_inst (#2) does not check the result, which can be
NULL on error, and then goes on to call mono_metadata_get_generic_inst (#1)
with a vector that contains NULL values (which the code does not handle).

The solution seems to change the call to use
mono_class_inflate_generic_type_checked (easy) then deal with/propagate the
error upward (less fun).

-- 
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.

More information about the mono-bugs mailing list