|Summary:|Crash occurs when passing an array of objects to a COM method|
|Severity:|normal|
|CC:|mono-bugs+mono, mono-bugs+runtime, vargaz|
|Tags:||
|Is this bug a regression?:|---|
|Last known good build:||
Description daspits 2014-11-19 01:48:48 UTC
When an array of objects (marshaled as UnmanagedType.LPArray) is passed to a COM method, a crash occurs while freeing the array. The crash occurs in the "mono_object_hash" function (in monitor.c), because data that is not a MonoObject is passed in. The root cause seems to be that the CCWs or RCWs from the native array are passed to "mono_marshal_free_ccw" in "mono_free_lparray" (in marshal.c) instead of the MonoObjects from the MonoArray. The CCW or RCW is then incorrectly treated like a MonoObject, thus eventually causing a crash in "mono_object_hash" when it tries to access the "synchronisation" field. I believe that this might also cause a memory leak as "mono_marshal_free_ccw" is never being called properly in this case. I believe that the fix would be to pass in the MonoObjects from the MonoArray to "mono_marshal_free_ccw" in "mono_free_lparray".
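The type confusion and the leak described in the report above, as an added example that is not part of the original report and is not Mono's code. It is a simplified model: `ManagedObj`, `NativeWrapper`, `free_ccw`, `free_lparray` and `is_managed` are hypothetical stand-ins, and the identity check replaces the invalid memory read so the model runs safely.

```c
/* Simplified model of the bug; every name here is a hypothetical stand-in. */
#include <stdio.h>

#define N 3
typedef struct { int ccw_refs; } ManagedObj;          /* stands in for a MonoObject */
typedef struct { ManagedObj *target; } NativeWrapper; /* stands in for a CCW/RCW */
typedef struct { int released, bad_calls, leaked; } Result;

static ManagedObj heap[N];        /* constructed managed array elements */
static NativeWrapper wrappers[N]; /* what the native array really holds */

/* The model checks identity; per the report, the real path instead reads
   the "synchronisation" field from whatever pointer it was handed. */
static int is_managed(const void *p) {
    for (int i = 0; i < N; i++)
        if (p == (const void *)&heap[i]) return 1;
    return 0;
}

/* Release routine that expects a managed object; returns 1 on release. */
static int free_ccw(void *obj, Result *r) {
    if (!is_managed(obj)) { r->bad_calls++; return 0; } /* type confusion */
    ManagedObj *o = obj;
    if (o->ccw_refs == 0) return 0;
    o->ccw_refs--;
    return 1;
}

/* use_managed = 0: loop as described in the report (native elements);
   use_managed = 1: the fix the reporter proposes (managed elements). */
static Result free_lparray(int use_managed) {
    void *native[N];
    Result r = {0, 0, 0};
    for (int i = 0; i < N; i++) {      /* marshal: one wrapper per element */
        heap[i].ccw_refs = 1;
        wrappers[i].target = &heap[i];
        native[i] = &wrappers[i];
    }
    for (int i = 0; i < N; i++)
        r.released += free_ccw(use_managed ? (void *)&heap[i] : native[i], &r);
    for (int i = 0; i < N; i++)
        r.leaked += heap[i].ccw_refs;  /* wrappers never released */
    return r;
}

int main(void) {
    Result b = free_lparray(0), f = free_lparray(1);
    printf("native elems:  released=%d bad=%d leaked=%d\n", b.released, b.bad_calls, b.leaked);
    printf("managed elems: released=%d bad=%d leaked=%d\n", f.released, f.bad_calls, f.leaked);
    return 0;
}
```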
Comment 1 Zoltan Varga 2015-01-08 05:09:45 UTC
Fixed in mono marshal 62b4e3a314dc2df9a1a835623c99667c2d27e78f. Thanks for tracking this down.
Comment 2 Zoltan Varga 2015-01-08 05:10:00 UTC
I mean mono master 62b4e3a314dc2df9a1a835623c99667c2d27e78f.