Bug 24638

Summary: Crash occurs when passing an array of objects to a COM method
Product: [Mono] Runtime
Reporter: daspits
Component: Interop
Assignee: Bugzilla <bugzilla>
Status: RESOLVED FIXED
Severity: normal
CC: mono-bugs+mono, mono-bugs+runtime, vargaz
Priority: ---
Version: 3.4.0
Target Milestone: ---
Hardware: PC
OS: Linux
Tags:
Is this bug a regression?: ---
Last known good build:

Description daspits 2014-11-19 01:48:48 UTC
When an array of objects (marshaled as UnmanagedType.LPArray) is passed to a COM method, a crash occurs while freeing the array. The crash occurs in the "mono_object_hash" function (in monitor.c), because data that is not a MonoObject is passed in. The root cause seems to be that the CCWs or RCWs from the native array are passed to "mono_marshal_free_ccw" in "mono_free_lparray" (in marshal.c) instead of the MonoObjects from the MonoArray. The CCW or RCW is then incorrectly treated like a MonoObject, thus eventually causing a crash in "mono_object_hash" when it tries to access the "synchronisation" field. I believe that this might also cause a memory leak as "mono_marshal_free_ccw" is never being called properly in this case.

I believe that the fix would be to pass in the MonoObjects from the MonoArray to "mono_marshal_free_ccw" in "mono_free_lparray".
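Added illustration, not code from Mono or from the reporter: a small C model of the defect described above and of the proposed fix. The managed array and the marshaled native array hold different object kinds (managed objects versus their COM wrappers), and the bug is walking the wrong one. `ManagedObject`, `Ccw`, `object_hash`, `free_ccw`, `marshal_lparray`, `free_lparray_buggy`, `free_lparray_fixed` and the `MANAGED_MAGIC` sentinel are constructed stand-ins with simplified layouts; the real `mono_object_hash` performs no such sentinel check, which is why the runtime crashes where this model merely reports a miss and leaks the wrapper.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Cut-down models of the two object kinds the report says get confused.
 * Neither is Mono's real layout; both are constructed for this example. */
typedef struct {
    uint32_t magic;          /* sentinel standing in for the MonoObject vtable pointer */
    uint32_t hash;           /* the value object_hash() returns for this object */
    void *synchronisation;   /* the field mono_object_hash reads, per the report */
} ManagedObject;

typedef struct {
    void *vtable;            /* COM vtable pointer: a wrapper's first word is never the sentinel */
    ManagedObject *target;   /* managed object this wrapper stands for */
    int refcount;
} Ccw;

#define MANAGED_MAGIC 0x4d4f4e4fu   /* constructed sentinel */
#define MAX_OBJS 16

/* Stand-in for the runtime's object -> wrapper table, keyed by object hash. */
static Ccw *ccw_table[MAX_OBJS];

/* Model of mono_object_hash(). The real function trusts its argument; this
 * model checks the sentinel so type confusion yields -1 instead of a crash. */
static int object_hash(const void *p) {
    uint32_t magic;
    if (p == NULL)
        return -1;
    memcpy(&magic, p, sizeof magic);         /* read the first word, as the runtime would */
    if (magic != MANAGED_MAGIC)
        return -1;
    return (int)((const ManagedObject *)p)->hash;
}

/* Model of mono_marshal_free_ccw(): drops one reference on the wrapper that
 * belongs to a managed object. Returns 1 on success, 0 if no wrapper was found. */
static int free_ccw(const void *obj) {
    int h = object_hash(obj);
    if (h < 0 || h >= MAX_OBJS || ccw_table[h] == NULL)
        return 0;
    if (--ccw_table[h]->refcount == 0)
        ccw_table[h] = NULL;                 /* wrapper fully released */
    return 1;
}

/* Marshal n managed objects as an LPArray: the native side receives one CCW
 * pointer per managed object, and each wrapper is registered in the table. */
static void marshal_lparray(ManagedObject *objs, Ccw *ccws, void **native, int n) {
    memset(ccw_table, 0, sizeof ccw_table);
    for (int i = 0; i < n; i++) {
        objs[i].magic = MANAGED_MAGIC;
        objs[i].hash = (uint32_t)i;
        objs[i].synchronisation = NULL;
        ccws[i].vtable = NULL;
        ccws[i].target = &objs[i];
        ccws[i].refcount = 1;
        ccw_table[i] = &ccws[i];
        native[i] = &ccws[i];                /* what unmanaged code actually gets */
    }
}

/* The pattern the report describes: walk the native array and hand each CCW
 * pointer to free_ccw() as though it were the managed object. Nothing is
 * released, so every wrapper leaks (the real runtime crashes instead). */
static int free_lparray_buggy(void **native, int n) {
    int released = 0;
    for (int i = 0; i < n; i++)
        released += free_ccw(native[i]);
    return released;
}

/* The fix the report proposes: walk the managed array the native copy came from. */
static int free_lparray_fixed(const ManagedObject *objs, int n) {
    int released = 0;
    for (int i = 0; i < n; i++)
        released += free_ccw(&objs[i]);
    return released;
}

/* Wrappers still registered after freeing, i.e. leaked. */
int live_wrappers(void) {
    int live = 0;
    for (int i = 0; i < MAX_OBJS; i++)
        live += ccw_table[i] != NULL;
    return live;
}

/* Marshal n objects, free them with the buggy or the fixed routine, and
 * return how many wrappers were actually released. */
int run_scenario(int use_fixed, int n) {
    static ManagedObject objs[MAX_OBJS];
    static Ccw ccws[MAX_OBJS];
    static void *native[MAX_OBJS];
    if (n > MAX_OBJS) n = MAX_OBJS;
    marshal_lparray(objs, ccws, native, n);
    return use_fixed ? free_lparray_fixed(objs, n) : free_lparray_buggy(native, n);
}

int main(void) {
    printf("buggy: released %d, leaked %d\n", run_scenario(0, 4), live_wrappers());
    printf("fixed: released %d, leaked %d\n", run_scenario(1, 4), live_wrappers());
    return 0;
}
```

Running it shows the buggy walk releasing nothing and leaking all four wrappers, while the corrected walk releases all four; in the model the sentinel check absorbs the type confusion, whereas the real `mono_object_hash` dereferences the wrapper's memory and faults.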
Comment 1 Zoltan Varga 2015-01-08 05:09:45 UTC
Fixed in mono marshal 62b4e3a314dc2df9a1a835623c99667c2d27e78f. Thanks for tracking this down.
Comment 2 Zoltan Varga 2015-01-08 05:10:00 UTC
I mean mono master 62b4e3a314dc2df9a1a835623c99667c2d27e78f.