Bug 24638 - Crash occurs when passing an array of objects to a COM method
Alias: None
Product: Runtime
Classification: Mono
Component: Interop
Version: 3.4.0
Hardware: PC Linux
: --- normal
Target Milestone: ---
Assignee: Bugzilla
Depends on:
Reported: 2014-11-19 01:48 UTC by daspits
Modified: 2015-01-08 05:10 UTC

See Also:
Is this bug a regression?: ---
Last known good build:


Description daspits 2014-11-19 01:48:48 UTC
When an array of objects (marshaled as UnmanagedType.LPArray) is passed to a COM method, a crash occurs while freeing the array. The crash occurs in the "mono_object_hash" function (in monitor.c), because data that is not a MonoObject is passed in. The root cause seems to be that the CCWs or RCWs from the native array are passed to "mono_marshal_free_ccw" in "mono_free_lparray" (in marshal.c) instead of the MonoObjects from the MonoArray. The CCW or RCW is then incorrectly treated like a MonoObject, thus eventually causing a crash in "mono_object_hash" when it tries to access the "synchronisation" field. I believe that this might also cause a memory leak as "mono_marshal_free_ccw" is never being called properly in this case.

I believe that the fix would be to pass in the MonoObjects from the MonoArray to "mono_marshal_free_ccw" in "mono_free_lparray".
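
A simplified C model of the mix-up described in the report above, added here as an illustration; it is not Mono's code, and `ManagedObj`, `Wrapper`, `free_wrapper_for` and `leaked_after_free` are hypothetical stand-ins for the runtime's types and routines. A type tag takes the place of the crash, so the program can count how many wrappers stay unreleased when the native array's elements are freed versus the managed array's.

```c
#include <stdio.h>

/* Simplified model: every name here is hypothetical, not a Mono definition. */
enum kind { KIND_OBJECT = 1, KIND_WRAPPER = 2 };
typedef struct { enum kind kind; void *synchronisation; } ManagedObj;     /* plays MonoObject */
typedef struct { enum kind kind; ManagedObj *target; int live; } Wrapper; /* plays a CCW */

#define N 3
static ManagedObj objs[N];
static Wrapper wrappers[N];
static ManagedObj *managed[N]; /* plays the MonoArray contents */
static void *native[N];        /* plays the LPArray handed to the COM method */

static void setup(void) {
    for (int i = 0; i < N; i++) {
        objs[i] = (ManagedObj){ KIND_OBJECT, NULL };
        wrappers[i] = (Wrapper){ KIND_WRAPPER, &objs[i], 1 };
        managed[i] = &objs[i];
        native[i] = &wrappers[i];
    }
}

/* Releases the wrapper owned by a managed object; returns 1 if one was released.
   The tag check is this model's addition: it reports the mix-up instead of crashing. */
static int free_wrapper_for(void *p) {
    if (p == NULL || *(enum kind *)p != KIND_OBJECT) return 0;
    for (int i = 0; i < N; i++)
        if (wrappers[i].live && wrappers[i].target == p) { wrappers[i].live = 0; return 1; }
    return 0;
}

static int live_wrappers(void) {
    int n = 0;
    for (int i = 0; i < N; i++) n += wrappers[i].live;
    return n;
}

/* use_managed == 0: reported behaviour, native array elements go to the free routine.
   use_managed == 1: proposed fix, managed array elements go to it instead. */
int leaked_after_free(int use_managed) {
    setup();
    for (int i = 0; i < N; i++)
        free_wrapper_for(use_managed ? (void *)managed[i] : native[i]);
    return live_wrappers();
}

int main(void) { printf("%d %d\n", leaked_after_free(0), leaked_after_free(1)); return 0; }
```
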
Comment 1 Zoltan Varga 2015-01-08 05:09:45 UTC
Fixed in mono marshal 62b4e3a314dc2df9a1a835623c99667c2d27e78f. Thanks for tracking this down.
Comment 2 Zoltan Varga 2015-01-08 05:10:00 UTC
I mean mono master 62b4e3a314dc2df9a1a835623c99667c2d27e78f.
