Bug 24638 - Crash occurs when passing an array of objects to a COM method
Summary: Crash occurs when passing an array of objects to a COM method
Status: RESOLVED FIXED
Alias: None
Product: Runtime
Classification: Mono
Component: Interop (show other bugs)
Version: 3.4.0
Hardware: PC Linux
: --- normal
Target Milestone: ---
Assignee: Bugzilla
URL:
Depends on:
Blocks:
 
Reported: 2014-11-19 01:48 UTC by daspits
Modified: 2015-01-08 05:10 UTC (History)
3 users (show)

Tags:
Is this bug a regression?: ---
Last known good build:

Notice (2018-05-24): bugzilla.xamarin.com is now in read-only mode.

Please join us on Visual Studio Developer Community and in the Xamarin and Mono organizations on GitHub to continue tracking issues. Bugzilla will remain available for reference in read-only mode. We will continue to work on open Bugzilla bugs, copy them to the new locations as needed for follow-up, and add the new items under Related Links.

Our sincere thanks to everyone who has contributed on this bug tracker over the years. Thanks also for your understanding as we make these adjustments and improvements for the future.


Please create a new report on GitHub or Developer Community with your current version information, steps to reproduce, and relevant error messages or log files if you are hitting an issue that looks similar to this resolved bug and you do not yet see a matching new report.

Related Links:
Status:
RESOLVED FIXED

Description daspits 2014-11-19 01:48:48 UTC
When an array of objects (marshaled as UnmanagedType.LPArray) is passed to a COM method, a crash occurs while freeing the array. The crash occurs in the "mono_object_hash" function (in monitor.c), because data that is not a MonoObject is passed in. The root cause seems to be that the CCWs or RCWs from the native array are passed to "mono_marshal_free_ccw" in "mono_free_lparray" (in marshal.c) instead of the MonoObjects from the MonoArray. The CCW or RCW is then incorrectly treated like a MonoObject, thus eventually causing a crash in "mono_object_hash" when it tries to access the "synchronisation" field. I believe that this might also cause a memory leak as "mono_marshal_free_ccw" is never being called properly in this case.

I believe that the fix would be to pass in the MonoObjects from the MonoArray to "mono_marshal_free_ccw" in "mono_free_lparray".
Comment 1 Zoltan Varga 2015-01-08 05:09:45 UTC
Fixed in mono marshal 62b4e3a314dc2df9a1a835623c99667c2d27e78f. Thanks for tracking this down.
Comment 2 Zoltan Varga 2015-01-08 05:10:00 UTC
I mean mono master 62b4e3a314dc2df9a1a835623c99667c2d27e78f.