When an array of objects (marshaled as UnmanagedType.LPArray) is passed to a COM method, a crash occurs while freeing the array. The crash occurs in the "mono_object_hash" function (in monitor.c), because data that is not a MonoObject is passed in. The root cause seems to be that the CCWs or RCWs from the native array are passed to "mono_marshal_free_ccw" in "mono_free_lparray" (in marshal.c) instead of the MonoObjects from the MonoArray. The CCW or RCW is then incorrectly treated like a MonoObject, thus eventually causing a crash in "mono_object_hash" when it tries to access the "synchronisation" field. I believe that this might also cause a memory leak as "mono_marshal_free_ccw" is never being called properly in this case.
I believe that the fix would be to pass in the MonoObjects from the MonoArray to "mono_marshal_free_ccw" in "mono_free_lparray".
Fixed in mono marshal 62b4e3a314dc2df9a1a835623c99667c2d27e78f. Thanks for tracking this down.
I mean mono master 62b4e3a314dc2df9a1a835623c99667c2d27e78f.
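The pointer mix-up described in the report, as a simplified model added here for illustration; it is not part of the thread and not Mono's code. `Obj`, `Ccw`, `free_ccw` and `wrappers_leaked` are hypothetical stand-ins, and the model only compares addresses, so it shows the leak without reproducing the crash.

```c
#include <stdio.h>

/* Simplified model; none of these types or functions are Mono's own. */
typedef struct { void *synchronisation; } Obj;               /* managed object header */
typedef struct { void *vtable; Obj *target; int live; } Ccw; /* native wrapper */

#define N 3
static Obj objs[N];
static Ccw ccws[N];

/* Wrappers are looked up by managed object, so `object` must be an Obj.
   The model compares addresses only; per the report, the real runtime reads
   the object's header first, which is where a wrapper pointer crashes. */
static int free_ccw(void *object) {
    for (int i = 0; i < N; i++)
        if (ccws[i].live && (void *)ccws[i].target == object) {
            ccws[i].live = 0;
            return 1;
        }
    return 0;
}

/* Marshal objs[] to a native array of wrappers, free it, and return how many
   wrappers are still live. pass_managed=0 models the reported behaviour,
   pass_managed=1 the proposed fix. */
int wrappers_leaked(int pass_managed) {
    Obj *managed[N];
    void *native[N];
    int leaked = 0;
    for (int i = 0; i < N; i++) {
        ccws[i] = (Ccw){ NULL, &objs[i], 1 };
        managed[i] = &objs[i];
        native[i] = &ccws[i];          /* native array holds wrappers */
    }
    for (int i = 0; i < N; i++)
        free_ccw(pass_managed ? (void *)managed[i] : native[i]);
    for (int i = 0; i < N; i++)
        leaked += ccws[i].live;
    return leaked;
}

int main(void) {
    printf("native elements passed:  %d wrappers leaked\n", wrappers_leaked(0));
    printf("managed elements passed: %d wrappers leaked\n", wrappers_leaked(1));
    return 0;
}
```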