Bug 43291 - Runtime crash at reflection.c:mono_custom_attrs_construct_by_type while calling GetCustomAttributes for a proxy class
Alias: None
Product: Runtime
Classification: Mono
Component: Reflection
Version: Trunk
Hardware: PC All
: --- normal
Target Milestone: ---
Assignee: Aleksey Kliger
Depends on:
Reported: 2016-08-11 22:28 UTC by Pablo Ruiz García
Modified: 2016-08-18 11:21 UTC

See Also:
Is this bug a regression?: ---
Last known good build:

Sample project/code demonstrating the issue. (949.44 KB, application/zip)
2016-08-11 22:28 UTC, Pablo Ruiz García
Standalone reproduction (2.03 KB, text/plain)
2016-08-12 22:31 UTC, Aleksey Kliger

Description Pablo Ruiz García 2016-08-11 22:28:21 UTC
Created attachment 16998
Sample project/code demonstrating the issue.


Attached to this issue is a sample Program.cs which provokes a runtime crash with the following code:

using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Reflection;

using HermaFx.Settings;

namespace TestValidateObject
{
        public interface ISettings
        {
                string Field { get; set; }
        }

        class Program
        {
                static void Main(string[] args)
                {
                        var config = new System.Collections.Specialized.NameValueCollection(1);
                        config.Add("TestValidateObject:Field", "XXX");
                        // HermaFx's SettingsAdapter returns a runtime-generated proxy type that implements ISettings
                        var _settings = new SettingsAdapter().Create<ISettings>(config);
                        // Enumerating the proxy type's custom attributes is what crashes the runtime
                        var attrs = _settings.GetType().GetCustomAttributes<Attribute>(true);
                        Console.WriteLine(attrs != null);
                }
        }
}

In order to reproduce the issue the following commands should be invoked:

# unzip
# cd TestValidateObject
# xbuild TestValidateObject
# mono --debug TestValidateObject/bin/Debug/TestValidateObject.exe

And this is the output obtained from the previous command invocation:

[root@barney Debug]# mono --debug TestValidateObject.exe

  at <unknown> <0xffffffff>
  at (wrapper managed-to-native) System.MonoCustomAttrs.GetCustomAttributesInternal (System.Reflection.ICustomAttributeProvider,System.Type,bool) <IL 0x00009, 0x0005d>
  at System.MonoCustomAttrs.GetCustomAttributesBase (System.Reflection.ICustomAttributeProvider,System.Type,bool) [0x00019] in /home/abuild/rpmbuild/BUILD/mono-4.4.2/mcs/class/corlib/System/MonoCustomAttrs.cs:128
  at System.MonoCustomAttrs.GetCustomAttributes (System.Reflection.ICustomAttributeProvider,System.Type,bool) [0x00040] in /home/abuild/rpmbuild/BUILD/mono-4.4.2/mcs/class/corlib/System/MonoCustomAttrs.cs:158
  at System.RuntimeType.GetCustomAttributes (System.Type,bool) [0x0003e] in /home/abuild/rpmbuild/BUILD/mono-4.4.2/external/referencesource/mscorlib/system/rttype.cs:5093
  at System.Attribute.GetCustomAttributes (System.Reflection.MemberInfo,System.Type,bool) [0x0009f] in /home/abuild/rpmbuild/BUILD/mono-4.4.2/external/referencesource/mscorlib/system/attribute.cs:572
  at System.Reflection.CustomAttributeExtensions.GetCustomAttributes (System.Reflection.MemberInfo,System.Type,bool) [0x00000] in /home/abuild/rpmbuild/BUILD/mono-4.4.2/external/referencesource/mscorlib/system/reflection/CustomAttributeExtensions.cs:126
  at System.Reflection.CustomAttributeExtensions.GetCustomAttributes<T_REF> (System.Reflection.MemberInfo,bool) [0x00000] in /home/abuild/rpmbuild/BUILD/mono-4.4.2/external/referencesource/mscorlib/system/reflection/CustomAttributeExtensions.cs:135
  at TestValidateObject.Program.Main (string[]) [0x00035] in /tmp/TestValidateObject/TestValidateObject/Program.cs:25
  at (wrapper runtime-invoke) <Module>.runtime_invoke_void_object (object,intptr,intptr,intptr) <IL 0x00051, 0x000c8>

Native stacktrace:

        mono() [0x49ffe0]
        mono() [0x4f8e3a]
        mono() [0x415189]
        /lib64/ [0x7fdb27af5500]
        mono() [0x5ce0c4]
        mono(mono_reflection_get_custom_attrs_by_type+0x42) [0x5ce292]
        mono() [0x53e95b]

Debug info from gdb:

Mono support loaded.
[New LWP 27974]
[New LWP 27973]
[Thread debugging using libthread_db enabled]
0x00007fdb27af509d in __libc_waitpid (pid=<value optimized out>, stat_loc=<value optimized out>, options=<value optimized out>) at ../sysdeps/unix/sysv/linux/waitpid.c:41
41        int result = INLINE_SYSCALL (wait4, 4, pid, stat_loc, options, NULL);
  3 Thread 0x7fdb20fff700 (LWP 27973)  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:162
  2 Thread 0x7fdb216a3700 (LWP 27974)  sem_wait () at ../nptl/sysdeps/unix/sysv/linux/x86_64/sem_wait.S:86
* 1 Thread 0x7fdb28596760 (LWP 27972)  0x00007fdb27af509d in __libc_waitpid (pid=<value optimized out>, stat_loc=<value optimized out>, options=<value optimized out>) at ../sysdeps/unix/sysv/linux/waitpid.c:41

Thread 3 (Thread 0x7fdb20fff700 (LWP 27973)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:162
#1  0x000000000060e02c in mono_os_cond_wait (thread_data=0x0) at ../../mono/utils/mono-os-mutex.h:105
#2  thread_func (thread_data=0x0) at sgen-thread-pool.c:118
#3  0x00007fdb27aed851 in start_thread (arg=0x7fdb20fff700) at pthread_create.c:301
#4  0x00007fdb2762594d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Thread 2 (Thread 0x7fdb216a3700 (LWP 27974)):
#0  sem_wait () at ../nptl/sysdeps/unix/sysv/linux/x86_64/sem_wait.S:86
#1  0x00000000005b3795 in mono_os_sem_wait (unused=<value optimized out>) at ../../mono/utils/mono-os-semaphore.h:163
#2  mono_coop_sem_wait (unused=<value optimized out>) at ../../mono/utils/mono-coop-semaphore.h:40
#3  finalizer_thread (unused=<value optimized out>) at gc.c:711
#4  0x0000000000590992 in start_wrapper_internal (data=<value optimized out>) at threads.c:717
#5  start_wrapper (data=<value optimized out>) at threads.c:764
#6  0x000000000063e69a in inner_start_thread (arg=<value optimized out>) at mono-threads-posix.c:92
#7  0x00007fdb27aed851 in start_thread (arg=0x7fdb216a3700) at pthread_create.c:301
#8  0x00007fdb2762594d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Thread 1 (Thread 0x7fdb28596760 (LWP 27972)):
#0  0x00007fdb27af509d in __libc_waitpid (pid=<value optimized out>, stat_loc=<value optimized out>, options=<value optimized out>) at ../sysdeps/unix/sysv/linux/waitpid.c:41
#1  0x00000000004a0074 in mono_handle_native_sigsegv (signal=<value optimized out>, ctx=<value optimized out>, info=<value optimized out>) at mini-exceptions.c:2348
#2  0x00000000004f8e3a in mono_arch_handle_altstack_exception (sigctx=0x7fdb285a8c40, siginfo=0x7fdb285a8d70, fault_addr=<value optimized out>, stack_ovf=0) at exceptions-amd64.c:808
#3  0x0000000000415189 in mono_sigsegv_signal_handler (_dummy=11, _info=0x7fdb285a8d70, context=0x7fdb285a8c40) at mini-runtime.c:2888
#4  <signal handler called>
#5  0x00000000005ce0c4 in mono_custom_attrs_construct_by_type (cinfo=0x1c310b0, attr_klass=0x1899d10, error=0x7fff13032820) at reflection.c:9006
#6  0x00000000005ce292 in mono_reflection_get_custom_attrs_by_type (obj=<value optimized out>, attr_klass=0x1899d10, error=0x7fff13032820) at reflection.c:9498
#7  0x000000000053e95b in custom_attrs_get_by_type (obj=0x7fdb284f5e70, attr_type=<value optimized out>) at icall.c:7206

Got a SIGSEGV while executing native code. This usually indicates
a fatal error in the mono runtime or one of the native libraries
used by your application.

Comment 1 Aleksey Kliger 2016-08-12 22:31:43 UTC
Created attachment 17015
Standalone reproduction

1. (Actual cause) When we filter out non-visible custom attributes in mono_custom_attrs_from_builders, we update the count of custom attributes and then use it as a loop bound.  That means if non-visible custom attributes occur in the middle of the list, we will drop some legitimate custom attributes.
2. (Symptom) The crash happens because when we leave out the legitimate attributes, we end up with some number of zero-initialised MonoCustomAttrEntry structs.

So the fix is:
1. Use the old cattrs array length for the second iteration over the attrs in mono_custom_attrs_from_builders.
2. Check for null in custom_attrs_get_by_type and throw a TLE earlier.

Attached is a standalone repro.
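To make the two-step cause in Comment 1 concrete, the following C model is added here; it is not Mono's code, and CattrEntry, CattrInfo, build, count_by_prefix and the sample attribute list are constructed stand-ins for the runtime's structures. The only difference between the buggy and fixed paths is the bound of the copy loop, and the consumer reports the zeroed slot instead of dereferencing it, as the second part of the fix does.

```c
#include <string.h>

/* Constructed stand-in for Mono's MonoCustomAttrEntry (not the real struct):
 * a NULL ctor marks a zero-initialised slot, which is what the crash hit. */
typedef struct {
    const char *ctor;  /* attribute constructor name, NULL for an unfilled slot */
    int visible;       /* 1 = visible to reflection, 0 = filtered out */
} CattrEntry;
typedef struct { int num_attrs; CattrEntry attrs[8]; } CattrInfo;

/* Models the filter in mono_custom_attrs_from_builders as Comment 1 describes it:
 * with fixed == 0 the decremented count becomes the copy-loop bound, so a visible
 * builder past it is dropped and its slot stays zeroed; fixed == 1 walks all n. */
static CattrInfo build(const CattrEntry *builders, int n, int fixed) {
    CattrInfo info;
    memset(&info, 0, sizeof info);
    int count = n;
    for (int i = 0; i < n; i++)
        if (!builders[i].visible) count--;
    int bound = fixed ? n : count;  /* the whole difference between bug and fix */
    int index = 0;
    for (int i = 0; i < bound; i++)
        if (builders[i].visible) info.attrs[index++] = builders[i];
    info.num_attrs = count;
    return info;
}

/* Consumer in the spirit of custom_attrs_get_by_type: counts entries whose ctor
 * starts with prefix, or returns -1 on a zeroed slot instead of dereferencing it. */
static int count_by_prefix(const CattrInfo *info, const char *prefix) {
    int found = 0;
    for (int i = 0; i < info->num_attrs; i++) {
        if (info->attrs[i].ctor == NULL) return -1;
        if (strncmp(info->attrs[i].ctor, prefix, strlen(prefix)) == 0) found++;
    }
    return found;
}

/* Constructed sample: a non-visible builder in the middle of the list. */
static const CattrEntry sample[] = {
    {"SerializableAttribute::.ctor", 1},
    {"InternalOnlyAttribute::.ctor", 0},
    {"DescriptionAttribute::.ctor", 1},
};

/* Look up DescriptionAttribute through the buggy (0) or fixed (1) path. */
static int lookup_description(int fixed) {
    CattrInfo info = build(sample, 3, fixed);
    return count_by_prefix(&info, "DescriptionAttribute");
}
```

With the buggy bound, DescriptionAttribute is never copied and the lookup hits the zeroed second slot; with the fixed bound, both visible attributes land in the array and the lookup finds it.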
Comment 2 Aleksey Kliger 2016-08-16 14:23:09 UTC
Fixed on mono master with commit 694b115595bb12688a1ad1de18868e5c837dd6df
Fixed on mono mono-4.6.0-branch with commit d0fc1a66e21eddba20ade505d6880238a0253d9e
Comment 3 Pablo Ruiz García 2016-08-18 11:21:27 UTC
Cool, thanks Aleksey.
