Bug 43563 - Crash when struct Foo contains static field of type Foo[][]
Summary: Crash when struct Foo contains static field of type Foo[][]
Status: RESOLVED FIXED
Alias: None
Product: Runtime
Classification: Mono
Component: JIT
Version: 5.4 (2017-06)
Hardware: PC Windows
Importance: Normal normal
Target Milestone: Future Cycle (TBD)
Assignee: Aleksey Kliger
URL:
Depends on:
Blocks:
Reported: 2016-08-20 20:39 UTC by Alex Zhdankin
Modified: 2017-10-19 19:34 UTC
CC: 8 users

See Also:
Tags: bugpool-archive
Is this bug a regression?: ---
Last known good build:


Attachments
This code crashes the runtime (1.04 KB, text/plain)
2016-08-20 20:39 UTC, Alex Zhdankin

Description Alex Zhdankin 2016-08-20 20:39:37 UTC
Created attachment 17140
This code crashes the runtime

If a struct Foo contains a static field foo of type Foo[][], the runtime generates an error and crashes the runtime.

A simple repro code like this just shows the error (Invalid type Foo[][] for instance field Foo:foo) but continues to run.

using System;
static class Test {
	struct Foo {
		static Foo[][] foo;
	}

	static void Main() {
		Console.WriteLine(typeof(Foo).Name);
	}
}

A bit more complex example (attached to this report) shows the same error and crashes the runtime:

Invalid type IntVector2[][] for instance field IntVector2:foo
Unhandled Exception:
System.BadImageFormatException: Could not resolve field token 0x04000003
File name: 'Test'
[ERROR] FATAL UNHANDLED EXCEPTION: System.BadImageFormatException: Could not resolve field token 0x04000003
File name: 'Test'

Both examples run just fine under .NET.
Comment 1 Alex Zhdankin 2016-08-20 21:41:07 UTC
It turned out it doesn't matter if the field is static. It can also be an instance field of type Foo[][] or Foo[][][] etc. The errors are the same.
Comment 2 Alex Rønne Petersen 2016-08-29 06:32:59 UTC
Can reproduce with Mono master on Linux (amd64). Simply compile and run the attached repro.
Comment 3 Zoltan Varga 2016-09-06 01:07:00 UTC
This happens because we are trying to compute the instance size of 'Foo' recursively:

#0  mono_class_set_failure (klass=0x10132ff18, ex_type=7, ex_data=0x10132af40) at class.c:9932
#1  0x000000010024293a in mono_class_init (klass=0x10132ff18) at class.c:5115
#2  0x000000010024e0bd in mono_class_instance_size (klass=0x10132ff18) at class.c:6862
#3  0x000000010024e19c in mono_class_array_element_size (klass=0x10132ff18) at class.c:8708
#4  0x000000010024d82b in mono_bounded_array_class_get (eclass=0x10132ff18, rank=1, bounded=0) at class.c:6747
#5  0x000000010024de7d in mono_array_class_get (eclass=0x10132ff18, rank=1) at class.c:6847
#6  0x000000010023ede1 in mono_class_from_mono_type (type=0x101330048) at class.c:6570
#7  0x00000001002ccf3b in do_mono_metadata_parse_type (type=0x7fff5fbfca28, m=0x102005600, container=0x0, transient=0, ptr=0x102a8b4ef "\006", rptr=0x7fff5fbfca58, error=0x7fff5fbfcca0) at metadata.c:3386
#8  0x00000001002c3391 in mono_metadata_parse_type_internal (m=0x102005600, container=0x0, opt_attrs=17, transient=0, ptr=0x102a8b4eb "\035\035\021\f\006", rptr=0x7fff5fbfcb40, error=0x7fff5fbfcca0) at metadata.c:1688
#9  0x00000001002c3041 in mono_metadata_parse_type_checked (m=0x102005600, container=0x0, opt_attrs=17, transient=0, ptr=0x102a8b4eb "\035\035\021\f\006", rptr=0x7fff5fbfcb40, error=0x7fff5fbfcca0) at metadata.c:1742
#10 0x0000000100254bb3 in mono_field_resolve_type (field=0x101330028, error=0x7fff5fbfcca0) at class.c:10724
#11 0x00000001002402e2 in mono_class_setup_fields (klass=0x10132ff18) at class.c:1683
#12 0x0000000100242df9 in mono_class_init (klass=0x10132ff18) at class.c:5183
Comment 4 Ludovic Henry 2017-09-06 19:43:25 UTC
I can reproduce with Mono 5.4.0.135 (2017-06/6425f06)
Comment 5 Aleksey Kliger 2017-09-12 21:44:15 UTC
We eagerly compute the element size for arrays, which for valuetypes means we need to recursively find out the instance type for the array element type.  A fix is to initialize a MonoClass for an array lazily (and in particular not to initialize the array element size field until later).
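To show the eager-versus-lazy distinction described in this comment against the recursion in the backtrace of Comment 3, here is a toy C model added as an illustration; it is not Mono's code, and the names Class, FieldSig, array_class_get, element_size, instance_size and layout_foo are constructed for the example. Eager element sizing re-enters the layout of Foo while Foo is still being laid out and marks the class failed (the state the "Invalid type" message reports); lazy sizing lays Foo out as a pointer-sized field and computes the element size only once that layout is complete.

```c
#include <stdbool.h>
#include <stddef.h>
/* Toy model of laying out `struct Foo { Foo[][] foo; }`; constructed names, not Mono code. */
#define PTR_SIZE 8
#define POOL 8
typedef struct Class Class;
typedef struct { Class *elem; int rank; } FieldSig;   /* Foo[][] is {Foo, 2} */
struct Class {
    Class *elem;                      /* element class if this is an array class */
    FieldSig field;                   /* the struct's single field */
    int instance_size, element_size;  /* 0 = not computed yet */
    bool in_init, failed;             /* failed mimics mono_class_set_failure */
};
static Class pool[POOL];              /* array classes created during layout */
static int used;
static int instance_size(Class *k, bool lazy);

/* Eager: size the element while creating the array class (the path in the
 * backtrace). Lazy, the fix: only record the element class for now. */
static Class *array_class_get(Class *elem, bool lazy) {
    if (used >= POOL) return NULL;
    Class *a = &pool[used++];
    *a = (Class){ .elem = elem };
    if (!lazy) { a->element_size = instance_size(elem, lazy); a->failed = elem->failed; }
    return a;
}

/* On-demand element size: safe once the element's own layout has finished. */
static int element_size(Class *a, bool lazy) {
    if (!a->element_size) a->element_size = instance_size(a->elem, lazy);
    return a->element_size;
}

static int instance_size(Class *k, bool lazy) {
    if (k->elem) return PTR_SIZE;                     /* array reference = pointer */
    if (k->instance_size) return k->instance_size;
    if (k->in_init) { k->failed = true; return 0; }  /* Foo asked for Foo: cycle */
    k->in_init = true;
    Class *t = k->field.elem;                         /* Foo -> Foo[] -> Foo[][] */
    for (int r = 0; t && r < k->field.rank; r++) t = array_class_get(t, lazy);
    k->instance_size = (t && !t->failed) ? instance_size(t, lazy) : 0;
    k->failed = k->failed || k->instance_size == 0;
    k->in_init = false;
    return k->instance_size;
}

typedef struct { int foo_size, elem_size; bool failed; } Layout;
/* Lay out Foo whose only field is an array of Foo with the given rank. */
static Layout layout_foo(int rank, bool lazy) {
    used = 0;
    Class foo = {0};
    foo.field = (FieldSig){ &foo, rank };
    Layout r = { instance_size(&foo, lazy), 0, foo.failed };
    if (!r.failed) r.elem_size = element_size(&pool[0], lazy);   /* pool[0] is Foo[] */
    return r;
}
```

Calling layout_foo(2, false) reproduces the failed layout of Comment 3, while layout_foo(2, true) yields a pointer-sized Foo whose Foo[] element size can then be resolved without recursion.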
Comment 6 Ludovic Henry 2017-09-15 22:38:07 UTC
Fixed in master with https://github.com/mono/mono/pull/5559
Comment 7 Aleksey Kliger 2017-09-19 14:20:34 UTC
Fixed on 2017-08 with https://github.com/mono/mono/commit/726b2befe96b2e3046e50223444d5781a7cb069d
