Disable desktop CLR and single-file DAC tests blocked by CDB SecureLoadDotNetExtensions#5759
Conversation
CDB 10.0.26100.1 introduced SecureLoadDotNetExtensions which verifies digital signatures of DAC DLLs before loading them. Both the .NET Framework mscordacwks.dll (from local Framework directory and symbol server) and servicing .NET Core DAC DLLs fail this verification, causing all desktop.cli, DualRuntimes, and singlefile servicing SOS tests to fail with: Failed to verify signature of file: ...mscordacwks.dll Error code - 0x000021BE Failed to load data access module, 0x80004002 This disables SecureLoadDotNetExtensions for CDB and DacSignatureVerification for dotnet-dump until the DAC signing issue is resolved. Also adds the Microsoft symbol server to the CDB sympath so mscordacwks.dll can be downloaded when needed. Fixes dotnet#5757 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
This PR updates SOS.UnitTests debugger startup configuration to work around CDB 10.0.26100.1 DAC signature verification failures and ensure the .NET Framework DAC can be resolved during desktop CLR debugging on Windows.
Changes:
- Add the Microsoft public symbol server to CDB’s initial symbol path (
-y) to enable downloadingmscordacwks.dllwhen needed. - Unconditionally disable CDB
SecureLoadDotNetExtensionsto bypass DAC signature checks that reject .NET Framework and servicing .NET DACs. - Unconditionally disable
dotnet-dumpDAC signature verification viaruntimes --DacSignatureVerification:false.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
You can also share your feedback on Copilot code review. Take the survey.
noahfalk
left a comment
noahfalk
left a comment
There was a problem hiding this comment.
I'm guessing the signing changes alone are sufficient to resolve the issue without introducing symbol server. If for some reason it isn't then we should try to explicitly put the directory where clr.dll is installed on the symbol path.
src/tests/SOS.UnitTests/SOSRunner.cs
Outdated
| arguments.AppendFormat(@" -y ""{0}""", debuggeeConfig.BinaryDirPath); | ||
| // the .nuget cache) and set to just the directory containing the debuggee binaries | ||
| // plus the Microsoft symbol server so CDB can download mscordacwks.dll for desktop CLR debugging. | ||
| arguments.AppendFormat(@" -y ""{0};srv*https://msdl.microsoft.com/download/symbols""", debuggeeConfig.BinaryDirPath); |
There was a problem hiding this comment.
We shouldn't need the symbol server, mscordacwks.dll is already on the machine in the directory adjacent to clr.dll. Symbol server will add perf overhead and is an extra potential failure point.
There was a problem hiding this comment.
We will need to look into the machines to see why things started tanking. Can this be a temporary workaround so that we don't fail the tests?
There was a problem hiding this comment.
I'm fine if its a temporary workaround, but is it even necessary? Disabling the verification alone wasn't enough to make it work?
There was a problem hiding this comment.
I am not a fan of disabling checks since that's our prod scenario. Loading from local should be enough. If that didn't fix this, then the issue probably lies elsewhere.
Remove the Microsoft symbol server from CDB sympath — mscordacwks.dll should already be available locally. Fix comment on DacSignatureVerification to correctly attribute it to dotnet-dump instead of CDB. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Restore the original conditional DacSignatureVerification logic for dotnet-dump — only CDB tests are failing, not dotnet-dump tests. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…failure Temporarily skip tests that fail because CDB SecureLoadDotNetExtensions and dotnet-dump DacSignatureVerification reject DAC DLLs: - Filter desktop CLR configs from Configurations (13 desktop.cli tests) - Skip DualRuntimes on Windows (desktop CLR DAC fails in dotnet-dump) - Skip StackAndOtherTests single-file on Windows (.NET 8 servicing DAC fails) Fixes dotnet#5757 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…nsions' into fix/sos-disable-secure-load-extensions
steveisok
changed the title
The disabled tests no longer exercise the CDB SecureLoadDotNetExtensions or dotnet-dump DacSignatureVerification code paths, so the original conditional logic can remain as-is. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
max-charlamb
left a comment
max-charlamb
left a comment
There was a problem hiding this comment.
Seems reasonable to temporarily disable these test runs until we have a more permanent fix.
Summary
Contributes to #5757
CDB 10.0.26100.1 introduced
SecureLoadDotNetExtensionswhich verifies digital signatures of DAC DLLs before loading them. Both the .NET Frameworkmscordacwks.dll(from local Framework directory and symbol server) and servicing .NET Core DAC DLLs fail this verification, causing 16 test failures across all Windows legs:Root Cause
The test infrastructure conditionally enables
SecureLoadDotNetExtensions=truefor non-nightly, non-private builds. CDB then rejects the DAC DLLs because their signatures cannot be verified:.NET Framework DAC—mscordacwks.dllfromC:\Windows\Microsoft.Net\Framework64\v4.0.30319\and from the symbol serverServicing .NET Core DAC— for .NET 8.0 servicing runtimesThis affects three test categories:
desktop.clitests — desktop CLR DAC signature verification failsprojectk.sdk.prebuilttests (DualRuntimes) — desktop CLR portion of dual-runtime dump failsprojectk.cli.singlefiletest (StackAndOtherTests) — .NET 8.0 servicing DAC failsChanges
All changes are in
SOS.cs— disable the affected tests until the CDB signing issue is resolved:SOS.Configurations— filters outIsDesktopconfigs that rely onmscordacwks.dllStackAndOtherTestsfor single-file on Windows — .NET 8.0 servicing DAC signature verification fails under CDBDualRuntimeson Windows — desktop CLR DAC portion of dual-runtime dump failsImpact