Fix TypeLoadException in GetMarshalAs when SafeArray has zero-length user-defined type name by Copilot · Pull Request #124355 · dotnet/runtime

Copilot · 2026-02-12T21:26:38Z

Description

MetadataImport.GetMarshalAs returns raw byte pointers to managed code without their associated lengths. When a MarshalAs blob contains NATIVE_TYPE_SAFEARRAY with a zero-length user-defined type name (common in tlbimp-generated COM interop assemblies), the native code returned a non-null pointer pointing past the blob data. The managed code then used CreateReadOnlySpanFromNullTerminated on this pointer, reading garbage memory until hitting a null byte, producing a garbled string that failed type resolution with TypeLoadException.

Regression introduced by commit a3dc133 which switched from returning managed strings to returning raw byte pointers.

Native fix (managedmdimport.cpp): Return NULL when byte count is 0 for safeArrayUserDefinedSubType, marshalType, and marshalCookie:

// Before: returned dangling pointer when m_cSafeArrayUserDefTypeNameBytes == 0
*safeArrayUserDefinedSubType = info.m_strSafeArrayUserDefTypeName;

// After: check byte count first
*safeArrayUserDefinedSubType = info.m_cSafeArrayUserDefTypeNameBytes > 0
    ? info.m_strSafeArrayUserDefTypeName : NULL;

Managed defense-in-depth (MdImport.cs): Wrapped safeArrayUserDefinedType resolution in try/catch(TypeLoadException), matching the existing pattern for marshalTypeRef.

Regression test (MarshalAsAttributeTests.cs): The SafeArrayParameter_ZeroLengthUserDefinedSubType_DoesNotThrow test uses PersistedAssemblyBuilder to create a PE assembly and then injects a FieldMarshal blob with the exact bytes that tlbimp produces: 0x1D (NATIVE_TYPE_SAFEARRAY) | 0x09 (VT_DISPATCH) | 0x00 (compressed string length 0). The trailing zero-length string is what distinguishes this from blobs the C# compiler produces (which omit the length byte entirely), and is the specific trigger for the bug. The test loads the PE, reflects on the parameter, and verifies that GetCustomAttributes does not throw TypeLoadException and that SafeArrayUserDefinedSubType is null.

Original prompt

This section details on the original issue you should resolve

<issue_title>Getting CustomAttributes of ParameterInfo throws TypeLoadException</issue_title>
<issue_description>### Description

When getting the CustomAttributes of the parameter of the setter for the property Icon of the interface MFilesAPI.IObjectType from the NuGet package Interop.MFilesAPI version 26.2.2, the following TypeLoadException is thrown:
Unhandled exception. System.TypeLoadException: Could not resolve type ' in assembly 'Interop.MFilesAPI, Version=7.0.0.0, Culture=neutral, PublicKeyToken=f1b4733f444f7ad0'.
   at System.Reflection.TypeNameResolver.GetTypeFromDefaultAssemblies(String typeName, ReadOnlySpan`1 nestedTypeNames, TypeName parsedName)
   at System.Reflection.TypeNameResolver.GetType(String escapedTypeName, ReadOnlySpan`1 nestedTypeNames, TypeName parsedName)
   at System.Reflection.TypeNameResolver.GetSimpleType(TypeName typeName)
   at System.Reflection.TypeNameResolver.Resolve(TypeName typeName)
   at System.Reflection.TypeNameResolver.GetTypeReferencedByCustomAttribute(String typeName, RuntimeModule scope)
   at System.Reflection.MetadataImport.GetMarshalAs(ConstArray nativeType, RuntimeModule scope)
   at System.Reflection.PseudoCustomAttribute.GetMarshalAsCustomAttribute(Int32 token, RuntimeModule scope)
   at System.Reflection.PseudoCustomAttribute.GetCustomAttributes(RuntimeParameterInfo parameter, RuntimeType caType, ListBuilder`1& pcas)
   at System.Reflection.RuntimeCustomAttributeData.GetCustomAttributesInternal(RuntimeParameterInfo target)
Reproduction Steps

Execute this Program.cs
using MFilesAPI;

var parameterInfo = typeof(IObjectType).GetMethod("set_Icon").GetParameters().Single();
_ = parameterInfo.CustomAttributes;
together with this .csproj
<Project Sdk="Microsoft.NET.Sdk">
    <PropertyGroup>
        <OutputType>Exe</OutputType>
        <TargetFramework>net10.0-windows</TargetFramework>
        <ImplicitUsings>enable</ImplicitUsings>
        <Nullable>enable</Nullable>
    </PropertyGroup>
    <ItemGroup>
        <PackageReference Include="Interop.MFilesAPI" Version="26.2.2" />
    </ItemGroup>
</Project>
Expected behavior

No exception thrown.

Actual behavior

TypeLoadException is thrown.

Regression?

Yes: Using <TargetFramework>net8.0-windows</TargetFramework>, no exception is thrown.

Known Workarounds

No response

Configuration

Which version of .NET is the code running on?
Microsoft.NETCore.App 10.0.2
.NET SDK 10.0.102

What OS and version, and what distro if applicable?
Windows 11

What is the architecture (x64, x86, ARM, ARM64)?
x64

Do you know whether it is specific to that configuration?
The problem also happens with Windows 10 x64, so is likely not specific to the configuration.

If you're using Blazor, which web browser(s) do you see this issue in?
N/A

Other information

Debugging shows that System.Reflection.MetadataImport.GetMarshalAs used to return an empty string in safeArrayUserDefinedSubType under .NET 8, but now (.NET 9 and .NET 10) decodes safeArrayUserDefinedSubTypeRaw into a garbled string in safeArrayUserDefinedTypeName in this instance. The method changed in a3dc133#diff-ca5f2236fd8d5cc746ac054393ca381a074ca52e5d7712a65b5a47cb804cfa46.</issue_description>

Comments on the Issue (you are @copilot in this section)

Fixes Getting CustomAttributes of ParameterInfo throws TypeLoadException #124346

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

…with empty SafeArray type name When a MarshalAs blob contains NATIVE_TYPE_SAFEARRAY with a zero-length user-defined type name, the native GetMarshalAs returned a non-null pointer despite having zero bytes. The managed code then used CreateReadOnlySpanFromNullTerminated to decode this pointer, reading past the blob into garbage memory, producing a garbled string that failed type resolution with TypeLoadException. Fix: Return NULL from native code when byte count is 0 for safeArrayUserDefinedSubType, marshalType, and marshalCookie. Also add try/catch around safeArrayUserDefinedType resolution for defense-in-depth, matching the existing pattern for marshalTypeRef. Fixes #115953 Co-authored-by: stephentoub <2642209+stephentoub@users.noreply.github.com>

dotnet-policy-service · 2026-02-12T21:58:49Z

Tagging subscribers to this area: @dotnet/area-system-reflection
See info in area-owners.md if you want to be subscribed.

AaronRobinsonMSFT · 2026-02-12T22:59:20Z

@copilot Please add a test for this scenario. It should be possible to add validation for the parsing of MarshalAs attributes in under the src/libraries/System.Runtime.InteropServices test suite.

Verifies that accessing CustomAttributes on a parameter annotated with MarshalAs(UnmanagedType.SafeArray) without SafeArrayUserDefinedSubType does not throw TypeLoadException. Co-authored-by: AaronRobinsonMSFT <30635565+AaronRobinsonMSFT@users.noreply.github.com>

Copilot · 2026-02-12T23:23:20Z

@copilot Please add a test for this scenario. It should be possible to add validation for the parsing of MarshalAs attributes in under the src/libraries/System.Runtime.InteropServices test suite.

Added in 5478b0d. The test (SafeArrayParameter_NoUserDefinedSubType_CustomAttributesDoNotThrow) uses a COM interface with parameters annotated with [MarshalAs(UnmanagedType.SafeArray, SafeArraySubType = VarEnum.VT_DISPATCH)] and verifies that accessing CustomAttributes and GetCustomAttribute on those parameters doesn't throw TypeLoadException, and that SafeArrayUserDefinedSubType is null.

....Runtime.InteropServices.UnitTests/System/Runtime/InteropServices/MarshalAsAttributeTests.cs

MichalStrehovsky · 2026-02-13T00:41:30Z

....Runtime.InteropServices.UnitTests/System/Runtime/InteropServices/MarshalAsAttributeTests.cs

+        [Theory]
+        [InlineData(nameof(ISafeArrayMarshallingTest.Method1))]
+        [InlineData(nameof(ISafeArrayMarshallingTest.Method2))]
+        public void SafeArrayParameter_NoUserDefinedSubType_CustomAttributesDoNotThrow(string methodName)
+        {
+            MethodInfo method = typeof(ISafeArrayMarshallingTest).GetMethod(methodName);
+            ParameterInfo parameter = method.GetParameters().Single();
+
+            // Accessing CustomAttributes should not throw TypeLoadException
+            // when SafeArrayUserDefinedSubType is not specified.
+            var attributes = parameter.CustomAttributes.ToList();
+
+            MarshalAsAttribute marshalAs = (MarshalAsAttribute)Attribute.GetCustomAttribute(parameter, typeof(MarshalAsAttribute));
+            Assert.NotNull(marshalAs);
+            Assert.Equal(UnmanagedType.SafeArray, marshalAs.Value);
+            Assert.Null(marshalAs.SafeArrayUserDefinedSubType);
+        }
+
+        [ComImport]
+        [Guid("1FC06EAF-2B18-4D54-B7D4-E654A8BEEF5B")]
+        [InterfaceType(ComInterfaceType.InterfaceIsIDispatch)]
+        private interface ISafeArrayMarshallingTest
+        {
+            void Method1([MarshalAs(UnmanagedType.SafeArray, SafeArraySubType = VarEnum.VT_DISPATCH)] object[] args);
+            void Method2([MarshalAs(UnmanagedType.SafeArray, SafeArraySubType = VarEnum.VT_UNKNOWN)] object[] args);
+        }


I was curious about the metadata shapes this generates so I tried this in a .NET10-windows project. The test passes as-is, without this fix. Is that expected?

Boo. I was afraid of that. The issue is ParseNativeTypeInfo which is in mlinfo.cpp. It reads into the middle of the data stream and sets the pointer also sets the length. So the pointer may be non-null, but the size is 0. The OP's example fails as expected, but I'm not sure how to force the metadata into that state to be honest.

Yes, that's expected — the C# compiler omits the zero-length string from the FieldMarshal blob entirely, so the native NATIVE_TYPE_SAFEARRAY parsing never sets m_strSafeArrayUserDefTypeName. The bug only triggers when the blob contains the explicit 0x00 compressed-string-length byte that tlbimp produces (3 bytes: 1D 09 00 vs the 2 bytes 1D 09 from the C# compiler).

Replaced the test in fe17a0b with one that uses PersistedAssemblyBuilder to create a valid PE, then injects the exact problematic FieldMarshal blob bytes [0x1D, 0x09, 0x00] via MetadataBuilder.AddMarshallingDescriptor.

@copilot and did you confirm that this new test fails without the fix and passes with it? From the session log it looks like you may not have run it without the fix. Please do.

@copilot I tried the test locally and it does not fail without the fix on Windows. This, however, does:

// Builds a PE with a FieldMarshal blob containing NATIVE_TYPE_SAFEARRAY // with a zero-length user-defined sub type name followed by poison bytes. // Without the native fix, the FCALL returns a dangling pointer into the // poison bytes; the managed side reads "X" and throws TypeLoadException. using System.Reflection; using System.Reflection.Emit; using System.Reflection.Metadata; using System.Reflection.Metadata.Ecma335; using System.Reflection.PortableExecutable; using System.Runtime.Loader; byte[] peImage = CreatePEWithSafeArrayFieldMarshal(); AssemblyLoadContext alc = new("TestALC", isCollectible: true); try { Assembly asm = alc.LoadFromStream(new MemoryStream(peImage)); Type iface = asm.GetType("TestInterface")!; MethodInfo method = iface.GetMethod("TestMethod")!; ParameterInfo param = method.GetParameters()[0]; // Without the fix, this throws TypeLoadException because the native FCALL // returns a non-null dangling pointer for the zero-length type name string, // and CreateReadOnlySpanFromNullTerminated reads the poison "X" from it. _ = param.GetCustomAttributes(false); Console.WriteLine("PASS: No exception thrown."); } catch (TypeLoadException ex) { Console.WriteLine($"FAIL: TypeLoadException: {ex.Message}"); } finally { alc.Unload(); } static byte[] CreatePEWithSafeArrayFieldMarshal() { PersistedAssemblyBuilder ab = new(new AssemblyName("SafeArrayTestAsm"), typeof(object).Assembly); ModuleBuilder moduleDef = ab.DefineDynamicModule("SafeArrayTestAsm.dll"); TypeBuilder typeDef = moduleDef.DefineType("TestInterface", TypeAttributes.Interface | TypeAttributes.Abstract | TypeAttributes.Public); MethodBuilder methodDef = typeDef.DefineMethod("TestMethod", MethodAttributes.Public | MethodAttributes.Abstract | MethodAttributes.Virtual | MethodAttributes.NewSlot | MethodAttributes.HideBySig, typeof(void), [typeof(object[])]); methodDef.DefineParameter(1, ParameterAttributes.HasFieldMarshal, "args"); typeDef.CreateType(); MetadataBuilder mdBuilder = ab.GenerateMetadata(out BlobBuilder ilStream, out _); // Inject a FieldMarshal blob that reproduces the native bug: // 0x1D NATIVE_TYPE_SAFEARRAY // 0x09 VT_DISPATCH (compressed uint) // 0x00 compressed string length = 0 (empty user-defined type name) // 0x58 'X' — poison byte, NOT consumed by the parser (it read length 0) // 0x00 null terminator for CreateReadOnlySpanFromNullTerminated // // The native parser sets m_strSafeArrayUserDefTypeName to the current // position after reading the zero string length, which points at the 'X'. // m_cSafeArrayUserDefTypeNameBytes is 0. Without the native fix, the // FCALL returns that non-null pointer; the managed side calls // CreateReadOnlySpanFromNullTerminated on it, reads "X", and then // TypeNameResolver throws TypeLoadException trying to resolve it. // // With the native fix (return NULL when byte count == 0), the managed // side sees null and skips type resolution entirely. // // Plain {0x1D, 0x09, 0x00} doesn't reliably repro because the blob // lands near the end of the #Blob heap where null padding follows, // so the dangling pointer hits 0x00 immediately → empty string → no throw. BlobBuilder marshalDescriptor = new(); marshalDescriptor.WriteBytes(new byte[] { 0x1D, 0x09, 0x00, 0x58, 0x00 }); mdBuilder.AddMarshallingDescriptor( MetadataTokens.ParameterHandle(1), mdBuilder.GetOrAddBlob(marshalDescriptor)); ManagedPEBuilder peAssembler = new( PEHeaderBuilder.CreateLibraryHeader(), new MetadataRootBuilder(mdBuilder), ilStream, flags: CorFlags.ILOnly); BlobBuilder peOutput = new(); peAssembler.Serialize(peOutput); return peOutput.ToArray(); }

Copilot

Pull request overview

This PR fixes a TypeLoadException that occurs when accessing CustomAttributes on parameters with [MarshalAs(UnmanagedType.SafeArray)] attributes that don't specify a SafeArrayUserDefinedSubType. The regression was introduced in commit a3dc133 when the native code was changed to return raw byte pointers instead of managed strings.

Changes:

Fixed native code in managedmdimport.cpp to return NULL instead of dangling pointers when string byte counts are zero
Added defensive error handling in MdImport.cs to catch TypeLoadException when resolving safeArrayUserDefinedType
Added regression test to verify that accessing CustomAttributes doesn't throw when SafeArrayUserDefinedSubType is not specified
Fixed typo in test method name from Ctor_UmanagedTye to Ctor_UnmanagedType

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File	Description
`src/coreclr/vm/managedmdimport.cpp`	Added null checks for zero-length strings before returning pointers to prevent dangling pointer issues
`src/coreclr/System.Private.CoreLib/src/System/Reflection/MdImport.cs`	Added try-catch for `TypeLoadException` when resolving `safeArrayUserDefinedType` as defense-in-depth
`src/libraries/System.Runtime.InteropServices/tests/System.Runtime.InteropServices.UnitTests/System/Runtime/InteropServices/MarshalAsAttributeTests.cs`	Added regression test and fixed typo in existing test method name

…blob The C# compiler never generates a zero-length user-defined type name in the FieldMarshal blob - it omits the length byte entirely. The previous test using C# attributes therefore did not exercise the bug. This new test uses PersistedAssemblyBuilder to create a valid PE and then injects a FieldMarshal blob with the exact bytes that tlbimp produces: 0x1D (NATIVE_TYPE_SAFEARRAY) | 0x09 (VT_DISPATCH) | 0x00 (string len 0) The trailing zero-length string is the trigger for the bug. Co-authored-by: stephentoub <2642209+stephentoub@users.noreply.github.com>

jkotas · 2026-02-13T02:57:58Z

src/coreclr/System.Private.CoreLib/src/System/Reflection/MdImport.cs

+            try
+            {
+                safeArrayUserDefinedType = string.IsNullOrEmpty(safeArrayUserDefinedTypeName) ? null :
+                    TypeNameResolver.GetTypeReferencedByCustomAttribute(safeArrayUserDefinedTypeName, scope);


Update marshalTypeName resolution below to use IsNullOrEmpty for consistency?

stephentoub · 2026-02-13T03:29:25Z

@copilot Can you address the comments?

adityamandaleeka · 2026-02-13T04:01:43Z

@copilot Can you address the comments?

stephentoub · 2026-02-13T23:22:48Z

CCA got into a bad state on this PR. I'm replacing it with #124406.

Initial plan

6f32250

Copilot AI assigned Copilot and stephentoub Feb 12, 2026

Copilot started work on behalf of stephentoub February 12, 2026 21:26 View session

github-actions bot added the needs-area-label An area label is needed to ensure this gets routed to the appropriate area owners label Feb 12, 2026

github-actions bot added area-System.Reflection and removed needs-area-label An area label is needed to ensure this gets routed to the appropriate area owners labels Feb 12, 2026

Copilot AI changed the title ~~[WIP] Fix TypeLoadException when getting CustomAttributes of ParameterInfo~~ Fix TypeLoadException in GetMarshalAs when SafeArray has zero-length user-defined type name Feb 12, 2026

Copilot AI requested a review from stephentoub February 12, 2026 22:04

Copilot finished work on behalf of stephentoub February 12, 2026 22:04

stephentoub requested a review from AaronRobinsonMSFT February 12, 2026 22:05

Copilot started work on behalf of AaronRobinsonMSFT February 12, 2026 22:59 View session

Copilot finished work on behalf of AaronRobinsonMSFT February 12, 2026 23:24

AaronRobinsonMSFT reviewed Feb 12, 2026

View reviewed changes

....Runtime.InteropServices.UnitTests/System/Runtime/InteropServices/MarshalAsAttributeTests.cs Outdated Show resolved Hide resolved

Apply suggestion from @AaronRobinsonMSFT

0da8620

AaronRobinsonMSFT approved these changes Feb 12, 2026

View reviewed changes

MichalStrehovsky reviewed Feb 13, 2026

View reviewed changes

stephentoub marked this pull request as ready for review February 13, 2026 01:11

Copilot AI review requested due to automatic review settings February 13, 2026 01:11

Copilot started work on behalf of stephentoub February 13, 2026 01:11 View session

Copilot started reviewing on behalf of stephentoub February 13, 2026 01:12 View session

Copilot AI reviewed Feb 13, 2026

View reviewed changes

Copilot finished work on behalf of stephentoub February 13, 2026 01:47

Copilot started work on behalf of stephentoub February 13, 2026 01:50 View session

Copilot started work on behalf of stephentoub February 13, 2026 02:18 View session

jkotas reviewed Feb 13, 2026

View reviewed changes

Copilot started work on behalf of stephentoub February 13, 2026 03:29 View session

Copilot started work on behalf of adityamandaleeka February 13, 2026 04:06 View session

Copilot AI requested a review from adityamandaleeka February 13, 2026 04:11

Copilot AI mentioned this pull request Feb 13, 2026

Fix TypeLoadException in GetMarshalAs when SafeArray has zero-length user-defined type name #124408

Open

stephentoub closed this Feb 13, 2026

Conversation

Copilot AI commented Feb 12, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Description

Reproduction Steps

Expected behavior

Actual behavior

Regression?

Known Workarounds

Configuration

Other information

Comments on the Issue (you are @copilot in this section)

Uh oh!

dotnet-policy-service bot commented Feb 12, 2026

Uh oh!

AaronRobinsonMSFT commented Feb 12, 2026

Uh oh!

Copilot AI commented Feb 12, 2026

Uh oh!

Uh oh!

MichalStrehovsky Feb 13, 2026

Choose a reason for hiding this comment

Uh oh!

stephentoub Feb 13, 2026

Choose a reason for hiding this comment

Uh oh!

AaronRobinsonMSFT Feb 13, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Copilot AI Feb 13, 2026

Choose a reason for hiding this comment

Uh oh!

stephentoub Feb 13, 2026

Choose a reason for hiding this comment

Uh oh!

stephentoub Feb 13, 2026

Choose a reason for hiding this comment

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Reviewed changes

Uh oh!

jkotas Feb 13, 2026

Choose a reason for hiding this comment

Uh oh!

stephentoub commented Feb 13, 2026 • edited by adityamandaleeka Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

adityamandaleeka commented Feb 13, 2026

Uh oh!

stephentoub commented Feb 13, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

Copilot AI commented Feb 12, 2026 •

edited

Loading

AaronRobinsonMSFT Feb 13, 2026 •

edited

Loading

stephentoub commented Feb 13, 2026 •

edited by adityamandaleeka

Loading