mono-cil-strip crashes when called against the monotouch_Microsoft.CSharp_xunit-test.dll #13639

Closed
mandel-macaque opened this issue Mar 25, 2019 · 5 comments

@mandel-macaque mandel-macaque commented Mar 25, 2019

While integrating the test dlls with xamarin-macios, we started using device tests. When using the cil strip command we have the following failure:

Error: System.IndexOutOfRangeException: Index was outside the bounds of the array.
  at Mono.Cecil.Metadata.Utilities.ReadCompressedInteger (System.Byte[] data, System.Int32 pos, System.Int32& start) [0x0002f] in <5ab86655477f49bf9e849e708f3dcbc9>:0
  at Mono.Cecil.Signatures.SignatureReader.ReadMarshalSig (System.Byte[] data) [0x00000] in <5ab86655477f49bf9e849e708f3dcbc9>:0
  at Mono.Cecil.Signatures.SignatureReader.GetMarshalSig (System.UInt32 index) [0x00031] in <5ab86655477f49bf9e849e708f3dcbc9>:0
  at Mono.Cecil.AggressiveReflectionReader.ReadMarshalSpecs () [0x00081] in <5ab86655477f49bf9e849e708f3dcbc9>:0
  at Mono.Cecil.AggressiveReflectionReader.VisitTypeDefinitionCollection (Mono.Cecil.TypeDefinitionCollection types) [0x00055] in <5ab86655477f49bf9e849e708f3dcbc9>:0
  at Mono.Cecil.ReflectionReader.VisitModuleDefinition (Mono.Cecil.ModuleDefinition mod) [0x00007] in <5ab86655477f49bf9e849e708f3dcbc9>:0
  at Mono.Cecil.StructureReader.TerminateAssemblyDefinition (Mono.Cecil.AssemblyDefinition asm) [0x0002e] in <5ab86655477f49bf9e849e708f3dcbc9>:0
  at Mono.Cecil.AssemblyDefinition.Accept (Mono.Cecil.IReflectionStructureVisitor visitor) [0x0001f] in <5ab86655477f49bf9e849e708f3dcbc9>:0
  at Mono.Cecil.AssemblyFactory.GetAssembly (Mono.Cecil.Binary.ImageReader irv, System.Boolean manifestOnly) [0x00013] in <5ab86655477f49bf9e849e708f3dcbc9>:0
  at Mono.Cecil.AssemblyFactory.GetAssembly (Mono.Cecil.Binary.ImageReader reader) [0x00000] in <5ab86655477f49bf9e849e708f3dcbc9>:0
  at Mono.Cecil.AssemblyFactory.GetAssembly (System.String file) [0x00006] in <5ab86655477f49bf9e849e708f3dcbc9>:0
  at Mono.CilStripper.Program.Main (System.String[] arguments) [0x0005e] in <5ab86655477f49bf9e849e708f3dcbc9>:0

Steps to Reproduce

  1. Perform the following call against the test dll monotouch_Microsoft.CSharp_xunit-test.dll
    /Library/Frameworks/Mono.framework/Versions/Current/bin/mono /Library/Frameworks/Mono.framework/Versions/Current/lib/mono/4.5/mono-cil-strip.exe 'monotouch_Microsoft.CSharp_xunit-test.dll'

Current Behavior

The application crashes with the following exception:
Error: System.IndexOutOfRangeException: Index was outside the bounds of the array.
  at Mono.Cecil.Metadata.Utilities.ReadCompressedInteger (System.Byte[] data, System.Int32 pos, System.Int32& start) [0x0002f] in <5ab86655477f49bf9e849e708f3dcbc9>:0
  at Mono.Cecil.Signatures.SignatureReader.ReadMarshalSig (System.Byte[] data) [0x00000] in <5ab86655477f49bf9e849e708f3dcbc9>:0
  at Mono.Cecil.Signatures.SignatureReader.GetMarshalSig (System.UInt32 index) [0x00031] in <5ab86655477f49bf9e849e708f3dcbc9>:0
  at Mono.Cecil.AggressiveReflectionReader.ReadMarshalSpecs () [0x00081] in <5ab86655477f49bf9e849e708f3dcbc9>:0
  at Mono.Cecil.AggressiveReflectionReader.VisitTypeDefinitionCollection (Mono.Cecil.TypeDefinitionCollection types) [0x00055] in <5ab86655477f49bf9e849e708f3dcbc9>:0
  at Mono.Cecil.ReflectionReader.VisitModuleDefinition (Mono.Cecil.ModuleDefinition mod) [0x00007] in <5ab86655477f49bf9e849e708f3dcbc9>:0
  at Mono.Cecil.StructureReader.TerminateAssemblyDefinition (Mono.Cecil.AssemblyDefinition asm) [0x0002e] in <5ab86655477f49bf9e849e708f3dcbc9>:0
  at Mono.Cecil.AssemblyDefinition.Accept (Mono.Cecil.IReflectionStructureVisitor visitor) [0x0001f] in <5ab86655477f49bf9e849e708f3dcbc9>:0
  at Mono.Cecil.AssemblyFactory.GetAssembly (Mono.Cecil.Binary.ImageReader irv, System.Boolean manifestOnly) [0x00013] in <5ab86655477f49bf9e849e708f3dcbc9>:0
  at Mono.Cecil.AssemblyFactory.GetAssembly (Mono.Cecil.Binary.ImageReader reader) [0x00000] in <5ab86655477f49bf9e849e708f3dcbc9>:0
  at Mono.Cecil.AssemblyFactory.GetAssembly (System.String file) [0x00006] in <5ab86655477f49bf9e849e708f3dcbc9>:0
  at Mono.CilStripper.Program.Main (System.String[] arguments) [0x0005e] in <5ab86655477f49bf9e849e708f3dcbc9>:0

Expected Behavior

Application does not crash.

On which platforms did you notice this

[X] iOS
[X] macOS
[ ] Linux
[ ] Windows

Version Used:

Mono with hash bfb988

@mandel-macaque mandel-macaque commented Mar 25, 2019

Adding the dll for better debugging:

monotouch_Microsoft.CSharp_xunit-test.dll.zip

@mandel-macaque mandel-macaque commented Mar 25, 2019

Mono full version:

Mono JIT compiler version 5.20.0.220 (2018-10/d390bb6901f Thu Feb 21 14:52:09 EST 2019)
Copyright (C) 2002-2014 Novell, Inc, Xamarin Inc and Contributors. www.mono-project.com
TLS:
SIGSEGV: altstack
Notification: kqueue
Architecture: amd64
Disabled: none
Misc: softdebug
Interpreter: yes
LLVM: yes(600)
Suspend: hybrid
GC: sgen (concurrent by default)

@akoeplinger akoeplinger commented Mar 25, 2019

This looks like a Cecil issue. mono-cil-strip still uses its own copy of Cecil.

@akoeplinger akoeplinger commented Apr 9, 2019

It's not just Cecil, ikdasm (which uses IKVM.Reflection) also crashes on the dll:

Unhandled Exception:
IKVM.Reflection.BadImageFormatException: Exception of type 'IKVM.Reflection.BadImageFormatException' was thrown.
  at IKVM.Reflection.Reader.ByteReader.ReadByte () [0x00013] in <2bf05c123fbc4f08b6fb4dbce50843b5>:0
  at IKVM.Reflection.Reader.ByteReader.ReadCompressedUInt () [0x0001c] in <2bf05c123fbc4f08b6fb4dbce50843b5>:0
  at IKVM.Reflection.FieldMarshal.ReadFieldMarshal (IKVM.Reflection.Module module, System.Int32 token, IKVM.Reflection.FieldMarshal& fm) [0x00046] in <2bf05c123fbc4f08b6fb4dbce50843b5>:0
  at IKVM.Reflection.Reader.ParameterInfoImpl.__TryGetFieldMarshal (IKVM.Reflection.FieldMarshal& fieldMarshal) [0x0000c] in <2bf05c123fbc4f08b6fb4dbce50843b5>:0
  at Ildasm.Disassembler.WriteMethod (Ildasm.LineWriter lw, IKVM.Reflection.MethodBase method) [0x00352] in <2bf05c123fbc4f08b6fb4dbce50843b5>:0
  at Ildasm.Disassembler.WriteType (Ildasm.LineWriter lw, IKVM.Reflection.Type type) [0x004a8] in <2bf05c123fbc4f08b6fb4dbce50843b5>:0
  at Ildasm.Disassembler.WriteType (Ildasm.LineWriter lw, IKVM.Reflection.Type type) [0x003ff] in <2bf05c123fbc4f08b6fb4dbce50843b5>:0
  at Ildasm.Disassembler.WriteTypes (Ildasm.LineWriter lw) [0x00039] in <2bf05c123fbc4f08b6fb4dbce50843b5>:0
  at Ildasm.Disassembler.Save (System.IO.TextWriter writer) [0x00082] in <2bf05c123fbc4f08b6fb4dbce50843b5>:0
  at Ildasm.Program.Main (System.String[] args) [0x003ca] in <2bf05c123fbc4f08b6fb4dbce50843b5>:0

Both tools are having trouble processing this method: https://github.com/mono/corefx/blob/f54e64b341a7b114c3502e197b46670cacb28639/src/Microsoft.CSharp/tests/DefaultParameterTests.cs#L88 which is doing `MarshalAs((UnmanagedType)2000)`.

@marek-safar marek-safar commented Apr 9, 2019

@akoeplinger please disable the test for now and report the issue to Cecil

akoeplinger added a commit to akoeplinger/mono that referenced this issue Apr 9, 2019
cil-strip crashed when processing this method: https://github.com/mono/corefx/blob/f54e64b341a7b114c3502e197b46670cacb28639/src/Microsoft.CSharp/tests/DefaultParameterTests.cs#L88

It uses `MarshalAs((UnmanagedType)2000)`, i.e. an undefined value for the
native type. The old Cecil embedded in cil-strip tried to read more than one
byte which blows up in this case. Upstream Cecil just reads a single byte:
https://github.com/jbevain/cecil/blob/1b79b96d29f1e8e9ba832191b1b42ea9cb750d20/Mono.Cecil/AssemblyReader.cs#L3700-L3703

Fixes mono#13639
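
The failure mode described in the commit message above, as an added example (not code from Cecil, IKVM.Reflection or mono): a bounds-checked decoder for the ECMA-335 compressed unsigned integer that rejects a blob whose length prefix promises more bytes than the blob contains, instead of indexing past the end of the array. The class and method names are hypothetical, and the one-byte blob `0xD0` (the low byte of 2000) is an assumption, since the issue does not show the bytes of the failing marshal blob.

```csharp
using System;

static class CompressedUInt
{
    // Size in bytes of an ECMA-335 compressed unsigned integer,
    // taken from the top bits of its first byte.
    static int EncodedLength(byte first)
    {
        if ((first & 0x80) == 0x00) return 1;   // 0xxxxxxx
        if ((first & 0xC0) == 0x80) return 2;   // 10xxxxxx
        if ((first & 0xE0) == 0xC0) return 4;   // 110xxxxx
        return -1;                              // 111xxxxx is not a valid prefix
    }

    // Bounds-checked decode: returns false rather than reading past the blob.
    public static bool TryRead(byte[] data, ref int pos, out uint value)
    {
        value = 0;
        if (data == null || pos < 0 || pos >= data.Length) return false;
        int len = EncodedLength(data[pos]);
        if (len < 0 || len > data.Length - pos) return false;
        switch (len)
        {
            case 1: value = data[pos]; break;
            case 2: value = (uint)((data[pos] & 0x3F) << 8 | data[pos + 1]); break;
            default:
                value = (uint)((data[pos] & 0x1F) << 24 | data[pos + 1] << 16
                             | data[pos + 2] << 8 | data[pos + 3]);
                break;
        }
        pos += len;
        return true;
    }

    static void Main()
    {
        // Constructed blobs. 0xD0 is (byte)2000: an assumption about the
        // failing marshal blob, whose bytes the issue does not show.
        byte[][] samples = { new byte[] { 0x14 }, new byte[] { 0x87, 0xD0 }, new byte[] { 0xD0 } };
        foreach (byte[] blob in samples)
        {
            int pos = 0;
            uint v;
            bool ok = TryRead(blob, ref pos, out v);
            Console.WriteLine("{0}: {1}", BitConverter.ToString(blob),
                ok ? "value " + v : "truncated or malformed, rejected");
        }
    }
}
```

The first two blobs decode to 20 and 2000. The third has a four-byte prefix (`110xxxxx`) in a one-byte blob, so a decoder that trusts the prefix without the length check indexes past the array, which is the `IndexOutOfRangeException` in the trace.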
akoeplinger added a commit that referenced this issue Apr 9, 2019
monojenkins added a commit to monojenkins/mono that referenced this issue Apr 11, 2019
akoeplinger added a commit that referenced this issue Apr 11, 2019
…13954)

marek-safar added a commit that referenced this issue Apr 11, 2019
jonpryor added a commit to xamarin/xamarin-android that referenced this issue Apr 24, 2019
Bumps to mono/api-snapshot@ae01378
Bumps to mono/reference-assemblies@e5173a5
Bumps to mono/bockbuild@d30329d
Bumps to mono/boringssl@3d87996
Bumps to mono/corefx@72f7d76
Bumps to mono/corert@1b7d4a1
Bumps to mono/helix-binaries@7e893ea
Bumps to mono/illinker-test-assets@f21ff68
Bumps to mono/linker@13d864e
Bumps to mono/llvm@1aaaaa5 [mono]
Bumps to mono/llvm@2c2cffe [xamarin-android]
Bumps to mono/NUnitLite@0029561
Bumps to mono/roslyn-binaries@0bbc9b4
Bumps to mono/xunit-binaries@8f6e62e

	$ git diff --shortstat 886c4901..e66c7667      # mono
        3597 files changed, 350850 insertions(+), 91128 deletions(-)
	$ git diff --shortstat 349752c464c5fc93b32e7d45825f2890c85c8b7d..2c2cffedf01e0fe266b9aaad2c2563e05b750ff4
	 240 files changed, 18562 insertions(+), 6581 deletions(-)

Context: dotnet/coreclr#22046

Fixes: CVE 2018-8292 on macOS
Fixes: http://work.devdiv.io/737323
Fixes: dotnet/corefx#33965
Fixes: dotnet/standard#642
Fixes: mono/mono#6997
Fixes: mono/mono#7326
Fixes: mono/mono#7517
Fixes: mono/mono#7750
Fixes: mono/mono#7859
Fixes: mono/mono#8360
Fixes: mono/mono#8460
Fixes: mono/mono#8766
Fixes: mono/mono#8922
Fixes: mono/mono#9418
Fixes: mono/mono#9507
Fixes: mono/mono#9951
Fixes: mono/mono#10024
Fixes: mono/mono#10030
Fixes: mono/mono#10038
Fixes: mono/mono#10448
Fixes: mono/mono#10735
Fixes: mono/mono#10735
Fixes: mono/mono#10737
Fixes: mono/mono#10743
Fixes: mono/mono#10834
Fixes: mono/mono#10837
Fixes: mono/mono#10838
Fixes: mono/mono#10863
Fixes: mono/mono#10945
Fixes: mono/mono#11020
Fixes: mono/mono#11021
Fixes: mono/mono#11021
Fixes: mono/mono#11049
Fixes: mono/mono#11091
Fixes: mono/mono#11095
Fixes: mono/mono#11123
Fixes: mono/mono#11138
Fixes: mono/mono#11146
Fixes: mono/mono#11202
Fixes: mono/mono#11214
Fixes: mono/mono#11317
Fixes: mono/mono#11326
Fixes: mono/mono#11378
Fixes: mono/mono#11385
Fixes: mono/mono#11478
Fixes: mono/mono#11479
Fixes: mono/mono#11488
Fixes: mono/mono#11489
Fixes: mono/mono#11527
Fixes: mono/mono#11529
Fixes: mono/mono#11596
Fixes: mono/mono#11603
Fixes: mono/mono#11613
Fixes: mono/mono#11623
Fixes: mono/mono#11663
Fixes: mono/mono#11681
Fixes: mono/mono#11684
Fixes: mono/mono#11693
Fixes: mono/mono#11697
Fixes: mono/mono#11779
Fixes: mono/mono#11809
Fixes: mono/mono#11858
Fixes: mono/mono#11895
Fixes: mono/mono#11898
Fixes: mono/mono#11898
Fixes: mono/mono#11965
Fixes: mono/mono#12182
Fixes: mono/mono#12193
Fixes: mono/mono#12218
Fixes: mono/mono#12235
Fixes: mono/mono#12263
Fixes: mono/mono#12307
Fixes: mono/mono#12331
Fixes: mono/mono#12362
Fixes: mono/mono#12374
Fixes: mono/mono#12402
Fixes: mono/mono#12421
Fixes: mono/mono#12461
Fixes: mono/mono#12479
Fixes: mono/mono#12479
Fixes: mono/mono#12552
Fixes: mono/mono#12603
Fixes: mono/mono#12747
Fixes: mono/mono#12831
Fixes: mono/mono#12843
Fixes: mono/mono#12881
Fixes: mono/mono#13030
Fixes: mono/mono#13284
Fixes: mono/mono#13297
Fixes: mono/mono#13455
Fixes: mono/mono#13460
Fixes: mono/mono#13478
Fixes: mono/mono#13479
Fixes: mono/mono#13522
Fixes: mono/mono#13607
Fixes: mono/mono#13610
Fixes: mono/mono#13610
Fixes: mono/mono#13639
Fixes: mono/mono#13672
Fixes: mono/mono#13834
Fixes: mono/mono#13878
Fixes: mono/mono#6352
Fixes: mono/monodevelop#6898
Fixes: xamarin/maccore#1069
Fixes: xamarin/maccore#1407
Fixes: xamarin/maccore#604
Fixes: xamarin/xamarin-macios#4984
Fixes: xamarin/xamarin-macios#5289
Fixes: xamarin/xamarin-macios#5363
Fixes: xamarin/xamarin-macios#5381
Fixes: https://issuetracker.unity3d.com/issues/editor-crashes-with-g-logv-when-entering-play-mode-with-active-flowcanvas-script