Using BinaryFormatter to deserialize an array in a struct in a parent class fails with unfriendly exception [reproducible test case i promise]

[mcclure]

Hello everyone, how are you? The following is a reduced-case of code from a commercial Unity product (a friend's).

Steps to Reproduce

Run csc monotest.cs && mono monotest.exe on the following test case. Locally I can reproduce the crash with Unity 2017.4, Homebrew mono 5.0.1.1 and Homebrew mono 5.4.1.6 (all on OS X). Katelyn Gadd says that she tested it on a master-branch build from last week and also saw the problem.

using System;
using System.Runtime.Serialization.Formatters.Binary;
using System.IO;

// NOTE A: Change the "struct" to a "class" on line NOTE A below and crash disappears
// NOTE B: Change the "float[] data" to "float data;" on line NOTE B below and crash disappears
// NOTE C: Change SamCombatant() to PlayerCombatant() on line NOTE C below and crash disappears

class Test {
	[Serializable()]
	public struct SerializableColor { // NOTE A
		public float[] data;          // NOTE B
		public SerializableColor(float a) {
			data = new float[] {a};
		}
	}

	[Serializable()]
	public class PlayerCombatant {
		SerializableColor color;
		public PlayerCombatant() {
			color = new SerializableColor(1);
		}
	}

	[Serializable()]
	public class SamCombatant : PlayerCombatant {
	}

	static void Main() {
		Console.WriteLine("AWAKE");

		// Serialize to file
		{
			FileStream fs = new FileStream("DataFile.dat", FileMode.Create);
			BinaryFormatter formatter = new BinaryFormatter();
			formatter.Serialize(fs, new SamCombatant()); // NOTE C
			fs.Close();
		}

		// Deserialize from file
		{
			FileStream fs = new FileStream("DataFile.dat", FileMode.Open);
			BinaryFormatter formatter = new BinaryFormatter();
			formatter.Deserialize(fs);
			fs.Close();
		}
	}
}

Expected Behavior

The test case is valid C# and should print "AWAKE", serialize the object to a file, and then load it back into memory.

Current Behavior

The program crashes with an extremely user-unfriendly error. The crash is an exception which occurs inside formatter.Deserialize.

System.ArgumentException: 
Parameter name: field
  at (wrapper managed-to-native) System.TypedReference:MakeTypedReferenceInternal (object,System.Reflection.FieldInfo[])
  at System.TypedReference.MakeTypedReference (System.Object target, System.Reflection.FieldInfo[] flds) [0x00123] in <6e9b92f0d119424382ef180639777acb>:0 
  at System.Runtime.Serialization.ObjectManager.DoValueTypeFixup (System.Reflection.FieldInfo memberToFix, System.Runtime.Serialization.ObjectHolder holder, System.Object value) [0x0014d] in <6e9b92f0d119424382ef180639777acb>:0 
  at System.Runtime.Serialization.ObjectManager.CompleteObject (System.Runtime.Serialization.ObjectHolder holder, System.Boolean bObjectFullyComplete) [0x0021a] in <6e9b92f0d119424382ef180639777acb>:0 
[Continues for many lines]

Analysis

MakeTypedReference in referencesource typedreference.cs takes an array of FieldInfos. It iterates the array and runs flds[i] as RuntimeFieldInfo on each one. Apparently a member of the array is null or not a RuntimeFieldInfo.

Although the steps to reproduce the bug are somewhat specific (see the "NOTE A" comments; changing the code even a little causes the bug to not appear) the bug involves only straightforward usage of a non-obscure feature (serialization); a typical user who is not familiar with mono internals could easily encounter this but would not be able to make sense of the error they get.

[mcclure]

For the record, I tested with dotnet 2.1.200 on OS X and this did not reproduce there.

[mcclure]

Can confirm this is fixed in 3c7a203 on my machine, thanks