Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

possible null ref in SignatureHelper #110832

Open
leeriorio opened this issue Dec 19, 2024 · 2 comments
Open

possible null ref in SignatureHelper #110832

leeriorio opened this issue Dec 19, 2024 · 2 comments
Labels
area-VM-reflection-mono Reflection issues specific to MonoVM runtime-mono specific to the Mono runtime untriaged New issue has not been triaged by the area owner

Comments

@leeriorio
Copy link

I analyzed .net runtime sources with Svace static analyzer and it found an error of DEREF_AFTER_NULL category (situations where first, a pointer is compared to NULL (which indicates that it could have a NULL value), and then it is dereferenced (unconditionally)) here

Analyzer says "Value tone, which can have null value due to comparison with null, is dereferenced in member access expression tone!.Length"

Searching code history I found commit 5cd7e97 where there was added nullable-forgiving operator. But I think in this situation, it may be a real error: it seems that in lines below

if (tone == null)
{
if (ttwo == null)
continue;
}
else if (ttwo == null)
return false;

in situation tone==null && ttwo!=null construction return false must be added. Because this code construction is similar to

if (uone == null)
{
if (utwo == null)
continue;
return false;
}
else if (utwo == null)
return false;

Firstly, in function CompareOK this case tells that comparison is failed. Secondly, there is potentially null in tone can be dereferenced when ttwo is not null. Isn't it?


Found by Linux Verification Center (linuxtesting.org) with SVACE.

@dotnet-issue-labeler dotnet-issue-labeler bot added the needs-area-label An area label is needed to ensure this gets routed to the appropriate area owners label Dec 19, 2024
@dotnet-policy-service dotnet-policy-service bot added the untriaged New issue has not been triaged by the area owner label Dec 19, 2024
@KalleOlaviNiemitalo
Copy link

KalleOlaviNiemitalo commented Dec 19, 2024

I tried to reproduce the null dereference like this

using System;
using System.Reflection;
using System.Reflection.Emit;
using System.Runtime.CompilerServices;

namespace Runtime110832
{
    class Program
    {
        static void Main()
        { 
            AssemblyBuilder assemblyBuilder = AssemblyBuilder.DefineDynamicAssembly(
                new AssemblyName("DemoAssembly"), 
                AssemblyBuilderAccess.Run);
            ModuleBuilder moduleBuilder = assemblyBuilder.DefineDynamicModule("DemoModule");
            SignatureHelper s1 = SignatureHelper.GetMethodSigHelper(
                moduleBuilder,
                CallingConventions.Standard,
                returnType: typeof(void));
            SignatureHelper s2 = SignatureHelper.GetMethodSigHelper(
                moduleBuilder,
                CallingConventions.Standard,
                returnType: typeof(void));
            s1.AddArgument(
                typeof(int),
                requiredCustomModifiers: null,
                optionalCustomModifiers: new Type[] { typeof(IsLong) });
            s2.AddArgument(
                typeof(int),
                requiredCustomModifiers: null,
                optionalCustomModifiers: null);
            _ = s1.Equals(s2);
            _ = s2.Equals(s1);
        }
    }
}

With .NET 9.0.0 on Windows (thus not using the Mono version of SignatureHelper), it does not throw.

I don't have Mono installed. @leeriorio, can you try this code on Mono?

@jkotas jkotas added area-System.Reflection.Emit runtime-mono specific to the Mono runtime and removed needs-area-label An area label is needed to ensure this gets routed to the appropriate area owners labels Dec 19, 2024
Copy link
Contributor

Tagging subscribers to this area: @dotnet/area-system-reflection-emit
See info in area-owners.md if you want to be subscribed.

@steveharter steveharter added area-VM-reflection-mono Reflection issues specific to MonoVM and removed area-System.Reflection.Emit labels Dec 19, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area-VM-reflection-mono Reflection issues specific to MonoVM runtime-mono specific to the Mono runtime untriaged New issue has not been triaged by the area owner
Projects
None yet
Development

No branches or pull requests

4 participants