Bug 6718 - Incorrect release of XPCOM object causes segmentation fault
Status: RESOLVED FIXED
Alias: None
Product: Runtime
Classification: Mono
Component: Interop
Version: unspecified
Hardware: All Linux
: --- normal
Target Milestone: ---
Assignee: Bugzilla
Reported: 2012-08-27 20:14 UTC by Ivo Smits
Modified: 2012-09-02 12:46 UTC (History)
Attachments
Proposed patch (658 bytes, patch)
2012-08-27 20:14 UTC, Ivo Smits
Test case using VirtualBox on Linux (4.37 KB, text/plain)
2012-08-27 20:15 UTC, Ivo Smits


Description Ivo Smits 2012-08-27 20:14:24 UTC
In rare situations (Mono, Linux, VirtualBox), Mono crashes when trying to get a proxy object for a COM object. The problem is in the Mono.Interop.ComInteropProxy.GetProxy method, which, after calling Marshal.QueryInterface and creating a proxy object for the returned pointer ("ppv"), calls Marshal.Release on the original pointer ("pItf") instead of the pointer returned by QueryInterface ("ppv"). This works when the call to QueryInterface returns the same pointer as it was called on, but will result in a double-free of the COM object at some point if the pointers differ.

I've attached a patch and a test case. The test case depends on VirtualBox being installed on Linux. The first tests in the test code verify that the COM functions provided by VirtualBox work properly, and that the interface pointers returned for the IUnknown and IVirtualBox interfaces are different. The last test shows that the reference count for the IVirtualBox pointer has been decremented (by the call to Release in ComInteropProxy.GetProxy), while the reference count for the IUnknown interface has been incremented twice (by the call to QueryInterface in ComInteropProxy.GetProxy and the constructor of the actual proxy).
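The reference-count imbalance described in the report above, as an added C model that is not part of the original report, the attached patch, or Mono's code. It assumes each interface pointer carries its own count (as the report's test observations describe) and that the caller later releases its own reference on pItf; all type and function names are hypothetical.

```c
#include <stdio.h>

/* Constructed model: each interface pointer carries its own reference count. */
typedef struct { int refs; int over_release; } Itf;
typedef struct { Itf unknown; Itf vbox; } ComObject;   /* IUnknown, IVirtualBox */
typedef struct { int vbox_refs, unknown_refs, over_release, leaked; } Result;

static void itf_addref(Itf *p) { p->refs++; }

static void itf_release(Itf *p) {
    if (p->refs > 0) p->refs--;
    else p->over_release++;    /* in a real runtime: release of a freed object */
}

/* QueryInterface(IID_IUnknown): returns a different pointer, already AddRef'd. */
static Itf *query_iunknown(ComObject *o) { itf_addref(&o->unknown); return &o->unknown; }

/* Model of the GetProxy sequence from the report; fixed != 0 releases ppv. */
static Itf *get_proxy(ComObject *o, Itf *pItf, int fixed) {
    Itf *ppv = query_iunknown(o);    /* +1 on ppv */
    itf_addref(ppv);                 /* proxy constructor keeps its own reference */
    itf_release(fixed ? ppv : pItf); /* buggy path releases pItf, which GetProxy never AddRef'd */
    return ppv;
}

static Result run(int fixed) {
    ComObject o = {{0, 0}, {0, 0}};
    Itf *pItf = &o.vbox;
    Result r;
    itf_addref(pItf);                       /* caller's reference (assumption) */
    Itf *ppv = get_proxy(&o, pItf, fixed);
    r.vbox_refs = o.vbox.refs;              /* counts right after GetProxy */
    r.unknown_refs = o.unknown.refs;
    itf_release(pItf);                      /* caller is done with pItf */
    itf_release(ppv);                       /* proxy is finalized */
    r.over_release = o.vbox.over_release + o.unknown.over_release;
    r.leaked = o.vbox.refs + o.unknown.refs;
    return r;
}

int main(void) {
    for (int fixed = 0; fixed <= 1; fixed++) {
        Result r = run(fixed);
        printf("%s: IVirtualBox=%d IUnknown=%d over-release=%d leaked=%d\n",
               fixed ? "fixed" : "buggy", r.vbox_refs, r.unknown_refs,
               r.over_release, r.leaked);
    }
    return 0;
}
```

In the buggy path the IVirtualBox count reaches zero while the caller still holds the pointer, and the IUnknown pointer keeps one reference that nothing will release.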
Comment 1 Ivo Smits 2012-08-27 20:14:45 UTC
Created attachment 2420
Proposed patch
Comment 2 Ivo Smits 2012-08-27 20:15:50 UTC
Created attachment 2421
Test case using VirtualBox on Linux

The test case depends on VirtualBox being installed on Linux. The first tests in the test code verify that the COM functions provided by VirtualBox work properly, and that the interface pointers returned for the IUnknown and IVirtualBox interfaces are different. The last test shows that the reference count for the IVirtualBox pointer has been decremented (by the call to Release in ComInteropProxy.GetProxy), while the reference count for the IUnknown interface has been incremented twice (by the call to QueryInterface in ComInteropProxy.GetProxy and the constructor of the actual proxy).
Comment 3 Ivo Smits 2012-08-27 21:15:39 UTC
GitHub pull request at https://github.com/mono/mono/pull/446
Comment 4 Miguel de Icaza [MSFT] 2012-09-02 12:46:53 UTC
Thanks for the fix!

Applied the patch