From 58ff688ef2e28300c4019c31c56eb4fdbcb5fc13 Mon Sep 17 00:00:00 2001
From: Jonathan Chambers
Date: Thu, 4 Jan 2024 12:44:42 -0500
Subject: [PATCH] Fix domain reload crash in inflate_info.

The allocated memory is stored in a per image data structure (rgctx_template_hash) that can outlive domains. This results in a dangling pointer when the domain is reloaded.
---
 mono/mini/mini-generic-sharing.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/mono/mini/mini-generic-sharing.c b/mono/mini/mini-generic-sharing.c
index 37507f22422e..bafebea2bfce 100644
--- a/mono/mini/mini-generic-sharing.c
+++ b/mono/mini/mini-generic-sharing.c
@@ -726,17 +726,21 @@ inflate_info (MonoRuntimeGenericContextInfoTemplate *oti, MonoGenericContext *co
 MonoType *t = mono_class_inflate_generic_type_checked (m_class_get_byval_arg (dele_info->klass), context, error);
 mono_error_assert_msg_ok (error, "Could not inflate generic type"); /* FIXME proper error handling */
- MonoClass *klass = mono_class_from_mono_type_internal (t);
+ MonoClass *inflated_klass = mono_class_from_mono_type_internal (t);
 mono_metadata_free_type (t);
 MonoMethod *method = mono_class_inflate_generic_method_checked (dele_info->method, context, error);
 mono_error_assert_msg_ok (error, "Could not inflate generic method"); /* FIXME proper error handling */
- // FIXME: Temporary
- MonoDelegateClassMethodPair *res = (MonoDelegateClassMethodPair *)mono_domain_alloc0 (domain, sizeof (MonoDelegateClassMethodPair));
+ MonoDelegateClassMethodPair* res = NULL;
+ if (temporary)
+ res = (MonoDelegateClassMethodPair*)g_malloc0 (sizeof (MonoDelegateClassMethodPair));
+ else
+ res = (MonoDelegateClassMethodPair*)mono_image_alloc0 (m_class_get_image (klass), sizeof (MonoDelegateClassMethodPair));
+
 res->is_virtual = dele_info->is_virtual;
 res->method = method;
- res->klass = klass;
+ res->klass = inflated_klass;
 return res;
 }
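Review bot: The `if (temporary)` split carries no comment recording the lifetime fact that motivated it, so the commit message is the only place it is written down; a comment above the branch should say why the non-temporary pair must not come from the domain, e.g. `/* Non-temporary results are stored in the per-image rgctx_template_hash, which can outlive the domain, so allocate from the image mempool; temporary results are g_free'd by free_inflated_info. */`. After the rename, `m_class_get_image (klass)` binds to an outer `klass` that is presumably the parameter of inflate_info (the hunk header is truncated at `*co`, and the function starts before the hunk), which is worth a word in the same comment so the old shadowing is not reintroduced by a later edit. On style, the new lines write `MonoDelegateClassMethodPair* res` with the star bound to the type, while `MonoClass *inflated_klass` in the same hunk and the removed line bind it to the name; `MonoDelegateClassMethodPair *res = NULL;` keeps the file's convention.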
@@ -763,6 +767,9 @@ free_inflated_info (MonoRgctxInfoType info_type, gpointer info)
 case MONO_RGCTX_INFO_CAST_CACHE:
 mono_metadata_free_type ((MonoType *)info);
 break;
+ case MONO_RGCTX_INFO_DELEGATE_TRAMP_INFO:
+ g_free (info);
+ break;
 default:
 break;
 }
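Review bot: `g_free (info)` is correct only for a pair that came out of inflate_info's `temporary` path; a pair allocated with `mono_image_alloc0` lives in the image mempool and carries no tag that distinguishes it, so if one ever reaches this case the result is an invalid free rather than a diagnosable error. Nothing in the switch can check which allocator was used, so the invariant should at least be written down above the new case, e.g. `/* Only results of inflate_info (..., temporary=TRUE) may be passed here; image-allocated pairs must never be freed. */`. Whether every caller of the temporary path pairs it with a free_inflated_info call, and never stores the temporary pointer, is not visible from this hunk and would need checking at the call sites. free_inflated_info starts before the hunk.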