Description
Hello, folks!
The crash happens because the current algorithm of calculating the size of the memory behind a ref field can't correctly determine the real size of the allocated memory the ref struct points to. This causes writing outside of the allocated memory and results in AVE.
It can be reproduced by the following code snippet(included into the repro project):
using System.Diagnostics;
using System.Runtime.CompilerServices;
namespace TestScriptLib;
public ref struct MyRefStruct
{
public ref char Ptr;
public int Length;
public MyRefStruct(ref char ptr, int length)
{
Ptr = ref ptr;
Length = length;
}
public void Write()
{
for (int i = 0; i < Length; i++)
Unsafe.Add(ref Ptr, i) = '0';
}
}
public class TestClass
{
public static void TestMethod()
{
var myString = new string('1', 1 << 16).ToCharArray();
var myStruct = new MyRefStruct(ref myString[0], myString.Length);
} // set a breakpoint here and evaluate myStruct.Write() in the Immediate Window
}Reproduction Steps
You can reproduce the problem on the following solution on Windows x64 VS 2026 (I used 18.4.3, but I think any 26 version is affected):
thinmono.zip
- Open
thinmono\TestScriptLib\TestScriptLib.sln in VS and build it (if VS complains .NET 11 is not installed you can edit TestScriptLib.csproj to set the TargetFramework net11.0 -> net10.0)
- Set a breakpoint at
TestFile.cs:32
- Go to
thinmono\ThinMono.vcxproj and set the PathToDotnet to the path to runtime directory. Ensure the build.cmd-subset mono+libs is executed
- Open
thinmono\ThinMono.sln in VS and run Debug AnyCPU configuration
- Once the native host is running attach to the app via VS's "Attach Unity Debugger" action with 9000 debug port specified, please see the attached screenshot
7. Once the managed debugger attaches the breakpoint set on the step 2 will be hit. Evaluate `myStruct.Write()` in the Immediate Window
Expected behavior
Successful evaluation
Actual behavior
Access Violation exception
Regression?
No response
Known Workarounds
No response
Configuration
Windows 11 x64, VS 2026 (I used 18.4.3, but I think any 26 version is affected)
Other information
I have tried to implement an approach which reuses the real addresses of by ref fields, it is probably incomplete, but works fine in the reproduction scenario. You can find it here
Description
Hello, folks!
The crash happens because the current algorithm of calculating the size of the memory behind a ref field can't correctly determine the real size of the allocated memory the ref struct points to. This causes writing outside of the allocated memory and results in AVE.
It can be reproduced by the following code snippet(included into the repro project):
Reproduction Steps
You can reproduce the problem on the following solution on Windows x64 VS 2026 (I used 18.4.3, but I think any 26 version is affected):
thinmono.zip
thinmono\TestScriptLib\TestScriptLib.slnin VS and build it (if VS complains .NET 11 is not installed you can editTestScriptLib.csprojto set theTargetFramework net11.0 -> net10.0)TestFile.cs:32thinmono\ThinMono.vcxprojand set thePathToDotnetto the path toruntimedirectory. Ensure thebuild.cmd-subset mono+libsis executedthinmono\ThinMono.slnin VS and run Debug AnyCPU configurationExpected behavior
Successful evaluation
Actual behavior
Access Violation exception
Regression?
No response
Known Workarounds
No response
Configuration
Windows 11 x64, VS 2026 (I used 18.4.3, but I think any 26 version is affected)
Other information
I have tried to implement an approach which reuses the real addresses of by ref fields, it is probably incomplete, but works fine in the reproduction scenario. You can find it here