Roslyn: Symbol API exposes data that can be mutated by the caller

Created on 23 Apr 2018 · 4Comments · Source: dotnet/roslyn

Found while working on: https://github.com/dotnet/roslyn/pull/26325

Right now the symbol model has IEnumerable<string> INamedTypeSymbo.MemberNames { get; }. However, both the VB and C# implementations implement that member with a simple string[] that is passed directly out to the caller. This means the caller can trivially cast this to the real type and mutate the array, corrupting the internal data of the compiler.

This returned value needs to be a true immutable value that cannot be changed by the caller in order to preserve hte important immutability invariants of the compiler API.

Area-Compilers Bug Concept-API Concept-Design Debt

Source

CyrusNajmabadi

All 4 comments

Tagging @jcouv

CyrusNajmabadi on 23 Apr 2018

I'm tempted to say that if you tamper with the compilation, then yes, bad things will happen. You can probably use Reflection on returned symbols and do bad things too.
On the other hand, it seems an easy fix (add .AsImmutableArray()).
Tagging @gafter for thoughts.

jcouv on 24 Apr 2018

Reflection is "outside the language" and can and should circumvent the language. However casts are not outside the language.

I agree: we should be returning an immutable array.

gafter on 24 Apr 2018

👍1

I agree with neal. This is not a case of reflection. This is a case of casting a publicly exposed piece of data to a public mutable type, and having that succeed. Note: this is also fixed as part of: https://github.com/dotnet/roslyn/pull/26330

If https://github.com/dotnet/roslyn/pull/26325 goes in, we can then review that PR.

CyrusNajmabadi on 24 Apr 2018

👍1

Was this page helpful?

0 / 5 - 0 ratings