[release/2.0.x] Fix built-in GetHashCode crash on nested structs (#17720)

jkotas · web-flow · commit 19b74c1ea201 · 2018-04-21T23:30:01.000-07:00
Fixes #17661
diff --git a/src/vm/comutilnative.cpp b/src/vm/comutilnative.cpp
@@ -2688,13 +2688,14 @@ static INT32 RegularGetValueTypeHashCode(MethodTable *mt, void *pObjRef)
     } CONTRACTL_END;
 
     INT32 hashCode = 0;
-    INT32 *pObj = (INT32*)pObjRef;
+
+    GCPROTECT_BEGININTERIOR(pObjRef);
 
     // While we shouln't get here directly from ValueTypeHelper::GetHashCode, if we recurse we need to 
     // be able to handle getting the hashcode for an embedded structure whose hashcode is computed by the fast path.
     if (CanUseFastGetHashCodeHelper(mt))
     {
-        return FastGetValueTypeHashCodeHelper(mt, pObjRef);
+        hashCode = FastGetValueTypeHashCodeHelper(mt, pObjRef);
     }
     else
     {
@@ -2715,13 +2716,13 @@ static INT32 RegularGetValueTypeHashCode(MethodTable *mt, void *pObjRef)
             {
                 FieldDesc *field = fdIterator.Next();
                 _ASSERTE(!field->IsRVA());
-                void *pFieldValue = (BYTE *)pObj + field->GetOffsetUnsafe();
                 if (field->IsObjRef())
                 {
+                    void *pFieldValue = (BYTE *)pObjRef + field->GetOffsetUnsafe();
+
                     // if we get an object reference we get the hash code out of that
                     if (*(Object**)pFieldValue != NULL)
                     {
-
                         OBJECTREF fieldObjRef = ObjectToOBJECTREF(*(Object **) pFieldValue);
                         GCPROTECT_BEGIN(fieldObjRef);
 
@@ -2741,26 +2742,28 @@ static INT32 RegularGetValueTypeHashCode(MethodTable *mt, void *pObjRef)
                 }
                 else
                 {
-                    UINT fieldSize = field->LoadSize();
-                    INT32 *pValue = (INT32*)pFieldValue;
                     CorElementType fieldType = field->GetFieldType();
                     if (fieldType != ELEMENT_TYPE_VALUETYPE)
                     {
+                        UINT fieldSize = field->LoadSize();
+                        INT32 *pValue = (INT32*)((BYTE *)pObjRef + field->GetOffsetUnsafe());
                         for (INT32 j = 0; j < (INT32)(fieldSize / sizeof(INT32)); j++)
                             hashCode ^= *pValue++;
                     }
                     else
                     {
                         // got another value type. Get the type
-                        TypeHandle fieldTH = field->LookupFieldTypeHandle(); // the type was loaded already
+                        TypeHandle fieldTH = field->GetFieldTypeHandleThrowing();
                         _ASSERTE(!fieldTH.IsNull());
-                        hashCode = RegularGetValueTypeHashCode(fieldTH.GetMethodTable(), pValue);
+                        hashCode = RegularGetValueTypeHashCode(fieldTH.GetMethodTable(), (BYTE *)pObjRef + field->GetOffsetUnsafe());
                     }
                 }
                 break;
             }
         }
     }
+    GCPROTECT_END();
+
     return hashCode;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -2688,13 +2688,14 @@ static INT32 RegularGetValueTypeHashCode(MethodTable mt, void pObjRef)`
`2688`	`2688`	`} CONTRACTL_END;`
`2689`	`2689`
`2690`	`2690`	`INT32 hashCode = 0;`
`2691`		`- INT32 pObj = (INT32)pObjRef;`
	`2691`	`+`
	`2692`	`+ GCPROTECT_BEGININTERIOR(pObjRef);`
`2692`	`2693`
`2693`	`2694`	`// While we shouln't get here directly from ValueTypeHelper::GetHashCode, if we recurse we need to`
`2694`	`2695`	`// be able to handle getting the hashcode for an embedded structure whose hashcode is computed by the fast path.`
`2695`	`2696`	`if (CanUseFastGetHashCodeHelper(mt))`
`2696`	`2697`	`{`
`2697`		`- return FastGetValueTypeHashCodeHelper(mt, pObjRef);`
	`2698`	`+ hashCode = FastGetValueTypeHashCodeHelper(mt, pObjRef);`
`2698`	`2699`	`}`
`2699`	`2700`	`else`
`2700`	`2701`	`{`
`@@ -2715,13 +2716,13 @@ static INT32 RegularGetValueTypeHashCode(MethodTable mt, void pObjRef)`
`2715`	`2716`	`{`
`2716`	`2717`	`FieldDesc *field = fdIterator.Next();`
`2717`	`2718`	`_ASSERTE(!field->IsRVA());`
`2718`		`- void pFieldValue = (BYTE )pObj + field->GetOffsetUnsafe();`
`2719`	`2719`	`if (field->IsObjRef())`
`2720`	`2720`	`{`
	`2721`	`+ void pFieldValue = (BYTE )pObjRef + field->GetOffsetUnsafe();`
	`2722`	`+`
`2721`	`2723`	`// if we get an object reference we get the hash code out of that`
`2722`	`2724`	`if ((Object*)pFieldValue != NULL)`
`2723`	`2725`	`{`
`2724`		`-`
`2725`	`2726`	`OBJECTREF fieldObjRef = ObjectToOBJECTREF((Object *) pFieldValue);`
`2726`	`2727`	`GCPROTECT_BEGIN(fieldObjRef);`
`2727`	`2728`
`@@ -2741,26 +2742,28 @@ static INT32 RegularGetValueTypeHashCode(MethodTable mt, void pObjRef)`
`2741`	`2742`	`}`
`2742`	`2743`	`else`
`2743`	`2744`	`{`
`2744`		`- UINT fieldSize = field->LoadSize();`
`2745`		`- INT32 pValue = (INT32)pFieldValue;`
`2746`	`2745`	`CorElementType fieldType = field->GetFieldType();`
`2747`	`2746`	`if (fieldType != ELEMENT_TYPE_VALUETYPE)`
`2748`	`2747`	`{`
	`2748`	`+ UINT fieldSize = field->LoadSize();`
	`2749`	`+ INT32 pValue = (INT32)((BYTE *)pObjRef + field->GetOffsetUnsafe());`
`2749`	`2750`	`for (INT32 j = 0; j < (INT32)(fieldSize / sizeof(INT32)); j++)`
`2750`	`2751`	`hashCode ^= *pValue++;`
`2751`	`2752`	`}`
`2752`	`2753`	`else`
`2753`	`2754`	`{`
`2754`	`2755`	`// got another value type. Get the type`
`2755`		`- TypeHandle fieldTH = field->LookupFieldTypeHandle(); // the type was loaded already`
	`2756`	`+ TypeHandle fieldTH = field->GetFieldTypeHandleThrowing();`
`2756`	`2757`	`_ASSERTE(!fieldTH.IsNull());`
`2757`		`- hashCode = RegularGetValueTypeHashCode(fieldTH.GetMethodTable(), pValue);`
	`2758`	`+ hashCode = RegularGetValueTypeHashCode(fieldTH.GetMethodTable(), (BYTE *)pObjRef + field->GetOffsetUnsafe());`
`2758`	`2759`	`}`
`2759`	`2760`	`}`
`2760`	`2761`	`break;`
`2761`	`2762`	`}`
`2762`	`2763`	`}`
`2763`	`2764`	`}`
	`2765`	`+ GCPROTECT_END();`
	`2766`	`+`
`2764`	`2767`	`return hashCode;`
`2765`	`2768`	`}`
`2766`	`2769`