ChallengeWhy isn’t select broken?
Here is a crash report that I got.
System.ArgumentException: Destination array was not long enough. Check destIndex and length, and the array's lower bounds.
at System.Array.Copy(Array sourceArray, Int32 sourceIndex, Array destinationArray, Int32 destinationIndex, Int32 length, Boolean reliable)
at System.Collections.Generic.List`1.CopyTo(T[] array, Int32 arrayIndex)
at System.Collections.ObjectModel.Collection`1.CopyTo(T[] array, Int32 index)
at System.Linq.Buffer`1..ctor(IEnumerable`1 source)
at System.Linq.Enumerable.ToArray[TSource](IEnumerable`1 source)
Now, it is tempting to blame Microsoft for this, but it is actually my fault.
Care to guess why?
More posts in "Challenge" series:
- (01 Jul 2024) Efficient snapshotable state
- (13 Oct 2023) Fastest node selection metastable error state–answer
- (12 Oct 2023) Fastest node selection metastable error state
- (19 Sep 2023) Spot the bug
- (04 Jan 2023) what does this code print?
- (14 Dec 2022) What does this code print?
- (01 Jul 2022) Find the stack smash bug… – answer
- (30 Jun 2022) Find the stack smash bug…
- (03 Jun 2022) Spot the data corruption
- (06 May 2022) Spot the optimization–solution
- (05 May 2022) Spot the optimization
- (06 Apr 2022) Why is this code broken?
- (16 Dec 2021) Find the slow down–answer
- (15 Dec 2021) Find the slow down
- (03 Nov 2021) The code review bug that gives me nightmares–The fix
- (02 Nov 2021) The code review bug that gives me nightmares–the issue
- (01 Nov 2021) The code review bug that gives me nightmares
- (16 Jun 2021) Detecting livelihood in a distributed cluster
- (21 Apr 2020) Generate matching shard id–answer
- (20 Apr 2020) Generate matching shard id
- (02 Jan 2020) Spot the bug in the stream
- (28 Sep 2018) The loop that leaks–Answer
- (27 Sep 2018) The loop that leaks
- (03 Apr 2018) The invisible concurrency bug–Answer
- (02 Apr 2018) The invisible concurrency bug
- (31 Jan 2018) Find the bug in the fix–answer
- (30 Jan 2018) Find the bug in the fix
- (19 Jan 2017) What does this code do?
- (26 Jul 2016) The race condition in the TCP stack, answer
- (25 Jul 2016) The race condition in the TCP stack
- (28 Apr 2015) What is the meaning of this change?
- (26 Sep 2013) Spot the bug
- (27 May 2013) The problem of locking down tasks…
- (17 Oct 2011) Minimum number of round trips
- (23 Aug 2011) Recent Comments with Future Posts
- (02 Aug 2011) Modifying execution approaches
- (29 Apr 2011) Stop the leaks
- (23 Dec 2010) This code should never hit production
- (17 Dec 2010) Your own ThreadLocal
- (03 Dec 2010) Querying relative information with RavenDB
- (29 Jun 2010) Find the bug
- (23 Jun 2010) Dynamically dynamic
- (28 Apr 2010) What killed the application?
- (19 Mar 2010) What does this code do?
- (04 Mar 2010) Robust enumeration over external code
- (16 Feb 2010) Premature optimization, and all of that…
- (12 Feb 2010) Efficient querying
- (10 Feb 2010) Find the resource leak
- (21 Oct 2009) Can you spot the bug?
- (18 Oct 2009) Why is this wrong?
- (17 Oct 2009) Write the check in comment
- (15 Sep 2009) NH Prof Exporting Reports
- (02 Sep 2009) The lazy loaded inheritance many to one association OR/M conundrum
- (01 Sep 2009) Why isn’t select broken?
- (06 Aug 2009) Find the bug fixes
- (26 May 2009) Find the bug
- (14 May 2009) multi threaded test failure
- (11 May 2009) The regex that doesn’t match
- (24 Mar 2009) probability based selection
- (13 Mar 2009) C# Rewriting
- (18 Feb 2009) write a self extracting program
- (04 Sep 2008) Don't stop with the first DSL abstraction
- (02 Aug 2008) What is the problem?
- (28 Jul 2008) What does this code do?
- (26 Jul 2008) Find the bug fix
- (05 Jul 2008) Find the deadlock
- (03 Jul 2008) Find the bug
- (02 Jul 2008) What is wrong with this code
- (05 Jun 2008) why did the tests fail?
- (27 May 2008) Striving for better syntax
- (13 Apr 2008) calling generics without the generic type
- (12 Apr 2008) The directory tree
- (24 Mar 2008) Find the version
- (21 Jan 2008) Strongly typing weakly typed code
- (28 Jun 2007) Windsor Null Object Dependency Facility
Comments
Infinite IEnumerable?
The source is changing during evaluation.
Threading issue as the IEnumerable was having elements added to it whilst the ToArray was called?
It's taking the code path where the IEnumerable is really a ICollection, and using it's Count property to size the buffer. This property was possibly lying.
+1 on Rob Jan's reason
Indeed, as the others above have suggested, I would guess its a threading issue. This one was pretty easy to reproduce:
var ints = new List <int();
var thread = new Thread(delegate() { while (true) ints.Add(0); });
thread.Start();
while(true) Console.WriteLine(ints.ToArray().Length);
Argh, I always forget to html encode my generics when posting blog comments.... :(
Rob,
Well, that was fast.
@Paul,
I'm quite surprised <int> is not being HTML encoded by the blog engine. What about tags such as and <script>?
@Um,
I'm not at all surprised that the blog engine takes the approach of stripping everything that is enclosed by < and > rather than trying to figure out what is safe and encoding the rest. In the long run, stripping is safer.
Threading issue came to mind first, and looks like the case here. I could also see this happening if you had some custom Collection <t implementation that didn't return the correct Count. Looking at S.L.Buffer, it looks like it reuses ICollection.Count if you're passing a collection, otherwise, it loops over the IEnumerable and counts manually.
@dave-ilsw: how is stripping safer than Html-encoding the whole comment?? It certainly is a lot more inconvenient.
Um, Rob, test
Removed your comments
I am aware of the issue, and it will be fixed shortly.
There is no data disclosure possible here, so I don't rate it critical
But a simple XSS attack is possible, which puts your visitors at risk. I can't imagine that the default configuration of Subtext doesn't encode comments?!
Um,
As I said, I contacted the SubText team and they are working on that.
What information do you think XSS can steal from visitors to this blog?
Ayende,
I don't know, probably nothing. However, there are other risks with XSS. The worst involve exploiting browser vulnerabilities to install trojans or hijackers ( http://www.owasp.org/index.php/XSS).
Comment preview