[release/9.0-rc2] NRBF Fuzzer and bug fixes (dotnet#107788)

* [NRBF] Don't use Unsafe.As when decoding DateTime(s) (dotnet#105749)

* Add NrbfDecoder Fuzzer (dotnet#107385)

* [NRBF] Fix bugs discovered by the fuzzer (dotnet#107368)

* bug #1: don't allow for values out of the SerializationRecordType enum range

* bug #2: throw SerializationException rather than KeyNotFoundException when the referenced record is missing or it points to a record of different type

* bug #3: throw SerializationException rather than FormatException when it's being thrown by BinaryReader (or sth else that we use)

* bug #4: document the fact that IOException can be thrown

* bug #5: throw SerializationException rather than OverflowException when parsing the decimal fails

* bug #6: 0 and 17 are illegal values for PrimitiveType enum

* bug dotnet#7: throw SerializationException when a surrogate character is read (so far an ArgumentException was thrown)
# Conflicts:
#	src/libraries/System.Formats.Nrbf/src/System/Formats/Nrbf/NrbfDecoder.cs

* [NRBF] throw SerializationException when a surrogate character is read (dotnet#107532)

 (so far an ArgumentException was thrown)

* [NRBF] Fuzzing non-seekable stream input (dotnet#107605)

* [NRBF] More bug fixes (dotnet#107682)

- Don't use `Debug.Fail` not followed by an exception (it may cause problems for apps deployed in Debug)
- avoid Int32 overflow
- throw for unexpected enum values just in case parsing has not rejected them
- validate the number of chars read by BinaryReader.ReadChars
- pass serialization record id to ex message
- return false rather than throw EndOfStreamException when provided Stream has not enough data
- don't restore the position in finally 
- limit max SZ and MD array length to Array.MaxLength, stop using LinkedList<T> as List<T> will be able to hold all elements now
- remove internal enum values that were always illegal, but needed to be handled everywhere
- Fix DebuggerDisplay

* [NRBF] Comments and bug fixes from internal code review (dotnet#107735)

* copy comments and asserts from Levis internal code review

* apply Levis suggestion: don't store Array.MaxLength as a const, as it may change in the future

* add missing and fix some of the existing comments

* first bug fix: SerializationRecord.TypeNameMatches should throw ArgumentNullException for null Type argument

* second bug fix: SerializationRecord.TypeNameMatches should know the difference between SZArray and single-dimension, non-zero offset arrays (example: int[] and int[*])

* third bug fix: don't cast bytes to booleans

* fourth bug fix: don't cast bytes to DateTimes

* add one test case that I've forgot in previous PR
# Conflicts:
#	src/libraries/System.Formats.Nrbf/src/System/Formats/Nrbf/SerializationRecord.cs

* [NRBF] Address issues discovered by Threat Model  (dotnet#106629)

* introduce ArrayRecord.FlattenedLength

* do not include invalid Type or Assembly names in the exception messages, as it's most likely corrupted/tampered/malicious data and could be used as a vector of attack.

* It is possible to have binary array records have an element type of array without being marked as jagged

---------

Co-authored-by: Buyaa Namnan <bunamnan@microsoft.com>

eng/pipelines/libraries/fuzzing/deploy-to-onefuzz.yml

@@ -97,6 +97,14 @@ extends:
  SYSTEM_ACCESSTOKEN: $(System.AccessToken)
  displayName: Send JsonDocumentFuzzer to OneFuzz
 
+ - task: onefuzz-task@0
+ inputs:
+ onefuzzOSes: 'Windows'
+ env:
+ onefuzzDropDirectory: $(fuzzerProject)/deployment/NrbfDecoderFuzzer
+ SYSTEM_ACCESSTOKEN: $(System.AccessToken)
+ displayName: Send NrbfDecoderFuzzer to OneFuzz
+
  - task: onefuzz-task@0
  inputs:
  onefuzzOSes: 'Windows'

src/libraries/Fuzzing/DotnetFuzzing/Assert.cs

@@ -18,6 +18,17 @@ static void Throw(T expected, T actual) =>
  throw new Exception($"Expected={expected} Actual={actual}");
  }
 
+ public static void NotNull<T>(T value)
+ {
+ if (value == null)
+ {
+ ThrowNull();
+ }
+
+ static void ThrowNull() =>
+ throw new Exception("Value is null");
+ }
+
  public static void SequenceEqual<T>(ReadOnlySpan<T> expected, ReadOnlySpan<T> actual)
  {
  if (!expected.SequenceEqual(actual))

src/libraries/Fuzzing/DotnetFuzzing/Dictionaries/nrbfdecoder.dict

@@ -0,0 +1,16 @@
+# "Hello World!"
+"\x00\x01\x00\x00\x00\xFF\xFF\xFF\xFF\x01\x00\x00\x00\x00\x00\x00\x00\x06\x01\x00\x00\x00\x0C\x48\x65\x6C\x6C\x6F\x20\x57\x6F\x72\x6C\x64\x21\x0B"
+# new DateTime(2024, 2, 29)
+"\x00\x01\x00\x00\x00\xFF\xFF\xFF\xFF\x01\x00\x00\x00\x00\x00\x00\x00\x04\x01\x00\x00\x00\x0F\x53\x79\x73\x74\x65\x6D\x2E\x44\x61\x74\x65\x54\x69\x6D\x65\x02\x00\x00\x00\x05\x74\x69\x63\x6B\x73\x08\x64\x61\x74\x65\x44\x61\x74\x61\x00\x00\x09\x10\x00\x00\x60\x5F\xB9\x38\xDC\x08\x00\x00\x60\x5F\xB9\x38\xDC\x08\x0B"
+# new int[] { 1, 2, 3 }
+"\x00\x01\x00\x00\x00\xFF\xFF\xFF\xFF\x01\x00\x00\x00\x00\x00\x00\x00\x0F\x01\x00\x00\x00\x03\x00\x00\x00\x08\x01\x00\x00\x00\x02\x00\x00\x00\x03\x00\x00\x00\x0B"
+# new object[] { int.MaxValue, "string", null }
+"\x00\x01\x00\x00\x00\xFF\xFF\xFF\xFF\x01\x00\x00\x00\x00\x00\x00\x00\x10\x01\x00\x00\x00\x03\x00\x00\x00\x08\x08\xFF\xFF\xFF\x7F\x06\x02\x00\x00\x00\x06\x73\x74\x72\x69\x6E\x67\x0A\x0B"
+# new int?[Array.MaxLength] (plenty of nulls)
+"\x00\x01\x00\x00\x00\xFF\xFF\xFF\xFF\x01\x00\x00\x00\x00\x00\x00\x00\x07\x01\x00\x00\x00\x00\x01\x00\x00\x00\xC7\xFF\xFF\x7F\x03\x6E\x53\x79\x73\x74\x65\x6D\x2E\x4E\x75\x6C\x6C\x61\x62\x6C\x65\x60\x31\x5B\x5B\x53\x79\x73\x74\x65\x6D\x2E\x49\x6E\x74\x33\x32\x2C\x20\x6D\x73\x63\x6F\x72\x6C\x69\x62\x2C\x20\x56\x65\x72\x73\x69\x6F\x6E\x3D\x34\x2E\x30\x2E\x30\x2E\x30\x2C\x20\x43\x75\x6C\x74\x75\x72\x65\x3D\x6E\x65\x75\x74\x72\x61\x6C\x2C\x20\x50\x75\x62\x6C\x69\x63\x4B\x65\x79\x54\x6F\x6B\x65\x6E\x3D\x62\x37\x37\x61\x35\x63\x35\x36\x31\x39\x33\x34\x65\x30\x38\x39\x5D\x5D\x0E\xC7\xFF\xFF\x7F\x0B"
+# [["jagged", "array"], ["of", "strings"]]
+"\x00\x01\x00\x00\x00\xFF\xFF\xFF\xFF\x01\x00\x00\x00\x00\x00\x00\x00\x07\x01\x00\x00\x00\x01\x01\x00\x00\x00\x02\x00\x00\x00\x06\x09\x02\x00\x00\x00\x09\x03\x00\x00\x00\x11\x02\x00\x00\x00\x02\x00\x00\x00\x06\x04\x00\x00\x00\x06\x6A\x61\x67\x67\x65\x64\x06\x05\x00\x00\x00\x05\x61\x72\x72\x61\x79\x11\x03\x00\x00\x00\x02\x00\x00\x00\x06\x06\x00\x00\x00\x02\x6F\x66\x06\x07\x00\x00\x00\x07\x73\x74\x72\x69\x6E\x67\x73\x0B"
+# new Dictionary<string, bool> { { "1", true }, { "2", false } }
+"\x00\x01\x00\x00\x00\xFF\xFF\xFF\xFF\x01\x00\x00\x00\x00\x00\x00\x00\x04\x01\x00\x00\x00\xE3\x01\x53\x79\x73\x74\x65\x6D\x2E\x43\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2E\x47\x65\x6E\x65\x72\x69\x63\x2E\x44\x69\x63\x74\x69\x6F\x6E\x61\x72\x79\x60\x32\x5B\x5B\x53\x79\x73\x74\x65\x6D\x2E\x53\x74\x72\x69\x6E\x67\x2C\x20\x6D\x73\x63\x6F\x72\x6C\x69\x62\x2C\x20\x56\x65\x72\x73\x69\x6F\x6E\x3D\x34\x2E\x30\x2E\x30\x2E\x30\x2C\x20\x43\x75\x6C\x74\x75\x72\x65\x3D\x6E\x65\x75\x74\x72\x61\x6C\x2C\x20\x50\x75\x62\x6C\x69\x63\x4B\x65\x79\x54\x6F\x6B\x65\x6E\x3D\x62\x37\x37\x61\x35\x63\x35\x36\x31\x39\x33\x34\x65\x30\x38\x39\x5D\x2C\x5B\x53\x79\x73\x74\x65\x6D\x2E\x42\x6F\x6F\x6C\x65\x61\x6E\x2C\x20\x6D\x73\x63\x6F\x72\x6C\x69\x62\x2C\x20\x56\x65\x72\x73\x69\x6F\x6E\x3D\x34\x2E\x30\x2E\x30\x2E\x30\x2C\x20\x43\x75\x6C\x74\x75\x72\x65\x3D\x6E\x65\x75\x74\x72\x61\x6C\x2C\x20\x50\x75\x62\x6C\x69\x63\x4B\x65\x79\x54\x6F\x6B\x65\x6E\x3D\x62\x37\x37\x61\x35\x63\x35\x36\x31\x39\x33\x34\x65\x30\x38\x39\x5D\x5D\x04\x00\x00\x00\x07\x56\x65\x72\x73\x69\x6F\x6E\x08\x43\x6F\x6D\x70\x61\x72\x65\x72\x08\x48\x61\x73\x68\x53\x69\x7A\x65\x0D\x4B\x65\x79\x56\x61\x6C\x75\x65\x50\x61\x69\x72\x73\x00\x03\x00\x03\x08\x92\x01\x53\x79\x73\x74\x65\x6D\x2E\x43\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2E\x47\x65\x6E\x65\x72\x69\x63\x2E\x47\x65\x6E\x65\x72\x69\x63\x45\x71\x75\x61\x6C\x69\x74\x79\x43\x6F\x6D\x70\x61\x72\x65\x72\x60\x31\x5B\x5B\x53\x79\x73\x74\x65\x6D\x2E\x53\x74\x72\x69\x6E\x67\x2C\x20\x6D\x73\x63\x6F\x72\x6C\x69\x62\x2C\x20\x56\x65\x72\x73\x69\x6F\x6E\x3D\x34\x2E\x30\x2E\x30\x2E\x30\x2C\x20\x43\x75\x6C\x74\x75\x72\x65\x3D\x6E\x65\x75\x74\x72\x61\x6C\x2C\x20\x50\x75\x62\x6C\x69\x63\x4B\x65\x79\x54\x6F\x6B\x65\x6E\x3D\x62\x37\x37\x61\x35\x63\x35\x36\x31\x39\x33\x34\x65\x30\x38\x39\x5D\x5D\x08\xE7\x01\x53\x79\x73\x74\x65\x6D\x2E\x43\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2E\x47\x65\x6E\x65\x72\x69\x63\x2E\x4B\x65\x79\x56\x61\x6C\x75\x65\x50\x61\x69\x72\x60\x32\x5B\x5B\x53\x79\x73\x74\x65\x6D\x2E\x53\x74\x72\x69\x6E\x67\x2C\x20\x6D\x73\x63\x6F\x72\x6C\x69\x62\x2C\x20\x56\x65\x72\x73\x69\x6F\x6E\x3D\x34\x2E\x30\x2E\x30\x2E\x30\x2C\x20\x43\x75\x6C\x74\x75\x72\x65\x3D\x6E\x65\x75\x74\x72\x61\x6C\x2C\x20\x50\x75\x62\x6C\x69\x63\x4B\x65\x79\x54\x6F\x6B\x65\x6E\x3D\x62\x37\x37\x61\x35\x63\x35\x36\x31\x39\x33\x34\x65\x30\x38\x39\x5D\x2C\x5B\x53\x79\x73\x74\x65\x6D\x2E\x42\x6F\x6F\x6C\x65\x61\x6E\x2C\x20\x6D\x73\x63\x6F\x72\x6C\x69\x62\x2C\x20\x56\x65\x72\x73\x69\x6F\x6E\x3D\x34\x2E\x30\x2E\x30\x2E\x30\x2C\x20\x43\x75\x6C\x74\x75\x72\x65\x3D\x6E\x65\x75\x74\x72\x61\x6C\x2C\x20\x50\x75\x62\x6C\x69\x63\x4B\x65\x79\x54\x6F\x6B\x65\x6E\x3D\x62\x37\x37\x61\x35\x63\x35\x36\x31\x39\x33\x34\x65\x30\x38\x39\x5D\x5D\x5B\x5D\x02\x00\x00\x00\x09\x02\x00\x00\x00\x03\x00\x00\x00\x09\x03\x00\x00\x00\x04\x02\x00\x00\x00\x92\x01\x53\x79\x73\x74\x65\x6D\x2E\x43\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2E\x47\x65\x6E\x65\x72\x69\x63\x2E\x47\x65\x6E\x65\x72\x69\x63\x45\x71\x75\x61\x6C\x69\x74\x79\x43\x6F\x6D\x70\x61\x72\x65\x72\x60\x31\x5B\x5B\x53\x79\x73\x74\x65\x6D\x2E\x53\x74\x72\x69\x6E\x67\x2C\x20\x6D\x73\x63\x6F\x72\x6C\x69\x62\x2C\x20\x56\x65\x72\x73\x69\x6F\x6E\x3D\x34\x2E\x30\x2E\x30\x2E\x30\x2C\x20\x43\x75\x6C\x74\x75\x72\x65\x3D\x6E\x65\x75\x74\x72\x61\x6C\x2C\x20\x50\x75\x62\x6C\x69\x63\x4B\x65\x79\x54\x6F\x6B\x65\x6E\x3D\x62\x37\x37\x61\x35\x63\x35\x36\x31\x39\x33\x34\x65\x30\x38\x39\x5D\x5D\x00\x00\x00\x00\x07\x03\x00\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\x03\xE5\x01\x53\x79\x73\x74\x65\x6D\x2E\x43\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2E\x47\x65\x6E\x65\x72\x69\x63\x2E\x4B\x65\x79\x56\x61\x6C\x75\x65\x50\x61\x69\x72\x60\x32\x5B\x5B\x53\x79\x73\x74\x65\x6D\x2E\x53\x74\x72\x69\x6E\x67\x2C\x20\x6D\x73\x63\x6F\x72\x6C\x69\x62\x2C\x20\x56\x65\x72\x73\x69\x6F\x6E\x3D\x34\x2E\x30\x2E\x30\x2E\x30\x2C\x20\x43\x75\x6C\x74\x75\x72\x65\x3D\x6E\x65\x75\x74\x72\x61\x6C\x2C\x20\x50\x75\x62\x6C\x69\x63\x4B\x65\x79\x54\x6F\x6B\x65\x6E\x3D\x62\x37\x37\x61\x35\x63\x35\x36\x31\x39\x33\x34\x65\x30\x38\x39\x5D\x2C\x5B\x53\x79\x73\x74\x65\x6D\x2E\x42\x6F\x6F\x6C\x65\x61\x6E\x2C\x20\x6D\x73\x63\x6F\x72\x6C\x69\x62\x2C\x20\x56\x65\x72\x73\x69\x6F\x6E\x3D\x34\x2E\x30\x2E\x30\x2E\x30\x2C\x20\x43\x75\x6C\x74\x75\x72\x65\x3D\x6E\x65\x75\x74\x72\x61\x6C\x2C\x20\x50\x75\x62\x6C\x69\x63\x4B\x65\x79\x54\x6F\x6B\x65\x6E\x3D\x62\x37\x37\x61\x35\x63\x35\x36\x31\x39\x33\x34\x65\x30\x38\x39\x5D\x5D\x04\xFC\xFF\xFF\xFF\xE5\x01\x53\x79\x73\x74\x65\x6D\x2E\x43\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2E\x47\x65\x6E\x65\x72\x69\x63\x2E\x4B\x65\x79\x56\x61\x6C\x75\x65\x50\x61\x69\x72\x60\x32\x5B\x5B\x53\x79\x73\x74\x65\x6D\x2E\x53\x74\x72\x69\x6E\x67\x2C\x20\x6D\x73\x63\x6F\x72\x6C\x69\x62\x2C\x20\x56\x65\x72\x73\x69\x6F\x6E\x3D\x34\x2E\x30\x2E\x30\x2E\x30\x2C\x20\x43\x75\x6C\x74\x75\x72\x65\x3D\x6E\x65\x75\x74\x72\x61\x6C\x2C\x20\x50\x75\x62\x6C\x69\x63\x4B\x65\x79\x54\x6F\x6B\x65\x6E\x3D\x62\x37\x37\x61\x35\x63\x35\x36\x31\x39\x33\x34\x65\x30\x38\x39\x5D\x2C\x5B\x53\x79\x73\x74\x65\x6D\x2E\x42\x6F\x6F\x6C\x65\x61\x6E\x2C\x20\x6D\x73\x63\x6F\x72\x6C\x69\x62\x2C\x20\x56\x65\x72\x73\x69\x6F\x6E\x3D\x34\x2E\x30\x2E\x30\x2E\x30\x2C\x20\x43\x75\x6C\x74\x75\x72\x65\x3D\x6E\x65\x75\x74\x72\x61\x6C\x2C\x20\x50\x75\x62\x6C\x69\x63\x4B\x65\x79\x54\x6F\x6B\x65\x6E\x3D\x62\x37\x37\x61\x35\x63\x35\x36\x31\x39\x33\x34\x65\x30\x38\x39\x5D\x5D\x02\x00\x00\x00\x03\x6B\x65\x79\x05\x76\x61\x6C\x75\x65\x01\x00\x01\x06\x05\x00\x00\x00\x01\x31\x01\x01\xFA\xFF\xFF\xFF\xFC\xFF\xFF\xFF\x06\x07\x00\x00\x00\x01\x32\x00\x0B"
+# new ComplexType2D { I = 1, J = 2 } (non-system class)
+"\x00\x01\x00\x00\x00\xFF\xFF\xFF\xFF\x01\x00\x00\x00\x00\x00\x00\x00\x0C\x02\x00\x00\x00\x3D\x42\x66\x44\x65\x6D\x6F\x2C\x20\x56\x65\x72\x73\x69\x6F\x6E\x3D\x31\x2E\x30\x2E\x30\x2E\x30\x2C\x20\x43\x75\x6C\x74\x75\x72\x65\x3D\x6E\x65\x75\x74\x72\x61\x6C\x2C\x20\x50\x75\x62\x6C\x69\x63\x4B\x65\x79\x54\x6F\x6B\x65\x6E\x3D\x6E\x75\x6C\x6C\x05\x01\x00\x00\x00\x14\x42\x66\x44\x65\x6D\x6F\x2E\x43\x6F\x6D\x70\x6C\x65\x78\x54\x79\x70\x65\x32\x44\x02\x00\x00\x00\x01\x49\x01\x4A\x00\x00\x08\x08\x02\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\x0B"

src/libraries/Fuzzing/DotnetFuzzing/DotnetFuzzing.csproj

@@ -30,4 +30,8 @@
  </None>
  </ItemGroup>
 
+ <ItemGroup>
+ <ProjectReference Include="..\..\System.Formats.Nrbf\src\System.Formats.Nrbf.csproj" />
+ </ItemGroup>
+
 </Project>

src/libraries/Fuzzing/DotnetFuzzing/Fuzzers/AssemblyNameInfoFuzzer.cs

@@ -24,15 +24,15 @@ public void FuzzTarget(ReadOnlySpan<byte> bytes)
  using PooledBoundedMemory<char> inputPoisonedBefore = PooledBoundedMemory<char>.Rent(chars, PoisonPagePlacement.Before);
  using PooledBoundedMemory<char> inputPoisonedAfter = PooledBoundedMemory<char>.Rent(chars, PoisonPagePlacement.After);
 
- Test(inputPoisonedBefore);
- Test(inputPoisonedAfter);
+ Test(inputPoisonedBefore.Span);
+ Test(inputPoisonedAfter.Span);
  }
 
- private static void Test(PooledBoundedMemory<char> inputPoisoned)
+ private static void Test(Span<char> span)
  {
- if (AssemblyNameInfo.TryParse(inputPoisoned.Span, out AssemblyNameInfo? fromTryParse))
+ if (AssemblyNameInfo.TryParse(span, out AssemblyNameInfo? fromTryParse))
  {
- AssemblyNameInfo fromParse = AssemblyNameInfo.Parse(inputPoisoned.Span);
+ AssemblyNameInfo fromParse = AssemblyNameInfo.Parse(span);
 
  Assert.Equal(fromTryParse.Name, fromParse.Name);
  Assert.Equal(fromTryParse.FullName, fromParse.FullName);
@@ -66,7 +66,7 @@ private static void Test(PooledBoundedMemory<char> inputPoisoned)
  {
  try
  {
- _ = AssemblyNameInfo.Parse(inputPoisoned.Span);
+ _ = AssemblyNameInfo.Parse(span);
  }
  catch (ArgumentException)
  {

src/libraries/Fuzzing/DotnetFuzzing/Fuzzers/NrbfDecoderFuzzer.cs

@@ -0,0 +1,126 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System.Buffers;
+using System.Formats.Nrbf;
+using System.Runtime.Serialization;
+using System.Text;
+
+namespace DotnetFuzzing.Fuzzers
+{
+ internal sealed class NrbfDecoderFuzzer : IFuzzer
+ {
+ public string[] TargetAssemblies { get; } = ["System.Formats.Nrbf"];
+
+ public string[] TargetCoreLibPrefixes => [];
+
+ public string Dictionary => "nrbfdecoder.dict";
+
+ public void FuzzTarget(ReadOnlySpan<byte> bytes)
+ {
+ Test(bytes, PoisonPagePlacement.Before);
+ Test(bytes, PoisonPagePlacement.After);
+ }
+
+ private static void Test(ReadOnlySpan<byte> bytes, PoisonPagePlacement poisonPagePlacement)
+ {
+ using PooledBoundedMemory<byte> inputPoisoned = PooledBoundedMemory<byte>.Rent(bytes, poisonPagePlacement);
+
+ using MemoryStream seekableStream = new(inputPoisoned.Memory.ToArray());
+ Test(inputPoisoned.Span, seekableStream);
+
+ // NrbfDecoder has few code paths dedicated to non-seekable streams, let's test them as well.
+ using NonSeekableStream nonSeekableStream = new(inputPoisoned.Memory.ToArray());
+ Test(inputPoisoned.Span, nonSeekableStream);
+ }
+
+ private static void Test(Span<byte> testSpan, Stream stream)
+ {
+ if (NrbfDecoder.StartsWithPayloadHeader(testSpan))
+ {
+ try
+ {
+ SerializationRecord record = NrbfDecoder.Decode(stream, out IReadOnlyDictionary<SerializationRecordId, SerializationRecord> recordMap);
+ switch (record.RecordType)
+ {
+ case SerializationRecordType.ArraySingleObject:
+ SZArrayRecord<object?> arrayObj = (SZArrayRecord<object?>)record;
+ object?[] objArray = arrayObj.GetArray();
+ Assert.Equal(arrayObj.Length, objArray.Length);
+ Assert.Equal(1, arrayObj.Rank);
+ break;
+ case SerializationRecordType.ArraySingleString:
+ SZArrayRecord<string?> arrayString = (SZArrayRecord<string?>)record;
+ string?[] array = arrayString.GetArray();
+ Assert.Equal(arrayString.Length, array.Length);
+ Assert.Equal(1, arrayString.Rank);
+ Assert.Equal(true, arrayString.TypeNameMatches(typeof(string[])));
+ break;
+ case SerializationRecordType.ArraySinglePrimitive:
+ case SerializationRecordType.BinaryArray:
+ ArrayRecord arrayBinary = (ArrayRecord)record;
+ Assert.NotNull(arrayBinary.TypeName);
+ break;
+ case SerializationRecordType.BinaryObjectString:
+ _ = ((PrimitiveTypeRecord<string>)record).Value;
+ break;
+ case SerializationRecordType.ClassWithId:
+ case SerializationRecordType.ClassWithMembersAndTypes:
+ case SerializationRecordType.SystemClassWithMembersAndTypes:
+ ClassRecord classRecord = (ClassRecord)record;
+ Assert.NotNull(classRecord.TypeName);
+
+ foreach (string name in classRecord.MemberNames)
+ {
+ Assert.Equal(true, classRecord.HasMember(name));
+ }
+ break;
+ case SerializationRecordType.MemberPrimitiveTyped:
+ PrimitiveTypeRecord primitiveType = (PrimitiveTypeRecord)record;
+ Assert.NotNull(primitiveType.Value);
+ break;
+ case SerializationRecordType.MemberReference:
+ Assert.NotNull(record.TypeName);
+ break;
+ case SerializationRecordType.BinaryLibrary:
+ Assert.Equal(false, record.Id.Equals(default));
+ break;
+ case SerializationRecordType.ObjectNull:
+ case SerializationRecordType.ObjectNullMultiple:
+ case SerializationRecordType.ObjectNullMultiple256:
+ Assert.Equal(default, record.Id);
+ break;
+ case SerializationRecordType.MessageEnd:
+ case SerializationRecordType.SerializedStreamHeader:
+ // case SerializationRecordType.ClassWithMembers: will cause NotSupportedException
+ // case SerializationRecordType.SystemClassWithMembers: will cause NotSupportedException
+ default:
+ throw new Exception("Unexpected RecordType");
+ }
+ }
+ catch (SerializationException) { /* Reading from the stream encountered invalid NRBF data.*/ }
+ catch (NotSupportedException) { /* Reading from the stream encountered unsupported records */ }
+ catch (DecoderFallbackException) { /* Reading from the stream encountered an invalid UTF8 sequence. */ }
+ catch (EndOfStreamException) { /* The end of the stream was reached before reading SerializationRecordType.MessageEnd record. */ }
+ catch (IOException) { /* An I/O error occurred. */ }
+ }
+ else
+ {
+ try
+ {
+ NrbfDecoder.Decode(stream);
+ throw new Exception("Decoding supposed to fail!");
+ }
+ catch (SerializationException) { /* Everything has to start with a header */ }
+ catch (NotSupportedException) { /* Reading from the stream encountered unsupported records */ }
+ catch (EndOfStreamException) { /* The end of the stream was reached before reading SerializationRecordType.MessageEnd record. */ }
+ }
+ }
+
+ private class NonSeekableStream : MemoryStream
+ {
+ public NonSeekableStream(byte[] buffer) : base(buffer) { }
+ public override bool CanSeek => false;
+ }
+ }
+}

src/libraries/Fuzzing/DotnetFuzzing/Fuzzers/TypeNameFuzzer.cs

@@ -3,8 +3,6 @@
 
 using System.Buffers;
 using System.Reflection.Metadata;
-using System.Runtime.InteropServices;
-using System.Runtime.InteropServices.Marshalling;
 using System.Text;
 
 namespace DotnetFuzzing.Fuzzers
@@ -55,7 +53,7 @@ private static void Test(Span<char> testSpan)
  try
  {
  TypeName.Parse(testSpan);
- Assert.Equal(true, false); // should never succeed
+ throw new Exception("Parsing was supposed to fail!");
  }
  catch (ArgumentException) { }
  catch (InvalidOperationException) { }

src/libraries/System.Formats.Nrbf/ref/System.Formats.Nrbf.cs

@@ -11,6 +11,7 @@ public abstract partial class ArrayRecord : System.Formats.Nrbf.SerializationRec
  internal ArrayRecord() { }
  public override System.Formats.Nrbf.SerializationRecordId Id { get { throw null; } }
  public abstract System.ReadOnlySpan<int> Lengths { get; }
+ public virtual long FlattenedLength { get; }
  public int Rank { get { throw null; } }
  [System.Diagnostics.CodeAnalysis.RequiresDynamicCode("The code for an array of the specified type might not be available.")]
  public System.Array GetArray(System.Type expectedArrayType, bool allowNulls = true) { throw null; }