Add cast to ComAwareWeakReference rehydrate path (#119132)

jkotas · web-flow · commit 0be0db22ff26 · 2025-08-27T05:51:14.000-07:00
Prevents hard to diagnose crashes caused by COM interop rehydrating wrong type.
diff --git a/src/libraries/System.Private.CoreLib/src/System/ComAwareWeakReference.cs b/src/libraries/System.Private.CoreLib/src/System/ComAwareWeakReference.cs
@@ -100,21 +100,24 @@ private void SetTarget(object? target, ComInfo? comInfo)
             }
         }
 
-        internal object? Target => GCHandle.InternalGet(_weakHandle) ?? RehydrateTarget();
+        internal object? Target => GCHandle.InternalGet(_weakHandle);
 
-        private object? RehydrateTarget()
+        internal nint WeakHandle => _weakHandle;
+
+        internal T? RehydrateTarget<T>() where T: class?
         {
-            object? target = null;
+            T? target = null;
             lock (this)
             {
                 if (_comInfo != null)
                 {
-                    // check if the target is still null
-                    target = GCHandle.InternalGet(_weakHandle);
+                    // Check if the target is still null
+                    target = Unsafe.As<T?>(GCHandle.InternalGet(_weakHandle));
                     if (target == null)
                     {
-                        // resolve and reset
-                        target = _comInfo.ResolveTarget();
+                        // Resolve and reset. Perform runtime cast to catch bugs
+                        // in COM interop where it rehydrates wrong type.
+                        target = (T?)_comInfo.ResolveTarget();
                         if (target != null)
                             GCHandle.InternalSet(_weakHandle, target);
                     }
@@ -147,16 +150,10 @@ private static ComAwareWeakReference EnsureComAwareReference(ref nint taggedHand
         }
 
         [MethodImpl(MethodImplOptions.AggressiveInlining)]
-        internal static object? GetTarget(nint taggedHandle)
-        {
-            Debug.Assert((taggedHandle & ComAwareBit) != 0);
-            return Unsafe.As<ComAwareWeakReference>(GCHandle.InternalGet(taggedHandle & ~HandleTagBits)).Target;
-        }
-
-        internal static nint GetWeakHandle(nint taggedHandle)
+        internal static ComAwareWeakReference GetFromTaggedReference(nint taggedHandle)
         {
             Debug.Assert((taggedHandle & ComAwareBit) != 0);
-            return Unsafe.As<ComAwareWeakReference>(GCHandle.InternalGet(taggedHandle & ~HandleTagBits))._weakHandle;
+            return Unsafe.As<ComAwareWeakReference>(GCHandle.InternalGet(taggedHandle & ~HandleTagBits));
         }
 
         [MethodImpl(MethodImplOptions.NoInlining)]
diff --git a/src/libraries/System.Private.CoreLib/src/System/WeakReference.T.cs b/src/libraries/System.Private.CoreLib/src/System/WeakReference.T.cs
@@ -141,7 +141,9 @@ private T? Target
 #if FEATURE_COMINTEROP || FEATURE_COMWRAPPERS
                 if ((th & ComAwareBit) != 0)
                 {
-                    target = Unsafe.As<T?>(ComAwareWeakReference.GetTarget(th));
+                    ComAwareWeakReference cwr = ComAwareWeakReference.GetFromTaggedReference(th);
+
+                    target = Unsafe.As<T?>(cwr.Target) ?? cwr.RehydrateTarget<T>();
 
                     // must keep the instance alive as long as we use the handle.
                     GC.KeepAlive(this);
diff --git a/src/libraries/System.Private.CoreLib/src/System/WeakReference.cs b/src/libraries/System.Private.CoreLib/src/System/WeakReference.cs
@@ -107,7 +107,7 @@ internal nint WeakHandle
 
 #if FEATURE_COMINTEROP || FEATURE_COMWRAPPERS
                 if ((th & ComAwareBit) != 0)
-                    return ComAwareWeakReference.GetWeakHandle(th);
+                    return ComAwareWeakReference.GetFromTaggedReference(th).WeakHandle;
 #endif
                 return th & ~HandleTagBits;
             }
@@ -166,7 +166,9 @@ public virtual object? Target
 #if FEATURE_COMINTEROP || FEATURE_COMWRAPPERS
                 if ((th & ComAwareBit) != 0)
                 {
-                    target = ComAwareWeakReference.GetTarget(th);
+                    ComAwareWeakReference cwr = ComAwareWeakReference.GetFromTaggedReference(th);
+
+                    target = cwr.Target ?? cwr.RehydrateTarget<object>();
 
                     // must keep the instance alive as long as we use the handle.
                     GC.KeepAlive(this);

Original file line number	Diff line number	Diff line change
`@@ -100,21 +100,24 @@ private void SetTarget(object? target, ComInfo? comInfo)`
`100`	`100`	`}`
`101`	`101`	`}`
`102`	`102`
`103`		`- internal object? Target => GCHandle.InternalGet(_weakHandle) ?? RehydrateTarget();`
	`103`	`+ internal object? Target => GCHandle.InternalGet(_weakHandle);`
`104`	`104`
`105`		`- private object? RehydrateTarget()`
	`105`	`+ internal nint WeakHandle => _weakHandle;`
	`106`	`+`
	`107`	`+ internal T? RehydrateTarget<T>() where T: class?`
`106`	`108`	`{`
`107`		`- object? target = null;`
	`109`	`+ T? target = null;`
`108`	`110`	`lock (this)`
`109`	`111`	`{`
`110`	`112`	`if (_comInfo != null)`
`111`	`113`	`{`
`112`		`- // check if the target is still null`
`113`		`- target = GCHandle.InternalGet(_weakHandle);`
	`114`	`+ // Check if the target is still null`
	`115`	`+ target = Unsafe.As<T?>(GCHandle.InternalGet(_weakHandle));`
`114`	`116`	`if (target == null)`
`115`	`117`	`{`
`116`		`- // resolve and reset`
`117`		`- target = _comInfo.ResolveTarget();`
	`118`	`+ // Resolve and reset. Perform runtime cast to catch bugs`
	`119`	`+ // in COM interop where it rehydrates wrong type.`
	`120`	`+ target = (T?)_comInfo.ResolveTarget();`
`118`	`121`	`if (target != null)`
`119`	`122`	`GCHandle.InternalSet(_weakHandle, target);`
`120`	`123`	`}`
`@@ -147,16 +150,10 @@ private static ComAwareWeakReference EnsureComAwareReference(ref nint taggedHand`
`147`	`150`	`}`
`148`	`151`
`149`	`152`	`[MethodImpl(MethodImplOptions.AggressiveInlining)]`
`150`		`- internal static object? GetTarget(nint taggedHandle)`
`151`		`- {`
`152`		`- Debug.Assert((taggedHandle & ComAwareBit) != 0);`
`153`		`- return Unsafe.As<ComAwareWeakReference>(GCHandle.InternalGet(taggedHandle & ~HandleTagBits)).Target;`
`154`		`- }`
`155`		`-`
`156`		`- internal static nint GetWeakHandle(nint taggedHandle)`
	`153`	`+ internal static ComAwareWeakReference GetFromTaggedReference(nint taggedHandle)`
`157`	`154`	`{`
`158`	`155`	`Debug.Assert((taggedHandle & ComAwareBit) != 0);`
`159`		`- return Unsafe.As<ComAwareWeakReference>(GCHandle.InternalGet(taggedHandle & ~HandleTagBits))._weakHandle;`
	`156`	`+ return Unsafe.As<ComAwareWeakReference>(GCHandle.InternalGet(taggedHandle & ~HandleTagBits));`
`160`	`157`	`}`
`161`	`158`
`162`	`159`	`[MethodImpl(MethodImplOptions.NoInlining)]`