Hold that upgrade: Critical bug in .NET 4.6 'breaks applications'
Methods get wrong parameters, claim Stack Overflow dev
A critical bug in the optimizer in the just-released .NET 4.6 runtime could break and crash production applications, we're warned.
"The methods you call can get different parameter values than you passed in," says Nick Craver – software developer and system administrator for Stack Exchange, home of the popular programming support site Stack Overflow – in a post today.
The bug was hard to spot because it only occurs when optimizations are enabled. This means you can build an application, run it in Visual Studio, and everything is fine. It is only when you compile a production build that the problem occurs. Attaching a debugger, says Craver, changes the behavior and usually hides the issue. It was noticed at Stack Overflow because its heavily exercised HTTP caching code was not working with the new runtime, delivering unpredictable results.
The flaw has been documented on GitHub as "Tail Call bug in RyuJIT – incorrect parameters passed," complete with code that reproduces the problem. "When the parameters you're passing aren't the ones the method is getting, all sanity goes out the window. What if your method says how much stock to buy? What if it gives dosing information to a patient? What if it tells a plane what altitude to climb to?" reads the report.
The issue appears to be in the new JIT compiler called RyuJIT. When optimization is enabled, the last method in the call stack can get a random value passed to it.
"The team is taking this very seriously. We're going to talk about it later today as folks get into the office," said Microsoft .NET Program Manager Rich Lander.
Since the bug is in the JIT compiler, the workaround is not to install .NET 4.6 at all. If you install it, even applications targeting earlier versions of .NET may be impacted, since the same compiler is used. A version of .NET 4.6 ships with Windows 10. Craver claimed that Microsoft has "fixed the bug internally, but not for users," in which case, if the bug is as severe as it appears, you can expect a patch to appear soon. ®
Sponsored: Becoming a Pragmatic Security Leader