BlobBuilder.ReserveBytes needs to zero the memory

[jaredpar]

Description

The BlobBuilder.ReserveBytes method allows for callers to observe the backing byte[] before any data is written to it. Normally that is fine because BlobBuilder instances newly allocate the byte[] on construction so the data is zero'd out. In the case the BlobBuilder is created via pooling (the type supports pooling) then the data is whatever was written by the last consumer of the instance.

Reproduction Steps

Can observe using the following steps:

// Using PooledBlobBuilder from the SMR code base. Put used content 
// into the pool
var builder = PooledBlobBuilder.GetInstance();
builder.WriteBytes(42, 4);
builder.Free();

// Now grab a builder from the pool
builder = PooledBlobBuilder.GetInstance();
var blob = builder.ReserveBytes(4);
Console.WriteLine(blob.GetBytes()[0]); // prints 42

Expected behavior

The consumer should not be able to meaningfully observe the content from the previous writer.

Actual behavior

The consumer can observe the content from the previous writer

Regression?

This makes it more difficult for roslyn to widely use pooled BlobBuilder instances in our code base. Consider for example the code in PEBuilder.WriteCoffHeader:

stampFixup = builder.ReserveBytes(sizeof(uint));

This means that the BlobBuilder used for writing out the COFF header has four bytes that are uninitialized / non-zero. That means the underlying Blob for the COFF header is non-deterministic in the face of a pooled BlobBuilder. That non-determinism is then passed to PEBuilder.IdProvider resulting in non-deterministic MVID + timestamps being generated for the PE.

Known Workarounds

Roslyn can work around this by force zero-ing BlobBuilder that are used in COFF generation but it's better to fix the underlying bug.

Configuration

No response

Other information

No response

Tagging subscribers to this area: @dotnet/area-system-reflection-metadata
See info in area-owners.md if you want to be subscribed.

Issue Details

---

Description

The BlobBuilder.ReserveBytes method allows for callers to observe the backing byte[] before any data is written to it. Normally that is fine because BlobBuilder instances newly allocate the byte[] on construction so the data is zero'd out. In the case the BlobBuilder is created via pooling (the type supports pooling) then the data is whatever was written by the last consumer of the instance.

Reproduction Steps

Can observe using the following steps:

// Using PooledBlobBuilder from the SMR code base. Put used content 
// into the pool
var builder = PooledBlobBuilder.GetInstance();
builder.WriteBytes(42, 4);
builder.Free();

// Now grab a builder from the pool
builder = PooledBlobBuilder.GetInstance();
var blob = builder.ReserveBytes(4);
Console.WriteLine(blob.GetBytes()[0]); // prints 42

Expected behavior

The consumer should not be able to meaningfully observe the content from the previous writer.

Actual behavior

The consumer can observe the content from the previous writer

Regression?

This makes it more difficult for roslyn to widely use pooled BlobBuilder instances in our code base. Consider for example the code in [PEBuilder.WriteCoffHeader][writecoffheadeer]:

stampFixup = builder.ReserveBytes(sizeof(uint));

This means that the BlobBuilder used for writing out the COFF header has four bytes that are uninitialized / non-zero. That means the underlying Blob for the COFF header is non-deterministic in the face of a pooled BlobBuilder. That non-determinism is then passed to PEBuilder.IdProvider resulting in non-deterministic MVID + timestamps being generated for the PE.

Known Workarounds

Roslyn can work around this by force zero-ing BlobBuilder that are used in COFF generation but it's better to fix the underlying bug.

Configuration

No response

Other information

No response

Author:	jaredpar
Assignees:	-
Labels:	area-System.Reflection.Metadata, untriaged, needs-area-label
Milestone:	-

[buyaa-n]

@jaredpar is this needed for 9.0?

[ericstj]

I think this is valuable to fix, but I can also imagine some callers caring about the performance hit of zeroing the memory. I wonder if we need API around it to allow callers to express that?

I see @jaredpar likely opened this while working on dotnet/roslyn#72383 and implemented zero-ing there (with an API, presumably for similar concerns).

As a result I don't think Roslyn is blocked on this, and we should take this as a good API suggestion to evaluate in the next release.

[jaredpar]

As a result I don't think Roslyn is blocked on this, and we should take this as a good API suggestion to evaluate in the next release.

It's true that we found a work around but it's definitely not optimal. Instead of directly clearing the memory using a fast span primitive as the implementation of ReserveBytes can do we have to do a WriteBytes which is less efficient.

I wonder if we need API around it to allow callers to express that?

I'm fine with a different API that did this. Even a simple Zero method is enough as it can efficiently clear the memory.

[teo-tsirpanis]

Will implement alongside #100418.