[Android] Prevent race condition by synchronizing buffer access

[kotlarmilos]

Problem

Android SSL callbacks WriteToConnection/ReadFromConnection receive an IntPtr that should reference a GCHandle to SafeDeleteSslContext. The handle was freed while native code could still invoke the callbacks with the IntPtr referencing a different object. This led to a NullReferenceException or InvalidCastException:

System.InvalidCastException: Unable to cast object of type 'System.Threading.Thread' to type 'System.Net.SafeDeleteSslContext'

Description

This PR synchronizes all buffer mutations behind a shared _lock, and updates the managed callbacks to verify that the handle is still allocated and its target is a SafeDeleteSslContext before using it.

Changes

• Implemented WriteToConnection/ReadFromConnection checks for allocated GCHandle
• Implemented lock in all buffer mutations to prevent race condition

Testing

The System.Net.Http.Functional.Tests now pass without the crash on Android.

Fixes #117045

[kotlarmilos]

/azp run runtime-android,runtime-androidemulator

[azure-pipelines]

Azure Pipelines will not run the associated pipelines, because the pull request was updated after the run command was issued. Review the pull request again and issue a new run command.

[kotlarmilos]

/azp run runtime-android,runtime-androidemulator

[azure-pipelines]

Azure Pipelines successfully started running 2 pipeline(s).

[dotnet-policy-service]

Tagging subscribers to 'arch-android': @vitek-karas, @simonrozsival, @steveisok, @akoeplinger
See info in area-owners.md if you want to be subscribed.

[Copilot]

Pull Request Overview

This PR fixes a race condition in Android SSL implementation where GCHandle references were being freed while native callbacks could still access them, causing InvalidCastException or NullReferenceException. The fix extends the GCHandle lifetime to match the SafeDeleteSslContext object and adds proper synchronization for buffer operations.

Key changes:

• Replace weak GCHandle allocation with persistent handle that lives for the full object lifetime
• Add comprehensive locking around all buffer operations to prevent race conditions
• Implement null/disposed checks in native callbacks with graceful error handling

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

File	Description
src/libraries/tests.proj	Re-enables System.Net.Http.Functional.Tests for Android and adds it to smoke tests
src/libraries/System.Net.Security/src/System/Net/Security/Pal.Android/SafeDeleteSslContext.cs	Implements persistent GCHandle, thread-safe buffer access, and defensive callback handling

[kotlarmilos]

/azp run runtime-android,runtime-androidemulator

[azure-pipelines]

Azure Pipelines successfully started running 2 pipeline(s).

[kotlarmilos]

/azp run runtime-android,runtime-androidemulator

[azure-pipelines]

Azure Pipelines successfully started running 2 pipeline(s).

[kotlarmilos]

/azp run runtime-android,runtime-androidemulator

[azure-pipelines]

Azure Pipelines successfully started running 2 pipeline(s).

[simonrozsival]

All the failing tests are known and unrelated to these changes.

[kotlarmilos]

/azp run runtime-android,runtime-androidemulator

[azure-pipelines]

Azure Pipelines successfully started running 2 pipeline(s).

[simonrozsival]

All the failing tests are known and unrelated to these changes.

[jkotas]

All the failing tests are known

What's the known issue for the wasm failure?

[17:58:18] fail: [MONO] no object of size 536935192d

Error
    at Mc (http://127.0.0.1:58317/_framework/dotnet.runtime.js:3:172233)
    at wasm_trace_logger (http://127.0.0.1:58317/_framework/dotnet.native.wasm:wasm-function[158]:0xb02e)
    at eglib_log_adapter (http://127.0.0.1:58317/_framework/dotnet.native.wasm:wasm-function[656]:0x455d4)
    at monoeg_g_logv_nofree (http://127.0.0.1:58317/_framework/dotnet.native.wasm:wasm-function[581]:0x436c9)
    at monoeg_g_log (http://127.0.0.1:58317/_framework/dotnet.native.wasm:wasm-function[583]:0x4378c)
    at ms_find_block_obj_size_index (http://127.0.0.1:58317/_framework/dotnet.native.wasm:wasm-function[952]:0x52e7b)
    at alloc_obj (http://127.0.0.1:58317/_framework/dotnet.native.wasm:wasm-function[991]:0x593be)
    at major_alloc_object (http://127.0.0.1:58317/_framework/dotnet.native.wasm:wasm-function[982]:0x54a4a)
    at alloc_for_promotion (http://127.0.0.1:58317/_framework/dotnet.native.wasm:wasm-function[1058]:0x5c4ec)
    at copy_object_no_checks (http://127.0.0.1:58317/_framework/dotnet.native.wasm:wasm-function[998]:0x5a05b)

[jkotas]

I have opened #118244 on the wasm test failure.

All CI failure - even the ones unrelated to the change - should have tracking issue: https://github.com/dotnet/runtime/blob/main/docs/workflow/ci/failure-analysis.md#what-to-do-if-you-determine-the-failure-is-unrelated

[kotlarmilos]

Thanks Jan — I merged the PR on the second CI attempt and the failure occurred on the first attempt, which is why it let me merge without an escape comment.