Object Serializers uses Type.GetMembers wrongly

Equinox shared this bug 8 months ago

The order that members get serialized by the MySerializer system is based on the order returned by Type.GetMembers via TypeExtensions.GetDataMembers. This is not safe, as the documentation clearly states:

The GetMembers method does not return members in a particular order, such as alphabetical or declaration order. Your code must not depend on the order in which members are returned, because that order varies.

This occurs when you use the GetMember(name) methods, then use GetMembers() at least twice (see attached file for a way to reproduce in the CLR).

In ME/SE this can occur if the XML/protobuf serializers are generated before the MyObjectSerializer is created, or if a plugin uses reflection too early. Since MyObjectSerializer is created lazily, there's no way to know for sure the order will be the same on the client and server.

Proposed fix: Change TypeExtensions.GetDataMembers to sort results by full name (declaring type's full name + the member's name).
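
A sketch of the proposed ordering, added here as an example and not taken from the report's attachment or the game's code: `StableMemberOrder`, `GetDataMembersOrdered` and the sample types are hypothetical names, and the helper assumes data members are public instance fields and non-indexer properties.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;

public static class StableMemberOrder
{
    // Hypothetical helper (not the game's TypeExtensions.GetDataMembers):
    // returns fields and non-indexer properties in an order that does not
    // depend on whatever order Type.GetMembers happens to return.
    public static List<MemberInfo> GetDataMembersOrdered(Type type)
    {
        const BindingFlags flags = BindingFlags.Instance | BindingFlags.Public;

        return type.GetMembers(flags)
            .Where(m => m is FieldInfo
                     || (m is PropertyInfo p && p.GetIndexParameters().Length == 0))
            // Sort key: declaring type's full name + member name, as proposed.
            // Ordinal comparison keeps the result independent of culture
            // settings, which can differ between client and server machines.
            .OrderBy(m => m.DeclaringType.FullName + "." + m.Name,
                     StringComparer.Ordinal)
            .ToList();
    }
}

// Constructed sample types for the demonstration.
public class BaseBlock { public long EntityId; public float Integrity; }
public class Thruster : BaseBlock { public bool Enabled { get; set; } public float Power; }

public static class Program
{
    public static void Main()
    {
        // Touch reflection by name first, as a plugin or another serializer
        // generator might, then enumerate the members twice.
        typeof(Thruster).GetMember("Power");
        var first = StableMemberOrder.GetDataMembersOrdered(typeof(Thruster));
        var second = StableMemberOrder.GetDataMembersOrdered(typeof(Thruster));

        foreach (var m in first)
            Console.WriteLine(m.DeclaringType.FullName + "." + m.Name);

        bool same = first.Select(m => m.Name).SequenceEqual(second.Select(m => m.Name));
        Console.WriteLine(same ? "order stable" : "order differs");
    }
}
```

Because the sort key includes the declaring type, a member that hides a base member with `new` still gets a distinct, stable position.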

Comments (1)


Hello, thank you for the report. I created a ticket for this issue.