Object serializers use Type.GetMembers wrongly

Equinox shared this bug 5 years ago

The order that members get serialized by the MySerializer system is based on the order returned by Type.GetMembers via TypeExtensions.GetDataMembers. This is not safe, as the documentation clearly states:

The GetMembers method does not return members in a particular order, such as alphabetical or declaration order. Your code must not depend on the order in which members are returned, because that order varies.

This occurs when you use the GetMember(name) methods, then use GetMembers() at least twice (see the attached file for a way to reproduce it in the CLR).

In ME/SE this can occur if the XML/protobuf serializers are generated before the MyObjectSerializer is created, or if a plugin uses reflection too early. Since MyObjectSerializer is created lazily there's no way to know for sure the order will be the same on the client and server.

Proposed fix: Change TypeExtensions.GetDataMembers to sort results by full name (declaring type's full name + the member's name).

Replies (1)


Just for my own sake, and for anyone else reading this and going "what?", I'll detail the issue as equinox explained it to me:

This issue arises in network communications (netcode!).

The server serializes data in one order, but that order isn't rigidly defined, as the MSDN documentation states, so the client sees the data but not always in the order it's expecting, since it may be expecting the data in a different order.

This can cause network crashes.
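The proposed fix from the report (sort by the declaring type's full name plus the member's name) and the client/server order mismatch described in the reply, as an added example that is not code from the game, from TypeExtensions, or from this report: a deterministic replacement for GetDataMembers, plus an order signature the two sides could compare before trusting each other's byte layout. The Entity/Player sample types, the names GetDataMembers and OrderSignature, and the BindingFlags used are assumptions made for this example.

```csharp
// Added example (not the game's code): a reflection-cache-independent
// member order for a serializer, following the fix proposed in the report.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;

// Constructed sample types; a base type is included so the declaring-type
// part of the sort key actually matters.
public class Entity
{
    public long EntityId;
    public string Name;
}

public class Player : Entity
{
    public int Health;
    public float Stamina;
    public string Faction;
}

public static class DeterministicMembers
{
    // Assumed flags; a real serializer would use whatever GetDataMembers uses.
    const BindingFlags Flags = BindingFlags.Public | BindingFlags.NonPublic | BindingFlags.Instance;

    // Fields and read/write properties, sorted by declaring type's full name
    // and then by member name. Ordinal comparison keeps the order the same
    // across cultures; the sort makes it independent of the order GetMembers
    // happens to return, which the documentation says is unspecified.
    public static IReadOnlyList<MemberInfo> GetDataMembers(Type type)
    {
        return type.GetMembers(Flags)
            .Where(m => m.MemberType == MemberTypes.Field
                     || (m is PropertyInfo p && p.CanRead && p.CanWrite))
            .OrderBy(m => m.DeclaringType?.FullName ?? "", StringComparer.Ordinal)
            .ThenBy(m => m.Name, StringComparer.Ordinal)
            .ToList();
    }

    // A string both sides can exchange (e.g. during the connection handshake)
    // to detect a layout mismatch up front instead of mid-stream.
    public static string OrderSignature(Type type)
    {
        return string.Join(",", GetDataMembers(type)
            .Select(m => (m.DeclaringType?.FullName ?? "") + "." + m.Name));
    }

    public static void Main()
    {
        // Simulate another serializer or a plugin touching reflection first,
        // the trigger the report describes: a name lookup followed by two
        // GetMembers calls. Whatever order these return is not guaranteed.
        typeof(Player).GetMember("Stamina");
        var raw1 = typeof(Player).GetMembers(Flags).Select(m => m.Name);
        var raw2 = typeof(Player).GetMembers(Flags).Select(m => m.Name);
        Console.WriteLine("GetMembers (unspecified order): " + string.Join(", ", raw1));
        Console.WriteLine("GetMembers again:               " + string.Join(", ", raw2));

        // The sorted view does not depend on what was reflected earlier, so
        // a client and a server built from the same assemblies agree on it.
        Console.WriteLine("Deterministic order: " + OrderSignature(typeof(Player)));
    }
}
```

The sort puts all of Entity's members before Player's, and alphabetically within each type, regardless of how the CLR's member cache was primed. Sorting fixes only the ordering problem: both sides still have to be built from identical type definitions, which is why comparing the signature at connect time is worth the extra message.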
