Mat*_*Mut 14 c# struct casting class memory-layout
警告:这仅仅是那些热衷于破解东西以理解其力学的人的练习.
我正在探索我在C#中可以实现的极限,并且我编写了一个ForceCast()函数来执行一个没有任何类型检查的强力转换.切勿考虑在生产代码中使用此功能.
我写了一个名为call的类Original和一个名为struct的结构LikeOriginal,两个都有两个整数变量.在Main()我创建了一个名为新变量orig,并将其设置为一个新的实例Original与a=7和b=20.何时orig被转换LikeOriginal并存储casted,其值cG和dG未定义,这LikeOriginal是一个结构和类实例包含比结构实例更多的元数据,因此导致内存布局不匹配.
示例输出:
Casted Original to LikeOriginal
1300246376, 542
1300246376, 542
added 3
Casted LikeOriginal back to Original
1300246379, 545
但是请注意,当我打电话casted.Add(3),并转换回Original并打印的价值a和b,令人惊讶的是,他们成功地通过3递增,而这一直是重复的.
让我感到困惑的是,将类强制转换为struct将导致cG并dG映射到类元数据,但是当它们被修改并强制转换为类时,它们会正确映射到a和b.
为什么会这样?
使用的代码:
using System;
using System.Runtime.InteropServices;
namespace BreakingStuff {
public class Original {
public int a, b;
public Original(int a, int b)
{
this.a = a;
this.b = b;
}
public void Add(int val)
{
}
}
public struct LikeOriginal {
public int cG, dG;
public override string ToString() {
return cG + ", " + dG;
}
public void Add(int val) {
cG += val;
dG += val;
}
}
public static class Program {
public unsafe static void Main() {
Original orig = new Original(7, 20);
LikeOriginal casted = ForceCast<Original, LikeOriginal>(orig);
Console.WriteLine("Casted Original to LikeOriginal");
Console.WriteLine(casted.cG + ", " + casted.dG);
Console.WriteLine(casted.ToString());
casted.Add(3);
Console.WriteLine("added 3");
orig = ForceCast<LikeOriginal, Original>(casted);
Console.WriteLine("Casted LikeOriginal back to Original");
Console.WriteLine(orig.a + ", " + orig.b);
Console.ReadLine();
}
//performs a pointer cast but with the same memory layout.
private static unsafe TOut ForceCast<TIn, TOut>(this TIn input) {
GCHandle handle = GCHandle.Alloc(input);
TOut result = Read<TOut>(GCHandle.ToIntPtr(handle));
handle.Free();
return result;
}
private static unsafe T Read<T>(this IntPtr address) {
T obj = default(T);
if (address == IntPtr.Zero)
return obj;
TypedReference tr = __makeref(obj);
*(IntPtr*) (&tr) = address;
return __refvalue(tr, T);
}
}
}
\xe2\x82\xacdit:长话短说:首先创建一个 ForceCast 函数来正确处理身份转换ForceCast<LikeOriginal, LikeOriginal>和ForceCast<Original, Original>,然后您可能有机会进行实际的转换
通过为类->类(CC)、类->结构(CS)、结构->类(SC)和结构->结构(SS)提供不同的代码,用作Nullable<T>结构的中间体,我得到了一个工作示例:
// class -> class\nprivate static unsafe TOut ForceCastCC<TIn, TOut>(TIn input)\n where TIn : class\n where TOut : class\n{\n var handle = __makeref(input);\n return Read<TOut>(*(IntPtr*)(&handle));\n}\n\n// struct -> struct, require nullable types for in-out\nprivate static unsafe TOut? ForceCastSS<TIn, TOut>(TIn? input)\n where TIn : struct\n where TOut : struct\n{\n var handle = __makeref(input);\n return Read<TOut?>(*(IntPtr*)(&handle));\n}\n\n// class -> struct\nprivate static unsafe TOut? ForceCastCS<TIn, TOut>(TIn input)\n where TIn : class\n where TOut : struct\n{\n var handle = __makeref(input);\n // one extra de-reference of the input pointer\n return Read<TOut?>(*(IntPtr*)*(IntPtr*)(&handle));\n}\n\n// struct -> class\nprivate static unsafe TOut ForceCastSC<TIn, TOut>(TIn? input)\n where TIn : struct\n where TOut : class\n{\n // get a real pointer to the struct, so it can be turned into a reference type\n var handle = GCHandle.Alloc(input);\n var result = Read<TOut>(GCHandle.ToIntPtr(handle));\n handle.Free();\n return result;\n}\n现在,在示例中使用适当的函数并按照编译器的要求处理可为 null 的类型:
\n\nOriginal orig = new Original(7, 20);\nLikeOriginal casted = ForceCastCS<Original, LikeOriginal>(orig) ?? default(LikeOriginal);\nConsole.WriteLine("Casted Original to LikeOriginal");\nConsole.WriteLine(casted.cG + ", " + casted.dG);\nConsole.WriteLine(casted.ToString());\ncasted.Add(3);\nConsole.WriteLine("added 3");\norig = ForceCastSC<LikeOriginal, Original>(casted);\nConsole.WriteLine("Casted LikeOriginal back to Original");\nConsole.WriteLine(orig.a + ", " + orig.b);\n\nConsole.ReadLine();\n对我来说,这会在每个点返回正确的数字。
\n\n一些细节:
\n\n基本上,您的问题是您将值类型视为引用类型......
\n\n让我们首先看一下工作案例:LikeOriginal-> Original:
var h1 = GCHandle.Alloc(likeOriginal);\nvar ptr1 = GCHandle.ToIntPtr(h1);\n这将创建一个指向内存区域的指针LikeOriginal(\xe2\x82\xacdit:实际上,并不完全是那个内存区域,见下文)
var obj1 = default(Original);\nTypedReference t1 = __makeref(obj1);\n*(IntPtr*)(&t1) = ptr1;\n这将创建一个带有指针值的引用(指针)Original,指向LikeOriginal
var original = __refvalue( t1,Original);\n这会将类型化引用转换为托管引用,指向 的内存LikeOriginal。likeOriginal保留起始对象的所有值。
现在让我们分析一些应该有效的中间情况,如果您的代码可以双向工作:LikeOriginal-> LikeOriginal:
var h2 = GCHandle.Alloc(likeOriginal);\nvar ptr2 = GCHandle.ToIntPtr(h2);\n同样,我们有一个指向内存区域的指针LikeOriginal
var obj2 = default(LikeOriginal);\nTypedReference t2 = __makeref(obj2);\n现在,这是出现问题的第一个提示:__makeref(obj2)将创建对对象的引用LikeOriginal,而不是对存储指针的某个单独区域的引用。
*(IntPtr*)(&t2) = ptr2;\nptr2然而,是一个指向某些参考值的指针
var likeOriginal2 = __refvalue( t2,LikeOriginal);\n在这里,我们得到了垃圾,因为t2应该是对对象内存的直接引用,而不是对某些指针内存的引用。
以下是我执行的一些测试代码,以更好地了解您的方法以及出了什么问题(其中一些非常结构化,然后是我尝试了一些其他操作的某些部分):
\n\nOriginal o1 = new Original(111, 222);\nLikeOriginal o2 = new LikeOriginal { cG = 333, dG = 444 };\n\n// get handles to the objects themselfes and to their individual properties\nGCHandle h1 = GCHandle.Alloc(o1);\nGCHandle h2 = GCHandle.Alloc(o1.a);\nGCHandle h3 = GCHandle.Alloc(o1.b);\nGCHandle h4 = GCHandle.Alloc(o2);\nGCHandle h5 = GCHandle.Alloc(o2.cG);\nGCHandle h6 = GCHandle.Alloc(o2.dG);\n\n// get pointers from the handles, each pointer has an individual value\nIntPtr i1 = GCHandle.ToIntPtr(h1);\nIntPtr i2 = GCHandle.ToIntPtr(h2);\nIntPtr i3 = GCHandle.ToIntPtr(h3);\nIntPtr i4 = GCHandle.ToIntPtr(h4);\nIntPtr i5 = GCHandle.ToIntPtr(h5);\nIntPtr i6 = GCHandle.ToIntPtr(h6);\n\n// get typed references for the objects and properties\nTypedReference t1 = __makeref(o1);\nTypedReference t2 = __makeref(o1.a);\nTypedReference t3 = __makeref(o1.b);\nTypedReference t4 = __makeref(o2);\nTypedReference t5 = __makeref(o2.cG);\nTypedReference t6 = __makeref(o2.dG);\n\n// get the associated pointers\nIntPtr j1 = *(IntPtr*)(&t1);\nIntPtr j2 = *(IntPtr*)(&t2); // j1 != j2, because a class handle points to the pointer/reference memory\nIntPtr j3 = *(IntPtr*)(&t3);\nIntPtr j4 = *(IntPtr*)(&t4);\nIntPtr j5 = *(IntPtr*)(&t5); // j4 == j5, because a struct handle points directly to the instance memory\nIntPtr j6 = *(IntPtr*)(&t6);\n\n// direct translate-back is working for all objects and properties\nvar r1 = __refvalue( t1,Original);\nvar r2 = __refvalue( t2,int);\nvar r3 = __refvalue( t3,int);\nvar r4 = __refvalue( t4,LikeOriginal);\nvar r5 = __refvalue( t5,int);\nvar r6 = __refvalue( t6,int);\n\n// assigning the pointers that where inferred from the GCHandles\n*(IntPtr*)(&t1) = i1;\n*(IntPtr*)(&t2) = i2;\n*(IntPtr*)(&t3) = i3;\n*(IntPtr*)(&t4) = i4;\n*(IntPtr*)(&t5) = i5;\n*(IntPtr*)(&t6) = i6;\n\n// translate back the changed references\nvar s1 = __refvalue( t1,Original); // Ok\n// rest is garbage values!\nvar s2 = __refvalue( t2,int);\nvar s3 = __refvalue( t3,int);\nvar s4 = __refvalue( t4,LikeOriginal);\nvar s5 = __refvalue( t5,int);\nvar s6 = __refvalue( t6,int);\n\n// a variation, primitively dereferencing the pointer to get to the actual memory\n*(IntPtr*)(&t4) = *(IntPtr*)i4;\nvar s4_1 = __refvalue( t4,LikeOriginal); // partial result, getting { garbage, 333 } instead of { 333, 444 }\n\n// prepare TypedReference for translation between Original and LikeOriginal\nvar obj1 = default(Original);\nvar obj2 = default(LikeOriginal);\nTypedReference t7 = __makeref(obj1);\nTypedReference t8 = __makeref(obj2);\n\n// translate between Original and LikeOriginal\n*(IntPtr*)(&t7) = i4; // From struct to class, the pointer aquired through GCHandle is apropriate\nvar s7 = __refvalue( t7,Original); // Ok\n\n*(IntPtr*)(&t8) = *(IntPtr*)j1;\nvar s8 = __refvalue( t8,LikeOriginal); // Not Ok - Original has some value comming before its first member - getting { garbage, 111 } instead of { 111, 222 }\n\n*(IntPtr*)(&t8) = j2;\nvar s9 = __refvalue( t8,LikeOriginal); // Ok by starting at the address of the first member\n结论:通过GCHandle->IntPtr创建一个指针,该指针指向第一个成员前面的一个内存位置,无论起始点是结构体还是类。这会导致一种情况,其中 struct -> class 或 class -> class 正在工作,但 class -> struct 或 struct -> struct 不起作用。
我发现定位结构的唯一方法是获取指向其第一个成员的指针(在输入结构的情况下等于__makeref结构而不通过 via GCHandle)。