问题
Have a look at the following code:
static void Main(string[] args)
{
string s = null;
string[] myArray = new string[1];
{ } // do something evil here
if (s.GetType() == typeof(int))
{
Console.WriteLine("This should not happen!");
}
Console.ReadLine();
}
Is there any way to get This should not happen to write? One would assume not. However, it can be done with the debugger: Put a breakpoint into the line { } // do something evil here and execute the following commands in the Immediate Window before continuing:
((object[])myArray)[0] = 99;
s = myArray[0];
Execution continues and This should not happen will be printed. Tested with Visual Studio 2008; here is a screenshot:
Is this kind of trickery only possible with the debugger or is there some way to do such an "unsafe assignment" in code?
(Obviously, I ask only out of scientific curiosity. This question and the related comments made me ask this question.)
回答1:
One technique is using LayoutKind.Explicit to implement a union which can be used to reinterpret cast an arbitrary object to string. First box an int, then assign it to the object field of the union and then read out the string field.
[StructLayout(LayoutKind.Explicit)]
public struct Evil
{
[FieldOffset(0)]
public string s;
[FieldOffset(0)]
public object o;
}
string ReinterpretCastToString(object o)
{
Evil evil=new Evil();
evil.o=o;
return evil.s;
}
void Main()
{
string s = ReinterpretCastToString(1);
if (s.GetType() == typeof(int))
{
Console.WriteLine("This should not happen!");
}
}
This is most likely undefined behavior that may stop working at any time. Obviously you shouldn't use this in a real program.
来源:https://stackoverflow.com/questions/17641734/bypassing-cs-type-safeguards-and-storing-an-integer-in-a-string