Use cached ManualResetEvent + CancelIoEx for safe sync-over-async IO

Copilot · adamsitnik · web-flow · commit 38cf5d030a6f · 2026-06-08T11:08:18.000Z
- Cache ManualResetEvent (not raw nint) in SafeFileHandle using Interlocked rent/return pattern
- Use public ManualResetEvent ctor, Reset() on reuse to ensure non-signaled state
- Use WaitOne() to respect SynchronizationContext
- When WaitOne throws, cancel pending IO with CancelIoEx + GetOverlappedResult(bWait:true) before freeing overlapped
- Add test demonstrating SynchronizationContext.Wait exception scenario

Co-authored-by: adamsitnik &lt;6011991+adamsitnik@users.noreply.github.com&gt;
diff --git a/src/libraries/System.Private.CoreLib/src/Microsoft/Win32/SafeHandles/SafeFileHandle.OverlappedValueTaskSource.Windows.cs b/src/libraries/System.Private.CoreLib/src/Microsoft/Win32/SafeHandles/SafeFileHandle.OverlappedValueTaskSource.Windows.cs
@@ -14,51 +14,36 @@ namespace Microsoft.Win32.SafeHandles
     public sealed partial class SafeFileHandle : SafeHandleZeroOrMinusOneIsInvalid
     {
         private OverlappedValueTaskSource? _reusableOverlappedValueTaskSource; // reusable OverlappedValueTaskSource that is currently NOT being used
-        private nint _reusableWaitHandle = -1; // reusable native event handle for sync-over-async I/O; -1 means empty
+        private ManualResetEvent? _reusableSyncWaitEvent; // reusable event for sync-over-async I/O
 
         // Rent the reusable OverlappedValueTaskSource, or create a new one to use if we couldn't get one (which
         // should only happen on first use or if the SafeFileHandle is being used concurrently).
         internal OverlappedValueTaskSource GetOverlappedValueTaskSource() =>
             Interlocked.Exchange(ref _reusableOverlappedValueTaskSource, null) ?? new OverlappedValueTaskSource(this);
 
-        internal nint RentSyncWaitHandle()
+        // Rent the reusable ManualResetEvent for sync-over-async I/O, or create a new one.
+        // The returned event is guaranteed to be in non-signaled state.
+        internal ManualResetEvent RentSyncWaitEvent()
         {
-            nint handle = Interlocked.Exchange(ref _reusableWaitHandle, -1);
-            if (handle != -1)
+            ManualResetEvent? mre = Interlocked.Exchange(ref _reusableSyncWaitEvent, null);
+            if (mre is not null)
             {
-                return handle;
+                mre.Reset();
+                return mre;
             }
 
-            using SafeWaitHandle safeHandle = Interop.Kernel32.CreateEventEx(
-                IntPtr.Zero,
-                null,
-                Interop.Kernel32.CREATE_EVENT_MANUAL_RESET,
-                (uint)(Interop.Kernel32.SYNCHRONIZE | Interop.Kernel32.EVENT_MODIFY_STATE));
-
-            if (safeHandle.IsInvalid)
-            {
-                throw Win32Marshal.GetExceptionForLastWin32Error();
-            }
-
-            handle = safeHandle.DangerousGetHandle();
-            safeHandle.SetHandleAsInvalid();
-
-            return handle;
+            return new ManualResetEvent(false);
         }
 
-        internal void ReturnSyncWaitHandle(nint waitHandle)
+        internal void ReturnSyncWaitEvent(ManualResetEvent waitEvent)
         {
-            if (Interlocked.CompareExchange(ref _reusableWaitHandle, waitHandle, -1) != -1)
+            if (Interlocked.CompareExchange(ref _reusableSyncWaitEvent, waitEvent, null) is not null)
             {
-                Interop.Kernel32.CloseHandle(waitHandle);
+                waitEvent.Dispose();
             }
             else if (IsClosed)
             {
-                nint h = Interlocked.Exchange(ref _reusableWaitHandle, -1);
-                if (h != -1)
-                {
-                    Interop.Kernel32.CloseHandle(h);
-                }
+                Interlocked.Exchange(ref _reusableSyncWaitEvent, null)?.Dispose();
             }
         }
 
@@ -67,12 +52,7 @@ protected override bool ReleaseHandle()
             bool result = Interop.Kernel32.CloseHandle(handle);
 
             Interlocked.Exchange(ref _reusableOverlappedValueTaskSource, null)?.Dispose();
-
-            nint waitHandle = Interlocked.Exchange(ref _reusableWaitHandle, -1);
-            if (waitHandle != -1)
-            {
-                Interop.Kernel32.CloseHandle(waitHandle);
-            }
+            Interlocked.Exchange(ref _reusableSyncWaitEvent, null)?.Dispose();
 
             return result;
         }
diff --git a/src/libraries/System.Private.CoreLib/src/System/IO/RandomAccess.Windows.cs b/src/libraries/System.Private.CoreLib/src/System/IO/RandomAccess.Windows.cs
@@ -67,12 +67,12 @@ _ when IsEndOfFile(errorCode, handle, fileOffset) => 0,
 
         private static unsafe int ReadSyncUsingAsyncHandle(SafeFileHandle handle, Span<byte> buffer, long fileOffset)
         {
-            IntPtr eventHandle = handle.RentSyncWaitHandle();
+            ManualResetEvent waitEvent = handle.RentSyncWaitEvent();
             NativeOverlapped* overlapped = null;
 
             try
             {
-                overlapped = AllocNativeOverlappedWithEventHandle(handle, fileOffset, eventHandle);
+                overlapped = AllocNativeOverlappedWithEventHandle(handle, fileOffset, waitEvent);
 
                 fixed (byte* pinned = &MemoryMarshal.GetReference(buffer))
                 {
@@ -81,8 +81,22 @@ private static unsafe int ReadSyncUsingAsyncHandle(SafeFileHandle handle, Span<b
                     int errorCode = FileStreamHelpers.GetLastWin32ErrorAndDisposeHandleIfInvalid(handle);
                     if (errorCode is Interop.Errors.ERROR_IO_PENDING or Interop.Errors.ERROR_SUCCESS)
                     {
+                        try
+                        {
+                            waitEvent.WaitOne();
+                        }
+                        catch
+                        {
+                            // WaitOne can throw arbitrary exceptions (e.g., via SynchronizationContext).
+                            // Cancel the pending IO and wait for completion before freeing the overlapped.
+                            Interop.Kernel32.CancelIoEx(handle, overlapped);
+                            int canceledBytes = 0;
+                            Interop.Kernel32.GetOverlappedResult(handle, overlapped, ref canceledBytes, bWait: true);
+                            throw;
+                        }
+
                         int result = 0;
-                        if (Interop.Kernel32.GetOverlappedResult(handle, overlapped, ref result, bWait: true))
+                        if (Interop.Kernel32.GetOverlappedResult(handle, overlapped, ref result, bWait: false))
                         {
                             Debug.Assert(result >= 0 && result <= buffer.Length, $"GetOverlappedResult returned {result} for {buffer.Length} bytes request");
                             return result;
@@ -106,7 +120,7 @@ private static unsafe int ReadSyncUsingAsyncHandle(SafeFileHandle handle, Span<b
                     NativeMemory.Free(overlapped);
                 }
 
-                handle.ReturnSyncWaitHandle(eventHandle);
+                handle.ReturnSyncWaitEvent(waitEvent);
             }
         }
 
@@ -144,12 +158,12 @@ private static unsafe void WriteSyncUsingAsyncHandle(SafeFileHandle handle, Read
                 return;
             }
 
-            IntPtr eventHandle = handle.RentSyncWaitHandle();
+            ManualResetEvent waitEvent = handle.RentSyncWaitEvent();
             NativeOverlapped* overlapped = null;
 
             try
             {
-                overlapped = AllocNativeOverlappedWithEventHandle(handle, fileOffset, eventHandle);
+                overlapped = AllocNativeOverlappedWithEventHandle(handle, fileOffset, waitEvent);
 
                 fixed (byte* pinned = &MemoryMarshal.GetReference(buffer))
                 {
@@ -158,8 +172,22 @@ private static unsafe void WriteSyncUsingAsyncHandle(SafeFileHandle handle, Read
                     int errorCode = FileStreamHelpers.GetLastWin32ErrorAndDisposeHandleIfInvalid(handle);
                     if (errorCode is Interop.Errors.ERROR_IO_PENDING or Interop.Errors.ERROR_SUCCESS)
                     {
+                        try
+                        {
+                            waitEvent.WaitOne();
+                        }
+                        catch
+                        {
+                            // WaitOne can throw arbitrary exceptions (e.g., via SynchronizationContext).
+                            // Cancel the pending IO and wait for completion before freeing the overlapped.
+                            Interop.Kernel32.CancelIoEx(handle, overlapped);
+                            int canceledBytes = 0;
+                            Interop.Kernel32.GetOverlappedResult(handle, overlapped, ref canceledBytes, bWait: true);
+                            throw;
+                        }
+
                         int result = 0;
-                        if (Interop.Kernel32.GetOverlappedResult(handle, overlapped, ref result, bWait: true))
+                        if (Interop.Kernel32.GetOverlappedResult(handle, overlapped, ref result, bWait: false))
                         {
                             Debug.Assert(result == buffer.Length, $"GetOverlappedResult returned {result} for {buffer.Length} bytes request");
                             return;
@@ -186,7 +214,7 @@ private static unsafe void WriteSyncUsingAsyncHandle(SafeFileHandle handle, Read
                     NativeMemory.Free(overlapped);
                 }
 
-                handle.ReturnSyncWaitHandle(eventHandle);
+                handle.ReturnSyncWaitEvent(waitEvent);
             }
         }
 
@@ -686,7 +714,7 @@ private static async ValueTask WriteGatherAtOffsetMultipleSyscallsAsync(SafeFile
             }
         }
 
-        private static unsafe NativeOverlapped* AllocNativeOverlappedWithEventHandle(SafeFileHandle handle, long fileOffset, IntPtr eventHandle)
+        private static unsafe NativeOverlapped* AllocNativeOverlappedWithEventHandle(SafeFileHandle handle, long fileOffset, EventWaitHandle waitHandle)
         {
             NativeOverlapped* result = (NativeOverlapped*)NativeMemory.AllocZeroed((nuint)sizeof(NativeOverlapped));
 
@@ -707,7 +735,7 @@ private static async ValueTask WriteGatherAtOffsetMultipleSyscallsAsync(SafeFile
             // "If the file handle associated with the completion packet was previously associated with an I/O completion port
             // [...] setting the low-order bit of hEvent in the OVERLAPPED structure prevents the I/O completion
             // from being queued to a completion port."
-            result->EventHandle = eventHandle | 1;
+            result->EventHandle = waitHandle.SafeWaitHandle.DangerousGetHandle() | 1;
 
             return result;
         }
diff --git a/src/libraries/System.Runtime/tests/System.IO.FileSystem.Tests/RandomAccess/Mixed.Windows.cs b/src/libraries/System.Runtime/tests/System.IO.FileSystem.Tests/RandomAccess/Mixed.Windows.cs
@@ -3,6 +3,7 @@
 
 using System.Collections.Generic;
 using System.Runtime.InteropServices;
+using System.Threading;
 using System.Threading.Tasks;
 using Microsoft.Win32.SafeHandles;
 using Xunit;
@@ -143,5 +144,46 @@ static async Task Validate(SafeFileHandle handle, FileOptions options, bool[] sy
                 }
             }
         }
+
+        [Fact]
+        public void SyncIOOnAsyncHandle_DoesNotCorruptMemory_WhenSynchronizationContextThrows()
+        {
+            // This test verifies that when WaitOne() throws via SynchronizationContext,
+            // the pending IO is properly canceled before freeing the NativeOverlapped,
+            // preventing use-after-free / heap corruption.
+            string filePath = GetTestFilePath();
+            File.WriteAllBytes(filePath, new byte[1024]);
+
+            SynchronizationContext previous = SynchronizationContext.Current;
+            try
+            {
+                var throwingContext = new ThrowingSynchronizationContext();
+                SynchronizationContext.SetSynchronizationContext(throwingContext);
+
+                using SafeFileHandle handle = File.OpenHandle(filePath, FileMode.Open, FileAccess.Read, options: FileOptions.Asynchronous);
+
+                byte[] buffer = new byte[512];
+
+                // The ThrowingSynchronizationContext.Wait throws, which should be caught
+                // and the IO should be canceled gracefully.
+                Assert.Throws<InvalidOperationException>(() => RandomAccess.Read(handle, buffer, 0));
+            }
+            finally
+            {
+                SynchronizationContext.SetSynchronizationContext(previous);
+            }
+        }
+
+        /// <summary>
+        /// A SynchronizationContext that throws from Wait to simulate the scenario
+        /// where WaitOne() can throw arbitrary exceptions via user code.
+        /// </summary>
+        private sealed class ThrowingSynchronizationContext : SynchronizationContext
+        {
+            public override int Wait(IntPtr[] waitHandles, bool waitAll, int millisecondsTimeout)
+            {
+                throw new InvalidOperationException("SynchronizationContext.Wait threw an exception");
+            }
+        }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -67,12 +67,12 @@ _ when IsEndOfFile(errorCode, handle, fileOffset) => 0,`
`67`	`67`
`68`	`68`	`private static unsafe int ReadSyncUsingAsyncHandle(SafeFileHandle handle, Span<byte> buffer, long fileOffset)`
`69`	`69`	`{`
`70`		`- IntPtr eventHandle = handle.RentSyncWaitHandle();`
	`70`	`+ ManualResetEvent waitEvent = handle.RentSyncWaitEvent();`
`71`	`71`	`NativeOverlapped* overlapped = null;`
`72`	`72`
`73`	`73`	`try`
`74`	`74`	`{`
`75`		`- overlapped = AllocNativeOverlappedWithEventHandle(handle, fileOffset, eventHandle);`
	`75`	`+ overlapped = AllocNativeOverlappedWithEventHandle(handle, fileOffset, waitEvent);`
`76`	`76`
`77`	`77`	`fixed (byte* pinned = &MemoryMarshal.GetReference(buffer))`
`78`	`78`	`{`
`@@ -81,8 +81,22 @@ private static unsafe int ReadSyncUsingAsyncHandle(SafeFileHandle handle, Span<b`
`81`	`81`	`int errorCode = FileStreamHelpers.GetLastWin32ErrorAndDisposeHandleIfInvalid(handle);`
`82`	`82`	`if (errorCode is Interop.Errors.ERROR_IO_PENDING or Interop.Errors.ERROR_SUCCESS)`
`83`	`83`	`{`
	`84`	`+ try`
	`85`	`+ {`
	`86`	`+ waitEvent.WaitOne();`
	`87`	`+ }`
	`88`	`+ catch`
	`89`	`+ {`
	`90`	`+ // WaitOne can throw arbitrary exceptions (e.g., via SynchronizationContext).`
	`91`	`+ // Cancel the pending IO and wait for completion before freeing the overlapped.`
	`92`	`+ Interop.Kernel32.CancelIoEx(handle, overlapped);`
	`93`	`+ int canceledBytes = 0;`
	`94`	`+ Interop.Kernel32.GetOverlappedResult(handle, overlapped, ref canceledBytes, bWait: true);`
	`95`	`+ throw;`
	`96`	`+ }`
	`97`	`+`
`84`	`98`	`int result = 0;`
`85`		`- if (Interop.Kernel32.GetOverlappedResult(handle, overlapped, ref result, bWait: true))`
	`99`	`+ if (Interop.Kernel32.GetOverlappedResult(handle, overlapped, ref result, bWait: false))`
`86`	`100`	`{`
`87`	`101`	`Debug.Assert(result >= 0 && result <= buffer.Length, $"GetOverlappedResult returned {result} for {buffer.Length} bytes request");`
`88`	`102`	`return result;`
`@@ -106,7 +120,7 @@ private static unsafe int ReadSyncUsingAsyncHandle(SafeFileHandle handle, Span<b`
`106`	`120`	`NativeMemory.Free(overlapped);`
`107`	`121`	`}`
`108`	`122`
`109`		`- handle.ReturnSyncWaitHandle(eventHandle);`
	`123`	`+ handle.ReturnSyncWaitEvent(waitEvent);`
`110`	`124`	`}`
`111`	`125`	`}`
`112`	`126`
`@@ -144,12 +158,12 @@ private static unsafe void WriteSyncUsingAsyncHandle(SafeFileHandle handle, Read`
`144`	`158`	`return;`
`145`	`159`	`}`
`146`	`160`
`147`		`- IntPtr eventHandle = handle.RentSyncWaitHandle();`
	`161`	`+ ManualResetEvent waitEvent = handle.RentSyncWaitEvent();`
`148`	`162`	`NativeOverlapped* overlapped = null;`
`149`	`163`
`150`	`164`	`try`
`151`	`165`	`{`
`152`		`- overlapped = AllocNativeOverlappedWithEventHandle(handle, fileOffset, eventHandle);`
	`166`	`+ overlapped = AllocNativeOverlappedWithEventHandle(handle, fileOffset, waitEvent);`
`153`	`167`
`154`	`168`	`fixed (byte* pinned = &MemoryMarshal.GetReference(buffer))`
`155`	`169`	`{`
`@@ -158,8 +172,22 @@ private static unsafe void WriteSyncUsingAsyncHandle(SafeFileHandle handle, Read`
`158`	`172`	`int errorCode = FileStreamHelpers.GetLastWin32ErrorAndDisposeHandleIfInvalid(handle);`
`159`	`173`	`if (errorCode is Interop.Errors.ERROR_IO_PENDING or Interop.Errors.ERROR_SUCCESS)`
`160`	`174`	`{`
	`175`	`+ try`
	`176`	`+ {`
	`177`	`+ waitEvent.WaitOne();`
	`178`	`+ }`
	`179`	`+ catch`
	`180`	`+ {`
	`181`	`+ // WaitOne can throw arbitrary exceptions (e.g., via SynchronizationContext).`
	`182`	`+ // Cancel the pending IO and wait for completion before freeing the overlapped.`
	`183`	`+ Interop.Kernel32.CancelIoEx(handle, overlapped);`
	`184`	`+ int canceledBytes = 0;`
	`185`	`+ Interop.Kernel32.GetOverlappedResult(handle, overlapped, ref canceledBytes, bWait: true);`
	`186`	`+ throw;`
	`187`	`+ }`
	`188`	`+`
`161`	`189`	`int result = 0;`
`162`		`- if (Interop.Kernel32.GetOverlappedResult(handle, overlapped, ref result, bWait: true))`
	`190`	`+ if (Interop.Kernel32.GetOverlappedResult(handle, overlapped, ref result, bWait: false))`
`163`	`191`	`{`
`164`	`192`	`Debug.Assert(result == buffer.Length, $"GetOverlappedResult returned {result} for {buffer.Length} bytes request");`
`165`	`193`	`return;`
`@@ -186,7 +214,7 @@ private static unsafe void WriteSyncUsingAsyncHandle(SafeFileHandle handle, Read`
`186`	`214`	`NativeMemory.Free(overlapped);`
`187`	`215`	`}`
`188`	`216`
`189`		`- handle.ReturnSyncWaitHandle(eventHandle);`
	`217`	`+ handle.ReturnSyncWaitEvent(waitEvent);`
`190`	`218`	`}`
`191`	`219`	`}`
`192`	`220`
`@@ -686,7 +714,7 @@ private static async ValueTask WriteGatherAtOffsetMultipleSyscallsAsync(SafeFile`
`686`	`714`	`}`
`687`	`715`	`}`
`688`	`716`
`689`		`- private static unsafe NativeOverlapped* AllocNativeOverlappedWithEventHandle(SafeFileHandle handle, long fileOffset, IntPtr eventHandle)`
	`717`	`+ private static unsafe NativeOverlapped* AllocNativeOverlappedWithEventHandle(SafeFileHandle handle, long fileOffset, EventWaitHandle waitHandle)`
`690`	`718`	`{`
`691`	`719`	`NativeOverlapped* result = (NativeOverlapped*)NativeMemory.AllocZeroed((nuint)sizeof(NativeOverlapped));`
`692`	`720`
`@@ -707,7 +735,7 @@ private static async ValueTask WriteGatherAtOffsetMultipleSyscallsAsync(SafeFile`
`707`	`735`	`// "If the file handle associated with the completion packet was previously associated with an I/O completion port`
`708`	`736`	`// [...] setting the low-order bit of hEvent in the OVERLAPPED structure prevents the I/O completion`
`709`	`737`	`// from being queued to a completion port."`
`710`		`- result->EventHandle = eventHandle \| 1;`
	`738`	`+ result->EventHandle = waitHandle.SafeWaitHandle.DangerousGetHandle() \| 1;`
`711`	`739`
`712`	`740`	`return result;`
`713`	`741`	`}`