Windows Update KB2742616

by Remco 14. January 2013 07:53

A problem that I'm fairly certain almost every developer is familiar with: how do you maintain security in software that isn't hosted under the control of the company developing it?

A well-known solution to this problem is for the software to update itself automatically. The truly wonderful thing about this is that we don't need to stop and think about installing security fixes - they just get rolled out automatically. Every week, Microsoft releases a fresh barrage of automatic updates to solve critical issues and reported security problems. Most of us who work on a Microsoft operating system are comfortably oblivious to the changes our systems are happily gobbling up and installing ... at least, until something goes wrong.

Windows update KB2742616 has been quietly making its way out over the last few days to address an issue with code access security (CAS) in v3.5 of the .NET framework. The update fixes a vulnerability that allows an attacker to bypass CAS and potentially gain control of a system to which they are meant to have only restricted access.

Unfortunately, the update makes a very fundamental change to the way in which the JIT compiler handles the IL within the constructors of generic types.  After the update, certain IL sequences cause the application to throw InvalidProgramExceptions while attempting to JIT these constructor calls.

As far as I know, there isn't any way to create these IL sequences by using the C# compiler, so under normal circumstances there would be no problem here.  Unfortunately, NCrunch doesn't write MSIL using C#, so its performance analysis instrumentation causes it to bomb out due to these new constraints.

So anyway, if you've just started seeing your tests throwing InvalidProgramException out of the blue without any apparent reason, then don't worry - you're not crazy.  The following options are available to you:

1. Install NCrunch v1.44 (released specifically to solve this problem)

2. Turn off the 'Analyse line execution times' setting for all the v3.5 assemblies in your solution (though you'll lose inline hotspots and performance information if you do this)

3. Upgrade all your test projects to v4.0 of the .NET framework or higher (v4.0 and above use a different CAS model and aren't impacted by this update)

4. Find a way to uninstall KB2742616 (this will likely require a system restore; pain pills recommended)
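
To see which projects options 2 and 3 apply to, the PowerShell script below (an added example, not code from the original post or from NCrunch) reports whether KB2742616 is listed by `Get-HotFix` and lists the project files under a folder together with their declared target framework. The `$SolutionRoot` parameter and the function names are hypothetical, and treating every project below v4.0 as a candidate is an assumption based on option 3.

```powershell
# Added example: triage helper, not part of NCrunch or the original post.
param(
    [string]$SolutionRoot = '.',         # assumption: folder that holds your solution
    [string]$KbId = 'KB2742616'          # the update named in the post
)

function Get-TargetFrameworkVersion {
    param([string]$ProjectPath)
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($ProjectPath)
    # local-name() sidesteps the MSBuild XML namespace used by classic project files.
    $node = $xml.SelectSingleNode("//*[local-name()='TargetFrameworkVersion']")
    if ($node) { $node.InnerText.Trim() } else { $null }
}

function Test-BelowV4 {
    param([string]$FrameworkVersion)     # e.g. 'v3.5' or 'v4.0'
    $parsed = $null
    if ([version]::TryParse($FrameworkVersion.TrimStart('v'), [ref]$parsed)) {
        return $parsed -lt [version]'4.0'
    }
    return $null                         # not declared or unparseable: review by hand
}

# Get-HotFix reads Win32_QuickFixEngineering, which does not list every update,
# so "not listed" is a hint rather than proof that the update is absent.
$hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
if ($hotfix) {
    "$KbId is listed as installed"
} else {
    "$KbId is not listed by Get-HotFix"
}

Get-ChildItem -Path $SolutionRoot -Recurse -Include *.csproj, *.vbproj, *.fsproj |
    ForEach-Object {
        $tfv   = Get-TargetFrameworkVersion $_.FullName
        $shown = if ($tfv) { $tfv } else { '(not declared)' }
        [pscustomobject]@{
            Project         = $_.Name
            TargetFramework = $shown
            BelowV4         = Test-BelowV4 $tfv
        }
    } |
    Sort-Object Project |
    Format-Table -AutoSize
```

Projects shown with `BelowV4` set to `True` are the ones to upgrade or to exclude from line execution time analysis; a blank value means the file declares no `TargetFrameworkVersion` and needs a manual look.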


========= Important Update 

If you are experiencing problems with missing coverage markers after upgrading to v1.44, try downloading and installing the latest version from the download page.  I've just included a fix for an installer problem that was causing this issue.