Warning: this is just an exercise for those who enjoy breaking things to learn how they work. I am exploring the limits of what can be done in C#, and wrote a ForceCast() function that performs a brute-force cast without any type checking. Don't even think about using this in production code.
I wrote a class named Original and a struct named LikeOriginal, each with two integer fields. In Main(), I create a new variable named orig and set it to a new instance of Original with a=7 and b=20. When orig is cast to LikeOriginal and stored in casted, the values of cG and dG become undefined, which is to be expected, since LikeOriginal is a struct and a class instance contains more metadata than the struct instance, leading to a memory layout mismatch.
Sample output:
Casted Original to LikeOriginal
1300246376, 542
1300246376, 542
added 3
Casted LikeOriginal back to Original
1300246379, 545
But note that when I call casted.Add(3), cast back to Original and print the values of a and b, surprisingly they have been successfully incremented by 3, and this is repeatable. What confuses me is that casting the class to the struct makes cG and dG map onto the class metadata, yet when they are modified and cast back to the class, they map correctly onto a and b. Why is this?
Code used:
using System;
using System.Runtime.InteropServices;

namespace BreakingStuff {
    public class Original {
        public int a, b;

        public Original(int a, int b)
        {
            this.a = a;
            this.b = b;
        }

        public void Add(int val)
        {
        }
    }

    public struct LikeOriginal {
        public int cG, dG;

        public override string ToString() {
            return cG + ", " + dG;
        }

        public void Add(int val) {
            cG += val;
            dG += val;
        }
    }

    public static class Program {
        public unsafe static void Main() {
            Original orig = new Original(7, 20);
            LikeOriginal casted = ForceCast<Original, LikeOriginal>(orig);
            Console.WriteLine("Casted Original to LikeOriginal");
            Console.WriteLine(casted.cG + ", " + casted.dG);
            Console.WriteLine(casted.ToString());
            casted.Add(3);
            Console.WriteLine("added 3");
            orig = ForceCast<LikeOriginal, Original>(casted);
            Console.WriteLine("Casted LikeOriginal back to Original");
            Console.WriteLine(orig.a + ", " + orig.b);
            Console.ReadLine();
        }

        // performs a pointer cast, assuming the same memory layout.
        private static unsafe TOut ForceCast<TIn, TOut>(this TIn input) {
            GCHandle handle = GCHandle.Alloc(input);
            TOut result = Read<TOut>(GCHandle.ToIntPtr(handle));
            handle.Free();
            return result;
        }

        // overwrites the address stored in a TypedReference and reads a T from it.
        private static unsafe T Read<T>(this IntPtr address) {
            T obj = default(T);
            if (address == IntPtr.Zero)
                return obj;
            TypedReference tr = __makeref(obj);
            *(IntPtr*) (&tr) = address;
            return __refvalue(tr, T);
        }
    }
}
Best answer

Edit: long story short: first create a ForceCast function that correctly handles the identity casts ForceCast<LikeOriginal, LikeOriginal> and ForceCast<Original, Original>, and then you have a chance of getting the actual casts to work.

Working sample

By using Nullable<T> as an intermediate layer for structs, and providing separate code for class -> class (CC), class -> struct (CS), struct -> class (SC) and struct -> struct (SS), I got a working sample:
// class -> class
private static unsafe TOut ForceCastCC<TIn, TOut>(TIn input)
    where TIn : class
    where TOut : class
{
    var handle = __makeref(input);
    return Read<TOut>(*(IntPtr*)(&handle));
}

// struct -> struct, require nullable types for in-out
private static unsafe TOut? ForceCastSS<TIn, TOut>(TIn? input)
    where TIn : struct
    where TOut : struct
{
    var handle = __makeref(input);
    return Read<TOut?>(*(IntPtr*)(&handle));
}

// class -> struct
private static unsafe TOut? ForceCastCS<TIn, TOut>(TIn input)
    where TIn : class
    where TOut : struct
{
    var handle = __makeref(input);
    // one extra de-reference of the input pointer
    return Read<TOut?>(*(IntPtr*)*(IntPtr*)(&handle));
}

// struct -> class
private static unsafe TOut ForceCastSC<TIn, TOut>(TIn? input)
    where TIn : struct
    where TOut : class
{
    // get a real pointer to the struct, so it can be turned into a reference type
    var handle = GCHandle.Alloc(input);
    var result = Read<TOut>(GCHandle.ToIntPtr(handle));
    handle.Free();
    return result;
}
Now use the appropriate function in the sample and handle the nullable types as the compiler demands:
Original orig = new Original(7, 20);
LikeOriginal casted = ForceCastCS<Original, LikeOriginal>(orig) ?? default(LikeOriginal);
Console.WriteLine("Casted Original to LikeOriginal");
Console.WriteLine(casted.cG + ", " + casted.dG);
Console.WriteLine(casted.ToString());
casted.Add(3);
Console.WriteLine("added 3");
orig = ForceCastSC<LikeOriginal, Original>(casted);
Console.WriteLine("Casted LikeOriginal back to Original");
Console.WriteLine(orig.a + ", " + orig.b);
Console.ReadLine();
For me this returns the correct numbers at every point.

Details

Some details:

Basically, your problem is that you are treating value types as reference types...

First, let's look at the working case:
LikeOriginal -> Original:

    var h1 = GCHandle.Alloc(likeOriginal);
    var ptr1 = GCHandle.ToIntPtr(h1);

This creates a pointer to the memory area of LikeOriginal (Edit: actually not exactly that memory area, see below).

    var obj1 = default(Original);
    TypedReference t1 = __makeref(obj1);
    *(IntPtr*)(&t1) = ptr1;

This creates a reference (pointer) to an Original using the value of the pointer to LikeOriginal.

    var original = __refvalue( t1,Original);

This turns the typed reference into a managed reference pointing at the memory of LikeOriginal. All values of the starting likeOriginal object are preserved.

Now let's analyze some intermediate cases, which should work if your code works in both directions:

LikeOriginal -> LikeOriginal:

    var h2 = GCHandle.Alloc(likeOriginal);
    var ptr2 = GCHandle.ToIntPtr(h2);

Again we have a pointer to the memory area of LikeOriginal.

    var obj2 = default(LikeOriginal);
    TypedReference t2 = __makeref(obj2);

Now here is the first hint of a problem: __makeref(obj2) creates a reference to the LikeOriginal object itself, not to some separate area where a pointer is stored.

    *(IntPtr*)(&t2) = ptr2;

ptr2 is a pointer to some reference value.

    var likeOriginal2 = __refvalue( t2,LikeOriginal);

Here we get garbage, because t2 should be treated as a direct reference to the object's memory, not as a reference to some pointer memory.

Below is some test code I ran to better understand your approach and what goes wrong (some of it is structured, and in some parts I then tried a few other things):
Original o1 = new Original(111, 222);
LikeOriginal o2 = new LikeOriginal { cG = 333, dG = 444 };

// get handles to the objects themselves and to their individual properties
GCHandle h1 = GCHandle.Alloc(o1);
GCHandle h2 = GCHandle.Alloc(o1.a);
GCHandle h3 = GCHandle.Alloc(o1.b);
GCHandle h4 = GCHandle.Alloc(o2);
GCHandle h5 = GCHandle.Alloc(o2.cG);
GCHandle h6 = GCHandle.Alloc(o2.dG);

// get pointers from the handles, each pointer has an individual value
IntPtr i1 = GCHandle.ToIntPtr(h1);
IntPtr i2 = GCHandle.ToIntPtr(h2);
IntPtr i3 = GCHandle.ToIntPtr(h3);
IntPtr i4 = GCHandle.ToIntPtr(h4);
IntPtr i5 = GCHandle.ToIntPtr(h5);
IntPtr i6 = GCHandle.ToIntPtr(h6);

// get typed references for the objects and properties
TypedReference t1 = __makeref(o1);
TypedReference t2 = __makeref(o1.a);
TypedReference t3 = __makeref(o1.b);
TypedReference t4 = __makeref(o2);
TypedReference t5 = __makeref(o2.cG);
TypedReference t6 = __makeref(o2.dG);

// get the associated pointers
IntPtr j1 = *(IntPtr*)(&t1);
IntPtr j2 = *(IntPtr*)(&t2); // j1 != j2, because a class handle points to the pointer/reference memory
IntPtr j3 = *(IntPtr*)(&t3);
IntPtr j4 = *(IntPtr*)(&t4);
IntPtr j5 = *(IntPtr*)(&t5); // j4 == j5, because a struct handle points directly to the instance memory
IntPtr j6 = *(IntPtr*)(&t6);

// direct translate-back is working for all objects and properties
var r1 = __refvalue( t1,Original);
var r2 = __refvalue( t2,int);
var r3 = __refvalue( t3,int);
var r4 = __refvalue( t4,LikeOriginal);
var r5 = __refvalue( t5,int);
var r6 = __refvalue( t6,int);

// assigning the pointers that were inferred from the GCHandles
*(IntPtr*)(&t1) = i1;
*(IntPtr*)(&t2) = i2;
*(IntPtr*)(&t3) = i3;
*(IntPtr*)(&t4) = i4;
*(IntPtr*)(&t5) = i5;
*(IntPtr*)(&t6) = i6;

// translate back the changed references
var s1 = __refvalue( t1,Original); // Ok
// rest is garbage values!
var s2 = __refvalue( t2,int);
var s3 = __refvalue( t3,int);
var s4 = __refvalue( t4,LikeOriginal);
var s5 = __refvalue( t5,int);
var s6 = __refvalue( t6,int);

// a variation, primitively dereferencing the pointer to get to the actual memory
*(IntPtr*)(&t4) = *(IntPtr*)i4;
var s4_1 = __refvalue( t4,LikeOriginal); // partial result, getting { garbage, 333 } instead of { 333, 444 }

// prepare TypedReference for translation between Original and LikeOriginal
var obj1 = default(Original);
var obj2 = default(LikeOriginal);
TypedReference t7 = __makeref(obj1);
TypedReference t8 = __makeref(obj2);

// translate between Original and LikeOriginal
*(IntPtr*)(&t7) = i4; // From struct to class, the pointer acquired through GCHandle is appropriate
var s7 = __refvalue( t7,Original); // Ok
*(IntPtr*)(&t8) = *(IntPtr*)j1;
var s8 = __refvalue( t8,LikeOriginal); // Not Ok - Original has some value coming before its first member - getting { garbage, 111 } instead of { 111, 222 }
*(IntPtr*)(&t8) = j2;
var s9 = __refvalue( t8,LikeOriginal); // Ok by starting at the address of the first member
Conclusion: going through GCHandle -> IntPtr creates a pointer to a memory location one step before the first member, regardless of whether the starting point is a struct or a class. This leads to the situation where struct -> class or class -> class works, but class -> struct or struct -> struct does not. The only way I found to target a struct is to obtain a pointer to its first member (which, in the case of an input struct, equals the GCHandle of that struct without going through __makeref).