AI-generated audit finding — this issue was opened from an automated security/correctness audit. It has not been triaged by a human yet; verify the reasoning, reproducibility, and severity before acting on it.
Medium: malformed or version-skewed service interfaces can crash the generator instead of producing diagnostics — CONFIRMED
Affected code:
Verification:
Confirmed. In release builds Debug.Assert is a no-op and the null-forgiving ! operator doesn't add a runtime check. For example:
- A hand-written
[RpcMethod("Op")] on a parameterless method triggers IndexOutOfRangeException at ProtobufServiceMethod.cs:56 (method.Parameters[0]).
- A Slice/Ice interface that doesn't have the generator-produced nested
Request class triggers NullReferenceException at SliceServiceMethod.cs:234 / IceServiceMethod.cs:186.
- A version-skewed attribute with a different constructor argument count hits the
items.Length == 1 assert and then crashes on the index access at line 51.
Each crash propagates out of the generator and manifests as an opaque "source generator threw" MSBuild failure, not an actionable C# diagnostic.
Impact:
- Build breaks for hand-authored service interfaces or under package-version skew with no clear diagnostic.
- Developer experience degrades sharply when the code almost matches the expected IDL shape.
Recommendation:
- Replace
Debug.Assert and naked casts with explicit validation; on shape mismatch emit a Diagnostic with an IceRPC-specific descriptor and return early (the factory should return false or the parser should skip the offending class).
- Add a
DiagnosticDescriptors entry for each shape mismatch so users see a targeted message.
Status: Valid, Medium severity.
Source report: src-IceRpc.ServiceGenerator-audit-2026-04-14.md (finding malformed or version-skewed service interfaces can crash the generator instead of producing diagnostics — **CONFIRMED**)
Severity (auditor-assigned): Medium
Medium: malformed or version-skewed service interfaces can crash the generator instead of producing diagnostics — CONFIRMED
Affected code:
Debug.Assert(items.Length == 1);method.Parameters[0].Type;Debug.Assert(genericType.TypeArguments.Length == 1); unchecked(INamedTypeSymbol)method.ReturnTypecastrequestClass?.GetMembers()…FirstOrDefaultreturnsnull;Debug.Assert(decodeArgsMethod is not null);decodeArgsMethod!.ReturnTypewith null-forgiving operatorVerification:
Confirmed. In release builds
Debug.Assertis a no-op and the null-forgiving!operator doesn't add a runtime check. For example:[RpcMethod("Op")]on a parameterless method triggersIndexOutOfRangeExceptionat ProtobufServiceMethod.cs:56 (method.Parameters[0]).Requestclass triggersNullReferenceExceptionat SliceServiceMethod.cs:234 / IceServiceMethod.cs:186.items.Length == 1assert and then crashes on the index access at line 51.Each crash propagates out of the generator and manifests as an opaque "source generator threw" MSBuild failure, not an actionable C# diagnostic.
Impact:
Recommendation:
Debug.Assertand naked casts with explicit validation; on shape mismatch emit aDiagnosticwith an IceRPC-specific descriptor and return early (the factory should returnfalseor the parser should skip the offending class).DiagnosticDescriptorsentry for each shape mismatch so users see a targeted message.Status: Valid, Medium severity.
Source report: src-IceRpc.ServiceGenerator-audit-2026-04-14.md (finding
malformed or version-skewed service interfaces can crash the generator instead of producing diagnostics — **CONFIRMED**)Severity (auditor-assigned): Medium