Advisory: serializing/deserializing a CultureAwareComparer with .NET Framework 4.6+

Richard

August 13th, 2018

An issue with serializing/deserializing a CultureAwareComparer was discovered with .NET Framework 4.7.1. This issue was resolved earlier this year, with the May 2018 Preview of Quality Rollup. We recently learned that some applications, including Johnson Controls’ C-CURE 9000 Software, were negatively impacted by this change as this update requires all client and server workstations to be updated simultaneously with the appropriate Microsoft updates. The changes made to .NET Framework 4.7.1 were also integrated into .NET Framework 4.6 and later servicing releases. As a result, this advisory applies to .NET Framework 4.6 and later versions.

This advisory is provided so that developers can correctly diagnose this issue and be aware of our guidance. We will continue to update this issue and dotnet/announcements #81 as we have new information to share.

Guidance

This guidance only applies to customers that have experienced this issue.

We have released an update for .NET Framework 4.6 and later that resolves the issue. You must deploy the .NET Framework update for this issue to all .NET Framework 4.6+ machines that communicate via serialized objects. After doing that, cross-machine serialization will work as expected.

Please consult your software vendor to understand if this impacts the software you are using.

Technical Context

In the May 2018 Preview of Quality Rollup, we made a change to the internal type CultureAwareComparer to implement ISerializable. We made the change in order to address an issue with serializing/deserializing a CultureAwareComparer.

The issue reported was that a type that contains an instance of CultureAwareComparer was not able to correctly serialize and deserialize across different versions of the .NET Framework. There are a few types in .NET Framework that do this, the most commonly impacted one being the Dictionary<TKey, TValue> type.

The change to implement the ISerializable interface had unintended side effects when exchanging this type across different machines. We have had a small number of reports from customers who have been affected.

A common, but not the only, way of exchanging objects across machines is to use WCF in conjunction with a serializer, one of the common serializers being DataContractSerializer. The side effect of the change prevented data serialized on systems where the type implements ISerializable from deserializing correctly on systems where the type does NOT implement ISerializable. The opposite case is also true: systems where the type does not implement ISerializable will not correctly deserialize data from systems where the type does implement ISerializable.

We have an updated fix that we intend to release within the next month that will remove the implementation of the ISerializable interface on the type and use a different internal mechanism for ensuring the cross-version serialization continues to work as expected. This change addresses the break experienced with WCF.

Symptoms

An application that is affected by this issue will most likely crash when trying to deserialize an object. It may print or log an error message similar to the following one: