Solution for system. Security. verificationexception in code coverage tests on ASP. NET websites

When youASP. Network 4.0Website executionCodeDuring coverage testing, the following exception may occur:

System. Security. verificationexception: Operation cocould destabilize the runtime.

generally, verificiationexception all about code access security ( CAS ), . net before executing the managed code, the managed strong signature of the Program , determine the permissions that the managed program should possess by determining its source. For example, if the hosting program is signed by Microsoft, we certainly trust it-unless you do not need to Windows operating system. The host administrator can also determine the permissions that the Host Program should have based on the host program source. For example, operations such as reading disk files and operating the registry can be configured. For example, the administrator can set it on the machine by 360 and QQ the released hosting program can only access the video card (drawing interface) and read/write network, but cannot access disk files or other operations.

the prerequisite for code security is, the entire program is completely written by the hosted code. If the hosted code contains a mix of unmanaged code, either by hosting C ++ , or the platform call ( P/invoke ). The rule is broken, because the unmanaged code can use pointer operations and call other methods of unmanaged code, or even-start a process and then kill the original hosted program. Therefore, the prerequisite for secure code access is that the entire application is written using managed code. To ensure this, CLR before running a hosted program, first, it will verify if the program meets-the entire program is written with managed code. If this condition is not met, CLR verificationexception , interrupt the execution of the managed program, in . net SDK , you can use peverify.exe This program verifies whether a program can pass this verification.

 

Of course, you may say that even if many hosting programs run on the local machine call unmanaged code, such as executing a platform call, they can still be executed as usual. That's because when your program uses/UnsafeWhen compiling options,C #The compiler automatically addsSuppressunmanagedcodesecurityattributeThis property tellsCLR. If the program is executed on the local machine, skip the process of verifying whether the unmanaged code is called. Interested readers can put the hosting program that calls the unmanaged code on a network path and execute it from there, you can seeSecurityexception.

 

Back ASP. NET Website, when you ASP. NET Website accessories ( Assembly ) Use Vsinstr.exe Create an assembly that can collect code coverage ( Assembly , Vsinstr.exe In fact ( Assembly ) Il Code, added a lot of code to collect code coverage. For more information about this process, see my previousArticle: Automated Software Testing- Code coverage . One important step in the code is to contact the local machine to run Vsperfmon.exe , Vsperfmon.exe It is used to collect the code coverage rate on the entire machine. If you don't know what you want, contact the local machine to run it. Vsperfmon.exe The process is through unmanaged API Implementation, which means Vsinstr.exe Generated Accessories ( Assembly ), You must call the unmanaged code. CLR .

 

You may not encounter this problem in 2.0, but in 4.0, you may encounter this problem frequently, especially when the website runs under IIS.

 

Now that the truth is clear, it is easy to fix it:

1. Install the website and all the accessories that require code coverage ( Assembly )-That is Vsinstr.exe Processed accessories ( Assembly ), In theirSource code(Since you want to collect code coverage, it must be from the source code .) Assemblyinfo. CS Add the following line

 

[Assembly: securityrules (securityruleset. level1, skipverificationinfulltrust = true)]

 

1. ThenWeb. config(This option can also be modified throughIisadmin.exeModify ):

 

<System. Web>

<Trust level = "medium"/>

 

...

</System. Web>

 

Description, Securityrules This property tells CLR , This Assembly ( Assembly ) There is a custom security mechanism, Securityruleset. level1 Description used . NET 2.0 The following Security Authentication Policy, Skipverificationinfulltrust Tell CLR Only websites running on Fulltrust To skip security verification. The second step is to change the website running mode Fulltrust Mode.