I encountered a, at least to my expectations, strange behavior in the binary serialization of .NET.
All items of a Dictionary
that are loaded are added to their parent AFTER the OnDeserialization
callback. In contrast List
does the other way. This can be really annoying in real world repository code, for example when you need to add some delegates to dictionary items. Please check the example code and watch the asserts.
Is it normal behaviour?
[Serializable]
public class Data : IDeserializationCallback
{
public List<string> List { get; set; }
public Dictionary<string, string> Dictionary { get; set; }
public Data()
{
Dictionary = new Dictionary<string, string> { { "hello", "hello" }, { "CU", "CU" } };
List = new List<string> { "hello", "CU" };
}
public static Data Load(string filename)
{
using (Stream stream = File.OpenRead(filename))
{
Data result = (Data)new BinaryFormatter().Deserialize(stream);
TestsLengthsOfDataStructures(result);
return result;
}
}
public void Save(string fileName)
{
using (Stream stream = File.Create(fileName))
{
new BinaryFormatter().Serialize(stream, this);
}
}
public void OnDeserialization(object sender)
{
TestsLengthsOfDataStructures(this);
}
private static void TestsLengthsOfDataStructures(Data data)
{
Debug.Assert(data.List.Count == 2, "List");
Debug.Assert(data.Dictionary.Count == 2, "Dictionary");
}
}
BinaryFormatter uses violates 2.), which is a huge security risk because it makes possible to run any code.
The BinaryFormatter type is dangerous and is not recommended for data processing. Applications should stop using BinaryFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. BinaryFormatter is insecure and can't be made secure.
The class BinaryFormatter in C# performs the actions of “serialization” and “deserialization” of binary data. It takes simple data structures such as integers (int), decimal numbers (float), and collections of letters and numbers (string) and can convert them into a binary format.
Yes, you've discovered an annoying quirk in Dictionary<TKey, TValue>
deserialization. You can get around it by manually calling the dictionary's OnDeserialization()
method:
public void OnDeserialization(object sender)
{
Dictionary.OnDeserialization(this);
TestsLengthsOfDataStructures(this);
}
Incidentally, you can also use the [OnDeserialized]
attribute rather than IDeserializationCallback
:
[OnDeserialized]
public void OnDeserialization(StreamingContext context)
{
Dictionary.OnDeserialization(this);
TestsLengthsOfDataStructures(this);
}
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With