Implement IDisposable on VirtualizationInstance to prevent zombie processes

miniksa · miniksa · commit 0db583735850 · 2026-03-06T21:22:06.000-08:00
VirtualizationInstance holds native ProjFS handles (PRJ_NAMESPACE_VIRTUALIZATION_CONTEXT)
and GCHandles that must be released when the instance is no longer needed. Previously,
StopVirtualizing() had to be called explicitly — if the process crashed or exited without
calling it, ProjFS kept the virtualization root alive, creating zombie processes.

Changes:
- IVirtualizationInstance now extends IDisposable
- VirtualizationInstance implements full dispose pattern:
  - Dispose() calls PrjStopVirtualizing, frees GCHandles, frees
    Marshal.StringToHGlobalUni notification strings
  - Finalizer ~VirtualizationInstance() as safety net
  - StopVirtualizing() calls Dispose() for backward compat (Stream.Close pattern)
  - Thread-safe: _disposed flag prevents double-free
  - All public methods throw ObjectDisposedException after disposal
- Fixed memory leak: _notificationRootStrings and _notificationMappingsHandle
  were never freed in StopVirtualizing
- Enabled .NET analyzers (CA1001/CA2213 would have caught this)
- Added 8 unit tests for disposal mechanics (all pass without ProjFS feature)

Version bumped to 2.1.0 (breaking: IVirtualizationInstance now requires Dispose)
diff --git a/Directory.Build.props b/Directory.Build.props
@@ -1,9 +1,11 @@
 <Project>
 
   <PropertyGroup>
-    <ProjFSManagedVersion>2.0.0</ProjFSManagedVersion>
+    <ProjFSManagedVersion>2.1.0</ProjFSManagedVersion>
     <LangVersion>latest</LangVersion>
     <Nullable>enable</Nullable>
+    <EnableNETAnalyzers>true</EnableNETAnalyzers>
+    <AnalysisLevel>latest-recommended</AnalysisLevel>
   </PropertyGroup>
 
 </Project>
diff --git a/ProjectedFSLib.Managed.Test/DisposeTests.cs b/ProjectedFSLib.Managed.Test/DisposeTests.cs
@@ -0,0 +1,156 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+
+using Microsoft.Windows.ProjFS;
+using NUnit.Framework;
+using System;
+
+namespace ProjectedFSLib.Managed.Test
+{
+    /// <summary>
+    /// Tests for VirtualizationInstance IDisposable implementation.
+    /// These tests verify the dispose pattern mechanics without requiring
+    /// the ProjFS optional feature to be enabled on the machine.
+    /// </summary>
+    public class DisposeTests
+    {
+        [Test]
+        public void VirtualizationInstance_ImplementsIDisposable()
+        {
+            // VirtualizationInstance must implement IDisposable to prevent zombie processes.
+            var instance = new VirtualizationInstance(
+                "C:\\nonexistent",
+                poolThreadCount: 0,
+                concurrentThreadCount: 0,
+                enableNegativePathCache: false,
+                notificationMappings: new System.Collections.Generic.List<NotificationMapping>());
+
+            Assert.That(instance, Is.InstanceOf<IDisposable>());
+        }
+
+        [Test]
+        public void IVirtualizationInstance_ExtendsIDisposable()
+        {
+            // The interface itself must extend IDisposable so all implementations are required
+            // to support disposal.
+            Assert.That(typeof(IDisposable).IsAssignableFrom(typeof(IVirtualizationInstance)));
+        }
+
+        [Test]
+        public void Dispose_CanBeCalledMultipleTimes()
+        {
+            var instance = new VirtualizationInstance(
+                "C:\\nonexistent",
+                poolThreadCount: 0,
+                concurrentThreadCount: 0,
+                enableNegativePathCache: false,
+                notificationMappings: new System.Collections.Generic.List<NotificationMapping>());
+
+            // Should not throw on any call.
+            instance.Dispose();
+            instance.Dispose();
+            instance.Dispose();
+        }
+
+        [Test]
+        public void StopVirtualizing_CanBeCalledMultipleTimes()
+        {
+            var instance = new VirtualizationInstance(
+                "C:\\nonexistent",
+                poolThreadCount: 0,
+                concurrentThreadCount: 0,
+                enableNegativePathCache: false,
+                notificationMappings: new System.Collections.Generic.List<NotificationMapping>());
+
+            // Should not throw on any call.
+            instance.StopVirtualizing();
+            instance.StopVirtualizing();
+        }
+
+        [Test]
+        public void StopVirtualizing_ThenDispose_DoesNotThrow()
+        {
+            var instance = new VirtualizationInstance(
+                "C:\\nonexistent",
+                poolThreadCount: 0,
+                concurrentThreadCount: 0,
+                enableNegativePathCache: false,
+                notificationMappings: new System.Collections.Generic.List<NotificationMapping>());
+
+            instance.StopVirtualizing();
+            instance.Dispose();
+        }
+
+        [Test]
+        public void AfterDispose_MethodsThrowObjectDisposedException()
+        {
+            var instance = new VirtualizationInstance(
+                "C:\\nonexistent",
+                poolThreadCount: 0,
+                concurrentThreadCount: 0,
+                enableNegativePathCache: false,
+                notificationMappings: new System.Collections.Generic.List<NotificationMapping>());
+
+            instance.Dispose();
+
+            Assert.Throws<ObjectDisposedException>(() =>
+                instance.ClearNegativePathCache(out _));
+
+            Assert.Throws<ObjectDisposedException>(() =>
+                instance.DeleteFile("test.txt", UpdateType.AllowDirtyMetadata, out _));
+
+            Assert.Throws<ObjectDisposedException>(() =>
+                instance.WritePlaceholderInfo(
+                    "test.txt", DateTime.Now, DateTime.Now, DateTime.Now, DateTime.Now,
+                    System.IO.FileAttributes.Normal, 0, false, new byte[128], new byte[128]));
+
+            Assert.Throws<ObjectDisposedException>(() =>
+                instance.CreateWriteBuffer(4096));
+
+            Assert.Throws<ObjectDisposedException>(() =>
+                instance.CompleteCommand(0));
+
+            Assert.Throws<ObjectDisposedException>(() =>
+                instance.StartVirtualizing(null!));
+        }
+
+        [Test]
+        public void AfterStopVirtualizing_MethodsThrowObjectDisposedException()
+        {
+            var instance = new VirtualizationInstance(
+                "C:\\nonexistent",
+                poolThreadCount: 0,
+                concurrentThreadCount: 0,
+                enableNegativePathCache: false,
+                notificationMappings: new System.Collections.Generic.List<NotificationMapping>());
+
+            instance.StopVirtualizing();
+
+            // StopVirtualizing should have the same effect as Dispose.
+            Assert.Throws<ObjectDisposedException>(() =>
+                instance.ClearNegativePathCache(out _));
+
+            Assert.Throws<ObjectDisposedException>(() =>
+                instance.CreateWriteBuffer(4096));
+        }
+
+        [Test]
+        public void UsingStatement_DisposesAutomatically()
+        {
+            VirtualizationInstance instance;
+            using (instance = new VirtualizationInstance(
+                "C:\\nonexistent",
+                poolThreadCount: 0,
+                concurrentThreadCount: 0,
+                enableNegativePathCache: false,
+                notificationMappings: new System.Collections.Generic.List<NotificationMapping>()))
+            {
+                // Instance is alive here.
+            }
+
+            // After using block, instance should be disposed.
+            Assert.Throws<ObjectDisposedException>(() =>
+                instance.ClearNegativePathCache(out _));
+        }
+    }
+}
diff --git a/ProjectedFSLib.Managed/ProjFSLib.cs b/ProjectedFSLib.Managed/ProjFSLib.cs
@@ -128,7 +128,7 @@ public string NotificationRoot
 
         private static void ValidateNotificationRoot(string root)
         {
-            if (root == "." || (root != null && root.StartsWith(".\\")))
+            if (root == "." || (root != null && root.StartsWith(".\\", StringComparison.Ordinal)))
             {
                 throw new ArgumentException(
                     "notificationRoot cannot be \".\" or begin with \".\\\"");
@@ -216,7 +216,9 @@ public delegate bool NotifyPreCreateHardlinkCallback(
     // Interfaces
     public interface IWriteBuffer : IDisposable
     {
+#pragma warning disable CA1720 // Identifier contains type name — established public API, cannot rename
         IntPtr Pointer { get; }
+#pragma warning restore CA1720
         UnmanagedMemoryStream Stream { get; }
         long Length { get; }
     }
@@ -289,7 +291,7 @@ HResult GetFileDataCallback(
             string triggeringProcessImageFileName);
     }
 
-    public interface IVirtualizationInstance
+    public interface IVirtualizationInstance : IDisposable
     {
         /// <summary>Returns the virtualization instance GUID.</summary>
         Guid VirtualizationInstanceId { get; }
diff --git a/ProjectedFSLib.Managed/ProjFSNative.cs b/ProjectedFSLib.Managed/ProjFSNative.cs
@@ -30,8 +30,11 @@ internal static extern int PrjStartVirtualizing(
             ref PRJ_CALLBACKS callbacks,
             IntPtr instanceContext,
             ref PRJ_STARTVIRTUALIZING_OPTIONS options,
-            out IntPtr namespaceVirtualizationContext);
+            out SafeProjFsHandle namespaceVirtualizationContext);
 
+        // PrjStopVirtualizing takes raw IntPtr (not SafeProjFsHandle) because it is
+        // called from SafeProjFsHandle.ReleaseHandle(), where the SafeHandle is already
+        // closed and cannot be marshaled. All other ProjFS APIs use SafeProjFsHandle.
 #if NET7_0_OR_GREATER
         [LibraryImport(ProjFSLib)]
         internal static partial void PrjStopVirtualizing(IntPtr namespaceVirtualizationContext);
@@ -51,7 +54,7 @@ internal static partial int PrjWritePlaceholderInfo(
         [DllImport(ProjFSLib, CharSet = CharSet.Unicode, ExactSpelling = true)]
         internal static extern int PrjWritePlaceholderInfo(
 #endif
-            IntPtr namespaceVirtualizationContext,
+            SafeProjFsHandle namespaceVirtualizationContext,
             string destinationFileName,
             ref PRJ_PLACEHOLDER_INFO placeholderInfo,
             uint length);
@@ -63,7 +66,7 @@ internal static partial int PrjWritePlaceholderInfo2(
         [DllImport(ProjFSLib, CharSet = CharSet.Unicode, ExactSpelling = true)]
         internal static extern int PrjWritePlaceholderInfo2(
 #endif
-            IntPtr namespaceVirtualizationContext,
+            SafeProjFsHandle namespaceVirtualizationContext,
             string destinationFileName,
             ref PRJ_PLACEHOLDER_INFO placeholderInfo,
             uint placeholderInfoSize,
@@ -76,7 +79,7 @@ internal static partial int PrjWritePlaceholderInfo2Raw(
         [DllImport(ProjFSLib, CharSet = CharSet.Unicode, ExactSpelling = true, EntryPoint = "PrjWritePlaceholderInfo2")]
         internal static extern int PrjWritePlaceholderInfo2Raw(
 #endif
-            IntPtr namespaceVirtualizationContext,
+            SafeProjFsHandle namespaceVirtualizationContext,
             IntPtr destinationFileName,
             IntPtr placeholderInfo,
             uint placeholderInfoSize,
@@ -89,7 +92,7 @@ internal static partial int PrjUpdateFileIfNeeded(
         [DllImport(ProjFSLib, CharSet = CharSet.Unicode, ExactSpelling = true)]
         internal static extern int PrjUpdateFileIfNeeded(
 #endif
-            IntPtr namespaceVirtualizationContext,
+            SafeProjFsHandle namespaceVirtualizationContext,
             string destinationFileName,
             ref PRJ_PLACEHOLDER_INFO placeholderInfo,
             uint length,
@@ -103,7 +106,7 @@ internal static partial int PrjDeleteFile(
         [DllImport(ProjFSLib, CharSet = CharSet.Unicode, ExactSpelling = true)]
         internal static extern int PrjDeleteFile(
 #endif
-            IntPtr namespaceVirtualizationContext,
+            SafeProjFsHandle namespaceVirtualizationContext,
             string destinationFileName,
             uint updateFlags,
             out uint failureReason);
@@ -146,7 +149,7 @@ internal static partial int PrjWriteFileData(
         [DllImport(ProjFSLib, ExactSpelling = true)]
         internal static extern int PrjWriteFileData(
 #endif
-            IntPtr namespaceVirtualizationContext,
+            SafeProjFsHandle namespaceVirtualizationContext,
             ref Guid dataStreamId,
             IntPtr buffer,
             ulong byteOffset,
@@ -159,7 +162,7 @@ internal static partial IntPtr PrjAllocateAlignedBuffer(
         [DllImport(ProjFSLib, ExactSpelling = true)]
         internal static extern IntPtr PrjAllocateAlignedBuffer(
 #endif
-            IntPtr namespaceVirtualizationContext,
+            SafeProjFsHandle namespaceVirtualizationContext,
             UIntPtr size);
 
 #if NET7_0_OR_GREATER
@@ -181,7 +184,7 @@ internal static partial int PrjCompleteCommand(
         [DllImport(ProjFSLib, ExactSpelling = true)]
         internal static extern int PrjCompleteCommand(
 #endif
-            IntPtr namespaceVirtualizationContext,
+            SafeProjFsHandle namespaceVirtualizationContext,
             int commandId,
             int completionResult,
             IntPtr extendedParameters);
@@ -193,7 +196,7 @@ internal static partial int PrjCompleteCommandWithNotification(
         [DllImport(ProjFSLib, ExactSpelling = true, EntryPoint = "PrjCompleteCommand")]
         internal static extern int PrjCompleteCommandWithNotification(
 #endif
-            IntPtr namespaceVirtualizationContext,
+            SafeProjFsHandle namespaceVirtualizationContext,
             int commandId,
             int completionResult,
             ref PRJ_COMPLETE_COMMAND_EXTENDED_PARAMETERS extendedParameters);
@@ -209,7 +212,7 @@ internal static partial int PrjClearNegativePathCache(
         [DllImport(ProjFSLib, ExactSpelling = true)]
         internal static extern int PrjClearNegativePathCache(
 #endif
-            IntPtr namespaceVirtualizationContext,
+            SafeProjFsHandle namespaceVirtualizationContext,
             out uint totalEntryNumber);
 
         // ============================
@@ -306,7 +309,7 @@ internal static partial int PrjGetVirtualizationInstanceInfo(
         [DllImport(ProjFSLib, ExactSpelling = true)]
         internal static extern int PrjGetVirtualizationInstanceInfo(
 #endif
-            IntPtr namespaceVirtualizationContext,
+            SafeProjFsHandle namespaceVirtualizationContext,
             ref PRJ_VIRTUALIZATION_INSTANCE_INFO virtualizationInstanceInfo);
 
         // ============================
@@ -318,7 +321,7 @@ internal struct PRJ_CALLBACK_DATA
         {
             public uint Size;
             public uint Flags;
-            public IntPtr NamespaceVirtualizationContext;
+            public SafeProjFsHandle namespaceVirtualizationContext;
             public int CommandId;
             public Guid FileId;
             public Guid DataStreamId;
diff --git a/ProjectedFSLib.Managed/SafeProjFsHandle.cs b/ProjectedFSLib.Managed/SafeProjFsHandle.cs
@@ -0,0 +1,37 @@
+using System;
+using System.Runtime.InteropServices;
+using Microsoft.Win32.SafeHandles;
+
+namespace Microsoft.Windows.ProjFS
+{
+    /// <summary>
+    /// SafeHandle wrapper for the PRJ_NAMESPACE_VIRTUALIZATION_CONTEXT returned
+    /// by PrjStartVirtualizing. Guarantees PrjStopVirtualizing is called even
+    /// during rude app domain unloads, Environment.Exit, or finalizer-only cleanup.
+    /// </summary>
+    /// <remarks>
+    /// <para>
+    /// SafeHandle is a CriticalFinalizerObject — the CLR guarantees its
+    /// ReleaseHandle runs after all normal finalizers and during constrained
+    /// execution regions. This provides the strongest possible guarantee that
+    /// the ProjFS virtualization root is released, preventing zombie processes.
+    /// </para>
+    /// </remarks>
+    internal class SafeProjFsHandle : SafeHandleZeroOrMinusOneIsInvalid
+    {
+        /// <summary>
+        /// Parameterless constructor required by P/Invoke marshaler for out-parameter usage.
+        /// </summary>
+        public SafeProjFsHandle() : base(ownsHandle: true) { }
+
+        protected override bool ReleaseHandle()
+        {
+            // Must use the raw 'handle' field (IntPtr) here, not 'this'.
+            // Inside ReleaseHandle, the SafeHandle is already marked as closed —
+            // passing 'this' to a P/Invoke taking SafeProjFsHandle would fail
+            // because the marshaler refuses to marshal a closed SafeHandle.
+            ProjFSNative.PrjStopVirtualizing(handle);
+            return true;
+        }
+    }
+}
diff --git a/ProjectedFSLib.Managed/VirtualizationInstance.cs b/ProjectedFSLib.Managed/VirtualizationInstance.cs
diff --git a/ProjectedFSLib.Managed/WriteBuffer.cs b/ProjectedFSLib.Managed/WriteBuffer.cs

Original file line number	Diff line number	Diff line change
`@@ -128,7 +128,7 @@ public string NotificationRoot`
`128`	`128`
`129`	`129`	`private static void ValidateNotificationRoot(string root)`
`130`	`130`	`{`
`131`		`- if (root == "." \|\| (root != null && root.StartsWith(".\\")))`
	`131`	`+ if (root == "." \|\| (root != null && root.StartsWith(".\\", StringComparison.Ordinal)))`
`132`	`132`	`{`
`133`	`133`	`throw new ArgumentException(`
`134`	`134`	`"notificationRoot cannot be \".\" or begin with \".\\\"");`
`@@ -216,7 +216,9 @@ public delegate bool NotifyPreCreateHardlinkCallback(`
`216`	`216`	`// Interfaces`
`217`	`217`	`public interface IWriteBuffer : IDisposable`
`218`	`218`	`{`
	`219`	`+#pragma warning disable CA1720 // Identifier contains type name — established public API, cannot rename`
`219`	`220`	`IntPtr Pointer { get; }`
	`221`	`+#pragma warning restore CA1720`
`220`	`222`	`UnmanagedMemoryStream Stream { get; }`
`221`	`223`	`long Length { get; }`
`222`	`224`	`}`
`@@ -289,7 +291,7 @@ HResult GetFileDataCallback(`
`289`	`291`	`string triggeringProcessImageFileName);`
`290`	`292`	`}`
`291`	`293`
`292`		`- public interface IVirtualizationInstance`
	`294`	`+ public interface IVirtualizationInstance : IDisposable`
`293`	`295`	`{`
`294`	`296`	`/// <summary>Returns the virtualization instance GUID.</summary>`
`295`	`297`	`Guid VirtualizationInstanceId { get; }`