[dotnet-sdk-9.0.100-preview.6.24325.8] paintdotnet get System.NotSupportedException: BinaryFormatter serialization and deserialization have been removed #11596

Closed
Junjun-zhao opened this issue Jun 27, 2024 · 8 comments
Labels
area-Serialization-BinaryFormatter-FeatureWork Feature work under the general area of BinaryFormatter related serialization

Comments

@Junjun-zhao
Member

Junjun-zhao commented Jun 27, 2024

.NET version

Dotnet Info:

.NET SDK:
 Version:           9.0.100-preview.6.24325.8
 Commit:            89054b0c37
 Workload version:  9.0.100-manifests.29b7987d
 MSBuild version:   17.11.0-preview-24318-05+4a45d5633

Runtime Environment:
 OS Name:     Windows
 OS Version:  10.0.19045
 OS Platform: Windows
 RID:         win-x64
 Base Path:   C:\Program Files\dotnet\sdk\9.0.100-preview.6.24325.8\

.NET workloads installed:
Configured to use loose manifests when installing new manifests.
There are no installed workloads to display.

Host:
  Version:      9.0.0-preview.6.24321.8
  Architecture: x64
  Commit:       static

.NET SDKs installed:
  9.0.100-preview.6.24325.8 [C:\Program Files\dotnet\sdk]

.NET runtimes installed:
  Microsoft.AspNetCore.App 9.0.0-preview.6.24324.2 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 9.0.0-preview.6.24321.8 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.WindowsDesktop.App 9.0.0-preview.6.24322.3 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]

Did it work in .NET Framework?

Not tested/verified

Did it work in any of the earlier releases of .NET Core or .NET 5+?

Yes
Verify Scenarios:
1). Windows 10 21H2 AMD64 + dotnet-sdk-9.0.100-preview.6.24317.13: Pass
2). Windows 10 21H2 AMD64 + dotnet-sdk-9.0.100-preview.6.24325.8: Fail
3). Windows 10 21H2 AMD64 + dotnet-sdk-9.0.100-preview.7.24321.3: Fail

Issue description

When running the 3rd-party application with the latest .NET 9 build "dotnet-sdk-9.0.100-preview.6.24325.8", the application fails with "System.NotSupportedException: BinaryFormatter serialization and deserialization have been removed. See https://aka.ms/binaryformatter for more information.".

Application Name: paint.netcore (WinForms/WPF, .NET 8)
OS: Windows 10 21H2
CPU: X64
.NET Build Number: dotnet-sdk-9.0.100-preview.6.24325.8
App or App Source checking at: https://devdiv.visualstudio.com/DevDiv/_workitems/edit/2110612

Steps to reproduce

1. Change the runtime.config file to let the app run against dotnet-sdk-9.0.100-preview.6.24325.8 and enable BinaryFormatter.

    "frameworks": [
      {
        "name": "Microsoft.NETCore.App",
        "version": "9.0.0-preview.6.24321.8"
      },
      {
        "name": "Microsoft.WindowsDesktop.App",
        "version": "9.0.0-preview.6.24322.3"
      }
    ],
    "configProperties": {
      "System.Reflection.Metadata.MetadataUpdater.IsSupported": false,
      "System.Runtime.Serialization.EnableUnsafeBinaryFormatterSerialization": true
    }

2. Launch paintdotnet.exe.
3. Click anywhere in the middle of the app.

Expected Result:
Application doesn't crash and works as normal.

Actual Result:
Application crashed.


Exception details (full log file attached):

System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation.
 ---> System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation.
 ---> System.PlatformNotSupportedException: BinaryFormatter serialization and deserialization have been removed. See https://aka.ms/binaryformatter for more information.
   at System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Serialize(Stream serializationStream, Object graph)
   at PaintDotNet.ReferenceValue.CloneCore[TResult]() in C:\AppBuild\paint.netcore\Base\ReferenceValue.cs:line 305
   at PaintDotNet.Tools.TransactedToolChanges`2.Clone() in C:\AppBuild\paint.netcore\PaintDotNet\Tools\TransactedToolChanges`2.cs:line 185
   at PaintDotNet.Tools.TransactedTool`2.CommitDrawing() in C:\AppBuild\paint.netcore\PaintDotNet\Tools\TransactedTool`2.cs:line 791
   at PaintDotNet.Tools.TransactedTool`2.TransactedToolDrawingTransactionTokenPrivate.OnCommit() in C:\AppBuild\paint.netcore\PaintDotNet\Tools\TransactedTool`2.cs:line 639
   at PaintDotNet.Tools.TransactedToolDrawingToken`1.Commit() in C:\AppBuild\paint.netcore\PaintDotNet\Tools\TransactedToolDrawingToken`1.cs:line 37
   at PaintDotNet.Tools.BrushBase.BrushToolBase`3.OnUIDragEnd(Object sender, PointerEventArgs e) in C:\AppBuild\paint.netcore\PaintDotNet\Tools\BrushBase\BrushToolBase`3.cs:line 451
   at InvokeStub_PointerEventHandler.Invoke(Object, Span`1)
   at System.Reflection.MethodBaseInvoker.InvokeWithFewArgs(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   --- End of inner exception stack trace ---
   at System.Reflection.MethodBaseInvoker.InvokeWithFewArgs(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at System.Delegate.DynamicInvokeImpl(Object[] args)
   at PaintDotNet.UI.UIElement.OnEvent(RoutedEventArgs e) in C:\AppBuild\paint.netcore\UI\UI\UIElement.cs:line 901
   at PaintDotNet.ObjectModel.HierarchicalObject.PaintDotNet.UI.IRoutedEventSink.ReceiveEvent(RoutedEventArgs e) in C:\AppBuild\paint.netcore\UI\ObjectModel\HierarchicalObject.cs:line 93
   at PaintDotNet.UI.EventManager.RaiseDirect(IRoutedEventSink target, RoutedEventArgs e) in C:\AppBuild\paint.netcore\UI\UI\EventManager.cs:line 226
   at PaintDotNet.UI.EventManager.RaiseBubble(IRoutedEventSink target, RoutedEventArgs e) in C:\AppBuild\paint.netcore\UI\UI\EventManager.cs:line 181
   at PaintDotNet.UI.EventManager.Raise(RoutedEventArgs e) in C:\AppBuild\paint.netcore\UI\UI\EventManager.cs:line 146
   at PaintDotNet.ObjectModel.HierarchicalObject.RaiseEvent(RoutedEventArgs e) in C:\AppBuild\paint.netcore\UI\ObjectModel\HierarchicalObject.cs:line 73
   at PaintDotNet.UI.Controls.ClickDragBehavior.OnPointerReleased(Object sender, PointerButtonEventArgs e) in C:\AppBuild\paint.netcore\PaintDotNet\UI\Controls\ClickDragBehavior.cs:line 374
   at InvokeStub_PointerButtonEventHandler.Invoke(Object, Span`1)
   at System.Reflection.MethodBaseInvoker.InvokeWithFewArgs(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   --- End of inner exception stack trace ---
   at System.Reflection.MethodBaseInvoker.InvokeWithFewArgs(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at System.Delegate.DynamicInvokeImpl(Object[] args)
   at PaintDotNet.UI.UIElement.OnEvent(RoutedEventArgs e) in C:\AppBuild\paint.netcore\UI\UI\UIElement.cs:line 901
   at PaintDotNet.ObjectModel.HierarchicalObject.PaintDotNet.UI.IRoutedEventSink.ReceiveEvent(RoutedEventArgs e) in C:\AppBuild\paint.netcore\UI\ObjectModel\HierarchicalObject.cs:line 93
   at PaintDotNet.UI.EventManager.RaiseDirect(IRoutedEventSink target, RoutedEventArgs e) in C:\AppBuild\paint.netcore\UI\UI\EventManager.cs:line 226
   at PaintDotNet.UI.EventManager.RaiseBubble(IRoutedEventSink target, RoutedEventArgs e) in C:\AppBuild\paint.netcore\UI\UI\EventManager.cs:line 181
   at PaintDotNet.UI.EventManager.Raise(RoutedEventArgs e) in C:\AppBuild\paint.netcore\UI\UI\EventManager.cs:line 146
   at PaintDotNet.ObjectModel.HierarchicalObject.RaiseEvent(RoutedEventArgs e) in C:\AppBuild\paint.netcore\UI\ObjectModel\HierarchicalObject.cs:line 73
   at PaintDotNet.UI.Input.PointerDevice.ProcessPointerReleased(PointerButton button) in C:\AppBuild\paint.netcore\UI\UI\Input\PointerDevice.cs:line 503
   at PaintDotNet.Canvas.CanvasPointerDevice.RelayPointerReleased(PointerPoint point, MouseButtons buttons) in C:\AppBuild\paint.netcore\PaintDotNet\Canvas\CanvasPointerDevice.cs:line 56
   at PaintDotNet.Tools.PresentationBasedTool`2.OnPointerReleased(DocumentPointerEventArgs e) in C:\AppBuild\paint.netcore\PaintDotNet\Tools\PresentationBasedTool`2.cs:line 285
   at PaintDotNet.Tools.Tool.PointerReleased(DocumentPointerEventArgs e) in C:\AppBuild\paint.netcore\PaintDotNet\Tools\Tool.cs:line 741
   at PaintDotNet.Tools.Tool.PerformPointerReleased(DocumentPointerEventArgs e) in C:\AppBuild\paint.netcore\PaintDotNet\Tools\Tool.cs:line 482
   at PaintDotNet.Controls.AppWorkspace.DocumentPointerReleasedHandler(Object sender, DocumentPointerEventArgs e) in C:\AppBuild\paint.netcore\PaintDotNet\Controls\AppWorkspace.cs:line 1808
   at PaintDotNet.Controls.DocumentView.OnDocumentPointerReleased(DocumentPointerEventArgs e) in C:\AppBuild\paint.netcore\PaintDotNet\Controls\DocumentView.cs:line 1005
   at PaintDotNet.Controls.DocumentView.PointerReleasedHandler(Object sender, IPointerInputEventArgs e) in C:\AppBuild\paint.netcore\PaintDotNet\Controls\DocumentView.cs:line 1141
   at PaintDotNet.EventHandlerExtensions.Raise[TEventArgs](EventHandler`1 handler, Object sender, TEventArgs e) in C:\AppBuild\paint.netcore\Fundamentals\EventHandlerExtensions.cs:line 30
   at PaintDotNet.Controls.Direct2DPointerControl.OnPointerReleased(IPointerInputEventArgs e) in C:\AppBuild\paint.netcore\Framework\Controls\Direct2DPointerControl.cs:line 136
   at PaintDotNet.Canvas.CanvasControl.OnPointerReleased(IPointerInputEventArgs e) in C:\AppBuild\paint.netcore\PaintDotNet\Canvas\CanvasControl.cs:line 579
   at PaintDotNet.Controls.Direct2DPointerControl.PaintDotNet.Input.IPointerEventSink.OnPointerReleased(Object sender, IPointerInputEventArgs e) in C:\AppBuild\paint.netcore\Framework\Controls\Direct2DPointerControl.cs:line 142
   at PaintDotNet.Input.PointerEventMultiplexer.OnPointerReleased(Object sender, IPointerInputEventArgs e) in C:\AppBuild\paint.netcore\Windows.Framework\Input\PointerEventMultiplexer.cs:line 126
   at PaintDotNet.Input.MouseToPointerEventsAdapter.RelayMouseUp(Object sender, MouseEventArgs e) in C:\AppBuild\paint.netcore\Windows.Framework\Input\MouseToPointerEventsAdapter.cs:line 174
   at PaintDotNet.Input.PointerInputProcessor.RelayMouseUp(Object sender, MouseEventArgs e) in C:\AppBuild\paint.netcore\Windows.Framework\Input\PointerInputProcessor.cs:line 159
   at PaintDotNet.Controls.Direct2DPointerControl.OnMouseUp(MouseEventArgs e) in C:\AppBuild\paint.netcore\Framework\Controls\Direct2DPointerControl.cs:line 202
   at System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks)
   at System.Windows.Forms.Control.WndProc(Message& m)
   at PaintDotNet.Gdi.GdiControl.WndProc(Message& m) in C:\AppBuild\paint.netcore\Windows.Framework\Gdi\GdiControl.cs:line 190
   at PaintDotNet.Input.PointerInputProcessor.RelayWndProc(Message& m) in C:\AppBuild\paint.netcore\Windows.Framework\Input\PointerInputProcessor.cs:line 111
   at PaintDotNet.Controls.Direct2DPointerControl.WndProc(Message& m) in C:\AppBuild\paint.netcore\Framework\Controls\Direct2DPointerControl.cs:line 29
   at System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)
   at System.Windows.Forms.NativeWindow.Callback(HWND hWnd, MessageId msg, WPARAM wparam, LPARAM lparam)

Known Workaround:
Yes.

It works with the following steps. Filing this issue to track; we want to keep this issue active until we get and verify with the public System.Runtime.Serialization.Formatters NuGet package.

  1. Install System.Runtime.Serialization.Formatters NuGet package
  2. Turn on AppContext switch in runtime.config file: "System.Runtime.Serialization.EnableUnsafeBinaryFormatterSerialization": true
  3. Build and run the app.

@dotnet-actwx-bot @dotnet/compat

@Junjun-zhao Junjun-zhao added the untriaged The team needs to look at this issue in the next triage label Jun 27, 2024
@paul1956
Contributor

If people have to install the NuGet package to get basic WinForms existing apps to work, why is it being removed? And if the NuGet package is safe, why isn’t it in the product? Will this requirement break existing deployed applications? For many of us, this entire issue is very confusing. The only use of binary formatter in any application I work in is to decode stuff in form.designer that was written by WinForm designer. Wouldn’t it be better to do a one-time upgrade of the designer file and, for the vast majority of applications, not use the problematic format? If this isn’t the place to address this issue, please let me know where is.

@elachlan
Contributor

@rickbrew just a heads up. I imagine you are probably very much aware.

@elachlan
Contributor

@paul1956 see #6267

@elachlan elachlan added the area-Serialization-BinaryFormatter-FeatureWork Feature work under the general area of BinaryFormatter related serialization label Jun 27, 2024
@rickbrew

@elachlan Yup I’ve been paying close attention to this. PDN uses BF for various things, and I’ll be dealing with it soon-ish, possibly deferring the upgrade to .NET 9/10 for a bit while I’m working on it.

@rickbrew

rickbrew commented Jun 27, 2024

> If people have to install the NuGet package to get basic WinForms existing apps to work, why is it being removed?

Because BF is a security black hole. It’s not safe.

Also, Paint.NET is not a basic WinForms app, and uses BF in situations where it isn’t usually used. It isn’t representative of the larger ecosystem in other words.

> And if the NuGet package is safe, why isn’t it in the product?

It’s not safe. It’s a compromise. To use BF going forward you essentially have to “sign the consent form” declaring that you understand the risks of using BF and are taking responsibility for it going forward.

> Will this requirement break existing deployed applications?

This will only be an issue when migrating to .NET 9+. Existing app deployments shouldn’t be affected.

@paul1956
Contributor

paul1956 commented Jun 27, 2024

@rickbrew @elachlan maybe I am misunderstanding. If my app only uses the WinForms form designer and the Resx files it creates, when I upgrade to .NET 9.0 will something happen to those files that will remove the need to use BF and avoid this security black hole? The little I have played with .NET 9 for my applications seems to require that I add the line below to the project file.

<EnableUnsafeBinaryFormatterSerialization>True</EnableUnsafeBinaryFormatterSerialization>

@rickbrew

@paul1956 You'll want to refer to the other issues etc. that discuss this, e.g. #6267 (comment). IIUC it's something @JeremyKuhne et al. are actively working on.

> ... at worst, you'll have to reference a new NuGet package to get this to work. We're working on making sure embedded resources just work (as they're considered trusted). I'm not sure what the BinaryFormatter workflow is for data sets, but we'll look to make sure we're fully clear how it might be impacted.

@Junjun-zhao
Member Author

Verified the workaround for this issue with the public System.Runtime.Serialization.Formatters NuGet package. It works. Hence closing this issue.

@dotnet-policy-service dotnet-policy-service bot removed the untriaged The team needs to look at this issue in the next triage label Jul 15, 2024
@github-actions github-actions bot locked and limited conversation to collaborators Aug 15, 2024
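
One way to inventory which applications have opted in to the workaround discussed in this thread (the runtime switch, the MSBuild property, or the package reference). This is an added example, not code from the issue or from the .NET project; the finding labels, sample file names and the package version are constructed placeholders.

```python
import json
import xml.etree.ElementTree as ET

SWITCH = "System.Runtime.Serialization.EnableUnsafeBinaryFormatterSerialization"
MSBUILD_PROP = "EnableUnsafeBinaryFormatterSerialization"
COMPAT_PACKAGE = "System.Runtime.Serialization.Formatters"

def _is_true(value):
    # Accept a JSON boolean or a string such as "True" (the spelling used in the thread).
    return value is True or (isinstance(value, str) and value.strip().lower() == "true")

def audit_runtimeconfig(text):
    doc = json.loads(text)
    opts = doc.get("runtimeOptions", doc)  # full file, or just the options object
    props = opts.get("configProperties") or {}
    return ["runtime switch enabled"] if _is_true(props.get(SWITCH)) else []

def audit_csproj(text):
    findings = []
    for el in ET.fromstring(text).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop an XML namespace if present
        if tag == MSBUILD_PROP and _is_true(el.text):
            findings.append("msbuild property enabled")
        elif tag == "PackageReference" and el.get("Include", "").lower() == COMPAT_PACKAGE.lower():
            findings.append("compat package referenced")
    return findings

def audit(files):
    """files maps a file name to its text; returns only the files that opted in."""
    report = {}
    for name, text in files.items():
        check = audit_runtimeconfig if name.endswith(".runtimeconfig.json") else audit_csproj
        try:
            found = check(text)
        except (ValueError, ET.ParseError, AttributeError):
            found = ["unparsable, review manually"]
        if found:
            report[name] = found
    return report

# Constructed sample inputs; file names and the package version are placeholders.
SAMPLES = {
    "App.runtimeconfig.json": '{"runtimeOptions": {"configProperties": {"%s": true}}}' % SWITCH,
    "Clean.runtimeconfig.json": '{"runtimeOptions": {"configProperties": {"%s": false}}}' % SWITCH,
    "App.csproj": '<Project Sdk="Microsoft.NET.Sdk"><PropertyGroup><%s>True</%s></PropertyGroup>'
                  '<ItemGroup><PackageReference Include="%s" Version="PLACEHOLDER" /></ItemGroup>'
                  '</Project>' % (MSBUILD_PROP, MSBUILD_PROP, COMPAT_PACKAGE),
}

print(audit(SAMPLES))
```

To scan a real tree, build the `files` mapping from the `*.runtimeconfig.json` and `*.csproj` files found on disk and pass it to `audit`.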