Fix TryOpenInner race cast and move regression tests to UnitTests

Author: paulmedynski

src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/SqlConnection.cs

@@ -266,7 +266,7 @@ private SqlConnection(SqlConnection connection)
 
         internal static bool TryGetSystemColumnEncryptionKeyStoreProvider(string keyStoreName, out SqlColumnEncryptionKeyStoreProvider provider)
         {
-            return s_systemColumnEncryptionKeyStoreProviders.TryGetValue(keyStoreName, out provider); 
+            return s_systemColumnEncryptionKeyStoreProviders.TryGetValue(keyStoreName, out provider);
         }
 
         /// <summary>
@@ -1332,7 +1332,7 @@ public override void ChangeDatabase(string database)
             SqlStatistics statistics = null;
             RepairInnerConnection();
             SqlClientEventSource.Log.TryCorrelationTraceEvent("SqlConnection.ChangeDatabase | API | Correlation | Object Id {0}, Activity Id {1}, Database {2}", ObjectID, ActivityCorrelator.Current, database);
-            
+
             try
             {
                 statistics = SqlStatistics.StartTimer(Statistics);
@@ -1408,7 +1408,7 @@ public override void Close()
 
                 SqlStatistics statistics = null;
                 Exception e = null;
-                
+
                 try
                 {
                     statistics = SqlStatistics.StartTimer(Statistics);
@@ -1901,7 +1901,7 @@ internal void Abort(Exception e)
         }
 
         /// <include file='../../../../../../doc/snippets/Microsoft.Data.SqlClient/SqlConnection.xml' path='docs/members[@name="SqlConnection"]/OpenAsync/*' />
-        public override Task OpenAsync(CancellationToken cancellationToken) 
+        public override Task OpenAsync(CancellationToken cancellationToken)
             => OpenAsync(SqlConnectionOverrides.None, cancellationToken);
 
         /// <include file='../../../../../../doc/snippets/Microsoft.Data.SqlClient/SqlConnection.xml' path='docs/members[@name="SqlConnection"]/OpenAsyncWithOverrides/*' />
@@ -2224,7 +2224,18 @@ private bool TryOpenInner(TaskCompletionSource<DbConnectionInternal> retry)
             }
             // does not require GC.KeepAlive(this) because of ReRegisterForFinalize below.
 
-            var tdsInnerConnection = (SqlConnectionInternal)InnerConnection;
+            // Capture InnerConnection once into a local to avoid a TOCTOU race: another thread
+            // concurrently calling Open() on the same SqlConnection instance can change
+            // _innerConnection to DbConnectionClosedConnecting between the TryOpenConnection()
+            // call above and the cast below. Without this local capture the second read of
+            // InnerConnection may return DbConnectionClosedConnecting, which is not assignable
+            // to SqlConnectionInternal and would produce an opaque InvalidCastException.
+            // See GitHub issue #3314.
+            var innerConnection = InnerConnection;
+            if (innerConnection is not SqlConnectionInternal tdsInnerConnection)
+            {
+                throw ADP.ConnectionAlreadyOpen(State);
+            }
 
             Debug.Assert(tdsInnerConnection.Parser != null, "Where's the parser?");
 

src/Microsoft.Data.SqlClient/tests/FunctionalTests/SqlConnectionTest.ConcurrentOpen.cs

@@ -0,0 +1,128 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+// See the LICENSE file in the project root for more information.
+
+using System;
+using System.Data;
+using System.Reflection;
+using System.Threading.Tasks;
+using Xunit;
+
+namespace Microsoft.Data.SqlClient.UnitTests.Microsoft.Data.SqlClient
+{
+    /// <summary>
+    /// Regression tests for GitHub issue #3314.
+    ///
+    /// Root cause: TryOpenInner() read InnerConnection twice - once for TryOpenConnection() and
+    /// again for the cast to SqlConnectionInternal. Between those two reads another thread could
+    /// change _innerConnection to DbConnectionClosedConnecting, which is not assignable to
+    /// SqlConnectionInternal, causing an opaque InvalidCastException.
+    ///
+    /// Fix: InnerConnection is now captured into a local variable once; if it is not a
+    /// SqlConnectionInternal an InvalidOperationException with a descriptive message is thrown
+    /// instead of an InvalidCastException.
+    /// </summary>
+    public class SqlConnectionConcurrentOpenTests
+    {
+        private static object GetConnectingSingleton()
+        {
+            Type closedConnectingType = typeof(SqlConnection).Assembly
+                .GetType("Microsoft.Data.ProviderBase.DbConnectionClosedConnecting", throwOnError: true)!;
+            FieldInfo singletonField = closedConnectingType
+                .GetField("SingletonInstance", BindingFlags.Static | BindingFlags.NonPublic | BindingFlags.Public)!;
+            object? singletonInstance = singletonField.GetValue(null);
+            Assert.NotNull(singletonInstance);
+            return singletonInstance!;
+        }
+
+        private static void ForceInnerConnection(SqlConnection connection, object innerConnectionValue)
+        {
+            FieldInfo innerConnectionField = typeof(SqlConnection)
+                .GetField("_innerConnection", BindingFlags.Instance | BindingFlags.NonPublic)!;
+            innerConnectionField.SetValue(connection, innerConnectionValue);
+        }
+
+        [Fact]
+        public void InnerConnection_DbConnectionClosedConnecting_IsNotAssignableToSqlConnectionInternal()
+        {
+            object connectingSingleton = GetConnectingSingleton();
+
+            Type sqlConnectionInternalType = typeof(SqlConnection).Assembly
+                .GetType("Microsoft.Data.SqlClient.Connection.SqlConnectionInternal", throwOnError: true)!;
+
+            Assert.False(
+                sqlConnectionInternalType.IsInstanceOfType(connectingSingleton),
+                "DbConnectionClosedConnecting must NOT be assignable to SqlConnectionInternal. " +
+                "If it were, the race condition in #3314 would not manifest.");
+        }
+
+        [Fact]
+        public void InnerConnection_InConnectingState_ReportsConnectingState()
+        {
+            object connectingSingleton = GetConnectingSingleton();
+
+            var connection = new SqlConnection("Data Source=localhost");
+            ForceInnerConnection(connection, connectingSingleton);
+
+            Assert.Equal(ConnectionState.Connecting, connection.State);
+        }
+
+        [Fact]
+        public void Open_WhenAlreadyConnecting_ThrowsInvalidOperation()
+        {
+            object connectingSingleton = GetConnectingSingleton();
+
+            var connection = new SqlConnection("Data Source=localhost");
+            ForceInnerConnection(connection, connectingSingleton);
+
+            Assert.Throws<InvalidOperationException>(() => connection.Open());
+        }
+
+        [Fact]
+        public void TryOpenInner_WhenInnerConnectionRacesToConnectingState_ThrowsInvalidOperation_NotInvalidCast()
+        {
+            object connectingSingleton = GetConnectingSingleton();
+
+            Type openBusyType = typeof(SqlConnection).Assembly
+                .GetType("Microsoft.Data.ProviderBase.DbConnectionOpenBusy", throwOnError: true)!;
+            FieldInfo openBusySingleton = openBusyType
+                .GetField("SingletonInstance", BindingFlags.Static | BindingFlags.NonPublic | BindingFlags.Public)!;
+            object? openBusyInstance = openBusySingleton.GetValue(null);
+            Assert.NotNull(openBusyInstance);
+
+            var connection = new SqlConnection("Data Source=localhost");
+            ForceInnerConnection(connection, connectingSingleton);
+
+            Type dbConnectionInternalType = typeof(SqlConnection).Assembly
+                .GetType("Microsoft.Data.ProviderBase.DbConnectionInternal", throwOnError: true)!;
+            Type tcsType = typeof(TaskCompletionSource<>).MakeGenericType(dbConnectionInternalType);
+            object completedRetry = Activator.CreateInstance(tcsType)!;
+            MethodInfo setResultMethod = tcsType.GetMethod("SetResult")!;
+            setResultMethod.Invoke(completedRetry, new[] { openBusyInstance! });
+
+            MethodInfo tryOpenInner = typeof(SqlConnection)
+                .GetMethod("TryOpenInner", BindingFlags.Instance | BindingFlags.NonPublic)!;
+            Assert.NotNull(tryOpenInner);
+
+            Exception ex = Assert.ThrowsAny<Exception>(() =>
+            {
+                try
+                {
+                    tryOpenInner.Invoke(connection, new[] { completedRetry });
+                }
+                catch (TargetInvocationException tie) when (tie.InnerException != null)
+                {
+                    throw tie.InnerException;
+                }
+            });
+
+            Assert.True(
+                ex is InvalidOperationException,
+                $"Expected InvalidOperationException but got {ex.GetType().Name}: {ex.Message}. " +
+                "The fix for #3314 must throw InvalidOperationException (not InvalidCastException) " +
+                "when _innerConnection races to a non-SqlConnectionInternal state inside TryOpenInner.");
+
+            Assert.Contains("connection", ex.Message, StringComparison.OrdinalIgnoreCase);
+        }
+    }
+}