This is the tenth part of the Custom memory allocation series. For your convenience you can find other parts in the table of contents in Part 1 — Allocating object on a stack
I had .NET Core 2.1.103 x64 installed and I wanted to hijack new with the code from the last post. Unfortunately, it crashed because of a very silly thing. Let's see:
```
0:003> .loadby sos coreclr
```
```
0:003> !name2ee * Program
Module:      00007ffb6db41000
Assembly:    System.Private.CoreLib.dll
--------------------------------------
Module:      00007ffb0ed04580
Assembly:    GenericUnsafeAlloc_core.dll
--------------------------------------
Module:      00007ffb0ed04df0
Assembly:    System.Runtime.dll
--------------------------------------
Module:      00007ffb0ed05bb8
Assembly:    System.Console.dll
--------------------------------------
Module:      00007ffb0ed06ef0
Assembly:    System.Runtime.InteropServices.dll
--------------------------------------
Module:      00007ffb0ed07b90
Assembly:    System.Threading.dll
--------------------------------------
Module:      00007ffb0ed08500
Assembly:    System.Runtime.Extensions.dll
```
```
0:003> !dumpmodule -mt 00007ffb0ed04580
Name: C:\Users\adafurma\Desktop\msp_windowsinternals\GenericUnsafeAlloc_core\bin\Debug\netcoreapp2.0\GenericUnsafeAlloc_core.dll
Attributes: PEFile SupportsUpdateableMethods
Assembly: 000002803d1bbc60
LoaderHeap: 0000000000000000
TypeDefToMethodTableMap: 00007ffb0ed003a8
TypeRefToMethodTableMap: 00007ffb0ed003d8
MethodDefToDescMap: 00007ffb0ed004d0
FieldDefToDescMap: 00007ffb0ed00540
MemberRefToDescMap: 0000000000000000
FileReferencesMap: 00007ffb0ed00600
AssemblyReferencesMap: 00007ffb0ed00608
MetaData start address: 0000028001ca23a4 (3732 bytes)

Types defined in this module

              MT          TypeDef Name
------------------------------------------------------------------------------
00007ffb0ed05858 0x02000003 GenericUnsafeAlloc_core.GenericMemoryAllocator
00007ffb0ed05688 0x02000004 GenericUnsafeAlloc_core.Program
00007ffb0ed05950 0x02000005 GenericUnsafeAlloc_core.TestClass

Types referenced in this module

              MT          TypeRef Name
------------------------------------------------------------------------------
00007ffb6e570410 0x02000010 System.Object
00007ffb6e5705c0 0x02000012 System.RuntimeTypeHandle
00007ffb6e5745a0 0x02000013 System.RuntimeMethodHandle
00007ffb6e586dc8 0x02000014 System.IntPtr
00007ffb6e570690 0x02000015 System.Type
00007ffb6e571de8 0x02000016 System.Runtime.InteropServices.Marshal
00007ffb6e5740d0 0x02000019 System.Reflection.MethodBase
00007ffb6e573af0 0x0200001a System.Runtime.CompilerServices.RuntimeHelpers
00007ffb6e56fcb0 0x0200001b System.Byte
00007ffb0ed06d50 0x0200001c System.Console
00007ffb6e5745f0 0x0200001d System.GC
00007ffb6e571968 0x0200001e System.Int32
```
```
0:003> !dumpmt -md 00007ffb0ed05858
EEClass:         00007ffb0eea1100
Module:          00007ffb0ed04580
Name:            GenericUnsafeAlloc_core.GenericMemoryAllocator
mdToken:         0000000002000003
File:            C:\Users\adafurma\Desktop\msp_windowsinternals\GenericUnsafeAlloc_core\bin\Debug\netcoreapp2.0\GenericUnsafeAlloc_core.dll
BaseSize:        0x18
ComponentSize:   0x0
Slots in VTable: 14
Number of IFaces in IFaceMap: 0
--------------------------------------
MethodDesc Table
           Entry       MethodDesc    JIT Name
00007ffb6e182020 00007ffb6dce0988 PreJIT System.Object.ToString()
00007ffb6e182040 00007ffb6dce0990 PreJIT System.Object.Equals(System.Object)
00007ffb6e182090 00007ffb6dce09b8 PreJIT System.Object.GetHashCode()
00007ffb6e1820a0 00007ffb6dce09d8 PreJIT System.Object.Finalize()
00007ffb0ee21e00 00007ffb0ed05840    JIT GenericUnsafeAlloc_core.GenericMemoryAllocator..cctor()
00007ffb0ee21a30 00007ffb0ed05838    JIT GenericUnsafeAlloc_core.GenericMemoryAllocator..ctor()
00007ffb0ee210f0 00007ffb0ed057d8   NONE GenericUnsafeAlloc_core.GenericMemoryAllocator.Allocate()
00007ffb0ee210c0 00007ffb0ed05770   NONE GenericUnsafeAlloc_core.GenericMemoryAllocator.VirtualProtect(IntPtr, UInt32, UInt32, UInt32 ByRef)
00007ffb0ee222f0 00007ffb0ed057b8    JIT GenericUnsafeAlloc_core.GenericMemoryAllocator.UnlockPage(IntPtr)
00007ffb0ee210e0 00007ffb0ed057c8   NONE GenericUnsafeAlloc_core.GenericMemoryAllocator.GetReferenceAsPointer(System.Object)
00007ffb0ee21bd0 00007ffb0ed057f8    JIT GenericUnsafeAlloc_core.GenericMemoryAllocator.RawAllocate(IntPtr)
00007ffb0ee22290 00007ffb0ed05808   NONE GenericUnsafeAlloc_core.GenericMemoryAllocator.CreateObject()
00007ffb0ee220f0 00007ffb0ed05818    JIT GenericUnsafeAlloc_core.GenericMemoryAllocator.GetAllocMethodAddress()
00007ffb0ee21ed0 00007ffb0ed05828    JIT GenericUnsafeAlloc_core.GenericMemoryAllocator.HijackNew()
```
Yes, CreateObject is not jitted even though PrepareMethod was called. A quick look at GH and we have the following. So I updated the SDK and could carry on:
```
0:003> !dumpmt -md 00007ffb0ed05688
EEClass:         00007ffb0eea1088
Module:          00007ffb0ed04580
Name:            GenericUnsafeAlloc_core.Program
mdToken:         0000000002000004
File:            C:\Users\adafurma\Desktop\msp_windowsinternals\GenericUnsafeAlloc_core\bin\Debug\netcoreapp2.0\GenericUnsafeAlloc_core.dll
BaseSize:        0x18
ComponentSize:   0x0
Slots in VTable: 6
Number of IFaces in IFaceMap: 0
--------------------------------------
MethodDesc Table
           Entry       MethodDesc    JIT Name
00007ffb6e182020 00007ffb6dce0988 PreJIT System.Object.ToString()
00007ffb6e182040 00007ffb6dce0990 PreJIT System.Object.Equals(System.Object)
00007ffb6e182090 00007ffb6dce09b8 PreJIT System.Object.GetHashCode()
00007ffb6e1820a0 00007ffb6dce09d8 PreJIT System.Object.Finalize()
00007ffb0ee210a0 00007ffb0ed05680   NONE GenericUnsafeAlloc_core.Program..ctor()
00007ffb0ee21810 00007ffb0ed05670    JIT GenericUnsafeAlloc_core.Program.Main()
```
```
0:003> !U 00007ffb0ee21810
Normal JIT generated code
GenericUnsafeAlloc_core.Program.Main()
Begin 00007ffb0ee21810, size 207

C:\Users\adafurma\Desktop\msp_windowsinternals\GenericUnsafeAlloc_core\Program.cs @ 163:
>>> 00007ffb`0ee21810 55              push    rbp
00007ffb`0ee21811 57              push    rdi
00007ffb`0ee21812 4881ecb8000000  sub     rsp,0B8h
00007ffb`0ee21819 488dac24c0000000 lea     rbp,[rsp+0C0h]
00007ffb`0ee21821 488dbd6cffffff  lea     rdi,[rbp-94h]
00007ffb`0ee21828 b923000000      mov     ecx,23h
00007ffb`0ee2182d 33c0            xor     eax,eax
00007ffb`0ee2182f f3ab            rep stos dword ptr [rdi]
00007ffb`0ee21831 833dc831eeff00  cmp     dword ptr [00007ffb`0ed04a00],0
00007ffb`0ee21838 7405            je      00007ffb`0ee2183f
00007ffb`0ee2183a e801bfc45f      call    coreclr!JIT_DbgIsJustMyCode (00007ffb`6ea6d740)
00007ffb`0ee2183f 90              nop

C:\Users\adafurma\Desktop\msp_windowsinternals\GenericUnsafeAlloc_core\Program.cs @ 165:
00007ffb`0ee21840 48b95858d00efb7f0000 mov     rcx,7FFB0ED05858h (MT: GenericUnsafeAlloc_core.GenericMemoryAllocator)
00007ffb`0ee2184a e851e0ad5f      call    coreclr!JIT_TrialAllocSFastMP_InlineGetThread (00007ffb`6e8ff8a0)
00007ffb`0ee2184f 488945d0        mov     qword ptr [rbp-30h],rax
00007ffb`0ee21853 488b4dd0        mov     rcx,qword ptr [rbp-30h]
00007ffb`0ee21857 e8e4f8ffff      call    00007ffb`0ee21140 (GenericUnsafeAlloc_core.GenericMemoryAllocator..ctor(), mdToken: 0000000006000009)
00007ffb`0ee2185c 488b4dd0        mov     rcx,qword ptr [rbp-30h]
00007ffb`0ee21860 48894df0        mov     qword ptr [rbp-10h],rcx

C:\Users\adafurma\Desktop\msp_windowsinternals\GenericUnsafeAlloc_core\Program.cs @ 166:
00007ffb`0ee21864 488b4df0        mov     rcx,qword ptr [rbp-10h]
00007ffb`0ee21868 48ba885ad00efb7f0000 mov     rdx,7FFB0ED05A88h (MD: GenericUnsafeAlloc_core.GenericMemoryAllocator.Allocate[[GenericUnsafeAlloc_core.TestClass, GenericUnsafeAlloc_core]]())
00007ffb`0ee21872 3909            cmp     dword ptr [rcx],ecx
00007ffb`0ee21874 e8f7f8ffff      call    00007ffb`0ee21170 (GenericUnsafeAlloc_core.GenericMemoryAllocator.Allocate[[System.__Canon, System.Private.CoreLib]](), mdToken: 0000000006000004)
00007ffb`0ee21879 488945c8        mov     qword ptr [rbp-38h],rax
00007ffb`0ee2187d 488b4dc8        mov     rcx,qword ptr [rbp-38h]
00007ffb`0ee21881 48894de8        mov     qword ptr [rbp-18h],rcx

C:\Users\adafurma\Desktop\msp_windowsinternals\GenericUnsafeAlloc_core\Program.cs @ 169:
00007ffb`0ee21885 48b91004576efb7f0000 mov     rcx,offset System_Private_CoreLib+0xa30410 (00007ffb`6e570410) (MT: System.Object)
00007ffb`0ee2188f e80ce0ad5f      call    coreclr!JIT_TrialAllocSFastMP_InlineGetThread (00007ffb`6e8ff8a0)
00007ffb`0ee21894 488945c0        mov     qword ptr [rbp-40h],rax
00007ffb`0ee21898 488b4dc0        mov     rcx,qword ptr [rbp-40h]
00007ffb`0ee2189c e86f07365f      call    System_Private_CoreLib+0x642010 (00007ffb`6e182010) (System.Object..ctor(), mdToken: 0000000006000191)
00007ffb`0ee218a1 488b45c0        mov     rax,qword ptr [rbp-40h]
00007ffb`0ee218a5 488945e0        mov     qword ptr [rbp-20h],rax

C:\Users\adafurma\Desktop\msp_windowsinternals\GenericUnsafeAlloc_core\Program.cs @ 172:
00007ffb`0ee218a9 e882f8ffff      call    00007ffb`0ee21130 (GenericUnsafeAlloc_core.GenericMemoryAllocator.HijackNew(), mdToken: 0000000006000008)
00007ffb`0ee218ae 90              nop

C:\Users\adafurma\Desktop\msp_windowsinternals\GenericUnsafeAlloc_core\Program.cs @ 173:
00007ffb`0ee218af e81cfeffff      call    00007ffb`0ee216d0 (System.Console.ReadLine(), mdToken: 0000000006000075)
00007ffb`0ee218b4 488945b8        mov     qword ptr [rbp-48h],rax
00007ffb`0ee218b8 90              nop

C:\Users\adafurma\Desktop\msp_windowsinternals\GenericUnsafeAlloc_core\Program.cs @ 174:
00007ffb`0ee218b9 48b91004576efb7f0000 mov     rcx,offset System_Private_CoreLib+0xa30410 (00007ffb`6e570410) (MT: System.Object)
00007ffb`0ee218c3 e8d8dfad5f      call    coreclr!JIT_TrialAllocSFastMP_InlineGetThread (00007ffb`6e8ff8a0)
00007ffb`0ee218c8 488945b0        mov     qword ptr [rbp-50h],rax
00007ffb`0ee218cc 488b4db0        mov     rcx,qword ptr [rbp-50h]
00007ffb`0ee218d0 e83b07365f      call    System_Private_CoreLib+0x642010 (00007ffb`6e182010) (System.Object..ctor(), mdToken: 0000000006000191)
00007ffb`0ee218d5 488b4db0        mov     rcx,qword ptr [rbp-50h]
00007ffb`0ee218d9 48894dd8        mov     qword ptr [rbp-28h],rcx

C:\Users\adafurma\Desktop\msp_windowsinternals\GenericUnsafeAlloc_core\Program.cs @ 177:
00007ffb`0ee218dd 48b96830cf1180020000 mov     rcx,28011CF3068h
00007ffb`0ee218e7 488b09          mov     rcx,qword ptr [rcx]
00007ffb`0ee218ea 48894da8        mov     qword ptr [rbp-58h],rcx
00007ffb`0ee218ee 488b4df0        mov     rcx,qword ptr [rbp-10h]
00007ffb`0ee218f2 e8f957ad5f      call    coreclr!GCInterface::GetGeneration (00007ffb`6e8f70f0)
00007ffb`0ee218f7 8945a4          mov     dword ptr [rbp-5Ch],eax
00007ffb`0ee218fa 48b96819576efb7f0000 mov     rcx,offset System_Private_CoreLib+0xa31968 (00007ffb`6e571968) (MT: System.Int32)
00007ffb`0ee21904 e897dfad5f      call    coreclr!JIT_TrialAllocSFastMP_InlineGetThread (00007ffb`6e8ff8a0)
00007ffb`0ee21909 48894598        mov     qword ptr [rbp-68h],rax
00007ffb`0ee2190d 488b5598        mov     rdx,qword ptr [rbp-68h]
00007ffb`0ee21911 8b4da4          mov     ecx,dword ptr [rbp-5Ch]
00007ffb`0ee21914 894a08          mov     dword ptr [rdx+8],ecx
00007ffb`0ee21917 488b5598        mov     rdx,qword ptr [rbp-68h]
00007ffb`0ee2191b 488b4da8        mov     rcx,qword ptr [rbp-58h]
00007ffb`0ee2191f e824feffff      call    00007ffb`0ee21748 (System.Console.WriteLine(System.String, System.Object), mdToken: 0000000006000084)
00007ffb`0ee21924 90              nop

C:\Users\adafurma\Desktop\msp_windowsinternals\GenericUnsafeAlloc_core\Program.cs @ 178:
00007ffb`0ee21925 48b97030cf1180020000 mov     rcx,28011CF3070h
00007ffb`0ee2192f 488b09          mov     rcx,qword ptr [rcx]
00007ffb`0ee21932 48894d90        mov     qword ptr [rbp-70h],rcx
00007ffb`0ee21936 488b4de8        mov     rcx,qword ptr [rbp-18h]
00007ffb`0ee2193a e8b157ad5f      call    coreclr!GCInterface::GetGeneration (00007ffb`6e8f70f0)
00007ffb`0ee2193f 89458c          mov     dword ptr [rbp-74h],eax
00007ffb`0ee21942 48b96819576efb7f0000 mov     rcx,offset System_Private_CoreLib+0xa31968 (00007ffb`6e571968) (MT: System.Int32)
00007ffb`0ee2194c e84fdfad5f      call    coreclr!JIT_TrialAllocSFastMP_InlineGetThread (00007ffb`6e8ff8a0)
00007ffb`0ee21951 48894598        mov     qword ptr [rbp-68h],rax
00007ffb`0ee21955 488b5598        mov     rdx,qword ptr [rbp-68h]
00007ffb`0ee21959 8b4d8c          mov     ecx,dword ptr [rbp-74h]
00007ffb`0ee2195c 894a08          mov     dword ptr [rdx+8],ecx
00007ffb`0ee2195f 488b5598        mov     rdx,qword ptr [rbp-68h]
00007ffb`0ee21963 488b4d90        mov     rcx,qword ptr [rbp-70h]
00007ffb`0ee21967 e8dcfdffff      call    00007ffb`0ee21748 (System.Console.WriteLine(System.String, System.Object), mdToken: 0000000006000084)
00007ffb`0ee2196c 90              nop

C:\Users\adafurma\Desktop\msp_windowsinternals\GenericUnsafeAlloc_core\Program.cs @ 179:
00007ffb`0ee2196d 48b97830cf1180020000 mov     rcx,28011CF3078h
00007ffb`0ee21977 488b09          mov     rcx,qword ptr [rcx]
00007ffb`0ee2197a 48894d80        mov     qword ptr [rbp-80h],rcx
00007ffb`0ee2197e 488b4de0        mov     rcx,qword ptr [rbp-20h]
00007ffb`0ee21982 e86957ad5f      call    coreclr!GCInterface::GetGeneration (00007ffb`6e8f70f0)
00007ffb`0ee21987 89857cffffff    mov     dword ptr [rbp-84h],eax
00007ffb`0ee2198d 48b96819576efb7f0000 mov     rcx,offset System_Private_CoreLib+0xa31968 (00007ffb`6e571968) (MT: System.Int32)
00007ffb`0ee21997 e804dfad5f      call    coreclr!JIT_TrialAllocSFastMP_InlineGetThread (00007ffb`6e8ff8a0)
00007ffb`0ee2199c 48894598        mov     qword ptr [rbp-68h],rax
00007ffb`0ee219a0 488b5598        mov     rdx,qword ptr [rbp-68h]
00007ffb`0ee219a4 8b8d7cffffff    mov     ecx,dword ptr [rbp-84h]
00007ffb`0ee219aa 894a08          mov     dword ptr [rdx+8],ecx
00007ffb`0ee219ad 488b5598        mov     rdx,qword ptr [rbp-68h]
00007ffb`0ee219b1 488b4d80        mov     rcx,qword ptr [rbp-80h]
00007ffb`0ee219b5 e88efdffff      call    00007ffb`0ee21748 (System.Console.WriteLine(System.String, System.Object), mdToken: 0000000006000084)
00007ffb`0ee219ba 90              nop

C:\Users\adafurma\Desktop\msp_windowsinternals\GenericUnsafeAlloc_core\Program.cs @ 180:
00007ffb`0ee219bb 48b98030cf1180020000 mov     rcx,28011CF3080h
00007ffb`0ee219c5 488b09          mov     rcx,qword ptr [rcx]
00007ffb`0ee219c8 48898d70ffffff  mov     qword ptr [rbp-90h],rcx
00007ffb`0ee219cf 488b4dd8        mov     rcx,qword ptr [rbp-28h]
00007ffb`0ee219d3 e81857ad5f      call    coreclr!GCInterface::GetGeneration (00007ffb`6e8f70f0)
00007ffb`0ee219d8 89856cffffff    mov     dword ptr [rbp-94h],eax
00007ffb`0ee219de 48b96819576efb7f0000 mov     rcx,offset System_Private_CoreLib+0xa31968 (00007ffb`6e571968) (MT: System.Int32)
00007ffb`0ee219e8 e8b3dead5f      call    coreclr!JIT_TrialAllocSFastMP_InlineGetThread (00007ffb`6e8ff8a0)
00007ffb`0ee219ed 48894598        mov     qword ptr [rbp-68h],rax
00007ffb`0ee219f1 488b5598        mov     rdx,qword ptr [rbp-68h]
00007ffb`0ee219f5 8b8d6cffffff    mov     ecx,dword ptr [rbp-94h]
00007ffb`0ee219fb 894a08          mov     dword ptr [rdx+8],ecx
00007ffb`0ee219fe 488b5598        mov     rdx,qword ptr [rbp-68h]
00007ffb`0ee21a02 488b8d70ffffff  mov     rcx,qword ptr [rbp-90h]
00007ffb`0ee21a09 e83afdffff      call    00007ffb`0ee21748 (System.Console.WriteLine(System.String, System.Object), mdToken: 0000000006000084)
00007ffb`0ee21a0e 90              nop

C:\Users\adafurma\Desktop\msp_windowsinternals\GenericUnsafeAlloc_core\Program.cs @ 181:
00007ffb`0ee21a0f 90              nop
00007ffb`0ee21a10 488d65f8        lea     rsp,[rbp-8]
00007ffb`0ee21a14 5f              pop     rdi
00007ffb`0ee21a15 5d              pop     rbp
00007ffb`0ee21a16 c3              ret
```
Now the allocator is called coreclr!JIT_TrialAllocSFastMP_InlineGetThread. Let's see:
```
0:003> !U 00007ffb`6e8ff8a0
Unmanaged code
>>> E:\A\_work\13\s\src\vm\amd64\JitHelpers_InlineGetThread.asm:40
00007ffb`6e8ff8a0 e92b2352a0      mov     edx,dword ptr [rcx+4]
```
Well, that was not very helpful; apparently something is wrong with WinDBG. Note, though, that the bytes and the mnemonic on that line do not agree: e9 followed by four bytes is the encoding of a 5-byte relative jmp, while mov edx,dword ptr [rcx+4] assembles to 8b 51 04. Anyway, after updating .NET Core everything works like a charm. Tested with Windows 10 x64 1703, .NET Core 2.1.301 x64, compiled as .NET Core 2.1 for Debug Any CPU (works for Release as well).
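Rather than trusting the mnemonic, the raw bytes in that !U line can be decoded on their own and the result looked up in the MethodDesc table printed earlier. The Python below is an added example, not code from the post: it treats the first bytes of the helper as a possible 5-byte relative jmp (opcode E9), computes the absolute target, and resolves it against the Entry column of a !dumpmt -md listing; the two excerpts are constructed from the listings in the post, and the function names are my own.

```python
import re
import struct

# Constructed excerpts of the two SOS listings shown in the post (addresses as printed there).
U_HELPER = "00007ffb`6e8ff8a0 e92b2352a0 mov edx,dword ptr [rcx+4]"
DUMPMT_ROWS = """\
00007ffb0ee21a30 00007ffb0ed05838 JIT GenericUnsafeAlloc_core.GenericMemoryAllocator..ctor()
00007ffb0ee21bd0 00007ffb0ed057f8 JIT GenericUnsafeAlloc_core.GenericMemoryAllocator.RawAllocate(IntPtr)
00007ffb0ee22290 00007ffb0ed05808 NONE GenericUnsafeAlloc_core.GenericMemoryAllocator.CreateObject()
00007ffb0ee21ed0 00007ffb0ed05828 JIT GenericUnsafeAlloc_core.GenericMemoryAllocator.HijackNew()
"""

# One !U line: "hhhhhhhh`llllllll <hex bytes> <mnemonic ...>"
U_LINE = re.compile(r"^([0-9a-f]{8})`([0-9a-f]{8})\s+([0-9a-f]+)\s+(.*)$")
# One row of the MethodDesc table: Entry, MethodDesc, JIT status, name.
MD_ROW = re.compile(r"^([0-9a-f]{16})\s+([0-9a-f]{16})\s+(PreJIT|JIT|NONE)\s+(\S.*)$")

def parse_u_line(line):
    """Split one !U line into (address, raw bytes, mnemonic text as printed)."""
    m = U_LINE.match(line.strip())
    if not m:
        raise ValueError("not a !U line: " + line)
    return int(m.group(1) + m.group(2), 16), bytes.fromhex(m.group(3)), m.group(4)

def decode_jmp_rel32(addr, code):
    """Return the absolute target if code starts with E9 rel32 (5-byte jmp), else None."""
    if len(code) < 5 or code[0] != 0xE9:
        return None
    disp, = struct.unpack("<i", code[1:5])          # rel32 is a signed little-endian offset
    return (addr + 5 + disp) & 0xFFFFFFFFFFFFFFFF   # relative to the next instruction

def method_entries(dumpmt_text):
    """Map native entry address -> method name from the MethodDesc table of !dumpmt -md."""
    entries = {}
    for line in dumpmt_text.splitlines():
        m = MD_ROW.match(line.strip())
        if m:
            entries[int(m.group(1), 16)] = m.group(4).strip()
    return entries

def explain_first_instruction(u_line, dumpmt_text):
    """Say whether the listed bytes are a detour and, if so, into which managed method."""
    addr, code, mnemonic = parse_u_line(u_line)
    target = decode_jmp_rel32(addr, code)
    return {"hooked": target is not None, "target": target, "mnemonic": mnemonic,
            "method": method_entries(dumpmt_text).get(target) if target is not None else None}

if __name__ == "__main__":
    print(explain_first_instruction(U_HELPER, DUMPMT_ROWS))
```

For the values in the post the jmp resolves to 00007ffb0ee21bd0, which the !dumpmt listing gives as the Entry of GenericMemoryAllocator.RawAllocate(IntPtr): the helper shown had already been detoured into the custom allocator, and checking a runtime helper's first instruction this way is how an inline hook on it is spotted.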