This is the tenth part of the Custom memory allocation series. For your convenience, you can find the other parts in the table of contents in Part 1 — Allocating object on a stack

I had .NET Core SDK 2.1.103 x64 installed (which still builds against the 2.0 runtime; note the netcoreapp2.0 output path below) and I wanted to hijack new with the code from the last post. Unfortunately, it crashed because of a very silly thing. Let's see:

0:003> .loadby sos coreclr
0:003> !name2ee * Program
Module:      00007ffb6db41000
Assembly:    System.Private.CoreLib.dll
--------------------------------------
Module:      00007ffb0ed04580
Assembly:    GenericUnsafeAlloc_core.dll
--------------------------------------
Module:      00007ffb0ed04df0
Assembly:    System.Runtime.dll
--------------------------------------
Module:      00007ffb0ed05bb8
Assembly:    System.Console.dll
--------------------------------------
Module:      00007ffb0ed06ef0
Assembly:    System.Runtime.InteropServices.dll
--------------------------------------
Module:      00007ffb0ed07b90
Assembly:    System.Threading.dll
--------------------------------------
Module:      00007ffb0ed08500
Assembly:    System.Runtime.Extensions.dll
0:003> !dumpmodule -mt 00007ffb0ed04580
Name:       C:\Users\adafurma\Desktop\msp_windowsinternals\GenericUnsafeAlloc_core\bin\Debug\netcoreapp2.0\GenericUnsafeAlloc_core.dll
Attributes: PEFile SupportsUpdateableMethods
Assembly:   000002803d1bbc60
LoaderHeap:              0000000000000000
TypeDefToMethodTableMap: 00007ffb0ed003a8
TypeRefToMethodTableMap: 00007ffb0ed003d8
MethodDefToDescMap:      00007ffb0ed004d0
FieldDefToDescMap:       00007ffb0ed00540
MemberRefToDescMap:      0000000000000000
FileReferencesMap:       00007ffb0ed00600
AssemblyReferencesMap:   00007ffb0ed00608
MetaData start address:  0000028001ca23a4 (3732 bytes)

Types defined in this module

              MT          TypeDef Name
------------------------------------------------------------------------------
00007ffb0ed05858 0x02000003 GenericUnsafeAlloc_core.GenericMemoryAllocator
00007ffb0ed05688 0x02000004 GenericUnsafeAlloc_core.Program
00007ffb0ed05950 0x02000005 GenericUnsafeAlloc_core.TestClass

Types referenced in this module

              MT            TypeRef Name
------------------------------------------------------------------------------
00007ffb6e570410 0x02000010 System.Object
00007ffb6e5705c0 0x02000012 System.RuntimeTypeHandle
00007ffb6e5745a0 0x02000013 System.RuntimeMethodHandle
00007ffb6e586dc8 0x02000014 System.IntPtr
00007ffb6e570690 0x02000015 System.Type
00007ffb6e571de8 0x02000016 System.Runtime.InteropServices.Marshal
00007ffb6e5740d0 0x02000019 System.Reflection.MethodBase
00007ffb6e573af0 0x0200001a System.Runtime.CompilerServices.RuntimeHelpers
00007ffb6e56fcb0 0x0200001b System.Byte
00007ffb0ed06d50 0x0200001c System.Console
00007ffb6e5745f0 0x0200001d System.GC
00007ffb6e571968 0x0200001e System.Int32
0:003> !dumpmt -md 00007ffb0ed05858 
EEClass:         00007ffb0eea1100
Module:          00007ffb0ed04580
Name:            GenericUnsafeAlloc_core.GenericMemoryAllocator
mdToken:         0000000002000003
File:            C:\Users\adafurma\Desktop\msp_windowsinternals\GenericUnsafeAlloc_core\bin\Debug\netcoreapp2.0\GenericUnsafeAlloc_core.dll
BaseSize:        0x18
ComponentSize:   0x0
Slots in VTable: 14
Number of IFaces in IFaceMap: 0
--------------------------------------
MethodDesc Table
           Entry       MethodDesc    JIT Name
00007ffb6e182020 00007ffb6dce0988 PreJIT System.Object.ToString()
00007ffb6e182040 00007ffb6dce0990 PreJIT System.Object.Equals(System.Object)
00007ffb6e182090 00007ffb6dce09b8 PreJIT System.Object.GetHashCode()
00007ffb6e1820a0 00007ffb6dce09d8 PreJIT System.Object.Finalize()
00007ffb0ee21e00 00007ffb0ed05840    JIT GenericUnsafeAlloc_core.GenericMemoryAllocator..cctor()
00007ffb0ee21a30 00007ffb0ed05838    JIT GenericUnsafeAlloc_core.GenericMemoryAllocator..ctor()
00007ffb0ee210f0 00007ffb0ed057d8   NONE GenericUnsafeAlloc_core.GenericMemoryAllocator.Allocate()
00007ffb0ee210c0 00007ffb0ed05770   NONE GenericUnsafeAlloc_core.GenericMemoryAllocator.VirtualProtect(IntPtr, UInt32, UInt32, UInt32 ByRef)
00007ffb0ee222f0 00007ffb0ed057b8    JIT GenericUnsafeAlloc_core.GenericMemoryAllocator.UnlockPage(IntPtr)
00007ffb0ee210e0 00007ffb0ed057c8   NONE GenericUnsafeAlloc_core.GenericMemoryAllocator.GetReferenceAsPointer(System.Object)
00007ffb0ee21bd0 00007ffb0ed057f8    JIT GenericUnsafeAlloc_core.GenericMemoryAllocator.RawAllocate(IntPtr)
00007ffb0ee22290 00007ffb0ed05808   NONE GenericUnsafeAlloc_core.GenericMemoryAllocator.CreateObject()
00007ffb0ee220f0 00007ffb0ed05818    JIT GenericUnsafeAlloc_core.GenericMemoryAllocator.GetAllocMethodAddress()
00007ffb0ee21ed0 00007ffb0ed05828    JIT GenericUnsafeAlloc_core.GenericMemoryAllocator.HijackNew()

Yes, CreateObject is reported as NONE, i.e. it has no native code, even though RuntimeHelpers.PrepareMethod was called on it (Allocate, VirtualProtect and GetReferenceAsPointer are in the same state). This matters for the hijack: for a NONE method the Entry column is the address of a precode stub, not of compiled code, so any raw function pointer taken from it does not point at the method body. A quick look at GitHub explains why (the behaviour was fixed in a newer runtime), so I updated the SDK and could carry on:

0:003> !dumpmt -md 00007ffb0ed05688 
EEClass:         00007ffb0eea1088
Module:          00007ffb0ed04580
Name:            GenericUnsafeAlloc_core.Program
mdToken:         0000000002000004
File:            C:\Users\adafurma\Desktop\msp_windowsinternals\GenericUnsafeAlloc_core\bin\Debug\netcoreapp2.0\GenericUnsafeAlloc_core.dll
BaseSize:        0x18
ComponentSize:   0x0
Slots in VTable: 6
Number of IFaces in IFaceMap: 0
--------------------------------------
MethodDesc Table
           Entry       MethodDesc    JIT Name
00007ffb6e182020 00007ffb6dce0988 PreJIT System.Object.ToString()
00007ffb6e182040 00007ffb6dce0990 PreJIT System.Object.Equals(System.Object)
00007ffb6e182090 00007ffb6dce09b8 PreJIT System.Object.GetHashCode()
00007ffb6e1820a0 00007ffb6dce09d8 PreJIT System.Object.Finalize()
00007ffb0ee210a0 00007ffb0ed05680   NONE GenericUnsafeAlloc_core.Program..ctor()
00007ffb0ee21810 00007ffb0ed05670    JIT GenericUnsafeAlloc_core.Program.Main()
0:003> !U 00007ffb0ee21810 
Normal JIT generated code
GenericUnsafeAlloc_core.Program.Main()
Begin 00007ffb0ee21810, size 207

C:\Users\adafurma\Desktop\msp_windowsinternals\GenericUnsafeAlloc_core\Program.cs @ 163:
>>> 00007ffb`0ee21810 55              push    rbp
00007ffb`0ee21811 57              push    rdi
00007ffb`0ee21812 4881ecb8000000  sub     rsp,0B8h
00007ffb`0ee21819 488dac24c0000000 lea     rbp,[rsp+0C0h]
00007ffb`0ee21821 488dbd6cffffff  lea     rdi,[rbp-94h]
00007ffb`0ee21828 b923000000      mov     ecx,23h
00007ffb`0ee2182d 33c0            xor     eax,eax
00007ffb`0ee2182f f3ab            rep stos dword ptr [rdi]
00007ffb`0ee21831 833dc831eeff00  cmp     dword ptr [00007ffb`0ed04a00],0
00007ffb`0ee21838 7405            je      00007ffb`0ee2183f
00007ffb`0ee2183a e801bfc45f      call    coreclr!JIT_DbgIsJustMyCode (00007ffb`6ea6d740)
00007ffb`0ee2183f 90              nop

C:\Users\adafurma\Desktop\msp_windowsinternals\GenericUnsafeAlloc_core\Program.cs @ 165:
00007ffb`0ee21840 48b95858d00efb7f0000 mov rcx,7FFB0ED05858h (MT: GenericUnsafeAlloc_core.GenericMemoryAllocator)
00007ffb`0ee2184a e851e0ad5f      call    coreclr!JIT_TrialAllocSFastMP_InlineGetThread (00007ffb`6e8ff8a0)
00007ffb`0ee2184f 488945d0        mov     qword ptr [rbp-30h],rax
00007ffb`0ee21853 488b4dd0        mov     rcx,qword ptr [rbp-30h]
00007ffb`0ee21857 e8e4f8ffff      call    00007ffb`0ee21140 (GenericUnsafeAlloc_core.GenericMemoryAllocator..ctor(), mdToken: 0000000006000009)
00007ffb`0ee2185c 488b4dd0        mov     rcx,qword ptr [rbp-30h]
00007ffb`0ee21860 48894df0        mov     qword ptr [rbp-10h],rcx

C:\Users\adafurma\Desktop\msp_windowsinternals\GenericUnsafeAlloc_core\Program.cs @ 166:
00007ffb`0ee21864 488b4df0        mov     rcx,qword ptr [rbp-10h]
00007ffb`0ee21868 48ba885ad00efb7f0000 mov rdx,7FFB0ED05A88h (MD: GenericUnsafeAlloc_core.GenericMemoryAllocator.Allocate[[GenericUnsafeAlloc_core.TestClass, GenericUnsafeAlloc_core]]())
00007ffb`0ee21872 3909            cmp     dword ptr [rcx],ecx
00007ffb`0ee21874 e8f7f8ffff      call    00007ffb`0ee21170 (GenericUnsafeAlloc_core.GenericMemoryAllocator.Allocate[[System.__Canon, System.Private.CoreLib]](), mdToken: 0000000006000004)
00007ffb`0ee21879 488945c8        mov     qword ptr [rbp-38h],rax
00007ffb`0ee2187d 488b4dc8        mov     rcx,qword ptr [rbp-38h]
00007ffb`0ee21881 48894de8        mov     qword ptr [rbp-18h],rcx

C:\Users\adafurma\Desktop\msp_windowsinternals\GenericUnsafeAlloc_core\Program.cs @ 169:
00007ffb`0ee21885 48b91004576efb7f0000 mov rcx,offset System_Private_CoreLib+0xa30410 (00007ffb`6e570410) (MT: System.Object)
00007ffb`0ee2188f e80ce0ad5f      call    coreclr!JIT_TrialAllocSFastMP_InlineGetThread (00007ffb`6e8ff8a0)
00007ffb`0ee21894 488945c0        mov     qword ptr [rbp-40h],rax
00007ffb`0ee21898 488b4dc0        mov     rcx,qword ptr [rbp-40h]
00007ffb`0ee2189c e86f07365f      call    System_Private_CoreLib+0x642010 (00007ffb`6e182010) (System.Object..ctor(), mdToken: 0000000006000191)
00007ffb`0ee218a1 488b45c0        mov     rax,qword ptr [rbp-40h]
00007ffb`0ee218a5 488945e0        mov     qword ptr [rbp-20h],rax

C:\Users\adafurma\Desktop\msp_windowsinternals\GenericUnsafeAlloc_core\Program.cs @ 172:
00007ffb`0ee218a9 e882f8ffff      call    00007ffb`0ee21130 (GenericUnsafeAlloc_core.GenericMemoryAllocator.HijackNew(), mdToken: 0000000006000008)
00007ffb`0ee218ae 90              nop

C:\Users\adafurma\Desktop\msp_windowsinternals\GenericUnsafeAlloc_core\Program.cs @ 173:
00007ffb`0ee218af e81cfeffff      call    00007ffb`0ee216d0 (System.Console.ReadLine(), mdToken: 0000000006000075)
00007ffb`0ee218b4 488945b8        mov     qword ptr [rbp-48h],rax
00007ffb`0ee218b8 90              nop

C:\Users\adafurma\Desktop\msp_windowsinternals\GenericUnsafeAlloc_core\Program.cs @ 174:
00007ffb`0ee218b9 48b91004576efb7f0000 mov rcx,offset System_Private_CoreLib+0xa30410 (00007ffb`6e570410) (MT: System.Object)
00007ffb`0ee218c3 e8d8dfad5f      call    coreclr!JIT_TrialAllocSFastMP_InlineGetThread (00007ffb`6e8ff8a0)
00007ffb`0ee218c8 488945b0        mov     qword ptr [rbp-50h],rax
00007ffb`0ee218cc 488b4db0        mov     rcx,qword ptr [rbp-50h]
00007ffb`0ee218d0 e83b07365f      call    System_Private_CoreLib+0x642010 (00007ffb`6e182010) (System.Object..ctor(), mdToken: 0000000006000191)
00007ffb`0ee218d5 488b4db0        mov     rcx,qword ptr [rbp-50h]
00007ffb`0ee218d9 48894dd8        mov     qword ptr [rbp-28h],rcx

C:\Users\adafurma\Desktop\msp_windowsinternals\GenericUnsafeAlloc_core\Program.cs @ 177:
00007ffb`0ee218dd 48b96830cf1180020000 mov rcx,28011CF3068h
00007ffb`0ee218e7 488b09          mov     rcx,qword ptr [rcx]
00007ffb`0ee218ea 48894da8        mov     qword ptr [rbp-58h],rcx
00007ffb`0ee218ee 488b4df0        mov     rcx,qword ptr [rbp-10h]
00007ffb`0ee218f2 e8f957ad5f      call    coreclr!GCInterface::GetGeneration (00007ffb`6e8f70f0)
00007ffb`0ee218f7 8945a4          mov     dword ptr [rbp-5Ch],eax
00007ffb`0ee218fa 48b96819576efb7f0000 mov rcx,offset System_Private_CoreLib+0xa31968 (00007ffb`6e571968) (MT: System.Int32)
00007ffb`0ee21904 e897dfad5f      call    coreclr!JIT_TrialAllocSFastMP_InlineGetThread (00007ffb`6e8ff8a0)
00007ffb`0ee21909 48894598        mov     qword ptr [rbp-68h],rax
00007ffb`0ee2190d 488b5598        mov     rdx,qword ptr [rbp-68h]
00007ffb`0ee21911 8b4da4          mov     ecx,dword ptr [rbp-5Ch]
00007ffb`0ee21914 894a08          mov     dword ptr [rdx+8],ecx
00007ffb`0ee21917 488b5598        mov     rdx,qword ptr [rbp-68h]
00007ffb`0ee2191b 488b4da8        mov     rcx,qword ptr [rbp-58h]
00007ffb`0ee2191f e824feffff      call    00007ffb`0ee21748 (System.Console.WriteLine(System.String, System.Object), mdToken: 0000000006000084)
00007ffb`0ee21924 90              nop

C:\Users\adafurma\Desktop\msp_windowsinternals\GenericUnsafeAlloc_core\Program.cs @ 178:
00007ffb`0ee21925 48b97030cf1180020000 mov rcx,28011CF3070h
00007ffb`0ee2192f 488b09          mov     rcx,qword ptr [rcx]
00007ffb`0ee21932 48894d90        mov     qword ptr [rbp-70h],rcx
00007ffb`0ee21936 488b4de8        mov     rcx,qword ptr [rbp-18h]
00007ffb`0ee2193a e8b157ad5f      call    coreclr!GCInterface::GetGeneration (00007ffb`6e8f70f0)
00007ffb`0ee2193f 89458c          mov     dword ptr [rbp-74h],eax
00007ffb`0ee21942 48b96819576efb7f0000 mov rcx,offset System_Private_CoreLib+0xa31968 (00007ffb`6e571968) (MT: System.Int32)
00007ffb`0ee2194c e84fdfad5f      call    coreclr!JIT_TrialAllocSFastMP_InlineGetThread (00007ffb`6e8ff8a0)
00007ffb`0ee21951 48894598        mov     qword ptr [rbp-68h],rax
00007ffb`0ee21955 488b5598        mov     rdx,qword ptr [rbp-68h]
00007ffb`0ee21959 8b4d8c          mov     ecx,dword ptr [rbp-74h]
00007ffb`0ee2195c 894a08          mov     dword ptr [rdx+8],ecx
00007ffb`0ee2195f 488b5598        mov     rdx,qword ptr [rbp-68h]
00007ffb`0ee21963 488b4d90        mov     rcx,qword ptr [rbp-70h]
00007ffb`0ee21967 e8dcfdffff      call    00007ffb`0ee21748 (System.Console.WriteLine(System.String, System.Object), mdToken: 0000000006000084)
00007ffb`0ee2196c 90              nop

C:\Users\adafurma\Desktop\msp_windowsinternals\GenericUnsafeAlloc_core\Program.cs @ 179:
00007ffb`0ee2196d 48b97830cf1180020000 mov rcx,28011CF3078h
00007ffb`0ee21977 488b09          mov     rcx,qword ptr [rcx]
00007ffb`0ee2197a 48894d80        mov     qword ptr [rbp-80h],rcx
00007ffb`0ee2197e 488b4de0        mov     rcx,qword ptr [rbp-20h]
00007ffb`0ee21982 e86957ad5f      call    coreclr!GCInterface::GetGeneration (00007ffb`6e8f70f0)
00007ffb`0ee21987 89857cffffff    mov     dword ptr [rbp-84h],eax
00007ffb`0ee2198d 48b96819576efb7f0000 mov rcx,offset System_Private_CoreLib+0xa31968 (00007ffb`6e571968) (MT: System.Int32)
00007ffb`0ee21997 e804dfad5f      call    coreclr!JIT_TrialAllocSFastMP_InlineGetThread (00007ffb`6e8ff8a0)
00007ffb`0ee2199c 48894598        mov     qword ptr [rbp-68h],rax
00007ffb`0ee219a0 488b5598        mov     rdx,qword ptr [rbp-68h]
00007ffb`0ee219a4 8b8d7cffffff    mov     ecx,dword ptr [rbp-84h]
00007ffb`0ee219aa 894a08          mov     dword ptr [rdx+8],ecx
00007ffb`0ee219ad 488b5598        mov     rdx,qword ptr [rbp-68h]
00007ffb`0ee219b1 488b4d80        mov     rcx,qword ptr [rbp-80h]
00007ffb`0ee219b5 e88efdffff      call    00007ffb`0ee21748 (System.Console.WriteLine(System.String, System.Object), mdToken: 0000000006000084)
00007ffb`0ee219ba 90              nop

C:\Users\adafurma\Desktop\msp_windowsinternals\GenericUnsafeAlloc_core\Program.cs @ 180:
00007ffb`0ee219bb 48b98030cf1180020000 mov rcx,28011CF3080h
00007ffb`0ee219c5 488b09          mov     rcx,qword ptr [rcx]
00007ffb`0ee219c8 48898d70ffffff  mov     qword ptr [rbp-90h],rcx
00007ffb`0ee219cf 488b4dd8        mov     rcx,qword ptr [rbp-28h]
00007ffb`0ee219d3 e81857ad5f      call    coreclr!GCInterface::GetGeneration (00007ffb`6e8f70f0)
00007ffb`0ee219d8 89856cffffff    mov     dword ptr [rbp-94h],eax
00007ffb`0ee219de 48b96819576efb7f0000 mov rcx,offset System_Private_CoreLib+0xa31968 (00007ffb`6e571968) (MT: System.Int32)
00007ffb`0ee219e8 e8b3dead5f      call    coreclr!JIT_TrialAllocSFastMP_InlineGetThread (00007ffb`6e8ff8a0)
00007ffb`0ee219ed 48894598        mov     qword ptr [rbp-68h],rax
00007ffb`0ee219f1 488b5598        mov     rdx,qword ptr [rbp-68h]
00007ffb`0ee219f5 8b8d6cffffff    mov     ecx,dword ptr [rbp-94h]
00007ffb`0ee219fb 894a08          mov     dword ptr [rdx+8],ecx
00007ffb`0ee219fe 488b5598        mov     rdx,qword ptr [rbp-68h]
00007ffb`0ee21a02 488b8d70ffffff  mov     rcx,qword ptr [rbp-90h]
00007ffb`0ee21a09 e83afdffff      call    00007ffb`0ee21748 (System.Console.WriteLine(System.String, System.Object), mdToken: 0000000006000084)
00007ffb`0ee21a0e 90              nop

C:\Users\adafurma\Desktop\msp_windowsinternals\GenericUnsafeAlloc_core\Program.cs @ 181:
00007ffb`0ee21a0f 90              nop
00007ffb`0ee21a10 488d65f8        lea     rsp,[rbp-8]
00007ffb`0ee21a14 5f              pop     rdi
00007ffb`0ee21a15 5d              pop     rbp
00007ffb`0ee21a16 c3              ret

On .NET Core the allocation helper is called coreclr!JIT_TrialAllocSFastMP_InlineGetThread. Note also, at Program.cs @ 166, that Main calls the shared System.__Canon instantiation of Allocate and passes the exact MethodDesc of Allocate[[TestClass]] in rdx as a hidden argument, which is how shared generic code learns its real type arguments. Let's see the helper:

0:003> !U 00007ffb`6e8ff8a0
Unmanaged code
>>> E:\A\_work\13\s\src\vm\amd64\JitHelpers_InlineGetThread.asm:40
00007ffb`6e8ff8a0 e92b2352a0          mov     edx,dword ptr [rcx+4]

At first sight this looks like WinDBG being confused, but the byte column tells the real story: the mnemonic printed next to them does not correspond to those bytes, because e9 2b 23 52 a0 is a 5-byte jmp rel32, not a mov. Its target is 0x00007ffb6e8ff8a5 + (signed) 0xa052232b = 0x00007ffb0ee21bd0, which is exactly the Entry of GenericUnsafeAlloc_core.GenericMemoryAllocator.RawAllocate(IntPtr) in the !dumpmt output above. In other words the first instruction of the helper had already been overwritten with a jump into our allocator, which is consistent with the hook from HijackNew being installed. Anyway, after updating .NET Core everything works like a charm. Tested with Windows 10 x64 1703, .NET Core SDK 2.1.301 x64, compiled as .NET Core 2.1, Debug, Any CPU (works for Release as well).
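Two checks from this post can be automated instead of done by eye: spotting methods whose JIT status is NONE in the `!dumpmt -md` table, and decoding what a patched helper entry actually jumps to. The script below is an added example written for this page, not code from the original series; it assumes the SOS column layout shown above (two 16-digit hex addresses, a JIT status, a name) and uses the MethodDesc table of GenericMemoryAllocator and the five helper bytes from the session as its constructed sample input.

```python
"""Parse SOS '!dumpmt -md' output and decode a patched runtime helper entry.

Added example for this post (not the original allocator code).  Assumes the
SOS column layout of .NET Core 2.x as shown in the WinDBG session above.
"""
import re
from typing import List, NamedTuple, Optional


class MethodEntry(NamedTuple):
    entry: int         # Entry column: precode stub for NONE, native code for JIT/PreJIT
    method_desc: int   # MethodDesc column
    jit: str           # PreJIT | JIT | NONE
    name: str


# One row of the MethodDesc Table: two 16-digit hex addresses, a JIT status, a name.
_ROW = re.compile(
    r"^\s*([0-9a-fA-F]{16})\s+([0-9a-fA-F]{16})\s+(PreJIT|JIT|NONE)\s+(\S.*?)\s*$"
)


def parse_dumpmt(text: str) -> List[MethodEntry]:
    """Extract MethodEntry rows from '!dumpmt -md' output; all other lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            rows.append(MethodEntry(int(m[1], 16), int(m[2], 16), m[3], m[4]))
    return rows


def not_jitted(rows: List[MethodEntry], name_prefix: str = "") -> List[str]:
    """Names of methods whose Entry still points at a precode stub (JIT status NONE)."""
    return [r.name for r in rows if r.jit == "NONE" and r.name.startswith(name_prefix)]


def decode_jmp_rel32(address: int, code: bytes) -> Optional[int]:
    """Target of an x86-64 'E9 rel32' jump located at address, or None if not a jmp."""
    if len(code) < 5 or code[0] != 0xE9:
        return None
    rel = int.from_bytes(code[1:5], "little", signed=True)   # rel32 is sign-extended
    return (address + 5 + rel) & 0xFFFF_FFFF_FFFF_FFFF        # relative to next instruction


def resolve_entry(rows: List[MethodEntry], address: int) -> Optional[str]:
    """Map a native address back to the method whose Entry it is, if any."""
    for r in rows:
        if r.entry == address:
            return r.name
    return None


# Constructed sample: the MethodDesc Table of GenericMemoryAllocator from this post.
DUMPMT_OUTPUT = """\
MethodDesc Table
           Entry       MethodDesc    JIT Name
00007ffb6e182020 00007ffb6dce0988 PreJIT System.Object.ToString()
00007ffb6e182040 00007ffb6dce0990 PreJIT System.Object.Equals(System.Object)
00007ffb6e182090 00007ffb6dce09b8 PreJIT System.Object.GetHashCode()
00007ffb6e1820a0 00007ffb6dce09d8 PreJIT System.Object.Finalize()
00007ffb0ee21e00 00007ffb0ed05840    JIT GenericUnsafeAlloc_core.GenericMemoryAllocator..cctor()
00007ffb0ee21a30 00007ffb0ed05838    JIT GenericUnsafeAlloc_core.GenericMemoryAllocator..ctor()
00007ffb0ee210f0 00007ffb0ed057d8   NONE GenericUnsafeAlloc_core.GenericMemoryAllocator.Allocate()
00007ffb0ee210c0 00007ffb0ed05770   NONE GenericUnsafeAlloc_core.GenericMemoryAllocator.VirtualProtect(IntPtr, UInt32, UInt32, UInt32 ByRef)
00007ffb0ee222f0 00007ffb0ed057b8    JIT GenericUnsafeAlloc_core.GenericMemoryAllocator.UnlockPage(IntPtr)
00007ffb0ee210e0 00007ffb0ed057c8   NONE GenericUnsafeAlloc_core.GenericMemoryAllocator.GetReferenceAsPointer(System.Object)
00007ffb0ee21bd0 00007ffb0ed057f8    JIT GenericUnsafeAlloc_core.GenericMemoryAllocator.RawAllocate(IntPtr)
00007ffb0ee22290 00007ffb0ed05808   NONE GenericUnsafeAlloc_core.GenericMemoryAllocator.CreateObject()
00007ffb0ee220f0 00007ffb0ed05818    JIT GenericUnsafeAlloc_core.GenericMemoryAllocator.GetAllocMethodAddress()
00007ffb0ee21ed0 00007ffb0ed05828    JIT GenericUnsafeAlloc_core.GenericMemoryAllocator.HijackNew()
"""

# Constructed sample: the first five bytes '!U' printed at
# coreclr!JIT_TrialAllocSFastMP_InlineGetThread in the session above.
HELPER_ADDRESS = 0x00007FFB6E8FF8A0
HELPER_BYTES = bytes.fromhex("e92b2352a0")


def report(dumpmt_text: str, helper_address: int, helper_bytes: bytes) -> dict:
    """Summarise both checks: un-jitted methods and where the patched helper jumps."""
    rows = parse_dumpmt(dumpmt_text)
    target = decode_jmp_rel32(helper_address, helper_bytes)
    return {
        "not_jitted": not_jitted(rows, "GenericUnsafeAlloc_core."),
        "jmp_target": target,
        "jmp_target_method": resolve_entry(rows, target) if target is not None else None,
    }


if __name__ == "__main__":
    for key, value in report(DUMPMT_OUTPUT, HELPER_ADDRESS, HELPER_BYTES).items():
        print(f"{key}: {hex(value) if isinstance(value, int) else value}")
```

Run on the sample it lists the four NONE methods (Allocate, VirtualProtect, GetReferenceAsPointer, CreateObject) and resolves the helper's first bytes to a jump landing on the Entry of RawAllocate(IntPtr). Feeding it a real `.db` dump of the helper instead of the five bytes copied from `!U` is the quickest way to tell a stale disassembly from a genuinely broken debugger.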