What assembly is this RuntimeAssembly?

Say that you are debugging a .NET application in windbg and happen to have a System.Reflection.RuntimeAssembly (the actual implementation of System.Reflection.Assembly) and you want to find out which assembly it actually references. You could try dumping the object (i'm using the sosex extension here):

0:004> !mdt -r 05f7868c
05f7868c (System.Reflection.RuntimeAssembly)
_ModuleResolve:NULL (System.Reflection.ModuleResolveEventHandler)
m_fullname:NULL (System.String)
m_syncRoot:NULL (System.Object)
m_assembly:0eaa4ba8 (System.IntPtr)
m_flags:0x0 (ASSEMBLY_FLAGS_UNKNOWN) (System.Reflection.RuntimeAssembly+ASSEMBLY_FLAGS)

That wasn't very helpful. The object is just a thin wrapper around the native object pointed to by m_assembly. So what is this object? This is what it looks like:

0:004> dd 0eaa4ba8 L30
0eaa4ba8 692addec 014ad1b8 0f7307d8 00000000
0eaa4bb8 0fd49ca4 0000000c 0987de05 00000000
0eaa4bc8 00000007 00000001 00000000 00000000
0eaa4bd8 00000000 00000000 6d079b44 0987de01
0eaa4be8 0f842758 00000000 005508d0 00000002
0eaa4bf8 00000000 00000000 00000000 00000001
0eaa4c08 00000000 00000005 0eaa4ba8 f149a627
0eaa4c18 191e1826 33a15c96 1fa78d20 00000000
0eaa4c28 00000000 00000000 00000101 00000000
0eaa4c38 36664efa 8c001f00 692addec …

A good trick is to check whether the first value is a vtable pointer:

0:004> ln 692addec
(692addec) clr!DomainAssembly::`vftable’ …

So apparently the object is a DomainAssembly object, whatever that is (you can find some of these classes in the Rotor source, but the structure of them are vastly different). Using this trick combined with the !mln sosex command we find:

692addec: clr!DomainAssembly::`vftable’
014ad1b8: -> to clr!AppDomain
0f7307d8: -> to clr!PEAssembly
0fd49ca4: -> to clr!EditAndContinueModule
0987de05: Heap Object: 09877108[System.Object[]]
offset 00006cfd
0987de04 -> RuntimeModule (05f78868) : m_runtimeAssemblt = 05f7868c
6d079b44: not a pointer
0987de01: Heap Object: 09877108[System.Object[]]
offset 00006cf9
0987de01 -> RuntimeAssembly (05f7868c)
0f842758: -> to clr!AssemblySecurityDescriptor
0eaa4ba8: -> this
f149a627: not a pointer
191e1826: not a pointer
33a15c96: not a pointer
1fa78d20: not a pointer
36664efa: not a pointer
8c001f00: not a pointer

692addec: start of next clr!DomainAssembly object…

The PEAssembly object:

0:004> dd 0f7307d8 L100
0f7307d8 692e2a64 0f5cb928 0f5cc828 00000000
692e2a64: vtable (clr!PEAssembly::`vftable’)
0f5cb928: ???
0f5cc828: ??
0f7307e8 00000001 00000001 0149fc38 00000000
0149fc38: -> to clr!MDInternalRO
0f7307f8 00000000 00000000 00000000 00000000
0f730808 0f5b1340 00000006 00000000 00002002
0f5b1340: ??
0f730818 00000000 00000000 00000000 00000000
0f730828 ffffffff ffffffff 00000000 00000000
0f730838 00000000 020007d0 c0000000 00000000
020007d0: not a pointer
0f730848 00000000 00000000 0ea0b930 0f722e80
0ea0b930: -> to clr!CAssemblyName
0f722e80: -> to clr!CAssembly
0f730858 00000000 00000001 00000000 00000000
0f730868 00000000 00000002 00000000 00000001
0f730878 35f26672 88001820 692e2a64 00000000
35f26672: not a pointer
88001820: not a pointer
692e2a64: vtable pointer for next PEAssembly

CAssemblyName? That sounds promising, right?

0:004> dd 0ea0b930
0ea0b930 692b3210 692de934 454d414e 00000005
0ea0b940 504f5250 00000000 00000000 00000000
0ea0b950 00000000 00000000 00000000 0f722a58


0:004> du 0f722a58
0f722a58 “AxInterop.AcroPDFLib”

There was the name. And we had a pointer to the AppDomain earlier, so that should be sufficient to uniquely identify the assembly. I haven't figured out where the actual assembly or module objects as used by !DumpAssembly and !DumpModule resides, but they are probably somewhere in there (the modules are CModule objects, the assembly objects starts with a null pointer, so I couldn't tell the C++ class from that).

Fixing frequent freezing of Wasteland 1 when using mouse

UPDATE: According to inXile this fix will probably be incorporated into the next patch.

UPDATE2: This has been incorporated into patch 2.

Wasteland (the original) has a problem where it randomly freezes after playing for some time.
From the known issues FAQ:

The game freeze frequently.
o This is a heritage issue which may be circumvented by using only the keyboard to control the game.


In general, fixing legacy issues is a quasi-impossibility as the original is not buildable.

I'm not completely sure about what they mean by "not buildable", but frankly I would rather that inXile focus on T:ToN and Wasteland 2 than wasting resources on fixing legacy code from 25 years ago. However nothing prevents me from "wasting" resources on fixing 25 year old dos games. So I took it upon myself to localize and fix the issue.

The short version is this: find rom\DATA\WLA.BIN in your steamapps/GoG folder and open it in your favourite hex editor, go to offset 0E5E where it says "77 1F" and replace with "EB 1F". The long version below explains how I figured this out, and probably requires a good understanding of x86 assembler and the PC platform to read.
Continue reading

__declspec(thread) on windows

Microsoft Visual C++ Compiler v.100 (the one for Visual Studio 2010) compiles the main function of the following short program:

__declspec(thread) int i = 0;

int main() {

To this:

int main(int argc, char **argv) {
00CC1890  push        ebp
00CC1891  mov         ebp,esp
00CC1893  sub         esp,0C0h
00CC1899  push        ebx
00CC189A  push        esi
00CC189B  push        edi
00CC189C  lea         edi,[ebp+FFFFFF40h]
00CC18A2  mov         ecx,30h
00CC18A7  mov         eax,0CCCCCCCCh
00CC18AC  rep stos    dword ptr es:[edi]
00CC18AE  mov         eax,dword ptr ds:[00CC8194h]
00CC18B3  mov         ecx,dword ptr fs:[0000002Ch]
00CC18BA  mov         edx,dword ptr [ecx+eax*4]
00CC18BD  mov         eax,dword ptr [edx+00000104h]
00CC18C3  add         eax,1
00CC18C6  mov         ecx,dword ptr ds:[00CC8194h]
00CC18CC  mov         edx,dword ptr fs:[0000002Ch]
00CC18D3  mov         ecx,dword ptr [edx+ecx*4]
00CC18D6  mov         dword ptr [ecx+00000104h],eax
00CC18DC  xor         eax,eax
00CC18DE  pop         edi
00CC18DF  pop         esi
00CC18E0  pop         ebx
00CC18E1  mov         esp,ebp
00CC18E3  pop         ebp
00CC18E4  ret

So what is going on here? The interesting part here is this:

ecx,dword ptr fs:[0000002Ch]

What is at fs:[0000002Ch]? The fs segment is offset to start at the start of the Thread Environment Block (TEB). Microsoft won’t tell you much except for “don’t touch”. Wikipedia has more information. Offset 2Ch is a pointer to the Thread Local Storage (TLS) slots. So it stores a TLS index at 00CC8194h, looks up the data at that TLS slot, which apparently is a pointer to an array of thread local values for that thread – where the variable i is placed at offset 104h.

So Microsoft tells us that the TEB is an internal structure subject to change from one Windows version to another, and toying around with it is a big no-no. And yet their compiler happily generates code that directly accesses this “internal implementation detail”.

Hipocrisy much?