From 1692fbeeefa23fb0289e0222b789e2caba27a971 Mon Sep 17 00:00:00 2001
From: Max Charlamb <maxcharlamb@microsoft.com>
Date: Wed, 17 Jun 2026 19:00:12 -0400
Subject: [PATCH 1/4] [cdac] x86: implement IGCInfoDecoder.EnumerateLiveSlots;
 unblock GCRoots stackref tests

Builds on the partial x86 IGCInfo support added in #129456 by porting the
remaining decoder pieces required for GC-root scanning on x86, so that
`IStackWalk.WalkStackReferences` returns live frame slots on x86 cDAC.

The x86 GC info uses the legacy bit-packed `InfoHdr` byte-stream encoding
(`src/coreclr/vm/gc_unwind_x86.inl`, `src/coreclr/inc/gcdecoder.cpp`)
instead of the modern `GcInfoDecoder` shared by other architectures, so
the implementation lives entirely on the existing `X86GCInfo` decoder
under `Contracts/GCInfo/X86/`.

Changes
-------

* `X86GCInfo`: add `UntrackedSlots` lazy property +
  `DecodeUntrackedSlots()` -- delta-decoded signed varints with the
  double-align-frame rebase from `gc_unwind_x86.inl:3467`.
* `X86GCInfo`: add `VarPtrLifetimes` lazy property +
  `DecodeVarPtrLifetimes()` -- triplets of (varOffs, begOffs delta,
  endOffs delta) for EBP-frame tracked locals.
* Two new public record types `UntrackedSlot` and `VarPtrLifetime`
  capture the decoded entries.
* `IsCodeOffsetInProlog` / `IsCodeOffsetInEpilog` helpers
  (offset-parameterised, so EnumerateLiveSlots can answer for any
  instruction offset without re-constructing X86GCInfo).
* `RegMaskToRegisterNumber` helper maps the single-bit `RegMask`
  flags-enum values to the x86 ModRM register numbers used by
  `X86Context.TryReadRegister` and `LiveSlot.RegisterNumber`.
* Implement `IGCInfoDecoder.EnumerateLiveSlots(uint offset, options)`:
  early-return empty in prolog/epilog (or aborted+non-interruptible),
  emit untracked locals (suppressed for filter funclets), emit VarPtr
  lifetimes covering `offset`, walk `Transitions` up to `offset`
  accumulating live registers + pushed pointer args, and emit a
  partially-interruptible `GcTransitionCall` exactly at `offset`.
* Flip `IGCInfoDecoder.GetSizeOfStackParameterArea` from
  `NotSupportedException` to `return 0` for x86 -- x86 has no
  separate outgoing-argument scratch area; per-offset transitions
  report pushed args directly, so the GcScanner scratch-area filter is
  a no-op (correct).
* Remove the `[SkipOnArch("x86", "GCInfo decoder does not support
  x86")]` markers on `GCRoots_WalkStackReferences_FindsRefs` and
  `GCRoots_RefsPointToValidObjects`.
* `DumpTests.targets`: add optional `DebuggeeFilter=<Name>` to
  restrict `GenerateAllDumps` to a single debuggee. Useful for
  iterative local x86 work where some other debuggee's publish may
  fail.
* `docs/design/datacontracts/GCInfo.md`: enumerate which
  `IGCInfoDecoder` APIs are wired up on x86.

Out of scope (deferred)
-----------------------

* `GetInterruptibleRanges` for x86 -- the only consumer is the
  catch-handler PC override in `StackWalk_1`; no x86-relevant
  scenarios today.
* "this"-pointer special-case reporting for synchronized methods
  (VarPtr 0x2 bit currently masked out).
* IPtrMask interior-pointer bitmaps for pushed args (uses the simpler
  per-push `Iptr` flag).
* Funclet handling beyond the existing `IsParentOfFuncletStackFrame`
  caller-side early-skip.
* Finer `IsActiveFrame` register filter precision.

Validation
----------

* All 2525 cDAC unit tests pass.
* The two unblocked `GCRoots_*` tests pass against a freshly
  generated x86 GCRoots dump.
* Broader `DumpTests` x86 sweep: 34 pass / 46 fail / 830 skip --
  net +2 vs. before this change (the two GCRoots tests), zero
  regressions. The 46 pre-existing failures are all unrelated to
  GCInfo (`ThreadDumpTests` / `ComWrappersDumpTests` /
  `RuntimeInfoDumpTests` / `WorkstationGCDumpTests` and similar).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 docs/design/datacontracts/GCInfo.md           |   2 +-
 .../Contracts/GCInfo/X86/GCInfo.cs            | 449 +++++++++++++++++-
 .../cdac/tests/DumpTests/DumpTests.targets    |   7 +-
 .../DumpTests/StackReferenceDumpTests.cs      |   2 -
 4 files changed, 450 insertions(+), 10 deletions(-)

diff --git a/docs/design/datacontracts/GCInfo.md b/docs/design/datacontracts/GCInfo.md
index 70964f409a93d1..871356c2ab9756 100644
--- a/docs/design/datacontracts/GCInfo.md
+++ b/docs/design/datacontracts/GCInfo.md
@@ -2,7 +2,7 @@
 
 This contract is for fetching information related to GCInfo associated with native code.
 
-The GCInfo contract has platform specific implementations as GCInfo differs per architecture. With the exception of x86, all platforms have a common encoding scheme with different encoding lengths and normalization functions for data. x86 uses an entirely different scheme which is partially supported by this contract.
+The GCInfo contract has platform specific implementations as GCInfo differs per architecture. With the exception of x86, all platforms have a common encoding scheme with different encoding lengths and normalization functions for data. x86 uses an entirely different scheme which is partially supported by this contract: x86 currently implements `GetCodeLength`, `GetStackBaseRegister`, `GetSizeOfStackParameterArea`, `GetCalleePoppedArgumentsSize`, and `EnumerateLiveSlots` (sufficient for SOS code-size lookups and for `WalkStackReferences` GC-root scanning). `GetInterruptibleRanges` is not yet implemented on x86 -- x86 does not encode explicit interruptible ranges; per-offset transitions are used instead, and the only consumer (catch-handler PC override in `StackWalk_1`) has no x86-relevant scenarios today.
 
 ## APIs of contract
 
diff --git a/src/native/managed/cdac/Microsoft.Diagnostics.DataContractReader.Contracts/Contracts/GCInfo/X86/GCInfo.cs b/src/native/managed/cdac/Microsoft.Diagnostics.DataContractReader.Contracts/Contracts/GCInfo/X86/GCInfo.cs
index 9a8c44f7234f38..93e23ac9e47484 100644
--- a/src/native/managed/cdac/Microsoft.Diagnostics.DataContractReader.Contracts/Contracts/GCInfo/X86/GCInfo.cs
+++ b/src/native/managed/cdac/Microsoft.Diagnostics.DataContractReader.Contracts/Contracts/GCInfo/X86/GCInfo.cs
@@ -69,6 +69,20 @@ public record X86GCInfo : IGCInfoDecoder
     public uint PushedArgSize => _pushedArgSize.Value;
     private readonly Lazy<uint> _pushedArgSize;
 
+    /// <summary>
+    /// The untracked frame variable table, always-live GC frame slots.
+    /// Decoded lazily on first access.
+    /// </summary>
+    public ImmutableArray<UntrackedSlot> UntrackedSlots => _untrackedSlots.Value;
+    private readonly Lazy<ImmutableArray<UntrackedSlot>> _untrackedSlots;
+
+    /// <summary>
+    /// The frame variable lifetime (VarPtr) table, per-offset-range tracked GC variables.
+    /// Decoded lazily on first access. Empty for non-EBP frames (only EBP frames track variables this way).
+    /// </summary>
+    public ImmutableArray<VarPtrLifetime> VarPtrLifetimes => _varPtrLifetimes.Value;
+    private readonly Lazy<ImmutableArray<VarPtrLifetime>> _varPtrLifetimes;
+
     public X86GCInfo(Target target, TargetPointer gcInfoAddress, uint gcInfoVersion, uint relativeOffset = 0)
     {
         if (gcInfoVersion < MINIMUM_SUPPORTED_GCINFO_VERSION)
@@ -151,6 +165,13 @@ public X86GCInfo(Target target, TargetPointer gcInfoAddress, uint gcInfoVersion,
 
         // Lazily calculate the pushed argument size. This forces the transitions to be decoded.
         _pushedArgSize = new(CalculatePushedArgSize);
+
+        // Lazily decode the untracked-locals and VarPtr tables. These live between the
+        // NoGCRegion table and the argument table in the bitstream; see DecodeTransitions
+        // for the layout. Like the transitions, the underlying GC info bytes are typically
+        // only present in full (or selectively included) memory dumps.
+        _untrackedSlots = new(DecodeUntrackedSlots);
+        _varPtrLifetimes = new(DecodeVarPtrLifetimes);
     }
 
     private ImmutableDictionary<int, List<BaseGcTransition>> DecodeTransitions()
@@ -243,6 +264,135 @@ private uint CalculatePushedArgSize()
         return (uint)(depth * _target.PointerSize);
     }
 
+    private ImmutableArray<UntrackedSlot> DecodeUntrackedSlots()
+    {
+        if (Header.UntrackedCount == 0)
+            return ImmutableArray<UntrackedSlot>.Empty;
+
+        // The untracked-locals table follows the NoGCRegions table in the bitstream
+        // (see DecodeTransitions for the section layout).
+        TargetPointer offset = _gcInfoAddress + _infoHdrSize;
+        for (int i = 0; i < Header.NoGCRegionCount; i++)
+        {
+            _target.GCDecodeUnsigned(ref offset);
+            _target.GCDecodeUnsigned(ref offset);
+        }
+
+        // Each entry is a signed varint, delta-encoded against the previous entry.
+        // Low 2 bits hold flags (byref=0x1, pinned=0x2); the remainder is the frame-relative
+        // stack offset. On EBP-frames the offset is EBP-relative; on ESP-frames it is
+        // ESP-relative. Double-aligned frames use a hybrid encoding: offsets that lie
+        // above the frame are EBP-relative even when the rest of the frame is ESP-based.
+        // Reference: gc_unwind_x86.inl:3467 (EnumGcRefsX86 untracked path) and
+        // ILCompiler.Reflection.ReadyToRun/x86/GcSlotTable.cs:127 (DecodeUntracked).
+        uint calleeSavedRegsCount = 0;
+        if (Header.DoubleAlign)
+        {
+            if (Header.EdiSaved) calleeSavedRegsCount++;
+            if (Header.EsiSaved) calleeSavedRegsCount++;
+            if (Header.EbxSaved) calleeSavedRegsCount++;
+        }
+
+        ImmutableArray<UntrackedSlot>.Builder builder = ImmutableArray.CreateBuilder<UntrackedSlot>((int)Header.UntrackedCount);
+        int lastStkOffs = 0;
+        for (uint i = 0; i < Header.UntrackedCount; i++)
+        {
+            int delta = _target.GCDecodeSigned(ref offset);
+            int stkOffs = lastStkOffs - delta;
+            lastStkOffs = stkOffs;
+
+            uint lowBits = OFFSET_MASK & (uint)stkOffs;
+            stkOffs = (int)((uint)stkOffs & ~OFFSET_MASK);
+
+            bool isEbpRelative = Header.EbpFrame;
+            if (Header.DoubleAlign &&
+                (uint)stkOffs >= _target.PointerSize * (Header.FrameSize + calleeSavedRegsCount))
+            {
+                // Double-aligned frame: offsets above the frame proper are EBP-relative.
+                isEbpRelative = true;
+                stkOffs -= (int)(_target.PointerSize * (Header.FrameSize + calleeSavedRegsCount));
+            }
+
+            builder.Add(new UntrackedSlot(stkOffs, isEbpRelative, lowBits));
+        }
+
+        return builder.MoveToImmutable();
+    }
+
+    private ImmutableArray<VarPtrLifetime> DecodeVarPtrLifetimes()
+    {
+        if (Header.VarPtrTableSize == 0)
+            return ImmutableArray<VarPtrLifetime>.Empty;
+
+        // The VarPtr table follows the untracked-locals table in the bitstream.
+        TargetPointer offset = _gcInfoAddress + _infoHdrSize;
+        for (int i = 0; i < Header.NoGCRegionCount; i++)
+        {
+            _target.GCDecodeUnsigned(ref offset);
+            _target.GCDecodeUnsigned(ref offset);
+        }
+        for (int i = 0; i < Header.UntrackedCount; i++)
+        {
+            _target.GCDecodeSigned(ref offset);
+        }
+
+        // Each entry is three unsigned varints: (varOffs, begOffs, endOffs).
+        // varOffs is absolute; begOffs is delta-from-previous-begOffs; endOffs is delta-from-begOffs.
+        // Low 2 bits of varOffs hold flags (byref=0x1, this=0x2 -- NOT pinned for tracked locals).
+        // Reference: gc_unwind_x86.inl varPtrTable processing and
+        // ILCompiler.Reflection.ReadyToRun/x86/GcSlotTable.cs:168 (DecodeFrameVariableLifetimeTable).
+        ImmutableArray<VarPtrLifetime>.Builder builder = ImmutableArray.CreateBuilder<VarPtrLifetime>((int)Header.VarPtrTableSize);
+        uint curOffs = 0;
+        for (uint i = 0; i < Header.VarPtrTableSize; i++)
+        {
+            uint varOffsRaw = _target.GCDecodeUnsigned(ref offset);
+            uint begOffs = _target.GCDecodeUDelta(ref offset, curOffs);
+            uint endOffs = _target.GCDecodeUDelta(ref offset, begOffs);
+
+            uint lowBits = varOffsRaw & OFFSET_MASK;
+            int stkOffs = (int)(varOffsRaw & ~OFFSET_MASK);
+
+            curOffs = begOffs;
+
+            builder.Add(new VarPtrLifetime(begOffs, endOffs, stkOffs, lowBits));
+        }
+
+        return builder.MoveToImmutable();
+    }
+
+    private const uint OFFSET_MASK = 0x3;
+
+    /// <summary>
+    /// Returns true if <paramref name="codeOffset"/> falls within the method's prolog.
+    /// </summary>
+    private bool IsCodeOffsetInProlog(uint codeOffset)
+        => codeOffset < Header.PrologSize;
+
+    /// <summary>
+    /// Returns true if <paramref name="codeOffset"/> falls within any epilog.
+    /// </summary>
+    private bool IsCodeOffsetInEpilog(uint codeOffset)
+    {
+        foreach (uint epilogStart in Header.Epilogs)
+        {
+            if (codeOffset > epilogStart && codeOffset < epilogStart + Header.EpilogSize)
+                return true;
+        }
+        return false;
+    }
+
+    /// <summary>
+    /// Converts a single-bit <see cref="RegMask"/> value to the platform-agnostic
+    /// register number used by <c>X86Context.TryReadRegister</c> and by <see cref="LiveSlot.RegisterNumber"/>.
+    /// EAX=0, ECX=1, EDX=2, EBX=3, ESP=4, EBP=5, ESI=6, EDI=7 -- matches the x86 ModRM encoding.
+    /// </summary>
+    private static uint RegMaskToRegisterNumber(RegMask reg)
+    {
+        // RegMask is a flags enum where each register sits on its own bit
+        // (EAX=0x1, ECX=0x2, ..., EDI=0x80). Log2 yields the register number.
+        return (uint)System.Numerics.BitOperations.Log2((uint)reg);
+    }
+
     uint IGCInfoDecoder.GetCodeLength() => MethodSize;
 
     uint IGCInfoDecoder.GetStackBaseRegister()
@@ -255,10 +405,14 @@ uint IGCInfoDecoder.GetStackBaseRegister()
     }
 
     uint IGCInfoDecoder.GetSizeOfStackParameterArea()
-        => throw new NotSupportedException(
-            "x86 GC info does not encode a separate outgoing-argument scratch area; the cDAC " +
-            "GC scanner does not consume scratch-area sizing on x86 (the legacy x86 GC walker " +
-            "reasons over per-offset transitions instead).");
+    {
+        // x86 GC info does not encode a separate outgoing-argument scratch area; the
+        // per-offset transitions report pushed argument pointers directly at each offset.
+        // Returning 0 disables the GcScanner's scratch-area filter on x86, which is the
+        // correct behaviour: the live state at a given offset (call site or fully-interruptible
+        // point) already excludes any args that have been popped by the time we resume there.
+        return 0;
+    }
 
     uint IGCInfoDecoder.GetCalleePoppedArgumentsSize()
     {
@@ -272,5 +426,290 @@ IReadOnlyList<InterruptibleRange> IGCInfoDecoder.GetInterruptibleRanges()
         => throw new NotSupportedException("x86 GC info does not encode explicit interruptible ranges; per-offset transitions are used instead. Decoding for the cDAC IGCInfoDecoder consumers is not yet implemented.");
 
     IReadOnlyList<LiveSlot> IGCInfoDecoder.EnumerateLiveSlots(uint instructionOffset, GcSlotEnumerationOptions options)
-        => throw new NotSupportedException("x86 GC info live-slot enumeration through IGCInfoDecoder is not yet implemented; the underlying InfoHdr/Transitions data is decoded but the IGCInfoDecoder.EnumerateLiveSlots adapter is future work.");
+    {
+        // x86 stack base encoding for LiveSlot.SpBase: 1 = SP-relative, 2 = FRAMEREG (EBP/EBP-double-aligned) relative.
+        // (See IGCInfo.cs LiveSlot docs and GcScanner.EnumGcRefsForManagedFrame for how these get resolved.)
+        const uint SP_REL = 1;
+        const uint FRAMEREG_REL = 2;
+
+        // In the prolog (before all locals are initialised) and in the epilog (after they've
+        // been torn down) the GC info doesn't accurately describe live slots. The runtime
+        // never suspends a thread inside the prolog/epilog under normal circumstances; the only
+        // path that reaches here is ExecutionAborted (thread abort or stack overflow). In that
+        // case we still drop reporting -- this matches native EnumGcRefsX86 in gc_unwind_x86.inl:3091
+        // which returns true without enumerating when we're in the prolog/epilog.
+        if (IsCodeOffsetInProlog(instructionOffset) || IsCodeOffsetInEpilog(instructionOffset))
+            return Array.Empty<LiveSlot>();
+
+        // For non-interruptible methods, an ExecutionAborted offset that isn't at a recorded
+        // safe point yields no reliable GC info; skip reporting as the native walker does
+        // (gc_unwind_x86.inl:3093).
+        if (options.IsExecutionAborted && !Header.Interruptible)
+            return Array.Empty<LiveSlot>();
+
+        List<LiveSlot> result = [];
+
+        // (1) Untracked frame locals -- always live for the entire method body.
+        // Filter funclets suppress untracked reporting because the parent frame already
+        // reports them (matches native EnumGcRefsX86 isFilterFunclet path).
+        if (!options.SuppressUntrackedSlots)
+        {
+            foreach (UntrackedSlot us in UntrackedSlots)
+            {
+                // LowBits encoding matches LiveSlot.GcFlags exactly: 0x1 = interior, 0x2 = pinned.
+                uint spBase = us.IsEbpRelative ? FRAMEREG_REL : SP_REL;
+                result.Add(new LiveSlot(IsRegister: false, RegisterNumber: 0, SpOffset: us.StackOffset, SpBase: spBase, GcFlags: us.LowBits));
+            }
+        }
+
+        // (2) VarPtr-tracked frame locals -- live when instructionOffset is within [Begin, End).
+        // Only EBP-frames produce entries here; the table is empty for ESP-frames.
+        {
+            uint spBase = Header.EbpFrame ? FRAMEREG_REL : SP_REL;
+            foreach (VarPtrLifetime vp in VarPtrLifetimes)
+            {
+                if (instructionOffset < vp.BeginOffset || instructionOffset >= vp.EndOffset)
+                    continue;
+
+                // VarPtr LowBits encoding differs from untracked: 0x1 = interior, 0x2 = "this"
+                // pointer (NOT pinned). The "this" pointer flag is consumed by special-case
+                // synchronized-method reporting in native code that this MVP cDAC decoder does
+                // not replicate. Map only the interior bit into LiveSlot.GcFlags.
+                uint gcFlags = vp.LowBits & 0x1u;
+                result.Add(new LiveSlot(IsRegister: false, RegisterNumber: 0, SpOffset: vp.StackOffset, SpBase: spBase, GcFlags: gcFlags));
+            }
+        }
+
+        // (3) Live registers and pushed pointer args from the transition stream.
+        EnumerateTransitionLiveSlots(instructionOffset, options, result, SP_REL);
+
+        return result;
+    }
+
+    /// <summary>
+    /// Walks <see cref="Transitions"/> up to and including <paramref name="instructionOffset"/>,
+    /// accumulating live register state and currently-pushed pointer arguments, and emits a
+    /// <see cref="LiveSlot"/> per live register / pushed pointer.
+    /// </summary>
+    /// <remarks>
+    /// For fully-interruptible methods, every transition strictly before
+    /// <paramref name="instructionOffset"/> contributes to the current state. For partially-
+    /// interruptible methods, the JIT only emits transitions at call sites (and at LIVE/DEAD
+    /// markers); the live state at the exact <paramref name="instructionOffset"/> is whatever
+    /// the most-recent call-site transition described.
+    /// </remarks>
+    private void EnumerateTransitionLiveSlots(
+        uint instructionOffset,
+        GcSlotEnumerationOptions options,
+        List<LiveSlot> result,
+        uint spRelBase)
+    {
+        // Set of registers currently holding live GC refs at the walked offset.
+        RegMask liveRegs = RegMask.NONE;
+        RegMask liveIptrRegs = RegMask.NONE;
+
+        // Pushed pointer args on the stack, keyed by ESP-relative byte offset (positive).
+        // Value: GcFlags (0x1 = interior). Use a sorted dictionary for deterministic output.
+        SortedDictionary<int, uint> pushedPtrs = new();
+
+        // Stack depth in pointer-size units, used by GcTransitionPointer offsets which are
+        // expressed as "argOffs from top of pushed args". Mirrors the depth bookkeeping in
+        // CalculatePushedArgSize.
+        int depthSlots = 0;
+
+        // For partially-interruptible methods, only the call-site state matters -- we collect
+        // the most-recent call site at-or-before instructionOffset and emit its registers/args.
+        GcTransitionCall? activeCallSite = null;
+
+        foreach (int offset in Transitions.Keys.OrderBy(o => o))
+        {
+            // Stop AFTER processing transitions at instructionOffset for fully-interruptible
+            // code. For partially-interruptible code, GcTransitionCall transitions can also
+            // contain register/arg state describing the call site.
+            if (offset > instructionOffset)
+                break;
+
+            foreach (BaseGcTransition transition in Transitions[offset])
+            {
+                switch (transition)
+                {
+                    case GcTransitionRegister regT:
+                        ApplyRegisterTransition(regT, ref liveRegs, ref liveIptrRegs, ref depthSlots, pushedPtrs);
+                        break;
+                    case GcTransitionPointer ptrT:
+                        ApplyPointerTransition(ptrT, ref depthSlots, pushedPtrs);
+                        break;
+                    case StackDepthTransition stackT:
+                        depthSlots += stackT.StackDepthChange;
+                        if (depthSlots < 0) depthSlots = 0;
+                        break;
+                    case GcTransitionCall callT when offset == (int)instructionOffset:
+                        // Partially-interruptible: this is the only kind of transition that
+                        // directly describes the call-site live state. For fully-interruptible
+                        // code, GcTransitionCall is informational only -- the surrounding
+                        // PUSH/POP/LIVE/DEAD transitions already maintain the state.
+                        activeCallSite = callT;
+                        break;
+                    case IPtrMask:
+                    case CalleeSavedRegister:
+                    case GcTransitionCall:
+                        // CalleeSavedRegister is purely informational for the stack walker.
+                        // IPtrMask is reserved for future interior-pointer-bitmap support;
+                        // the current MVP decoder does not propagate it onto pushed slots.
+                        // GcTransitionCall at offset != instructionOffset is also ignored.
+                        break;
+                    default:
+                        throw new InvalidOperationException($"Unsupported x86 GC transition: {transition.GetType().Name}");
+                }
+            }
+        }
+
+        // Emit live registers from accumulated state.
+        // The IsActiveFrame option controls whether scratch (callee-trashed) registers are
+        // reported. On non-leaf frames, the live registers are by definition scratch from the
+        // caller's perspective, so they should not be reported. Native EnumGcRefsX86 handles
+        // this via the willContinueExecution / ExecutionAborted flags interacting with the
+        // CHK_AND_REPORT_REG macro family.
+        if (options.IsActiveFrame || activeCallSite is not null)
+        {
+            // Iterate single-bit register values via RM_ALL.
+            foreach (RegMask r in EnumerateSingleRegs())
+            {
+                if ((liveRegs & r) == 0) continue;
+                uint gcFlags = (liveIptrRegs & r) != 0 ? 0x1u : 0u;
+                result.Add(new LiveSlot(IsRegister: true, RegisterNumber: RegMaskToRegisterNumber(r), SpOffset: 0, SpBase: 0, GcFlags: gcFlags));
+            }
+        }
+
+        // Emit pushed pointer args as SP-relative stack slots.
+        foreach (KeyValuePair<int, uint> pushed in pushedPtrs)
+        {
+            result.Add(new LiveSlot(IsRegister: false, RegisterNumber: 0, SpOffset: pushed.Key, SpBase: spRelBase, GcFlags: pushed.Value));
+        }
+
+        // Partially-interruptible call-site: emit its register set and pointer args directly.
+        if (activeCallSite is not null)
+        {
+            foreach (GcTransitionCall.CallRegister cr in activeCallSite.CallRegisters)
+            {
+                uint gcFlags = cr.IsByRef ? 0x1u : 0u;
+                result.Add(new LiveSlot(IsRegister: true, RegisterNumber: RegMaskToRegisterNumber(cr.Register), SpOffset: 0, SpBase: 0, GcFlags: gcFlags));
+            }
+            foreach (GcTransitionCall.PtrArg pa in activeCallSite.PtrArgs)
+            {
+                uint gcFlags = pa.LowBit != 0 ? 0x1u : 0u;
+                result.Add(new LiveSlot(IsRegister: false, RegisterNumber: 0, SpOffset: (int)pa.StackOffset, SpBase: spRelBase, GcFlags: gcFlags));
+            }
+        }
+    }
+
+    private static void ApplyRegisterTransition(
+        GcTransitionRegister regT,
+        ref RegMask liveRegs,
+        ref RegMask liveIptrRegs,
+        ref int depthSlots,
+        SortedDictionary<int, uint> pushedPtrs)
+    {
+        switch (regT.IsLive)
+        {
+            case Action.LIVE:
+                liveRegs |= regT.Register;
+                if (regT.Iptr) liveIptrRegs |= regT.Register;
+                else liveIptrRegs &= ~regT.Register;
+                break;
+            case Action.DEAD:
+                liveRegs &= ~regT.Register;
+                liveIptrRegs &= ~regT.Register;
+                break;
+            case Action.PUSH:
+                // The register's value is pushed onto the stack as a callee argument.
+                // Each push advances depth; record the slot at the new top-of-stack.
+                for (int i = 0; i < regT.PushCountOrPopSize; i++)
+                {
+                    depthSlots++;
+                    int sp = -depthSlots * 4; // x86 grows down; offset relative to call-site SP
+                    pushedPtrs[sp] = regT.Iptr ? 0x1u : 0u;
+                }
+                break;
+            case Action.POP:
+                // Pop unrolls the most recently pushed slots.
+                for (int i = 0; i < regT.PushCountOrPopSize && depthSlots > 0; i++)
+                {
+                    int sp = -depthSlots * 4;
+                    pushedPtrs.Remove(sp);
+                    depthSlots--;
+                }
+                break;
+            case Action.KILL:
+                // Used by EBP-frame partial-interrupt encoding to invalidate pushed args
+                // (kill all currently-tracked pushed pointers up to argOffset).
+                pushedPtrs.Clear();
+                depthSlots = 0;
+                break;
+        }
+    }
+
+    private static void ApplyPointerTransition(
+        GcTransitionPointer ptrT,
+        ref int depthSlots,
+        SortedDictionary<int, uint> pushedPtrs)
+    {
+        switch (ptrT.Act)
+        {
+            case Action.PUSH:
+                depthSlots++;
+                int spPush = -depthSlots * 4;
+                pushedPtrs[spPush] = ptrT.Iptr ? 0x1u : 0u;
+                break;
+            case Action.POP:
+                // ArgOffset slots are popped from the top of the pushed-args stack.
+                for (uint i = 0; i < ptrT.ArgOffset && depthSlots > 0; i++)
+                {
+                    int sp = -depthSlots * 4;
+                    pushedPtrs.Remove(sp);
+                    depthSlots--;
+                }
+                break;
+            case Action.KILL:
+                pushedPtrs.Clear();
+                depthSlots = 0;
+                break;
+        }
+    }
+
+    private static IEnumerable<RegMask> EnumerateSingleRegs()
+    {
+        yield return RegMask.EAX;
+        yield return RegMask.ECX;
+        yield return RegMask.EDX;
+        yield return RegMask.EBX;
+        yield return RegMask.EBP;
+        yield return RegMask.ESI;
+        yield return RegMask.EDI;
+        // ESP is intentionally excluded -- it's never a live GC ref holder.
+    }
 }
+
+/// <summary>
+/// An always-live GC frame slot (entry of the untracked-locals table).
+/// The slot is live for the entire method body (post-prolog, pre-epilog).
+/// </summary>
+/// <param name="StackOffset">Frame-relative byte offset of the slot.</param>
+/// <param name="IsEbpRelative">True if <see cref="StackOffset"/> is EBP-relative; false if ESP-relative.</param>
+/// <param name="LowBits">Raw flag bits from the encoded offset (0x1 = byref/interior, 0x2 = pinned).</param>
+public readonly record struct UntrackedSlot(int StackOffset, bool IsEbpRelative, uint LowBits);
+
+/// <summary>
+/// A tracked GC frame variable with a per-offset lifetime range (entry of the
+/// FrameVariableLifetime / VarPtr table). The slot is live while the executing
+/// instruction offset lies in <c>[BeginOffset, EndOffset)</c>.
+/// VarPtr-tracked variables only exist on EBP-based frames.
+/// </summary>
+/// <param name="BeginOffset">Inclusive code offset (relative to method start) at which the slot becomes live.</param>
+/// <param name="EndOffset">Exclusive code offset at which the slot becomes dead.</param>
+/// <param name="StackOffset">Frame-relative byte offset of the slot (EBP-relative on EBP frames, ESP-relative otherwise).</param>
+/// <param name="LowBits">
+/// Raw flag bits from the encoded offset (0x1 = byref/interior, 0x2 = "this" pointer -- note that for
+/// tracked locals the 0x2 bit means "this", not "pinned" as it does for untracked slots).
+/// </param>
+public readonly record struct VarPtrLifetime(uint BeginOffset, uint EndOffset, int StackOffset, uint LowBits);
diff --git a/src/native/managed/cdac/tests/DumpTests/DumpTests.targets b/src/native/managed/cdac/tests/DumpTests/DumpTests.targets
index cac9cc85219315..36ecbb466094e4 100644
--- a/src/native/managed/cdac/tests/DumpTests/DumpTests.targets
+++ b/src/native/managed/cdac/tests/DumpTests/DumpTests.targets
@@ -72,9 +72,12 @@
     <TestHostDir>$([MSBuild]::NormalizeDirectory('$(RepoRoot)', 'artifacts', 'bin', 'testhost', '$(NetCoreAppCurrent)-$(HostOS)-$(_TestHostConfig)-$(_HostArch)'))</TestHostDir>
   </PropertyGroup>
 
-  <!-- Auto-discover debuggee csproj files from the Debuggees/ subdirectory. -->
+  <!-- Auto-discover debuggee csproj files from the Debuggees/ subdirectory.
+       Pass /p:DebuggeeFilter=<Name> to restrict generation/build to a single debuggee
+       (useful for iterative local x86 work where some other debuggee's publish may fail). -->
   <ItemGroup>
-    <DebuggeeCsproj Include="$(DebuggeesDir)*\*.csproj" />
+    <DebuggeeCsproj Include="$(DebuggeesDir)*\*.csproj" Condition="'$(DebuggeeFilter)' == ''" />
+    <DebuggeeCsproj Include="$(DebuggeesDir)$(DebuggeeFilter)\$(DebuggeeFilter).csproj" Condition="'$(DebuggeeFilter)' != ''" />
   </ItemGroup>
 
   <!-- Runtime versions to create dumps for.
diff --git a/src/native/managed/cdac/tests/DumpTests/StackReferenceDumpTests.cs b/src/native/managed/cdac/tests/DumpTests/StackReferenceDumpTests.cs
index 0a849fc577e514..f4f77f2e0b2dd9 100644
--- a/src/native/managed/cdac/tests/DumpTests/StackReferenceDumpTests.cs
+++ b/src/native/managed/cdac/tests/DumpTests/StackReferenceDumpTests.cs
@@ -56,7 +56,6 @@ public void WalkStackReferences_RefsHaveValidSourceInfo(TestConfiguration config
     [ConditionalTheory]
     [MemberData(nameof(TestConfigurations))]
     [SkipOnVersion("net10.0", "InlinedCallFrame.Datum was added after net10.0")]
-    [SkipOnArch("x86", "GCInfo decoder does not support x86")]
     public void GCRoots_WalkStackReferences_FindsRefs(TestConfiguration config)
     {
         InitializeDumpTest(config, "GCRoots", "full");
@@ -73,7 +72,6 @@ public void GCRoots_WalkStackReferences_FindsRefs(TestConfiguration config)
     [ConditionalTheory]
     [MemberData(nameof(TestConfigurations))]
     [SkipOnVersion("net10.0", "InlinedCallFrame.Datum was added after net10.0")]
-    [SkipOnArch("x86", "GCInfo decoder does not support x86")]
     public void GCRoots_RefsPointToValidObjects(TestConfiguration config)
     {
         InitializeDumpTest(config, "GCRoots", "full");

From 687b4f65bea08dca80a68d25618f1b9d09b588e7 Mon Sep 17 00:00:00 2001
From: Max Charlamb <maxcharlamb@microsoft.com>
Date: Wed, 17 Jun 2026 19:03:53 -0400
Subject: [PATCH 2/4] docs: move GCInfo.md x86 details to dedicated section

The intro paragraph was getting wordy with the per-API status; pull that
content out into a new "x86 specifics" section at the end of the file
with a table covering supported/not-implemented APIs and a deferred-edges
list. Intro now just notes that x86 is partially supported and links to
the section.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 docs/design/datacontracts/GCInfo.md | 27 ++++++++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)

diff --git a/docs/design/datacontracts/GCInfo.md b/docs/design/datacontracts/GCInfo.md
index 871356c2ab9756..260f9f4c89e7d0 100644
--- a/docs/design/datacontracts/GCInfo.md
+++ b/docs/design/datacontracts/GCInfo.md
@@ -2,7 +2,7 @@
 
 This contract is for fetching information related to GCInfo associated with native code.
 
-The GCInfo contract has platform specific implementations as GCInfo differs per architecture. With the exception of x86, all platforms have a common encoding scheme with different encoding lengths and normalization functions for data. x86 uses an entirely different scheme which is partially supported by this contract: x86 currently implements `GetCodeLength`, `GetStackBaseRegister`, `GetSizeOfStackParameterArea`, `GetCalleePoppedArgumentsSize`, and `EnumerateLiveSlots` (sufficient for SOS code-size lookups and for `WalkStackReferences` GC-root scanning). `GetInterruptibleRanges` is not yet implemented on x86 -- x86 does not encode explicit interruptible ranges; per-offset transitions are used instead, and the only consumer (catch-handler PC override in `StackWalk_1`) has no x86-relevant scenarios today.
+The GCInfo contract has platform specific implementations as GCInfo differs per architecture. With the exception of x86, all platforms have a common encoding scheme with different encoding lengths and normalization functions for data. x86 uses an entirely different scheme which is partially supported by this contract; see [x86 specifics](#x86-specifics) below.
 
 ## APIs of contract
 
@@ -603,3 +603,28 @@ IReadOnlyList<LiveSlot> EnumerateLiveSlots(IGCInfoHandle handle,
     // Collect each live slot into a list and return it.
 }
 ```
+
+
+## x86 specifics
+
+x86 uses the legacy bit-packed `InfoHdr` byte-stream encoding (`src/coreclr/vm/gc_unwind_x86.inl`, `src/coreclr/inc/gcdecoder.cpp`) rather than the modern `GcInfoDecoder` shared by all other architectures. The cDAC decoder lives at `src/native/managed/cdac/Microsoft.Diagnostics.DataContractReader.Contracts/Contracts/GCInfo/X86/` and is shared with the x86 stack walker.
+
+### Supported APIs
+
+| API | Status |
+|---|---|
+| `GetCodeLength` | Implemented |
+| `GetStackBaseRegister` | Implemented |
+| `GetSizeOfStackParameterArea` | Implemented (always returns 0; x86 has no separate outgoing-argument scratch area) |
+| `GetCalleePoppedArgumentsSize` | Implemented (mirrors native `EECodeManager::GetStackParameterSize`) |
+| `EnumerateLiveSlots` | Implemented; supports untracked frame locals, VarPtr-tracked lifetimes, and live register / pushed pointer-arg state derived from the per-offset transition stream |
+| `GetInterruptibleRanges` | Not implemented -- x86 does not encode explicit interruptible ranges. The only consumer is the catch-handler PC override in `StackWalk_1`, which has no x86-relevant scenarios today. |
+
+### Deferred edges
+
+These do not affect the GC root scan / `WalkStackReferences` path used by SOS today, but are noted for future work:
+
+- "this"-pointer special-case reporting for synchronized methods (VarPtr `0x2` tracked-local bit is currently masked out -- on x86 it means "this", not pinned).
+- `IPtrMask` interior-pointer bitmaps for pushed args -- the decoder currently uses the simpler per-push `Iptr` flag instead of consuming the IPtrMask transitions.
+- Funclet handling beyond the existing `IsParentOfFuncletStackFrame` caller-side early-skip.
+- Finer `IsActiveFrame` register filter precision (currently emits live registers when the frame is active or when an active call-site transition was found).

From 4fdd75dd90659de188d283d1677f8c0e8c6bd1d5 Mon Sep 17 00:00:00 2001
From: Max Charlamb <maxcharlamb@microsoft.com>
Date: Thu, 18 Jun 2026 09:54:29 -0400
Subject: [PATCH 3/4] [cdac] x86 GetInterruptibleRanges: implement properly +
 correct doc

Context: x86 has used the funclet EH model since PR #115957 / #122872
(I had previously assumed otherwise and documented this API as
intentionally not implemented). Catch funclet unwinding does call into
`IGCInfo.GetInterruptibleRanges` via the parent-frame PC override
path in `StackWalk_1.WalkStackReferences`, so throwing
`NotSupportedException` is a real correctness gap (silently swallowed
by the per-frame try/catch and producing missed parent-frame GC roots).

Implementation
--------------

Match the semantics of the native x86 walker (`EnumGcRefsX86` in
`gc_unwind_x86.inl`):

* Fully interruptible (`Header.Interruptible == true`): emit one range
  per gap between the prolog end and each epilog start, plus a final
  range from the last epilog end to `MethodSize`. This mirrors the
  native walker's prolog/epilog short-circuit return at line 3091.
* Partially interruptible: walk `Transitions` and emit a single-byte
  `(offset, offset + 1)` range for each `GcTransitionCall`. Per the
  native partial-interrupt encoding doc (`gc_unwind_x86.inl:1066+`),
  call sites are the only GC-safe points in this mode -- the
  intervening `GcTransitionRegister` / `GcTransitionPointer` /
  `StackDepthTransition` / `IPtrMask` / `CalleeSavedRegister`
  events are all bookkeeping, not safe points.

Docs
----

Update `docs/design/datacontracts/GCInfo.md` x86 specifics:

* Move `GetInterruptibleRanges` from "Not implemented" to
  "Implemented" in the supported APIs table.
* Remove the false claim that x86 has no funclets / no x86-relevant
  scenarios for this API.
* Reference PR #115957 (Enable new exception handling on win-x86) for
  context on the EH model.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 docs/design/datacontracts/GCInfo.md           |  2 +-
 .../Contracts/GCInfo/X86/GCInfo.cs            | 52 ++++++++++++++++++-
 2 files changed, 52 insertions(+), 2 deletions(-)

diff --git a/docs/design/datacontracts/GCInfo.md b/docs/design/datacontracts/GCInfo.md
index 260f9f4c89e7d0..73ca200f3b31ce 100644
--- a/docs/design/datacontracts/GCInfo.md
+++ b/docs/design/datacontracts/GCInfo.md
@@ -618,7 +618,7 @@ x86 uses the legacy bit-packed `InfoHdr` byte-stream encoding (`src/coreclr/vm/g
 | `GetSizeOfStackParameterArea` | Implemented (always returns 0; x86 has no separate outgoing-argument scratch area) |
 | `GetCalleePoppedArgumentsSize` | Implemented (mirrors native `EECodeManager::GetStackParameterSize`) |
 | `EnumerateLiveSlots` | Implemented; supports untracked frame locals, VarPtr-tracked lifetimes, and live register / pushed pointer-arg state derived from the per-offset transition stream |
-| `GetInterruptibleRanges` | Not implemented -- x86 does not encode explicit interruptible ranges. The only consumer is the catch-handler PC override in `StackWalk_1`, which has no x86-relevant scenarios today. |
+| `GetInterruptibleRanges` | Implemented. Fully-interruptible methods report one range covering the post-prolog body; partially-interruptible methods emit each call site as a single-byte range. Used by `StackWalk_1.WalkStackReferences` when adjusting the GC-reporting PC for parent frames of catch funclets (x86 now uses the funclet EH model, see PR [#115957](https://github.com/dotnet/runtime/pull/115957)). |
 
 ### Deferred edges
 
diff --git a/src/native/managed/cdac/Microsoft.Diagnostics.DataContractReader.Contracts/Contracts/GCInfo/X86/GCInfo.cs b/src/native/managed/cdac/Microsoft.Diagnostics.DataContractReader.Contracts/Contracts/GCInfo/X86/GCInfo.cs
index 93e23ac9e47484..85fda80aef6884 100644
--- a/src/native/managed/cdac/Microsoft.Diagnostics.DataContractReader.Contracts/Contracts/GCInfo/X86/GCInfo.cs
+++ b/src/native/managed/cdac/Microsoft.Diagnostics.DataContractReader.Contracts/Contracts/GCInfo/X86/GCInfo.cs
@@ -423,7 +423,57 @@ uint IGCInfoDecoder.GetCalleePoppedArgumentsSize()
     }
 
     IReadOnlyList<InterruptibleRange> IGCInfoDecoder.GetInterruptibleRanges()
-        => throw new NotSupportedException("x86 GC info does not encode explicit interruptible ranges; per-offset transitions are used instead. Decoding for the cDAC IGCInfoDecoder consumers is not yet implemented.");
+    {
+        // The x86 GC info `interruptible` header bit divides methods into two encodings:
+        //
+        // * Fully interruptible (`Header.Interruptible == true`): every offset in the
+        //   method body (post-prolog, pre-epilog) is GC-safe. The C++ walker
+        //   (`EnumGcRefsX86` in gc_unwind_x86.inl) explicitly returns without
+        //   reporting refs when the queried offset falls inside the prolog or any
+        //   epilog, so we exclude those regions here too.
+        // * Partially interruptible (`Header.Interruptible == false`): only call sites
+        //   are GC-safe. Each call site appears as a `GcTransitionCall` at its code
+        //   offset. We surface each as a single-byte range so the only consumer
+        //   (the catch-handler PC override in `StackWalk_1.WalkStackReferences`) can
+        //   pick the first call-site offset at or after the clause start.
+        if (Header.Interruptible)
+        {
+            // Body minus prolog minus all epilogs. Epilogs are stored as code offsets
+            // (start of each epilog); each spans `EpilogSize` bytes.
+            uint cursor = Header.PrologSize;
+            uint methodSize = MethodSize;
+            List<InterruptibleRange> ranges = [];
+            foreach (int epilogStart in Header.Epilogs.OrderBy(e => e))
+            {
+                uint eStart = (uint)epilogStart;
+                uint eEnd = eStart + Header.EpilogSize;
+                if (eStart > cursor)
+                    ranges.Add(new InterruptibleRange(cursor, eStart));
+                cursor = Math.Max(cursor, eEnd);
+            }
+            if (cursor < methodSize)
+                ranges.Add(new InterruptibleRange(cursor, methodSize));
+            return ranges;
+        }
+
+        // Partially interruptible: emit each call-site offset as a (offset, offset+1) range.
+        List<InterruptibleRange> callRanges = [];
+        foreach (int offset in Transitions.Keys.OrderBy(o => o))
+        {
+            if ((uint)offset < Header.PrologSize)
+                continue;
+
+            foreach (BaseGcTransition transition in Transitions[offset])
+            {
+                if (transition is GcTransitionCall)
+                {
+                    callRanges.Add(new InterruptibleRange((uint)offset, (uint)offset + 1));
+                    break;
+                }
+            }
+        }
+        return callRanges;
+    }
 
     IReadOnlyList<LiveSlot> IGCInfoDecoder.EnumerateLiveSlots(uint instructionOffset, GcSlotEnumerationOptions options)
     {

From cb82b21d481d0e6d812337064b7e8be56841737b Mon Sep 17 00:00:00 2001
From: Max Charlamb <maxcharlamb@microsoft.com>
Date: Thu, 18 Jun 2026 09:55:59 -0400
Subject: [PATCH 4/4] [cdac] Rename x86 GCInfo.cs to X86GCInfo.cs to match the
 class name

Pure file rename (git mv) -- the class was renamed `GCInfo` -> `X86GCInfo`
in #129456 to avoid collision with the empty IGCInfo fallback struct, but
the file kept the old name. Bring the filename in line.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .../Contracts/GCInfo/X86/{GCInfo.cs => X86GCInfo.cs}              | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename src/native/managed/cdac/Microsoft.Diagnostics.DataContractReader.Contracts/Contracts/GCInfo/X86/{GCInfo.cs => X86GCInfo.cs} (100%)

diff --git a/src/native/managed/cdac/Microsoft.Diagnostics.DataContractReader.Contracts/Contracts/GCInfo/X86/GCInfo.cs b/src/native/managed/cdac/Microsoft.Diagnostics.DataContractReader.Contracts/Contracts/GCInfo/X86/X86GCInfo.cs
similarity index 100%
rename from src/native/managed/cdac/Microsoft.Diagnostics.DataContractReader.Contracts/Contracts/GCInfo/X86/GCInfo.cs
rename to src/native/managed/cdac/Microsoft.Diagnostics.DataContractReader.Contracts/Contracts/GCInfo/X86/X86GCInfo.cs