Merge pull request #15087 from BruceForstall/FixJmpGsCheck

Fix RyuJIT/arm32 GS cookie check before JMP call

1 files changed, 9 insertions, 3 deletions

diff --git a/src/jit/codegencommon.cpp b/src/jit/codegencommon.cpp
index 54b0388fe4..53b1eb36c0 100644
--- a/src/jit/codegencommon.cpp
+++ b/src/jit/codegencommon.cpp
@@ -2647,7 +2647,7 @@ emitJumpKind CodeGen::genJumpKindForOper(genTreeOps cmp, CompareKind compareKind
 #ifdef _TARGET_ARMARCH_
 //------------------------------------------------------------------------
 // genEmitGSCookieCheck: Generate code to check that the GS cookie
-// wasn't thrashed by a buffer overrun. Coomon code for ARM32 and ARM64
+// wasn't thrashed by a buffer overrun. Common code for ARM32 and ARM64.
 //
 void CodeGen::genEmitGSCookieCheck(bool pushReg)
 {
@@ -2658,8 +2658,14 @@ void CodeGen::genEmitGSCookieCheck(bool pushReg)
     if (!pushReg && (compiler->info.compRetType == TYP_REF))
         gcInfo.gcRegGCrefSetCur |= RBM_INTRET;
 
-    regNumber regGSConst = REG_TMP_0;
-    regNumber regGSValue = REG_TMP_1;
+    // We need two temporary registers, to load the GS cookie values and compare them. We can't use
+    // any argument registers if 'pushReg' is true (meaning we have a JMP call). They should be
+    // callee-trash registers, which should not contain anything interesting at this point.
+    // We don't have any IR node representing this check, so LSRA can't communicate registers
+    // for us to use.
+
+    regNumber regGSConst = REG_GSCOOKIE_TMP_0;
+    regNumber regGSValue = REG_GSCOOKIE_TMP_1;
 
     if (compiler->gsGlobalSecurityCookieAddr == nullptr)
     {