From efafc277debebbeaa444b8d5d32b2b77420fa889 Mon Sep 17 00:00:00 2001 From: Carol Eidt Date: Thu, 13 Feb 2020 14:27:49 -0800 Subject: Port of dotnet/runtime#1059 to 3.1 branch (#27986) This is the fix for #27924. This is a GC hole bug that was found externally, #27590. The cause is that the JIT was using the target type of the subtract when it needed to make a copy of the source, but it needs to use the source type. ## Customer Impact Corruption of state that is non-deterministic and hard to track down. ## Regression? Not a recent regression, but exposed by Unsafe.ByteOffset. ## Testing The fix has been verified in the runtime repo. ## Risk Low: The fix is straightfoward and only impacts 3 lines of code.
--- src/jit/codegenxarch.cpp | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'src')
diff --git a/src/jit/codegenxarch.cpp b/src/jit/codegenxarch.cpp
index 521aaca407..a235e41922 100644
--- a/src/jit/codegenxarch.cpp
+++ b/src/jit/codegenxarch.cpp
@@ -954,9 +954,10 @@ void CodeGen::genCodeForBinary(GenTreeOp* treeNode)
 // reg3 = reg3 op reg2
 else
 {
- inst_RV_RV(ins_Copy(targetType), targetReg, op1reg, targetType);
+ var_types op1Type = op1->TypeGet();
+ inst_RV_RV(ins_Copy(op1Type), targetReg, op1reg, op1Type);
 regSet.verifyRegUsed(targetReg);
- gcInfo.gcMarkRegPtrVal(targetReg, targetType);
+ gcInfo.gcMarkRegPtrVal(targetReg, op1Type);
 dst = treeNode;
 src = op2;
 }
-- cgit v1.2.3
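Review bot: The three added lines in the `else` branch carry no comment saying why the copy and `gcInfo.gcMarkRegPtrVal` must use op1's type rather than `targetType`, so a later cleanup could plausibly fold them back into the shorter form and reopen the GC hole the commit message describes. I would add above `var_types op1Type = op1->TypeGet();` a comment such as `// Use op1's type, not targetType, for the copy and the GC marking: targetReg holds op1's value until the op executes, and the two types can differ (e.g. for a subtract).` The diffstat shows only codegenxarch.cpp changing, so this port carries no regression test; since the stated impact is non-deterministic state corruption, a test for the Unsafe.ByteOffset case named in the description would be worth having on this branch as well. genCodeForBinary begins and ends outside the hunk, so whether its other branches make the same `targetType` assumption cannot be judged from here.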