From c4771b9c642b434701ddae32769107c79cdde2f3 Mon Sep 17 00:00:00 2001
From: Jakob Botsch Nielsen
Date: Wed, 29 Oct 2025 12:28:29 +0100
Subject: [PATCH] JIT: Handle x86 gs cookie checks before tailcalls
---
 src/coreclr/jit/codegencommon.cpp | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/src/coreclr/jit/codegencommon.cpp b/src/coreclr/jit/codegencommon.cpp
index 27394d615167d6..78457cf6255e37 100644
--- a/src/coreclr/jit/codegencommon.cpp
+++ b/src/coreclr/jit/codegencommon.cpp
@@ -2529,8 +2529,16 @@ regMaskTP CodeGenInterface::genGetGSCookieTempRegs(bool tailCall)
 // Otherwise on x64 (win-x64, SysV and Swift) r9 is never used for return values
 return RBM_R9;
 #elif TARGET_X86
- assert(!tailCall);
- // On x86 it's more difficult: we have only eax, ecx and edx available as volatile
+ if (tailCall)
+ {
+ // For tailcall we may need ecx and edx for args. We could use eax, but
+ // leave it free in case the tailcall needs something for the target.
+ // Since this is only for explicit tailcalls or CEE_JMP we can just use
+ // a callee save.
+ return RBM_ESI;
+ }
+
+ // For regular calls we have only eax, ecx and edx available as volatile
 // registers, and all of them may be used for return values (longs + async continuation).
 if (compiler->compIsAsync())
 {
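Review bot: The new `tailCall` branch returns `RBM_ESI`, a callee-saved register, but nothing in the hunk shows that the method is guaranteed to save and restore ESI when the cookie check is the only thing that writes it. If the users of `genGetGSCookieTempRegs` do not report the returned mask as killed, the tailcall would leave with the caller's ESI overwritten by the cookie check; that should be confirmed, and the comment extended with something like `// ESI is callee-saved: users of this mask must mark it as modified so the prolog/epilog preserve it.` The removed `assert(!tailCall)` is also not replaced by any check that this path is reached only for explicit tailcalls or CEE_JMP, as the comment assumes. The patch changes only codegencommon.cpp, so a regression test for an x86 method with a GS cookie that ends in an explicit tailcall would be worth adding. The function body starts and ends outside the hunk.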