[ARM32] Eliminate red zone usage in runtime stubs

[cshung]

On ARM32 Linux, the area below SP is not guaranteed to be preserved across signal delivery. The runtime previously used the red zone (writing below SP without adjusting it) in several stubs, which can cause silent corruption or crashes when a signal is delivered at the wrong moment.

This PR eliminates all red zone usage in ARM32 runtime stubs by replacing sub-SP reads/writes with explicit stack adjustments (push/pop):

• NativeAOT interop thunks (ThunksMapping.cpp) — use ldr pc dispatch directly from r12, no stack intermediate. This also shrinks THUNK_SIZE from 20 to 12 bytes.
• NativeAOT UniversalTransition — caller pushes args onto stack before branching; prolog reads them from known stack offsets after saving argument registers.
• NativeAOT interface dispatch (DispatchResolve.S, StubDispatch.S) — PROLOG_PUSH/EPILOG_POP instead of red zone stores.
• CoreCLR VTableCallStub — pre-indexed str / post-indexed ldr (actual push/pop).

[dotnet-policy-service]

Tagging subscribers to this area: @agocke, @dotnet/ilc-contrib
See info in area-owners.md if you want to be subscribed.

[MichalPetryka]

Windows ARM32 has a well-defined red zone guarantee

Windows ARM32 is no longer supported.

[jkotas]

/azp run runtime-nativeaot-outerloop

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[jkotas]

Thanks!

[jkotas]

Segfaults in many linux arm32 NAOT tests

pushd .
chmod +rwx Microsoft.Extensions.Configuration.FileExtensions.Tests ^&^& ./Microsoft.Extensions.Configuration.FileExtensions.Tests -notrait category=IgnoreForCI -notrait category=OuterLoop -notrait category=failing -xml testResults.xml 
popd
===========================================================================================================
/root/helix/work/workitem/e /root/helix/work/workitem/e
DOTNET_DbgEnableMiniDump is set and the createdump binary does not exist: ./createdump
./RunTests.sh: line 173:    18 Segmentation fault      (core dumped) ./Microsoft.Extensions.Configuration.FileExtensions.Tests -notrait category=IgnoreForCI -notrait category=OuterLoop -notrait category=failing -xml testResults.xml $RSP_FILE
/root/helix/work/workitem/e
----- end Mon Jun 15 09:53:04 PM UTC 2026 ----- exit code 139 ----------------------------------------------------------

Could you please take a look?

[jkotas]

/azp run runtime-nativeaot-outerloop

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[jkotas]

@MichalStrehovsky PTLA

[Copilot]

Pull request overview

This PR updates several ARM32 stubs and NativeAOT transitions to avoid writing below sp (red zone) by switching to explicit stack adjustments (push/pop / stack alloc), and updates related thunk/transition conventions accordingly.

Changes:

• CoreCLR ARM32 interface/vtable-related stubs: replace red-zone saves/restores with stack-based sequences.
• NativeAOT ARM32 thunk and interop paths: shrink thunk stubs by branching via ldr pc while preserving r12 as the thunk data pointer, and adjust RhCommonStub accordingly.
• NativeAOT ARM32 universal transition: change extra-argument passing to caller-pushed stack args and update the corresponding stack frame layout and unwind helper logic.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
src/coreclr/vm/arm/virtualcallstubcpu.hpp	Updates VTableCall stub encoding/size logic to use push/pop-style stack ops instead of red zone.
src/coreclr/runtime/arm/StubDispatch.S	Replaces red-zone register spills in cached interface dispatch stubs and adjusts slow-path arg passing to universal transition.
src/coreclr/nativeaot/Runtime/ThunksMapping.cpp	Changes ARM thunk stub shape and size to branch via ldr pc and keep r12 as data pointer.
src/coreclr/nativeaot/Runtime/StackFrameIterator.cpp	Updates ARM universal transition stack frame layout to account for caller-pushed extra args.
src/coreclr/nativeaot/Runtime/EHHelpers.cpp	Adjusts ARM unwind helper to compensate for new interface dispatch stack usage on null-this AV.
src/coreclr/nativeaot/Runtime/arm/UniversalTransition.S	Switches universal transition extra args from red zone to caller-pushed stack args and updates prolog/epilog accordingly.
src/coreclr/nativeaot/Runtime/arm/InteropThunksHelpers.S	Updates RhCommonStub to consume r12 directly (no red-zone load).
src/coreclr/nativeaot/Runtime/arm/DispatchResolve.S	Replaces red-zone spills with stack pushes and updates slow-path argument setup for universal transition.

[jkotas]

/azp run runtime-nativeaot-outerloop

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[jkotas]

/azp run runtime-nativeaot-outerloop

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[jkotas]

All Arm32 test failures are known

[MichalStrehovsky]

Does src/coreclr/nativeaot/Common/src/Internal/Runtime/TransitionBlock.cs need a matching ARM32 layout update?

[jkotas]

Hmmm, that would be a messy change with a lot of eventual fallout. It creates holes in structs.

@cshung Could please change the prolog of universal transition to create the same layout as before, and rever this change?

Something like:

        // Caller pushed 8 bytes: [sp]=extra arg, [sp+4]=target fn
        .pad #8
        PROLOG_PUSH  "{r0-r1}"
        ldr          r12, [sp, #20]         // Capture target function (caller's [sp+4], now at sp+16+4)  
        ldr          r1, [sp, #16]          // Capture extra arg (caller's [sp], now at sp+16)
        str          r3, [sp, #20]          // Now we can store remaining arg registers into the space used for the hidden args
        str          r2, [sp, #16]