Bug 1524257 - Work around apparent Intel CPU bug. r=tcampbell.
author Jason Orendorff <jorendorff@mozilla.com>
Tue, 14 Apr 2020 08:29:18 +0000
changeset 524828 cb00f09b615c7926ae07ea95d3a61c913216d26b
parent 524827 bef6ce79d8f66eaf9004e2e83d9d52deb3109f05
child 524829 e26977345e27cdd06ae8e80f34e2b55f64e86d34
push id 113426
push user jorendorff@mozilla.com
push date Mon, 20 Apr 2020 14:32:39 +0000
reviewers tcampbell
bugs 1524257, 968683
milestone 77.0a1
In the week since 68.6.1esr and 74.0.1 shipped, crashes with this signature have spiked. They occur only on family 6 model 122 stepping 1 CPUs. This patch ports a workaround that landed in V8 to address what looks like the same CPU bug.

In short, the crash happens only in functions that start on addresses that end with 10, 50, 90, or d0. Aligning the function to a 32-byte boundary rules out such addresses. See <https://crbug.com/968683> for more information.

Differential Revision: https://phabricator.services.mozilla.com/D70218

js/src/frontend/NameOpEmitter.cpp
--- a/js/src/frontend/NameOpEmitter.cpp
+++ b/js/src/frontend/NameOpEmitter.cpp
@@ -219,16 +219,21 @@ bool NameOpEmitter::prepareForRhs() {
   }
 
 #ifdef DEBUG
   state_ = State::Rhs;
 #endif
   return true;
 }
 
+#if defined(__clang__) && defined(XP_WIN) && \
+    (defined(_M_X64) || defined(__x86_64__))
+// Work around a CPU bug. See bug 1524257.
+__attribute__((__aligned__(32)))
+#endif
 bool NameOpEmitter::emitAssignment() {
   MOZ_ASSERT(state_ == State::Rhs);
 
   switch (loc_.kind()) {
     case NameLocation::Kind::Dynamic:
     case NameLocation::Kind::Import:
     case NameLocation::Kind::DynamicAnnexBVar:
       if (!bce_->emitAtomOp(bce_->strictifySetNameOp(JSOp::SetName),
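Review bot: The comment above `__attribute__((__aligned__(32)))` on `NameOpEmitter::emitAssignment()` says only "Work around a CPU bug. See bug 1524257.", which leaves the next reader unable to tell why 32 was chosen or why the guard is restricted to `__clang__` with `XP_WIN` on x86-64. The commit message has the reasoning (the crash happens only when the function starts at an address ending in 10, 50, 90, or d0, which a 32-byte boundary rules out); I'd move a sentence or two of that into the comment together with the crbug.com/968683 reference, and say whether the clang/Windows condition reflects where the crashes were seen or only where the attribute was tried. As written, nothing here tells someone who later refactors or splits this function that the alignment has to follow the code.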