
Issue 646028 link


Issue metadata

Status: Fixed
Closed: Sep 2016
OS: Windows
Pri: 3
Type: Bug




VS 2015 LTCG code-gen bug

Project Member Reported by brucedaw...@chromium.org, Sep 12 2016

Issue description

This is the Chrome side bug for tracking the VS 2015 code-gen bug described here:

https://connect.microsoft.com/VisualStudio/feedback/details/3102400

A crash dump from Chrome Canary 32-bit is attached. To see the problem you just have to load this crash dump, add Chrome's symbol server to the list of symbol sources, open the disassembly window, type "ProcessPowerCollector::HandleUpdateTimeout" into the address bar, and you will see this code which includes the mismatched movsd xmm0 and fstp st(0).

10C0F2F7  call        ProcessPowerCollector::RecordCpuUsageByOrigin (10C0F4C9h)  
10C0F2FC  movsd       xmm0,mmword ptr [esp+10h]  
10C0F302  pop         edi  
10C0F303  pop         esi  
10C0F304  mov         esp,ebp  
10C0F306  pop         ebp  
10C0F307  ret  
10C0F308  call        ProcessPowerCollector::UpdatePowerConsumption (10C0F2B7h)+0  
10C0F30D  fstp        st(0)  
10C0F30F  ret  

Attachment: chrome_codegen.dmp (118 KB)
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/764c7362bc01b0f1765f2f9043ca89b71a8d0c76

commit 764c7362bc01b0f1765f2f9043ca89b71a8d0c76
Author: brucedawson <brucedawson@chromium.org>
Date: Mon Sep 12 19:10:18 2016

Speculative workaround for VS 2015 code-gen bug

On PGO builds (but no others) a pair of functions in
process_power_collector.cc get compiled such that the callee returns a
floating-point value in xmm0 and the caller looks for it in st(0). The
details are in the bug, but if floating-point exceptions are enabled
(perhaps happening due to third-party injected software changing the FPU
state) then this can lead to crashes. Even without the crashes it is
clearly wrong.

Since the bug only reproes in PGO it is difficult to test a fix but
disabling optimizations around the two functions *should* do the trick.

BUG= 640588 

Review-Url: https://codereview.chromium.org/2329693002
Cr-Commit-Position: refs/heads/master@{#417994}

[modify] https://crrev.com/764c7362bc01b0f1765f2f9043ca89b71a8d0c76/chrome/browser/power/process_power_collector.cc
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/5c246eb9899a1d95594254b0db36a47e8f9763ae

commit 5c246eb9899a1d95594254b0db36a47e8f9763ae
Author: Bruce Dawson <brucedawson@chromium.org>
Date: Wed Sep 14 21:05:34 2016

Speculative workaround for VS 2015 code-gen bug

On PGO builds (but no others) a pair of functions in
process_power_collector.cc get compiled such that the callee returns a
floating-point value in xmm0 and the caller looks for it in st(0). The
details are in the bug, but if floating-point exceptions are enabled
(perhaps happening due to third-party injected software changing the FPU
state) then this can lead to crashes. Even without the crashes it is
clearly wrong.

Since the bug only reproes in PGO it is difficult to test a fix but
disabling optimizations around the two functions *should* do the trick.

BUG= 640588 

Review-Url: https://codereview.chromium.org/2329693002
Cr-Commit-Position: refs/heads/master@{#417994}
(cherry picked from commit 764c7362bc01b0f1765f2f9043ca89b71a8d0c76)

Review URL: https://codereview.chromium.org/2339303002 .

Cr-Commit-Position: refs/branch-heads/2840@{#367}
Cr-Branched-From: 1ae106dbab4bddd85132d5b75c670794311f4c57-refs/heads/master@{#414607}

[modify] https://crrev.com/5c246eb9899a1d95594254b0db36a47e8f9763ae/chrome/browser/power/process_power_collector.cc
Status: Fixed (was: Assigned)
Summary: VS 2015 LTCG code-gen bug (was: VS 2015 PGO code-gen bug)
It turns out this isn't actually a PGO bug, it's just a full LTCG bug and it can be triggered with these GN settings:

is_component_build = false
is_debug = false
is_official_build = true
target_cpu="x86"
full_wpo_on_official = true

The bug is now worked around on trunk and M54.
