https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85216
--- Comment #15 from Bill Schmidt <wschmidt at gcc dot gnu.org> --- PHP's reliance on frequent indirect branches makes it essentially the worst case for this sort of thing. When Spectre v2 CVE mitigations are in place for user code, you will see performance issues on all architectures that rely on speculation for indirect branch performance. When user code is running in an "unsafe" configuration, you will not see those issues. (We have seen similar issues on x86 when retpoline is used for user code.)