I'm working on a very similar patch as we speak, so you found a knowledgeable reviewer. Your test diff is a lot smaller than my current one, so maybe you're on to something. Unfortunately, I'm about to leave for the day, so I won't be able to get you detailed feedback until at least tomorrow.

A couple of quick comments.

The code does disallow stride == 0 on the howManyLessThans path. The logic is explained in the !PositiveStride path, but the comments are really confusing, so let me explain again. For a non-positive exit, we require that this be the sole exit and the current condition control that exit. (Indirectly through NoWrap) As a result, if the stride was zero, then the loop must either a) be infinite, or b) exit on the first iteration. The !loopIsFiniteByAssumption check requires a zero stride to exit on the first iteration. (Ah, I think I see the issue you did now. The stride can be zero iff the exit is taken on first iteration. If this was your chain of thought, can you clarify submission comment?)

In D105216#2851010, @reames wrote:

Your test diff is a lot smaller than my current one, so maybe you're on to something.

I found that I needed a wide variety of heuristics to handle various cases in the regression tests. This is the source of most of the complexity in this patch.

(Ah, I think I see the issue you did now. The stride can be zero iff the exit is taken on first iteration. If this was your chain of thought, can you clarify submission comment?)

I'll clarify the commit message, sure.

How much worse does it become if we simply check that start <= MAX_INT - step and bail if we can't prove it?

In D105216#2858946, @mkazantsev wrote:

How much worse does it become if we simply check that start <= MAX_INT - step and bail if we can't prove it?

I assume that isn't the expression you meant to write?

Practically, I expect the most important cases to recognize are:

1. Power-of-two stride.
2. Post-increment loops: Start == Stride. (This is a special case of Start >= Stride - 1).

I'm not sure how well isLoopEntryGuardedByCond/isKnownViaNonRecursiveReasoning would do if I just throw Start >= Stride - 1 for unsigned, or the signed equivalent, at it. I can try, I guess.

Detailed comments inline. The two common issues running through are:

• The use of IsSigned confuses me. We should be computing an unsigned expression at this point, so why does the signedness of the end max expression matter? I think I finally figured it out but a change to the code structure and comments would really help. My current understanding is that IsSigned == true implies (End >=s Start) and !IsSigned implies (End >=u Start) as preconditions of the method. I'd just state that explicitly in comment form.
• We can have an exit which is dynamically dead, produces poison, and overflows in the computation. See the long explanation in the first comment. As far as I can tell, this only applies to the first case.

Sorry this took so long.

I’ve bisected a miscompilation on aarch64 down to this commit. I’ll follow up with a repro later…

Yeah, we also found issue on PowerPC target. Reducing a small case:

__attribute__((noinline))int foo(int *arr)
{
  int prime = 0, k = 0;

  for(int i = 0; i < 8191; i++) {
    prime = i + i + 1; 
    k = i + prime;
    for (int j = k; j < 8191; j += prime)
      arr[j] = 0;
  }
  return 0;
}
int main(void)
{
  int arr[8191];

  foo (arr);
  return 0;
}

$ clang -O2 t.cpp ; ./a.out
Segmentation fault (core dumped)

-fno-vectorize can make above case pass. Initial investigation shows that after this patch, the loop execution count for the vectorized loop now can be wrap, so generate unexpected behaviour.

Hi,

We see a miscompile as well.
It goes wrong for my out of tree target so I don't have a reproducer for an in tree target but maybe some info may help anyway.
I have a function containing the following two nested loops:

void foo()
{
    #define MAX 2048

    static unsigned a[MAX];

    unsigned count = 2;

    for (unsigned i = 0; i < MAX; ++i)
    {
        if (a[i] == 0)
        {
            unsigned p = i + i + 3;
            count++;
            for (unsigned j = i; j < MAX; j += p)
            {
                a[j] = 1;
            }
        }
    }
    assert(count == 565);
}

With some debug printouts from the compiler I see that before we got the following from SCEV for the inner loop:

Exit count: ({2047,+,-1}<%for.body> /u {3,+,2}<nuw><nsw><%for.body>)
Trip count: (1 + ({2047,+,-1}<%for.body> /u {3,+,2}<nuw><nsw><%for.body>))<nuw><nsw>
Trip count bound: 16 bits, [1,684)

and with the patch we get

Exit count: ((((-1 * (1 umin {2045,+,-3}<%for.body>))<nuw><nsw> + {2045,+,-3}<%for.body>) /u {3,+,2}<nuw><nsw><%for.body>) + (1 umin {2045,+,-3}<%for.body>))
Trip count: (1 + (((-1 * (1 umin {2045,+,-3}<%for.body>))<nuw><nsw> + {2045,+,-3}<%for.body>) /u {3,+,2}<nuw><nsw><%for.body>) + (1 umin {2045,+,-3}<%for.body>))
Trip count bound: 16 bits, [1,21848)

With some printouts in the outer and inner loop I also see that when i is 682, then something goes wrong for the inner loop and it executes for the following (way too many) j values:

outer. i: 682
  inner. j: 682
  inner. j: 2049
  inner. j: 3416
  inner. j: 4783
  inner. j: 6150
  [...]
  inner. j: 63564
  inner. j: 64931
  inner. j: 762
outer. i: 683

The case I'm observing is within this translation unit: https://martin.st/temp/gsmdec-preproc.c

There's some difference visible in the assembly generated by clang -target aarch64-linux-gnu -c -O3 gsmdec-preproc.c, I haven't exactly pinpointed what part of it is that breaks.

If you have access to aarch64 linux, the issue can be reproduced at runtime with these commands:

git clone git://source.ffmpeg.org/ffmpeg
cd ffmpeg
./configure --cc=clang --samples=/path/to/empty/dir
make fate-rsync # sync data samples for running tests, into the path specified above
make -j$(nproc) fate-g723_1-dec-1

The error in this case is in libavformat/gsmdec.o. There's also a couple other miscompilations in there, visible in make fate-sub-vplayer and make fate-wmavoice-7k, but I haven't pinpointed which translation unit those errors stem from.

I think the miscompile is the isLoopEntryGuardedByCond issue noted in https://reviews.llvm.org/D105216#2851010 . Looking.

I've glanced at this, and the refactor/new code seems very complicated to me. My LGTM no longer applies. I will try to take a closer look at the reasoning in the newly added parts, but I *strongly* request you look for ways to factor the code so that the reasoning is modular. If we can split this into two or more patches, that would be my strong preference.

but I *strongly* request you look for ways to factor the code so that the reasoning is modular

I really don't see any way to unify the two different proof strategies. The proofs are trying to reason about overflow on completely different operations.

If we can split this into two or more patches, that would be my strong preference.

I can split off the introduction of getUDivCeilSCEV() into a separate patch, and I can introduce the new isLoopEntryGuardedByCond(L, CondGT, Start, StartMinusStride) check in a separate patch. I'm not sure the result is easier to review, but I guess it would make it easier to figure out regressions.

Posted D105865 with just cleanup. Then I'll post a followup with the missing isLoopEntryGuardedByCond() checks. Then I'll rebase this (so at that point, we'll just be adding the MayAddOverflow checks). Let me know if that makes sense.

In D105216#2872827, @efriedma wrote:

but I *strongly* request you look for ways to factor the code so that the reasoning is modular

I really don't see any way to unify the two different proof strategies. The proofs are trying to reason about overflow on completely different operations.

So, I think this might be part of our problem. The code and comments to date have not made your last sentence here obvious to me as the reviewer.

To be clear, I have not seen a concise description of what the bug in the original patch *was*. That makes it hard to review a patch which is supposed to fix it.

If we can split this into two or more patches, that would be my strong preference.

I can split off the introduction of getUDivCeilSCEV() into a separate patch, and I can introduce the new isLoopEntryGuardedByCond(L, CondGT, Start, StartMinusStride) check in a separate patch. I'm not sure the result is easier to review, but I guess it would make it easier to figure out regressions.

Splitting patches to isolate regressions is good!

I went ahead and landed e4b43973. This handles only the constant bounds cases using the new ceiling operation. This is an easy sub-case because a) stride is known positive, b) it'll constant fold thus not changing the result at all, and c) it doesn't appear to be influenced by your most recent proof. If you rebase over that, it should help a bit to reduce complexity.

In D105216#2874452, @reames wrote:

In D105216#2872827, @efriedma wrote:

but I *strongly* request you look for ways to factor the code so that the reasoning is modular

I really don't see any way to unify the two different proof strategies. The proofs are trying to reason about overflow on completely different operations.

So, I think this might be part of our problem. The code and comments to date have not made your last sentence here obvious to me as the reviewer.

To be clear, I have not seen a concise description of what the bug in the original patch *was*. That makes it hard to review a patch which is supposed to fix it.

Oh, sorry, I thought you understood the issue since you sort of pointed it out originally. The issue is the case where End < Start.

If we prove RHS >= Start, this is impossible. If we use End = max(RHS, Start), this is also impossible. If we only proved RHS > Start - Stride, it's possible that Start - Stride < End < Start. In this case, the backedge-taken count should be zero. But RHS - Start overflows, so getUDivCeilSCEV treats it as a very large positive number.

So we never want to use getUDivCeilSCEV if we're optimizing an expression by proving RHS > Start - Stride. As I outline in the proof in this patch, in this case, we can show that the backedge-taken count is actually ((RHS - 1) - (Start - Stride)) /u Stride, which is equivalent to the expression we would produce without this patch.

In D105216#2874703, @efriedma wrote:

So we never want to use getUDivCeilSCEV if we're optimizing an expression by proving RHS > Start - Stride. As I outline in the proof in this patch, in this case, we can show that the backedge-taken count is actually ((RHS - 1) - (Start - Stride)) /u Stride, which is equivalent to the expression we would produce without this patch.

It's this last bit which is non-obvious from the patch. You're using an entirely different formula for the BTC in this case, you should say so in the comments!

Eli, I think I just had an "aha!" moment. Check my reasoning here, but I think we can greatly simplify the patch structure.

The most recent case you added, appears to simply be a specialization of ceiling(max(A,B)-A, C) where max(A,B) > A - C is known. I don't think we actually need to know anything about where A, B, and C come from for your lowering to be valid. I think we can also generalize this slightly into two pieces:

1. A general ceiling lowering when ceiling(X-A, C) where X > A - C
2. A pushdown rule for max(X,Y) > Z as X > Z && Y > Z ==> max(X,Y) > Z

This really tempts me to go back to the first version of your patch, and add another specialization of how to generate a faster ceiling.

What do you think?

The general formula for the backedge-taken count can be written, in arbitrary-precision arithmetic, as something like floor(max(End - Start + Stride - 1, 0) / Stride), I think. We could define a function to compute that, I guess, separate from howManyLessThans, and optimize based on that.

Granted, that's basically just taking this patch, and shoving the code into a different function. But it might be easier to reason about future changes.

Eli,

I went ahead and posted https://reviews.llvm.org/D105942 which splits this one step further, but in the process, I also convinced myself of the correctness of your revised patch. I'd be fine either landing the one I posted, then rebasing this into a smaller patch, or simply landing this one after rebase, and then posting a cleanup or two afterwards. Up to you.

I still like the idea of having all of this inside getUDivCeiling if possible, but doing that as cleanup once this lands seems reasonable.

Eli, I think we're out of things which can be reasonable split here. If you want to rebase your patch - preferably the form close to what you committed before - I think we're ready for the last big piece to go in. We probably should wait a day or two to make sure the previous bits stick, but assuming they do, I don't see any reason to delay this further.