This is an archive of the discontinued LLVM Phabricator instance.

Differential D104140

[SCEV] Allow negative steps for LT exit count computation for unsigned comparisons
ClosedPublic

Authored by reames on Jun 11 2021, 11:35 AM.

Details

Reviewers
nikic
mkazantsev
efriedma
Commits
rGeede4846a99b: [SCEV] Allow negative steps for LT exit count computation for unsigned…
Summary

This bit of code is incredibly suspicious. It allows fully unknown (but potentially negative) steps, but not steps known to be negative. The comment about scev flag inference is worrying, but also not correct to my knowledge.

At best, this might be covering up some related miscompile. However, there's no test in tree for it, the review history doesn't include obvious motivation, and the C++ example doesn't appear to give wrong results when hand translated to IR. I think it's time to remove this and see what falls out.

Diff Detail

Event Timeline

reames created this revision.Jun 11 2021, 11:35 AM
Herald added subscribers: javed.absar, bollu, hiraditya, mcrosier. · View Herald TranscriptJun 11 2021, 11:35 AM
reames requested review of this revision.Jun 11 2021, 11:35 AM
Herald added a project: Restricted Project. · View Herald TranscriptJun 11 2021, 11:35 AM
Harbormaster completed remote builds in B108862: Diff 351513.Jun 11 2021, 12:29 PM
efriedma added inline comments.Jun 13 2021, 6:56 PM
llvm/lib/Analysis/ScalarEvolution.cpp
11462

Does the logic here actually work correctly for step=0? It looks like we end up dividing by zero.

If we can prove the step is non-zero, loopIsFiniteByAssumption seems too aggressive; a lack of abnormal exits should be enough. We'll hit UB after a finite number of steps.

Using isKnownPositive doesn't really make sense in the unsigned case; an unsigned number can't be negative.

reames added inline comments.Jun 14 2021, 9:54 AM
llvm/lib/Analysis/ScalarEvolution.cpp
11462

Step can't be zero, or the loop would be infinite. Though, actually, writing that, I see a latent bug here. The loop could be finite *because we took another exit*, the step of this IV could still be zero, and we could still have a divide by zero along this path.

I don't think that has anything to do with this change though.

p.s. Yes, we can infer non-zero other ways. I even have one patch out to do that right now. :)

efriedma added inline comments.Jun 14 2021, 10:38 AM
llvm/lib/Analysis/ScalarEvolution.cpp
11462

I agree this patch makes sense, just saying it might expose other issues.

*because we took another exit*

Even if we take this exit. If the backedge-taken count is zero, the step doesn't matter.

reames added inline comments.Jun 15 2021, 8:58 AM
llvm/lib/Analysis/ScalarEvolution.cpp
11462

Eli, I think you're missing the point slightly. For the induction step to be zero, and for this to be the sole exit, then the loop must be infinite. Since mustprogress infinite loops are undefined, any result from this function is allowed. If there's a divide by zero which causes a compiler crash, that would be bad, but literally any result is legal at that point.

efriedma added inline comments.Jun 15 2021, 11:55 AM
llvm/lib/Analysis/ScalarEvolution.cpp
11462

If the induction step is zero, and this is the sole exit, the loop is either infinite, or has a backedge-taken count of zero. See, for example, https://godbolt.org/z/9djfj1Ycq .

reames added inline comments.Jun 15 2021, 12:15 PM
llvm/lib/Analysis/ScalarEvolution.cpp
11462

Gah, yeah, you're correct. No idea why I didn't see that the first time.

nikic mentioned this in D104066: [SCEV] Use knowledge of stride to prove loops finite for LT exit count computation.Jun 22 2021, 1:07 AM
reames added a parent revision: D105216: [ScalarEvolution] Fix overflow in computeBECount..Jul 15 2021, 2:21 PM
reames mentioned this in rG5c57600b934a: [tests] Precommit test for D104140.Jul 16 2021, 10:58 AM
reames updated this revision to Diff 359395.Jul 16 2021, 11:17 AM

Rebase over tests which actually exercise code and show difference.

The zero stride issue was fixed separately. This still depends on Eli's patch for overflow correctness. Once that's fixed, I think this will be safe.

It's worth noting that given a condition which dominates the latch, an IV which has either nsw or nuw, and a negative step, the exit backedge taken must be either 0 or 1. For it to be more than that, we must perform at least two adds of negative value which must by definition wrap. As a result, we could do much better in terms of formulas specific for negative strides, but I'm not really interested in bothering. The main value of this patch is in making it easier to exercise the general path via tests.

Herald added a subscriber: xgupta. · View Herald TranscriptJul 16 2021, 11:17 AM
Harbormaster completed remote builds in B114553: Diff 359395.Jul 16 2021, 11:17 AM
efriedma added inline comments.Jul 16 2021, 12:35 PM
llvm/lib/Analysis/ScalarEvolution.cpp
11382

Is the unconditional use of "smax" here going to cause issues?

11393

Instead of computing min(End, Limit) - Start, should we be using max(End, Start) - Start like we do elsewhere?

11458

This is inductive logic, right? If the first iteration doesn't the loop, the following iterations also can't exit the loop.

I think this logic requires that RHS is invariant? Not that we would compute BECount anyway in that case, but I think we might underestimate MaxBECount.

efriedma added inline comments.Jul 16 2021, 12:46 PM
llvm/lib/Analysis/ScalarEvolution.cpp
11382

Oh, also, if BitWidth is one, "One" is a negative number. isKnownNonPositive(Stride) guards against this, since it's always true for an i1 value. :)

efriedma added inline comments.Jul 16 2021, 1:03 PM
llvm/lib/Analysis/ScalarEvolution.cpp
11382

I'll write a patch for computeMaxBECountForLT.

efriedma mentioned this in D106197: [ScalarEvolution] Refine computeMaxBECountForLT to be accurate in more cases..Jul 16 2021, 4:26 PM
efriedma added a comment.Jul 16 2021, 4:29 PM

Posted D106197. That addresses all my review comments here except the one about the RHS being invariant.

reames updated this revision to Diff 359947.Jul 19 2021, 3:48 PM

Address Eli's review comment which isn't covered by D106197.

I'm going to land some tests for this case and probably split this patch since this appears to be a flaw in the existing logic for potentially zero strides.

Harbormaster completed remote builds in B114970: Diff 359947.Jul 19 2021, 3:49 PM
reames added a parent revision: D106197: [ScalarEvolution] Refine computeMaxBECountForLT to be accurate in more cases..Jul 19 2021, 3:50 PM
efriedma added inline comments.Jul 19 2021, 4:03 PM
llvm/lib/Analysis/ScalarEvolution.cpp
11454

I think this needs to be "if the stride is negative and rhs is invariant".

reames mentioned this in D106327: [SCEV] Fix bug involving zero step and non-invariant RHS in trip count logic.Jul 19 2021, 5:37 PM
reames planned changes to this revision.Jul 19 2021, 5:40 PM
reames added a parent revision: D106327: [SCEV] Fix bug involving zero step and non-invariant RHS in trip count logic.

Needs to be rebased over D106327 once landed.

reames mentioned this in rG4a3dc7dc9a03: [SCEV] Fix bug involving zero step and non-invariant RHS in trip count logic.Jul 23 2021, 3:19 PM
reames added inline comments.Jul 26 2021, 4:31 PM
llvm/lib/Analysis/ScalarEvolution.cpp
11454

I've given this a lot of thought and I don't believe this is true. Let me explain why I think the code is correct, and you can poke holes in my reasoning. :)

A negative stride must be greater than half of the addressable space. Thus, we can only add a negative stride once without producing poison.

We check that if IV becomes poison that the loop must execute UB. (This is the purpose of the ControlsExit check combined with the flag check.) Thus, we don't have to worry about IV being poison, but another exit being taken before the one we're analyzing. (This is important as it cuts off a *lot* of subtle edge case reasoning.)

As a result, we can infer that IV must add the step at most once. Given we must increment IV on each iteration, this implies the backedge is not taken.

Note that the value of RHS did not appear in any of that logic.

Chasing through the code for computeMaxBECountForLT, we appear to produce a correct/conservative result for a negative stride.

Do you have a particular counter example in mind?

p.s. The means by which we prove poison triggers immediate UB could be generalized easily here. Maybe something to explore in the future if we want to expand support for multiple exit loops.

efriedma added inline comments.Jul 26 2021, 5:30 PM
llvm/lib/Analysis/ScalarEvolution.cpp
11454

I was thinking of something like this:

int a(int *x) {
  int i = 0;
  do {
    i -= 2;
  } while (i < x[i]);
  return i;
}
int main() {
    int z[] = {-100000,0,0,0,};
    __builtin_printf("%d\n", a(z+4));
}

Am I missing some condition that excludes this?

reames added inline comments.Jul 27 2021, 5:45 PM
llvm/lib/Analysis/ScalarEvolution.cpp
11454

Quick answer: I'd gotten myself confused on nsw semantics of add w/negative RHS again. Long answer to follow once I've given it a bit more thought.

reames updated this revision to Diff 369813.Aug 31 2021, 3:59 PM
reames retitled this revision from [SCEV] Allow negative steps for LT exit count computation to [SCEV] Allow negative steps for LT exit count computation for unsigned comparisons.

Narrowing focus to unsigned comparisons.

The reasoning about signed cases makes my head hurt, and even after staring at it for a while, I'm neither sure the code is correct or incorrect for signed comparisons. Give my actual interest is unsigned IVs, I propose we just defer the signed cases until someone else has time, interest, and the ability to reason through it.

@efriedma Sorry for the silence on this for so long.

p.s. I'm going to mark this as dependent on D109029 as the diff is built on top of that patch and might be confusing otherwise, but there's no semantic connection between the two.

reames added a parent revision: D109029: [SCEV] Clarify requirements for zero-stride to be UB.Aug 31 2021, 3:59 PM
Harbormaster completed remote builds in B122009: Diff 369813.Aug 31 2021, 3:59 PM
reames added a comment.Sep 9 2021, 10:00 AM

@efriedma ping?

efriedma accepted this revision.Sep 9 2021, 12:37 PM

LGTM

This revision is now accepted and ready to land.Sep 9 2021, 12:37 PM
This revision was landed with ongoing or failed builds.Sep 9 2021, 2:30 PM
Closed by commit rGeede4846a99b: [SCEV] Allow negative steps for LT exit count computation for unsigned… (authored by reames). · Explain Why
This revision was automatically updated to reflect the committed changes.
reames added a commit: rGeede4846a99b: [SCEV] Allow negative steps for LT exit count computation for unsigned….

Revision Contents

PathSize
llvm/
lib/
Analysis/
15 lines
test/
Analysis/
ScalarEvolution/
40 lines

Diff 351513

llvm/lib/Analysis/ScalarEvolution.cpp

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 11,373 Lines▼ Show 20 Lines APInt StrideForMaxBECount =
IsSigned ? getSignedRangeMin(Stride) : getUnsignedRangeMin(Stride); IsSigned ? getSignedRangeMin(Stride) : getUnsignedRangeMin(Stride);
// We already know that the stride is positive, so we paper over conservatism // We already know that the stride is positive, so we paper over conservatism
// in our range computation by forcing StrideForMaxBECount to be at least one. // in our range computation by forcing StrideForMaxBECount to be at least one.
// In theory this is unnecessary, but we expect MaxBECount to be a // In theory this is unnecessary, but we expect MaxBECount to be a
// SCEVConstant, and (udiv <constant> 0) is not constant folded by SCEV (there // SCEVConstant, and (udiv <constant> 0) is not constant folded by SCEV (there
// is nothing to constant fold it to). // is nothing to constant fold it to).
APInt One(BitWidth, 1, IsSigned); APInt One(BitWidth, 1, IsSigned);
StrideForMaxBECount = APIntOps::smax(One, StrideForMaxBECount); StrideForMaxBECount = APIntOps::smax(One, StrideForMaxBECount);
efriedmaUnsubmitted
Not Done
ReplyInline Actions

Is the unconditional use of "smax" here going to cause issues?

efriedma: Is the unconditional use of "smax" here going to cause issues?
efriedmaUnsubmitted
Not Done
ReplyInline Actions

Oh, also, if BitWidth is one, "One" is a negative number. isKnownNonPositive(Stride) guards against this, since it's always true for an i1 value. :)

efriedma: Oh, also, if BitWidth is one, "One" is a negative number. `isKnownNonPositive(Stride)` guards…
efriedmaUnsubmitted
Not Done
ReplyInline Actions

I'll write a patch for computeMaxBECountForLT.

efriedma: I'll write a patch for computeMaxBECountForLT.
APInt MaxValue = IsSigned ? APInt::getSignedMaxValue(BitWidth) APInt MaxValue = IsSigned ? APInt::getSignedMaxValue(BitWidth)
: APInt::getMaxValue(BitWidth); : APInt::getMaxValue(BitWidth);
APInt Limit = MaxValue - (StrideForMaxBECount - 1); APInt Limit = MaxValue - (StrideForMaxBECount - 1);
// Although End can be a MAX expression we estimate MaxEnd considering only // Although End can be a MAX expression we estimate MaxEnd considering only
// the case End = RHS of the loop termination condition. This is safe because // the case End = RHS of the loop termination condition. This is safe because
// in the other case (End - Start) is zero, leading to a zero maximum backedge // in the other case (End - Start) is zero, leading to a zero maximum backedge
// taken count. // taken count.
APInt MaxEnd = IsSigned ? APIntOps::smin(getSignedRangeMax(End), Limit) APInt MaxEnd = IsSigned ? APIntOps::smin(getSignedRangeMax(End), Limit)
: APIntOps::umin(getUnsignedRangeMax(End), Limit); : APIntOps::umin(getUnsignedRangeMax(End), Limit);
efriedmaUnsubmitted
Not Done
ReplyInline Actions

Instead of computing min(End, Limit) - Start, should we be using max(End, Start) - Start like we do elsewhere?

efriedma: Instead of computing `min(End, Limit) - Start`, should we be using `max(End, Start) - Start`…
MaxBECount = computeBECount(getConstant(MaxEnd - MinStart) /* Delta */, MaxBECount = computeBECount(getConstant(MaxEnd - MinStart) /* Delta */,
getConstant(StrideForMaxBECount) /* Step */); getConstant(StrideForMaxBECount) /* Step */);
return MaxBECount; return MaxBECount;
} }
ScalarEvolution::ExitLimit ScalarEvolution::ExitLimit
▲ Show 20 LinesShow All 44 Lines▼ Show 20 Lines if (!PositiveStride) {
// of the above formula is as follows - // of the above formula is as follows -
// //
// a) IV is either nuw or nsw depending upon signedness (indicated by the // a) IV is either nuw or nsw depending upon signedness (indicated by the
// NoWrap flag). // NoWrap flag).
// b) loop is single exit with no side effects. // b) loop is single exit with no side effects.
// //
// //
// Precondition a) implies that if the stride is negative, this is a single // Precondition a) implies that if the stride is negative, this is a single
// trip loop. The backedge taken count formula reduces to zero in this case. // trip loop. The backedge taken count formula reduces to zero in this case.
efriedmaUnsubmitted
Not Done
ReplyInline Actions

I think this needs to be "if the stride is negative and rhs is invariant".

efriedma: I think this needs to be "if the stride is negative and rhs is invariant".
reamesAuthorUnsubmitted
Done
ReplyInline Actions

I've given this a lot of thought and I don't believe this is true. Let me explain why I think the code is correct, and you can poke holes in my reasoning. :)

A negative stride must be greater than half of the addressable space. Thus, we can only add a negative stride once without producing poison.

We check that if IV becomes poison that the loop must execute UB. (This is the purpose of the ControlsExit check combined with the flag check.) Thus, we don't have to worry about IV being poison, but another exit being taken before the one we're analyzing. (This is important as it cuts off a *lot* of subtle edge case reasoning.)

As a result, we can infer that IV must add the step at most once. Given we must increment IV on each iteration, this implies the backedge is not taken.

Note that the value of RHS did not appear in any of that logic.

Chasing through the code for computeMaxBECountForLT, we appear to produce a correct/conservative result for a negative stride.

Do you have a particular counter example in mind?

p.s. The means by which we prove poison triggers immediate UB could be generalized easily here. Maybe something to explore in the future if we want to expand support for multiple exit loops.

reames: I've given this a lot of thought and I don't believe this is true. Let me explain why I think…
efriedmaUnsubmitted
Not Done
ReplyInline Actions

I was thinking of something like this:

int a(int *x) {
  int i = 0;
  do {
    i -= 2;
  } while (i < x[i]);
  return i;
}
int main() {
    int z[] = {-100000,0,0,0,};
    __builtin_printf("%d\n", a(z+4));
}

Am I missing some condition that excludes this?

efriedma: I was thinking of something like this: ``` int a(int *x) { int i = 0; do { i -= 2; }…
reamesAuthorUnsubmitted
Done
ReplyInline Actions

Quick answer: I'd gotten myself confused on nsw semantics of add w/negative RHS again. Long answer to follow once I've given it a bit more thought.

reames: Quick answer: I'd gotten myself confused on nsw semantics of add w/negative RHS again. Long…
// //
// Precondition b) implies that the unknown stride cannot be zero otherwise // Precondition b) implies that the unknown stride cannot be zero otherwise
// we have UB. // we have UB.
// //
efriedmaUnsubmitted
Not Done
ReplyInline Actions

This is inductive logic, right? If the first iteration doesn't the loop, the following iterations also can't exit the loop.

I think this logic requires that RHS is invariant? Not that we would compute BECount anyway in that case, but I think we might underestimate MaxBECount.

efriedma: This is inductive logic, right? If the first iteration doesn't the loop, the following…
// The positive stride case is the same as isKnownPositive(Stride) returning // The positive stride case is the same as isKnownPositive(Stride) returning
// true (original behavior of the function). // true (original behavior of the function).
// //
// We want to make sure that the stride is truly unknown as there are edge if (PredicatedIV || !NoWrap || !loopIsFiniteByAssumption(L))
efriedmaUnsubmitted
Not Done
ReplyInline Actions

Does the logic here actually work correctly for step=0? It looks like we end up dividing by zero.

If we can prove the step is non-zero, loopIsFiniteByAssumption seems too aggressive; a lack of abnormal exits should be enough. We'll hit UB after a finite number of steps.

Using isKnownPositive doesn't really make sense in the unsigned case; an unsigned number can't be negative.

efriedma: Does the logic here actually work correctly for step=0? It looks like we end up dividing by…
reamesAuthorUnsubmitted
Done
ReplyInline Actions

Step can't be zero, or the loop would be infinite. Though, actually, writing that, I see a latent bug here. The loop could be finite *because we took another exit*, the step of this IV could still be zero, and we could still have a divide by zero along this path.

I don't think that has anything to do with this change though.

p.s. Yes, we can infer non-zero other ways. I even have one patch out to do that right now. :)

reames: Step can't be zero, or the loop would be infinite. Though, actually, writing that, I see a…
efriedmaUnsubmitted
Not Done
ReplyInline Actions

I agree this patch makes sense, just saying it might expose other issues.

*because we took another exit*

Even if we take this exit. If the backedge-taken count is zero, the step doesn't matter.

efriedma: I agree this patch makes sense, just saying it might expose other issues. > *because we took…
reamesAuthorUnsubmitted
Done
ReplyInline Actions

Eli, I think you're missing the point slightly. For the induction step to be zero, and for this to be the sole exit, then the loop must be infinite. Since mustprogress infinite loops are undefined, any result from this function is allowed. If there's a divide by zero which causes a compiler crash, that would be bad, but literally any result is legal at that point.

reames: Eli, I think you're missing the point slightly. For the induction step to be zero, and for…
efriedmaUnsubmitted
Not Done
ReplyInline Actions

If the induction step is zero, and this is the sole exit, the loop is either infinite, or has a backedge-taken count of zero. See, for example, https://godbolt.org/z/9djfj1Ycq .

efriedma: If the induction step is zero, and this is the sole exit, the loop is either infinite, or has a…
reamesAuthorUnsubmitted
Done
ReplyInline Actions

Gah, yeah, you're correct. No idea why I didn't see that the first time.

reames: Gah, yeah, you're correct. No idea why I didn't see that the first time.
// cases where ScalarEvolution propagates no wrap flags to the
// post-increment/decrement IV even though the increment/decrement operation
// itself is wrapping. The computed backedge taken count may be wrong in
// such cases. This is prevented by checking that the stride is not known to
// be either positive or non-positive. For example, no wrap flags are
// propagated to the post-increment IV of this loop with a trip count of 2 -
//
// unsigned char i;
// for(i=127; i<128; i+=129)
// A[i] = i;
//
if (PredicatedIV || !NoWrap || isKnownNonPositive(Stride) ||
!loopIsFiniteByAssumption(L))
return getCouldNotCompute(); return getCouldNotCompute();
} else if (!Stride->isOne() && !NoWrap) { } else if (!Stride->isOne() && !NoWrap) {
auto isUBOnWrap = [&]() { auto isUBOnWrap = [&]() {
// Can we prove this loop *must* be UB if overflow of IV occurs? // Can we prove this loop *must* be UB if overflow of IV occurs?
// Reasoning goes as follows: // Reasoning goes as follows:
// * Suppose the IV did self wrap. // * Suppose the IV did self wrap.
// * If Stride evenly divides the iteration space, then once wrap // * If Stride evenly divides the iteration space, then once wrap
// occurs, the loop must revisit the same values. // occurs, the loop must revisit the same values.
▲ Show 20 LinesShow All 2,191 LinesShow Last 20 Lines

llvm/test/Analysis/ScalarEvolution/trip-count-unknown-stride.ll

Show First 20 LinesShow All 100 Lines▼ Show 20 Linesfor.body: ; preds = %entry, %for.body
%add = add nsw i32 %i.05, %s %add = add nsw i32 %i.05, %s
%cmp = icmp slt i32 %add, %n %cmp = icmp slt i32 %add, %n
br i1 %cmp, label %for.body, label %for.end, !llvm.loop !8 br i1 %cmp, label %for.body, label %for.end, !llvm.loop !8
for.end: ; preds = %for.body, %entry for.end: ; preds = %for.body, %entry
ret void ret void
} }
; In this example, we branch on poison on the first iteration, so the
; loop is undefined, and thus any answer is valid.
; CHECK: Determining loop execution counts for: @foo5
; CHECK: Loop %for.body: backedge-taken count is 1
; CHECK: Loop %for.body: max backedge-taken count is 1
define void @foo5(i32* nocapture %A, i32 %n, i32 %s) {
entry:
br label %for.body
for.body: ; preds = %entry, %for.body
%i.05 = phi i8 [ %add, %for.body ], [ 127, %entry ]
%add = add nsw nuw i8 %i.05, 129
%cmp = icmp ult i8 %add, 128
br i1 %cmp, label %for.body, label %for.end, !llvm.loop !8
for.end: ; preds = %for.body, %entry
ret void
}
; Defined version of foo5, in this case 1 is the correct answer
; CHECK: Determining loop execution counts for: @foo6
; CHECK: Loop %for.body: backedge-taken count is 1
; CHECK: Loop %for.body: max backedge-taken count is 1
define void @foo6(i32* nocapture %A, i32 %n, i32 %s) {
entry:
br label %for.body
for.body: ; preds = %entry, %for.body
%i.05 = phi i8 [ %add, %for.body ], [ 127, %entry ]
%add = add nsw nuw i8 %i.05, 129
%cmp = icmp ult i8 %add, 128
br i1 %cmp, label %for.body, label %for.end, !llvm.loop !8
for.end: ; preds = %for.body, %entry
ret void
}
!8 = distinct !{!8, !9} !8 = distinct !{!8, !9}
!9 = !{!"llvm.loop.mustprogress"} !9 = !{!"llvm.loop.mustprogress"}