This is an archive of the discontinued LLVM Phabricator instance.

Differential D133999

[SelectOpti] Restrict load sinking
ClosedPublic

Authored by apostolakis on Sep 15 2022, 5:28 PM.

Details

Reviewers
davidxl
Commits
rGb827e7c60074: [SelectOpti] Restrict load sinking
Summary

This is a follow-up to D133777, which resolved a use-after-free case but
did not cover all possible memory bugs due to misplacement of loads.

In short, the overall problem was that sinked loads could be moved after
state-modifying instructions leading to memory bugs.

The solution is to restrict load sinking unless it is found to be sound.
i) Within a basic block (to-be-sinked load and select-user are in the same BB),
loads can be sinked only if there is no intervening state-modifying instruction.
This is a conservative approach to avoid resorting to alias analysis to detect
potential memory overlap.
ii) Across basic blocks, sinking of loads is avoided. This is because going over
multiple basic blocks looking for memory conflicts could be computationally
expensive and also unlikely to allow loads to sink. Further, experiments showed
that not sinking these loads has a slight positive performance effect.
Maybe for some of these loads, having some separation allows enough time
for the load to be executed in time for its user. This is not the case for
floating point operations that benefit more from sinking.

The solution in D133777 was essentially undone in this patch,
since the latter is a complete solution to the observed problem.

Overall, the performance impact of this patch is minimal.
Tested on two internal Google workloads with instrPGO.
Search application showed <0.05% perf difference,
while the database one showed a slight improvement,
but not statistically significant.

Diff Detail

Unit TestsFailed

TimeTest
60,050 msx64 debian > MLIR.Examples/standalone::test.toy
60,050 msx64 debian > libFuzzer.libFuzzer::fuzzer-leak.test
60,040 msx64 debian > libFuzzer.libFuzzer::minimize_crash.test
60,040 msx64 debian > libFuzzer.libFuzzer::value-profile-load.test

Event Timeline

apostolakis created this revision.Sep 15 2022, 5:28 PM
Herald added a project: Restricted Project. · View Herald TranscriptSep 15 2022, 5:28 PM
Herald added subscribers: pengfei, hiraditya. · View Herald Transcript
apostolakis requested review of this revision.Sep 15 2022, 5:28 PM
Herald added a project: Restricted Project. · View Herald TranscriptSep 15 2022, 5:28 PM
Herald added a subscriber: llvm-commits. · View Herald Transcript
apostolakis edited the summary of this revision. (Show Details)Sep 15 2022, 5:58 PM
Herald added a subscriber: wenlei. · View Herald TranscriptSep 15 2022, 5:58 PM
apostolakis edited the summary of this revision. (Show Details)Sep 15 2022, 6:03 PM
apostolakis updated this revision to Diff 460585.Sep 15 2022, 6:04 PM
apostolakis edited the summary of this revision. (Show Details)

Typo in comment

apostolakis added a reviewer: davidxl.Sep 15 2022, 6:04 PM
Harbormaster completed remote builds in B187008: Diff 460585.Sep 15 2022, 7:03 PM
apostolakis edited the summary of this revision. (Show Details)Sep 15 2022, 7:40 PM
davidxl added inline comments.Sep 15 2022, 9:19 PM
llvm/test/CodeGen/X86/select-optimize.ll
314

why is this unsafe to sink?

apostolakis added inline comments.Sep 15 2022, 9:34 PM
llvm/test/CodeGen/X86/select-optimize.ll
314

it is not unsafe to sink this load but the current version of the transformation does not check for sink-safety if such loads from other basic blocks and thus they should not be sunk.
See patch description for why cross-basic-block load moves were avoided, even though there might be cases such as this one where sinking would have been safe.

davidxl added inline comments.Sep 16 2022, 8:28 AM
llvm/lib/CodeGen/SelectOptimize.cpp
712

In most of the cases, the load and sinkpt are not in the same bb right -- as the case in the test case I commented.

apostolakis added inline comments.Sep 16 2022, 11:31 AM
llvm/lib/CodeGen/SelectOptimize.cpp
712

Actually, most of the sinkable loads are in the same basic block.
For a search workload, only 2.8% of the sinkable loads were in a different BB, while the rest (i.e., the vast majority, 97.2%) were in the same BB as the sinkpt.
The intuition here is that sinkable loads, as defined in this optimization, are loads that have a single-use (only used for the purpose of computing the select operand). Thus, it is expected that they will be close-by in the same BB as the select, i.e., their use.
If they are not in the same BB, there might be a good reason for that. Either there is a state-modifying and aliasing instruction in-between that prevents them for moving, or due to some other optimization (e.g., for both reported bugs, the loaded stack objects were freed early).

Note also that for the search workload, out of all the sinkable loads in the same BB, only 3 load-sinks (0.06% of sinkable loads) were conservatively skipped due to the check for potential (although non-aliasing in these cased) state-modifying instructions in line 717. So, even for same-BB loads, the impact of this transformation seems minimal. This also explains how rare it was for an actual memory bug to occur.

These statistics also justify the small perf impact of this patch

apostolakis added inline comments.Sep 16 2022, 11:38 AM
llvm/lib/CodeGen/SelectOptimize.cpp
712

Oh I now realized that your comment was on this check within isSafeToSinkLoad, and not about skipping cross-BB load sinks in line 760, although the provided statistics should provide more clarity overall.

Regarding this specific check: isSafeToSinkLoad function is only called for cases where both LoadI and SinkPt are in the same BB (see callsite in line 762). Additionally, the iteration here will only work properly for intra-BB searches, so to prevent any misuse it returns conservatively false.

Actually, re-reading this check I could have just called this function and avoid the if-statement in line 760

davidxl added a comment.Sep 16 2022, 12:43 PM

Ok -- my confusion was the naming of the SinkPt variable -- it should actually be named 'SI'. I through the sinkpt is the actual bb after select is expanded into branch.

apostolakis added a comment.Sep 16 2022, 12:45 PM
In D133999#3796300, @davidxl wrote:

Ok -- my confusion was the naming of the SinkPt variable -- it should actually be named 'SI'. I through the sinkpt is the actual bb after select is expanded into branch.

Oh I see. Naming it as sink-point was indeed confusing. I will change it.

davidxl added inline comments.Sep 16 2022, 12:52 PM
llvm/test/CodeGen/X86/select-optimize.ll
245

For sunkable loads, should the lifetime marker still be preserved?

apostolakis added inline comments.Sep 16 2022, 12:56 PM
llvm/test/CodeGen/X86/select-optimize.ll
245

The lifetime-marker intrinsic writes to memory and thus there will not be any sunk loads bypassing lifetime markers.
This is why this patch also covers the use-after-free resolved by D133777.

davidxl added inline comments.Sep 16 2022, 1:02 PM
llvm/test/CodeGen/X86/select-optimize.ll
245

Can you add another case with lifemarker and check if it is not sunk?

apostolakis added inline comments.Sep 16 2022, 1:03 PM
llvm/test/CodeGen/X86/select-optimize.ll
245

Sure.

apostolakis updated this revision to Diff 460876.Sep 16 2022, 1:20 PM

Add test with lifetime-marker, rename SinktPt to SI to avoid
confusion, and remove redundant check for same/different BB.

davidxl accepted this revision.Sep 16 2022, 1:32 PM

lgtm

This revision is now accepted and ready to land.Sep 16 2022, 1:32 PM
This revision was landed with ongoing or failed builds.Sep 16 2022, 1:55 PM
Closed by commit rGb827e7c60074: [SelectOpti] Restrict load sinking (authored by apostolakis). · Explain Why
This revision was automatically updated to reflect the committed changes.
apostolakis added a commit: rGb827e7c60074: [SelectOpti] Restrict load sinking.
Harbormaster completed remote builds in B187230: Diff 460876.Sep 16 2022, 3:36 PM

Revision Contents

PathSize
llvm/
lib/
CodeGen/
50 lines
test/
CodeGen/
X86/
75 lines

Diff 460876

llvm/lib/CodeGen/SelectOptimize.cpp

Show All 23 Lines
#include "llvm/CodeGen/TargetPassConfig.h" #include "llvm/CodeGen/TargetPassConfig.h"
#include "llvm/CodeGen/TargetSchedule.h" #include "llvm/CodeGen/TargetSchedule.h"
#include "llvm/CodeGen/TargetSubtargetInfo.h" #include "llvm/CodeGen/TargetSubtargetInfo.h"
#include "llvm/IR/BasicBlock.h" #include "llvm/IR/BasicBlock.h"
#include "llvm/IR/Dominators.h" #include "llvm/IR/Dominators.h"
#include "llvm/IR/Function.h" #include "llvm/IR/Function.h"
#include "llvm/IR/IRBuilder.h" #include "llvm/IR/IRBuilder.h"
#include "llvm/IR/Instruction.h" #include "llvm/IR/Instruction.h"
#include "llvm/IR/IntrinsicInst.h"
#include "llvm/IR/ProfDataUtils.h" #include "llvm/IR/ProfDataUtils.h"
#include "llvm/InitializePasses.h" #include "llvm/InitializePasses.h"
#include "llvm/Pass.h" #include "llvm/Pass.h"
#include "llvm/Support/ScaledNumber.h" #include "llvm/Support/ScaledNumber.h"
#include "llvm/Target/TargetMachine.h" #include "llvm/Target/TargetMachine.h"
#include "llvm/Transforms/Utils/SizeOpts.h" #include "llvm/Transforms/Utils/SizeOpts.h"
#include <algorithm> #include <algorithm>
#include <memory> #include <memory>
▲ Show 20 LinesShow All 136 Lines▼ Show 20 Linesprivate:
// operand's (if any) dependence slice of any of the selects of the given // operand's (if any) dependence slice of any of the selects of the given
// group. // group.
bool hasExpensiveColdOperand(const SmallVector<SelectInst *, 2> &ASI); bool hasExpensiveColdOperand(const SmallVector<SelectInst *, 2> &ASI);
// For a given source instruction, collect its backwards dependence slice // For a given source instruction, collect its backwards dependence slice
// consisting of instructions exclusively computed for producing the operands // consisting of instructions exclusively computed for producing the operands
// of the source instruction. // of the source instruction.
void getExclBackwardsSlice(Instruction *I, std::stack<Instruction *> &Slice, void getExclBackwardsSlice(Instruction *I, std::stack<Instruction *> &Slice,
bool ForSinking = false); Instruction *SI, bool ForSinking = false);
// Returns true if the condition of the select is highly predictable. // Returns true if the condition of the select is highly predictable.
bool isSelectHighlyPredictable(const SelectInst *SI); bool isSelectHighlyPredictable(const SelectInst *SI);
// Loop-level checks to determine if a non-predicated version (with branches) // Loop-level checks to determine if a non-predicated version (with branches)
// of the given loop is more profitable than its predicated version. // of the given loop is more profitable than its predicated version.
bool checkLoopHeuristics(const Loop *L, const CostInfo LoopDepth[2]); bool checkLoopHeuristics(const Loop *L, const CostInfo LoopDepth[2]);
▲ Show 20 LinesShow All 178 Lines▼ Show 20 Lines for (SelectGroup &ASI : ProfSIGroups) {
SmallVector<std::stack<Instruction *>, 2> TrueSlices, FalseSlices; SmallVector<std::stack<Instruction *>, 2> TrueSlices, FalseSlices;
typedef std::stack<Instruction *>::size_type StackSizeType; typedef std::stack<Instruction *>::size_type StackSizeType;
StackSizeType maxTrueSliceLen = 0, maxFalseSliceLen = 0; StackSizeType maxTrueSliceLen = 0, maxFalseSliceLen = 0;
for (SelectInst *SI : ASI) { for (SelectInst *SI : ASI) {
// For each select, compute the sinkable dependence chains of the true and // For each select, compute the sinkable dependence chains of the true and
// false operands. // false operands.
if (auto *TI = dyn_cast<Instruction>(SI->getTrueValue())) { if (auto *TI = dyn_cast<Instruction>(SI->getTrueValue())) {
std::stack<Instruction *> TrueSlice; std::stack<Instruction *> TrueSlice;
getExclBackwardsSlice(TI, TrueSlice, true); getExclBackwardsSlice(TI, TrueSlice, SI, true);
maxTrueSliceLen = std::max(maxTrueSliceLen, TrueSlice.size()); maxTrueSliceLen = std::max(maxTrueSliceLen, TrueSlice.size());
TrueSlices.push_back(TrueSlice); TrueSlices.push_back(TrueSlice);
} }
if (auto *FI = dyn_cast<Instruction>(SI->getFalseValue())) { if (auto *FI = dyn_cast<Instruction>(SI->getFalseValue())) {
std::stack<Instruction *> FalseSlice; std::stack<Instruction *> FalseSlice;
getExclBackwardsSlice(FI, FalseSlice, true); getExclBackwardsSlice(FI, FalseSlice, SI, true);
maxFalseSliceLen = std::max(maxFalseSliceLen, FalseSlice.size()); maxFalseSliceLen = std::max(maxFalseSliceLen, FalseSlice.size());
FalseSlices.push_back(FalseSlice); FalseSlices.push_back(FalseSlice);
} }
} }
// In the case of multiple select instructions in the same group, the order // In the case of multiple select instructions in the same group, the order
// of non-dependent instructions (instructions of different dependence // of non-dependent instructions (instructions of different dependence
// slices) in the true/false blocks appears to affect performance. // slices) in the true/false blocks appears to affect performance.
// Interleaving the slices seems to experimentally be the optimal approach. // Interleaving the slices seems to experimentally be the optimal approach.
▲ Show 20 LinesShow All 70 Lines▼ Show 20 Lines if (TrueBlock == FalseBlock) {
assert(TrueBlock == nullptr && assert(TrueBlock == nullptr &&
"Unexpected basic block transform while optimizing select"); "Unexpected basic block transform while optimizing select");
FalseBlock = BasicBlock::Create(SI->getContext(), "select.false", FalseBlock = BasicBlock::Create(SI->getContext(), "select.false",
EndBlock->getParent(), EndBlock); EndBlock->getParent(), EndBlock);
auto *FalseBranch = BranchInst::Create(EndBlock, FalseBlock); auto *FalseBranch = BranchInst::Create(EndBlock, FalseBlock);
FalseBranch->setDebugLoc(SI->getDebugLoc()); FalseBranch->setDebugLoc(SI->getDebugLoc());
} }
// If there was sinking, move any lifetime-end intrinsic calls found in the
// StartBlock to the newly-created end block to ensure sound lifetime info
// after sinking (in case any use is sinked).
else {
SmallVector<Instruction *, 2> EndLifetimeCalls;
for (Instruction &I : *StartBlock) {
if (IntrinsicInst *II = dyn_cast<IntrinsicInst>(&I)) {
if (II->getIntrinsicID() == Intrinsic::lifetime_end) {
EndLifetimeCalls.push_back(&I);
}
}
}
for (auto *LC : EndLifetimeCalls) {
LC->moveBefore(&*EndBlock->getFirstInsertionPt());
}
}
// Insert the real conditional branch based on the original condition. // Insert the real conditional branch based on the original condition.
// If we did not create a new block for one of the 'true' or 'false' paths // If we did not create a new block for one of the 'true' or 'false' paths
// of the condition, it means that side of the branch goes to the end block // of the condition, it means that side of the branch goes to the end block
// directly and the path originates from the start block from the point of // directly and the path originates from the start block from the point of
// view of the new PHI. // view of the new PHI.
BasicBlock *TT, *FT; BasicBlock *TT, *FT;
if (TrueBlock == nullptr) { if (TrueBlock == nullptr) {
▲ Show 20 LinesShow All 198 Lines▼ Show 20 Lines if (TrueWeight < FalseWeight) {
ColdI = dyn_cast<Instruction>(SI->getTrueValue()); ColdI = dyn_cast<Instruction>(SI->getTrueValue());
HotWeight = FalseWeight; HotWeight = FalseWeight;
} else { } else {
ColdI = dyn_cast<Instruction>(SI->getFalseValue()); ColdI = dyn_cast<Instruction>(SI->getFalseValue());
HotWeight = TrueWeight; HotWeight = TrueWeight;
} }
if (ColdI) { if (ColdI) {
std::stack<Instruction *> ColdSlice; std::stack<Instruction *> ColdSlice;
getExclBackwardsSlice(ColdI, ColdSlice); getExclBackwardsSlice(ColdI, ColdSlice, SI);
InstructionCost SliceCost = 0; InstructionCost SliceCost = 0;
while (!ColdSlice.empty()) { while (!ColdSlice.empty()) {
SliceCost += TTI->getInstructionCost(ColdSlice.top(), SliceCost += TTI->getInstructionCost(ColdSlice.top(),
TargetTransformInfo::TCK_Latency); TargetTransformInfo::TCK_Latency);
ColdSlice.pop(); ColdSlice.pop();
} }
// The colder the cold value operand of the select is the more expensive // The colder the cold value operand of the select is the more expensive
// the cmov becomes for computing the cold value operand every time. Thus, // the cmov becomes for computing the cold value operand every time. Thus,
// the colder the cold operand is the more its cost counts. // the colder the cold operand is the more its cost counts.
// Get nearest integer cost adjusted for coldness. // Get nearest integer cost adjusted for coldness.
InstructionCost AdjSliceCost = InstructionCost AdjSliceCost =
divideNearest(SliceCost * HotWeight, TotalWeight); divideNearest(SliceCost * HotWeight, TotalWeight);
if (AdjSliceCost >= if (AdjSliceCost >=
ColdOperandMaxCostMultiplier * TargetTransformInfo::TCC_Expensive) ColdOperandMaxCostMultiplier * TargetTransformInfo::TCC_Expensive)
return true; return true;
} }
} }
return false; return false;
} }
// Check if it is safe to move LoadI next to the SI.
// Conservatively assume it is safe only if there is no instruction
// modifying memory in-between the load and the select instruction.
static bool isSafeToSinkLoad(Instruction *LoadI, Instruction *SI) {
// Assume loads from different basic blocks are unsafe to move.
if (LoadI->getParent() != SI->getParent())
davidxlUnsubmitted
Not Done
ReplyInline Actions

In most of the cases, the load and sinkpt are not in the same bb right -- as the case in the test case I commented.

davidxl: In most of the cases, the load and sinkpt are not in the same bb right -- as the case in the…
apostolakisAuthorUnsubmitted
Done
ReplyInline Actions

Actually, most of the sinkable loads are in the same basic block.
For a search workload, only 2.8% of the sinkable loads were in a different BB, while the rest (i.e., the vast majority, 97.2%) were in the same BB as the sinkpt.
The intuition here is that sinkable loads, as defined in this optimization, are loads that have a single-use (only used for the purpose of computing the select operand). Thus, it is expected that they will be close-by in the same BB as the select, i.e., their use.
If they are not in the same BB, there might be a good reason for that. Either there is a state-modifying and aliasing instruction in-between that prevents them for moving, or due to some other optimization (e.g., for both reported bugs, the loaded stack objects were freed early).

Note also that for the search workload, out of all the sinkable loads in the same BB, only 3 load-sinks (0.06% of sinkable loads) were conservatively skipped due to the check for potential (although non-aliasing in these cased) state-modifying instructions in line 717. So, even for same-BB loads, the impact of this transformation seems minimal. This also explains how rare it was for an actual memory bug to occur.

These statistics also justify the small perf impact of this patch

apostolakis: Actually, most of the sinkable loads are in the same basic block. For a search workload, only 2.
apostolakisAuthorUnsubmitted
Done
ReplyInline Actions

Oh I now realized that your comment was on this check within isSafeToSinkLoad, and not about skipping cross-BB load sinks in line 760, although the provided statistics should provide more clarity overall.

Regarding this specific check: isSafeToSinkLoad function is only called for cases where both LoadI and SinkPt are in the same BB (see callsite in line 762). Additionally, the iteration here will only work properly for intra-BB searches, so to prevent any misuse it returns conservatively false.

Actually, re-reading this check I could have just called this function and avoid the if-statement in line 760

apostolakis: Oh I now realized that your comment was on this check within isSafeToSinkLoad, and not about…
return false;
auto It = LoadI->getIterator();
while (&*It != SI) {
if (It->mayWriteToMemory())
return false;
It++;
}
return true;
}
// For a given source instruction, collect its backwards dependence slice // For a given source instruction, collect its backwards dependence slice
// consisting of instructions exclusively computed for the purpose of producing // consisting of instructions exclusively computed for the purpose of producing
// the operands of the source instruction. As an approximation // the operands of the source instruction. As an approximation
// (sufficiently-accurate in practice), we populate this set with the // (sufficiently-accurate in practice), we populate this set with the
// instructions of the backwards dependence slice that only have one-use and // instructions of the backwards dependence slice that only have one-use and
// form an one-use chain that leads to the source instruction. // form an one-use chain that leads to the source instruction.
void SelectOptimize::getExclBackwardsSlice(Instruction *I, void SelectOptimize::getExclBackwardsSlice(Instruction *I,
std::stack<Instruction *> &Slice, std::stack<Instruction *> &Slice,
bool ForSinking) { Instruction *SI, bool ForSinking) {
SmallPtrSet<Instruction *, 2> Visited; SmallPtrSet<Instruction *, 2> Visited;
std::queue<Instruction *> Worklist; std::queue<Instruction *> Worklist;
Worklist.push(I); Worklist.push(I);
while (!Worklist.empty()) { while (!Worklist.empty()) {
Instruction *II = Worklist.front(); Instruction *II = Worklist.front();
Worklist.pop(); Worklist.pop();
// Avoid cycles. // Avoid cycles.
if (!Visited.insert(II).second) if (!Visited.insert(II).second)
continue; continue;
if (!II->hasOneUse()) if (!II->hasOneUse())
continue; continue;
// Cannot soundly sink instructions with side-effects. // Cannot soundly sink instructions with side-effects.
// Terminator or phi instructions cannot be sunk. // Terminator or phi instructions cannot be sunk.
// Avoid sinking other select instructions (should be handled separetely). // Avoid sinking other select instructions (should be handled separetely).
if (ForSinking && (II->isTerminator() || II->mayHaveSideEffects() || if (ForSinking && (II->isTerminator() || II->mayHaveSideEffects() ||
isa<SelectInst>(II) || isa<PHINode>(II))) isa<SelectInst>(II) || isa<PHINode>(II)))
continue; continue;
// Avoid sinking loads in order not to skip state-modifying instructions,
// that may alias with the loaded address.
// Only allow sinking of loads within the same basic block that are
// conservatively proven to be safe.
if (ForSinking && II->mayReadFromMemory() && !isSafeToSinkLoad(II, SI))
continue;
// Avoid considering instructions with less frequency than the source // Avoid considering instructions with less frequency than the source
// instruction (i.e., avoid colder code regions of the dependence slice). // instruction (i.e., avoid colder code regions of the dependence slice).
if (BFI->getBlockFreq(II->getParent()) < BFI->getBlockFreq(I->getParent())) if (BFI->getBlockFreq(II->getParent()) < BFI->getBlockFreq(I->getParent()))
continue; continue;
// Eligible one-use instruction added to the dependence slice. // Eligible one-use instruction added to the dependence slice.
Slice.push(II); Slice.push(II);
▲ Show 20 LinesShow All 246 LinesShow Last 20 Lines

llvm/test/CodeGen/X86/select-optimize.ll

Show First 20 LinesShow All 179 Lines▼ Show 20 Lines
; CHECK-NEXT: [[SEL:%.*]] = select i1 [[CMP:%.*]], i32 [[X:%.*]], i32 [[LOAD]], !prof [[PROF18]] ; CHECK-NEXT: [[SEL:%.*]] = select i1 [[CMP:%.*]], i32 [[X:%.*]], i32 [[LOAD]], !prof [[PROF18]]
; CHECK-NEXT: ret i32 [[SEL]] ; CHECK-NEXT: ret i32 [[SEL]]
; ;
%load = load i32, ptr %a, align 8 %load = load i32, ptr %a, align 8
%sel = select i1 %cmp, i32 %x, i32 %load, !prof !17 %sel = select i1 %cmp, i32 %x, i32 %load, !prof !17
ret i32 %sel ret i32 %sel
} }
; Cold value operand with load in its one-use dependence slice shoud result ; Cold value operand with load in its one-use dependence slice should result
; into a branch with sinked dependence slice. ; into a branch with sinked dependence slice.
; The lifetime-end intrinsics should be soundly preserved.
define i32 @expensive_val_operand3(ptr nocapture %a, i32 %b, i32 %y, i1 %cmp) { define i32 @expensive_val_operand3(ptr nocapture %a, i32 %b, i32 %y, i1 %cmp) {
; CHECK-LABEL: @expensive_val_operand3( ; CHECK-LABEL: @expensive_val_operand3(
; CHECK-NEXT: [[SEL_FROZEN:%.*]] = freeze i1 [[CMP:%.*]] ; CHECK-NEXT: [[SEL_FROZEN:%.*]] = freeze i1 [[CMP:%.*]]
; CHECK-NEXT: br i1 [[SEL_FROZEN]], label [[SELECT_TRUE_SINK:%.*]], label [[SELECT_END:%.*]], !prof [[PROF18]] ; CHECK-NEXT: br i1 [[SEL_FROZEN]], label [[SELECT_TRUE_SINK:%.*]], label [[SELECT_END:%.*]], !prof [[PROF18]]
; CHECK: select.true.sink: ; CHECK: select.true.sink:
; CHECK-NEXT: [[LOAD:%.*]] = load i32, ptr [[A:%.*]], align 8 ; CHECK-NEXT: [[LOAD:%.*]] = load i32, ptr [[A:%.*]], align 8
; CHECK-NEXT: [[X:%.*]] = add i32 [[LOAD]], [[B:%.*]] ; CHECK-NEXT: [[X:%.*]] = add i32 [[LOAD]], [[B:%.*]]
; CHECK-NEXT: br label [[SELECT_END]] ; CHECK-NEXT: br label [[SELECT_END]]
; CHECK: select.end: ; CHECK: select.end:
; CHECK-NEXT: [[SEL:%.*]] = phi i32 [ [[X]], [[SELECT_TRUE_SINK]] ], [ [[Y:%.*]], [[TMP0:%.*]] ] ; CHECK-NEXT: [[SEL:%.*]] = phi i32 [ [[X]], [[SELECT_TRUE_SINK]] ], [ [[Y:%.*]], [[TMP0:%.*]] ]
; CHECK-NEXT: ret i32 [[SEL]]
;
%load = load i32, ptr %a, align 8
%x = add i32 %load, %b
%sel = select i1 %cmp, i32 %x, i32 %y, !prof !17
ret i32 %sel
}
; Expensive cold value operand with unsafe-to-sink (due to func call) load (partial slice sinking).
define i32 @expensive_val_operand4(ptr nocapture %a, i32 %b, i32 %y, i1 %cmp) {
; CHECK-LABEL: @expensive_val_operand4(
; CHECK-NEXT: [[LOAD:%.*]] = load i32, ptr [[A:%.*]], align 8
; CHECK-NEXT: call void @free(ptr [[A]])
; CHECK-NEXT: [[SEL_FROZEN:%.*]] = freeze i1 [[CMP:%.*]]
; CHECK-NEXT: br i1 [[SEL_FROZEN]], label [[SELECT_TRUE_SINK:%.*]], label [[SELECT_END:%.*]], !prof [[PROF18]]
; CHECK: select.true.sink:
; CHECK-NEXT: [[X:%.*]] = add i32 [[LOAD]], [[B:%.*]]
; CHECK-NEXT: br label [[SELECT_END]]
; CHECK: select.end:
; CHECK-NEXT: [[SEL:%.*]] = phi i32 [ [[X]], [[SELECT_TRUE_SINK]] ], [ [[Y:%.*]], [[TMP0:%.*]] ]
; CHECK-NEXT: ret i32 [[SEL]]
;
%load = load i32, ptr %a, align 8
call void @free(ptr %a)
%x = add i32 %load, %b
%sel = select i1 %cmp, i32 %x, i32 %y, !prof !17
ret i32 %sel
}
; Expensive cold value operand with unsafe-to-sink (due to lifetime-end marker) load (partial slice sinking).
define i32 @expensive_val_operand5(ptr nocapture %a, i32 %b, i32 %y, i1 %cmp) {
; CHECK-LABEL: @expensive_val_operand5(
; CHECK-NEXT: [[LOAD:%.*]] = load i32, ptr [[A:%.*]], align 8
; CHECK-NEXT: call void @llvm.lifetime.end.p0(i64 2, ptr nonnull [[A]]) ; CHECK-NEXT: call void @llvm.lifetime.end.p0(i64 2, ptr nonnull [[A]])
; CHECK-NEXT: [[SEL_FROZEN:%.*]] = freeze i1 [[CMP:%.*]]
; CHECK-NEXT: br i1 [[SEL_FROZEN]], label [[SELECT_TRUE_SINK:%.*]], label [[SELECT_END:%.*]], !prof [[PROF18]]
; CHECK: select.true.sink:
; CHECK-NEXT: [[X:%.*]] = add i32 [[LOAD]], [[B:%.*]]
; CHECK-NEXT: br label [[SELECT_END]]
; CHECK: select.end:
; CHECK-NEXT: [[SEL:%.*]] = phi i32 [ [[X]], [[SELECT_TRUE_SINK]] ], [ [[Y:%.*]], [[TMP0:%.*]] ]
; CHECK-NEXT: ret i32 [[SEL]] ; CHECK-NEXT: ret i32 [[SEL]]
; ;
%load = load i32, ptr %a, align 8 %load = load i32, ptr %a, align 8
call void @llvm.lifetime.end.p0(i64 2, ptr nonnull %a) call void @llvm.lifetime.end.p0(i64 2, ptr nonnull %a)
%x = add i32 %load, %b %x = add i32 %load, %b
davidxlUnsubmitted
Not Done
ReplyInline Actions

For sunkable loads, should the lifetime marker still be preserved?

davidxl: For sunkable loads, should the lifetime marker still be preserved?
apostolakisAuthorUnsubmitted
Done
ReplyInline Actions

The lifetime-marker intrinsic writes to memory and thus there will not be any sunk loads bypassing lifetime markers.
This is why this patch also covers the use-after-free resolved by D133777.

apostolakis: The lifetime-marker intrinsic writes to memory and thus there will not be any sunk loads…
davidxlUnsubmitted
Not Done
ReplyInline Actions

Can you add another case with lifemarker and check if it is not sunk?

davidxl: Can you add another case with lifemarker and check if it is not sunk?
apostolakisAuthorUnsubmitted
Done
ReplyInline Actions

Sure.

apostolakis: Sure.
%sel = select i1 %cmp, i32 %x, i32 %y, !prof !17 %sel = select i1 %cmp, i32 %x, i32 %y, !prof !17
ret i32 %sel ret i32 %sel
} }
; Expensive cold value operand with potentially-unsafe-to-sink load (located
; in a different basic block and thus unchecked for sinkability).
define i32 @expensive_val_operand6(ptr nocapture %a, i32 %b, i32 %y, i1 %cmp) {
; CHECK-LABEL: @expensive_val_operand6(
; CHECK-NEXT: entry:
; CHECK-NEXT: [[LOAD:%.*]] = load i32, ptr [[A:%.*]], align 8
; CHECK-NEXT: br label [[BB1:%.*]]
; CHECK: bb1:
; CHECK-NEXT: [[SEL_FROZEN:%.*]] = freeze i1 [[CMP:%.*]]
; CHECK-NEXT: br i1 [[SEL_FROZEN]], label [[SELECT_TRUE_SINK:%.*]], label [[SELECT_END:%.*]], !prof [[PROF18]]
; CHECK: select.true.sink:
; CHECK-NEXT: [[X:%.*]] = add i32 [[LOAD]], [[B:%.*]]
; CHECK-NEXT: br label [[SELECT_END]]
; CHECK: select.end:
; CHECK-NEXT: [[SEL:%.*]] = phi i32 [ [[X]], [[SELECT_TRUE_SINK]] ], [ [[Y:%.*]], [[BB1]] ]
; CHECK-NEXT: ret i32 [[SEL]]
;
entry:
%load = load i32, ptr %a, align 8
br label %bb1
bb1: ; preds = %entry
%x = add i32 %load, %b
%sel = select i1 %cmp, i32 %x, i32 %y, !prof !17
ret i32 %sel
}
; Multiple uses of the load value operand. ; Multiple uses of the load value operand.
define i32 @expensive_val_operand4(i32 %a, ptr nocapture %b, i32 %x, i1 %cmp) { define i32 @expensive_val_operand7(i32 %a, ptr nocapture %b, i32 %x, i1 %cmp) {
; CHECK-LABEL: @expensive_val_operand4( ; CHECK-LABEL: @expensive_val_operand7(
; CHECK-NEXT: [[LOAD:%.*]] = load i32, ptr [[B:%.*]], align 4 ; CHECK-NEXT: [[LOAD:%.*]] = load i32, ptr [[B:%.*]], align 4
; CHECK-NEXT: [[SEL:%.*]] = select i1 [[CMP:%.*]], i32 [[X:%.*]], i32 [[LOAD]] ; CHECK-NEXT: [[SEL:%.*]] = select i1 [[CMP:%.*]], i32 [[X:%.*]], i32 [[LOAD]]
; CHECK-NEXT: [[ADD:%.*]] = add i32 [[SEL]], [[LOAD]] ; CHECK-NEXT: [[ADD:%.*]] = add i32 [[SEL]], [[LOAD]]
; CHECK-NEXT: ret i32 [[ADD]] ; CHECK-NEXT: ret i32 [[ADD]]
; ;
%load = load i32, ptr %b, align 4 %load = load i32, ptr %b, align 4
%sel = select i1 %cmp, i32 %x, i32 %load %sel = select i1 %cmp, i32 %x, i32 %load
%add = add i32 %sel, %load %add = add i32 %sel, %load
Show All 19 Lines
define double @cmov_on_critical_path(i32 %n, double %x, ptr nocapture %a) { define double @cmov_on_critical_path(i32 %n, double %x, ptr nocapture %a) {
; CHECK-LABEL: @cmov_on_critical_path( ; CHECK-LABEL: @cmov_on_critical_path(
; CHECK-NEXT: entry: ; CHECK-NEXT: entry:
; CHECK-NEXT: [[CMP1:%.*]] = icmp sgt i32 [[N:%.*]], 0 ; CHECK-NEXT: [[CMP1:%.*]] = icmp sgt i32 [[N:%.*]], 0
; CHECK-NEXT: br i1 [[CMP1]], label [[FOR_BODY_PREHEADER:%.*]], label [[FOR_COND_CLEANUP:%.*]] ; CHECK-NEXT: br i1 [[CMP1]], label [[FOR_BODY_PREHEADER:%.*]], label [[FOR_COND_CLEANUP:%.*]]
; CHECK: for.cond.cleanup: ; CHECK: for.cond.cleanup:
; CHECK-NEXT: ret double [[X:%.*]] ; CHECK-NEXT: ret double [[X:%.*]]
; CHECK: for.body.preheader: ; CHECK: for.body.preheader:
; CHECK-NEXT: [[WIDE_TRIP_COUNT:%.*]] = zext i32 [[N]] to i64 ; CHECK-NEXT: [[WIDE_TRIP_COUNT:%.*]] = zext i32 [[N]] to i64
davidxlUnsubmitted
Not Done
ReplyInline Actions

why is this unsafe to sink?

davidxl: why is this unsafe to sink?
apostolakisAuthorUnsubmitted
Done
ReplyInline Actions

it is not unsafe to sink this load but the current version of the transformation does not check for sink-safety if such loads from other basic blocks and thus they should not be sunk.
See patch description for why cross-basic-block load moves were avoided, even though there might be cases such as this one where sinking would have been safe.

apostolakis: it is not unsafe to sink this load but the current version of the transformation does not check…
; CHECK-NEXT: br label [[FOR_BODY:%.*]] ; CHECK-NEXT: br label [[FOR_BODY:%.*]]
; CHECK: for.body: ; CHECK: for.body:
; CHECK-NEXT: [[INDVARS_IV:%.*]] = phi i64 [ [[INDVARS_IV_NEXT:%.*]], [[SELECT_END:%.*]] ], [ 0, [[FOR_BODY_PREHEADER]] ] ; CHECK-NEXT: [[INDVARS_IV:%.*]] = phi i64 [ [[INDVARS_IV_NEXT:%.*]], [[SELECT_END:%.*]] ], [ 0, [[FOR_BODY_PREHEADER]] ]
; CHECK-NEXT: [[X1:%.*]] = phi double [ [[X2:%.*]], [[SELECT_END]] ], [ [[X]], [[FOR_BODY_PREHEADER]] ] ; CHECK-NEXT: [[X1:%.*]] = phi double [ [[X2:%.*]], [[SELECT_END]] ], [ [[X]], [[FOR_BODY_PREHEADER]] ]
; CHECK-NEXT: [[ARRAYIDX:%.*]] = getelementptr inbounds double, ptr [[A:%.*]], i64 [[INDVARS_IV]] ; CHECK-NEXT: [[ARRAYIDX:%.*]] = getelementptr inbounds double, ptr [[A:%.*]], i64 [[INDVARS_IV]]
; CHECK-NEXT: [[R:%.*]] = load double, ptr [[ARRAYIDX]], align 8 ; CHECK-NEXT: [[R:%.*]] = load double, ptr [[ARRAYIDX]], align 8
; CHECK-NEXT: [[CMP2:%.*]] = fcmp ogt double [[X1]], [[R]] ; CHECK-NEXT: [[CMP2:%.*]] = fcmp ogt double [[X1]], [[R]]
; CHECK-NEXT: [[X2_FROZEN:%.*]] = freeze i1 [[CMP2]] ; CHECK-NEXT: [[X2_FROZEN:%.*]] = freeze i1 [[CMP2]]
▲ Show 20 LinesShow All 190 Lines▼ Show 20 Lines
} }
; Function Attrs: nounwind readnone speculatable willreturn ; Function Attrs: nounwind readnone speculatable willreturn
declare void @llvm.dbg.value(metadata, metadata, metadata) declare void @llvm.dbg.value(metadata, metadata, metadata)
; Function Attrs: argmemonly mustprogress nocallback nofree nosync nounwind willreturn ; Function Attrs: argmemonly mustprogress nocallback nofree nosync nounwind willreturn
declare void @llvm.lifetime.end.p0(i64 immarg, ptr nocapture) declare void @llvm.lifetime.end.p0(i64 immarg, ptr nocapture)
declare void @free(ptr nocapture)
!llvm.module.flags = !{!0, !26, !27} !llvm.module.flags = !{!0, !26, !27}
!0 = !{i32 1, !"ProfileSummary", !1} !0 = !{i32 1, !"ProfileSummary", !1}
!1 = !{!2, !3, !4, !5, !6, !7, !8, !9} !1 = !{!2, !3, !4, !5, !6, !7, !8, !9}
!2 = !{!"ProfileFormat", !"InstrProf"} !2 = !{!"ProfileFormat", !"InstrProf"}
!3 = !{!"TotalCount", i64 10000} !3 = !{!"TotalCount", i64 10000}
!4 = !{!"MaxCount", i64 10} !4 = !{!"MaxCount", i64 10}
!5 = !{!"MaxInternalCount", i64 1} !5 = !{!"MaxInternalCount", i64 1}
!6 = !{!"MaxFunctionCount", i64 1000} !6 = !{!"MaxFunctionCount", i64 1000}
Show All 22 Lines