sorry for the slow response

looking at the test case, this looks more like an issue with inlining heuristics. the branch_weights says that we almost never call longname in rec_call_to_longname but we still end up inlining it, presumably due to the devirtualization bonus as you've said? removing the !prof from the branch makes this test case ok which is odd

Interesting -- I've dug into the cost modelling, and I think you're correct that there's an issue, but it's even less enjoyable. It looks like the effect of the branch-weights successfully suppresses longname being inlined into rec_call_to_longname because it's a cold callsite, in the first instance. However, once rec_call_to_longname is inlined into a, the same computations round all the frequencies to zero, and inlining starts to happen repeatedly through both rec_call_to_longname and longname, giving the exponential behaviour. Without the branch weights, inlining longname into rec_call_to_longname creates a directly recursive function that never gets inlined again.

My understanding of inlining is that if we've rejecting inlining at a call site because of the cost, it would be very unexpected if inlining the call-site to somewhere else lowered the cost. Thus the cost-modelling changing it's mind is the most surprising behaviour and is most likely to be wrong. It's another area I'm unfamiliar with that I'll try digging into, the relevant function is InlineCostCallAnalyzer::isColdCallSite [0]. I'll probably be able to work it out, but here's a dump of the relevant state just in case someone else knows a graceful solution -- in the first instance on the linked line,

• ColdProb is a fixed-point representation of 0.02f,
• CallSiteFreq is integer value 8,
• CallerEntryFreq is integer value 450,
• Return-value of CallerEntryFreq * ColdProb is 9

I assume others can interpret the following branch probability summary:

block-frequency: rec_call_to_longname
=====================================
reverse-post-order-traversal
 - 0: 
 - 1: 
 - 2: 
loop-detection
compute-mass-in-function
 - node: 
  => [ local  ] weight = 38171822, succ = 
  => [ local  ] weight = 2109311826, succ = 
  => mass:  ffffffffffffffff
  => assign 048ce95bffffffff (fb7316a400000000) to 
  => assign fb7316a400000000 (0000000000000000) to 
 - node: 
  => [ local  ] weight = 2147483648, succ = 
  => mass:  048ce95bffffffff
  => assign 048ce95bffffffff (0000000000000000) to 
 - node: 
  => mass:  ffffffffffffffff
float-to-int: min = 0.01777513977, max = 1.0, factor = 450.0667844
 - : float = 1.0, scaled = 450.0667844, int = 450
 - : float = 0.01777513977, scaled = 8.0, int = 8
 - : float = 1.0, scaled = 450.0667844, int = 450
block-frequency-info: rec_call_to_longname
 - : float = 1.0, int = 450
 - : float = 0.017775, int = 8
 - : float = 1.0, int = 450

Wheras in the second instance, the function looks like this:

define internal void @a() {
  store ptr @extern, ptr @e, align 8
  br i1 undef, label %1, label %rec_call_to_longname.exit, !prof !0

1:                                                ; preds = %0
  call void @longname(ptr @rec_call_to_longname, ptr undef, ptr undef)
  br label %rec_call_to_longname.exit

rec_call_to_longname.exit:                        ; preds = %0, %1
  ret void
}

The branch-frequency dump is:

block-frequency: a                                                                                       
==================        
reverse-post-order-traversal
 - 0:                                                                                                                                                                                                              
loop-detection                                                                                           
compute-mass-in-function
 - node:   
  => mass:  ffffffffffffffff                  
float-to-int: min = 1.0, max = 1.0, factor = 8.0
 - : float = 1.0, scaled = 8.0, int = 8                                                                                                                                                                            
block-frequency-info: a                       
 - : float = 1.0, int = 8

The variable valuations:

• ColdProb is a fixed-point representation of 0.02f,
• CallSiteFreq is integer value 0,
• CallerEntryFreq is integer value 8,
• Return-value of CallerEntryFreq * ColdProb is 0

And zero not being less than zero, it's not judged to be cold.

[0] https://github.com/llvm/llvm-project/blob/96118f1b0ab7a18999a4f2199ba1ecd546c68cb8/llvm/lib/Analysis/InlineCost.cpp#L1795

(Oh looks, Phab posts when you hit control+enter; I've edited more data into the earlier comment)

Gentle ping here; this still might not be the right solution, but given the non-inline-cost based reproducer would you agree this is more of a design-of-the-inliner issue than just a costing problem? I suspect it's very rare, but it does cause a large downstream codebase to take near-infinite compile-time on an LTO + PGO configuration.

apologies, was out on vacation for a while

Splitting out the inline comments,

but negative costs are very common for inlining because it's cheaper to not setup a call, so I don't think this change makes sense

Hrrmmm -- removing the floor on Cost causes the too-much-inlining behaviour in the added test. It looks like, at the point where the function-inline-cost-multiplier is added,

• With the floor added, Cost is 5, and is eventually multiplied to be larger than the threshold,
• Without the floor Cost is -50, the multiplier can't stop it being negative, so the inlining always succeeds.

This strays even further outside of my comfort zone, but it seems that:

• If the cost is permitted to be negative at any point then there'll inevitably be an input where the cost-multiplier isn't able to suppress inlining,
• The cost needs to be transiently negative sometimes to correctly sum the costs and benefits of different parts of a function.

Perhaps the solution is a fail-safe upper bound on the function-inline-cost-multiplier past which inlining is disallowed, i.e. "we've inlined through this SCC ten times now in this context, quit inlining it"?

ah that makes sense. what about on top of multiplying the multiplier, we also add a fixed cost every time function-inline-cost-addend/-extra (or some better name)

the inline cost multiplier looks good (could even be split out)

but I just realized that this will apply to all devirtualization, which can't be good for performance. we only want to penalize devirtualization that can cause mutually recursive inlining. it's pretty tricky figuring out what conditions this inlining explosion can arise from

I believe something along the lines of "F has a ref edge to NewCallee and NewCallee has a ref edge to itself (or maybe is in a non-trivial RefSCC?)", then this can occur? we want to be as precise as possible limiting when we add the inline cost penalty

I believe something along the lines of "F has a ref edge to NewCallee and NewCallee has a ref edge to itself (or maybe is in a non-trivial RefSCC?)", then this can occur? we want to be as precise as possible limiting when we add the inline cost penalty

I think that can be defeated by adding even more indirection to the calls such as the below, although a solution to some cases is better than none, consider:

define internal void @rec_call_to_longname(ptr %longname, ptr %other) {
  call void %longname(ptr %other, ptr %longname)
  ret void
}

define internal void @longname(ptr %0, ptr %1) {
  call void @extern1()
  call void @extern1()
  call void @extern1()
  call void %0(ptr %1, ptr %0)  ; Exponential growth occurs between these two devirt calls.
  call void %0(ptr %1, ptr %0)
  ret void
}

define internal void @a() {
  call void @rec_call_to_longname(ptr @longname, ptr @rec_call_to_longname)
  ret void
}

[... rest of reproducer...]

This too is over-inlined and gets the multiplier added with the patch as it is.

I'm starting to get the feeling that we can't actually identify / distinguish these recursive cases because LLVM currently tracks whether an edge is a Call, a Ref, but not both. Specifically:

1. Every function vulnerable to the recursion must contain a ref to the recursive function, otherwise the recursion happens at some other stage of inlining,
2. The recursive-function must be devirtualised, directly called and inlined,
3. But leave a reference to the recursive-function in the vulnerable function.

Retaining the reference to the recursive-function is necessary for the function to be vulnerable, so that more calls to the recursive-function can be generated, devirtualised and inlined. Wheras general devirtualisation Should (TM) eliminate the reference. Here's the callgraph for the reproducer:

Edges in function: extern1
                                                 
Edges in function: rec_call_to_longname                 
  ref  -> rec_call_to_longname                            
                                                               
Edges in function: longname                      
  ref  -> longname  
                                                 
Edges in function: e                             
  call -> d                                              
                                                 
Edges in function: d                                      
  call -> c                                                    
                                                 
Edges in function: c                  
  call -> b                                      
                                                 
Edges in function: b                                     
  call -> a                                      
                                                 
Edges in function: a                                    
  call -> rec_call_to_longname                            
  ref  -> longname                                             
                                                 
RefSCC with 1 call SCCs:                         
  SCC with 1 functions:                          
    rec_call_to_longname                         
                                                         
RefSCC with 1 call SCCs:                      
  SCC with 1 functions:                          
    longname                                            
                                                 
RefSCC with 1 call SCCs:                                  
  SCC with 1 functions:                                        
    a                                            
                                                 
[repeated similar RefSCC the same for b c d e]

If you compute a new callgraph while inlining is in progress and print it after every inline, there don't appear to be any RefSCCs with more than one, single, SCC. Instead, each function [a-e) switches from having a call to rec_call_to_longname and ref to longname, to having calls to both because the ref gets devirtualised, and finally the function gets fully inlined into the caller. I think in an ideal world I'd like to identify the above scenario and then annotate further calls in the devirtualised+inlined function with a cost multiplier.

I'm not quite sure how to implement that right now, but does the above rationale make sense? (I can dig further if it's sound).

actually I think the inline history feature is relevant here. normally we'll detect this sort of issue with the inline history and bail out when we try to inline rec_call_to_longname again from longname, and in fact -debug shows a lot of Skipping inlining due to history. but that's per-inline invocation, and due to the multiple callers, that gets forgotten every time we go up to the next caller. I think marking the call with noinline should allow us to remember this across inline invocations.

diff --git a/llvm/lib/Transforms/IPO/Inliner.cpp b/llvm/lib/Transforms/IPO/Inliner.cpp
index 01808b3d14fe..a50147f07f68 100644
--- a/llvm/lib/Transforms/IPO/Inliner.cpp
+++ b/llvm/lib/Transforms/IPO/Inliner.cpp
@@ -333,6 +333,7 @@ PreservedAnalyses InlinerPass::run(LazyCallGraph::SCC &InitialC,
         LLVM_DEBUG(dbgs() << "Skipping inlining due to history: " << F.getName()
                           << " -> " << Callee.getName() << "\n");
         setInlineRemark(*CB, "recursive");
+        CB->setIsNoInline();
         continue;
       }

this is fairly similar to "inlining through a child SCC" problem that was mitigated with function-inline-cost-multiplier. I think that this noinline patch will take care of many cases that function-inline-cost-multiplier initially set out fix (and the first iteration of that patch was to add noinline instead of a cost multiplier), but function-inline-cost-multiplier isn't completely redundant because this noinline will only kick in if we see that we've revisited a callee, but function-inline-cost-multiplier will still work with inlining through larger SCCs if we don't revisit the first callee quickly

https://reviews.llvm.org/D150989

does that solve the issue you're seeing?

Thanks for cooking up an alternative, that certainly sounds like it's a more precise fix -- I'll test D150989 on the reproducer we have to confirm that it fixes the problem.