Nuno Lopes via llvm-dev
2017-May-23 10:16 UTC
[llvm-dev] [poison] is select-of-select to logic+select allowed?
Hi, Let me try to give a bit more context on why select is so tricky. First thing to consider is which transformations we would like to support: 1) Control-flow -> select (SimplifyCFG) if (c) a = x else a = y => %a = select %c, %x, %y 2) select -> control-flow; reverse of 1) Not sure if this is done at IR level, or only later at SDAG. 3) select -> arithmetic %a = select %c, true, %y => %a = or %c, %y 4) select removal %c = icmp eq %x, C %r = select %c, C, %x => %r = %x 5) select hoisting past binops %a = udiv %x, %y %b = udiv %x, %z %r = select %c, %a, %b => %t = select %c, %y, %z %r = udiv %x, %t 6) Bonus: easy to move select instructions around. Should be possible to hoist selects out of loops easily. Ideally we want semantics for select that allow all transformations 1-6. It's hard because: 1) %a can only be poison conditionally on %c, i.e., %a is poison if %c=true and %x is poison, or %c=false and %y is poison 2) since we introduce a branch on %c, select on poison has to be UB like branch on poison 3) with arithmetic all operands are always evaluated, so conditional poison like in 1) doesn’t work 4) the example provided replaces C with %x in case %x=C. C is never poison, but %x might be. 5) We cannot introduce a division by poison if %y and %z are not poison 6) Making select trigger UB for some cases makes movement harder because then we need to prove that it won’t trigger UB before e.g. hoisting it out of loops. Summary table of what each transformation allows for %z = select %c, %x, %y. Each column is a different alternative of semantics for select: UB if %c poison + conditional poison UB if %c poison + poison if either %x/%y poison Conditional poison + non-det choice if %c poison Conditional poison + poison if %c poison** Poison if any of %c/%x/%y are poison SimplifyCFG ✓ ✓ ✓ Select->control-flow ✓ ✓ Select->arithmetic ✓ ✓ Select removal ✓ ✓ ✓ ✓ Select hoist ✓ ✓ ✓ Easy movement ✓ ✓ ✓ Modulo bugs in the table, you can see there’s no single column with all rows with a ✓. That means there’s no way (that I’m aware of) to make all transformations that we are interested in doing to be correct. A solution is to introduce something like the freeze instruction that can land a ✓ on any cell you want. So unless someone has a clever idea and proposes a new column that has ticks in all rows, we are left with picking a trade-off: either we disable some optimizations, or we introduce something like freeze to continue doing them. BTW, this table assumes that branch on poison is UB, otherwise optimizations like GVN are wrong (for more details see our paper: http://www.cs.utah.edu/~regehr/papers/undef-pldi17.pdf). The column marked with ** is the one that Alive currently implements. Regarding SDAG: it has undef, and I believe there was some discussion regarding introducing poison there as well. I don’t recall if it was introduce already, but I believe there’s already nsw/nuw there. If that’s the case, the (il)legality of transformations should be exactly the same as in LLVM IR. Otherwise some transformations may be easier. Sorry for the longish email; just wanted to give some background about the problem so that we can reach some consensus at some point. Nuno -----Original Message----- From: John Regehr Sent: 22 de maio de 2017 21:45 Subject: Re: [poison] is select-of-select to logic+select allowed? Nuno and I have been looking through the results of experiments like the one reported here: <https://blog.regehr.org/archives/1510> https://blog.regehr.org/archives/1510 Indeed there are some select-related transformations in LLVM that are illegal in terms of Alive's semantics. As far as we know, they cannot be made legal (by adjusting the semantics of instructions) without breaking a bunch of other optimizations. The optimizations currently in LLVM are not only inconsistent but they can lead to end-to-end miscompilations. Sorting this out is going to require (1) figuring out what select means WRT poison/undef and (2) backing out some optimizations. This is going to be slightly painful but it is the only way forward. John On 5/22/17 2:32 PM, Sanjay Patel wrote:> Some InstCombine transforms for select-of-select were added here:> <https://reviews.llvm.org/rL228409> https://reviews.llvm.org/rL228409>> But Alive says this is more poisonous:>> Name: selsel> %s1 = select i1 %cond1, i8 C1, i8 C2> %s2 = select i1 %cond2, i8 %s1, i8 C2> =>> %andcond = and i1 %cond1, %cond2> %s2 = select i1 %andcond, i8 C1, i8 C2>> <http://rise4fun.com/Alive/JT6> http://rise4fun.com/Alive/JT6>> Are those transforms legal?-------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.llvm.org/pipermail/llvm-dev/attachments/20170523/f98ceab6/attachment.html>
Sanjay Patel via llvm-dev
2017-May-23 13:25 UTC
[llvm-dev] [poison] is select-of-select to logic+select allowed?
The examples and table are great! That at least makes it clear what we need to think about and fix (and just how complex the problem is). Are there known limitations/objections to the freeze instruction patches that John listed? Or are we just being cautious and/or waiting for more people to review those? I can answer some of the DAG questions: (a) Yes, we have nsw/nuw/exact down there. They've been around since: https://reviews.llvm.org/rL210467 . (b) Yes, we use those bits to enable transforms, but it's not nearly as common as in IR. It's also likely that we'll drop those bits during transforms. (c) Yes, we do all kinds of select transforms without regard for poison. (d) AFAIK, there is no accounting for poison in the DAG for any transforms, but it's possible that I just didn't find it in the source. On Tue, May 23, 2017 at 4:16 AM, Nuno Lopes <nuno.lopes at ist.utl.pt> wrote:> Hi, > > > > Let me try to give a bit more context on why select is so tricky. > > > > First thing to consider is which transformations we would like to support: > > > > *1) Control-flow -> select (SimplifyCFG)* > > if (c) > > a = x > > else > > a = y > > > > => > > %a = select %c, %x, %y > > > > > > *2) select -> control-flow*; reverse of 1) > > Not sure if this is done at IR level, or only later at SDAG. > > > > > > *3) select -> arithmetic* > > %a = select %c, true, %y > > => > > %a = or %c, %y > > > > > > *4) select removal* > > %c = icmp eq %x, C > > %r = select %c, C, %x > > => > > %r = %x > > > > > > *5) select hoisting past binops* > > %a = udiv %x, %y > > %b = udiv %x, %z > > %r = select %c, %a, %b > > => > > %t = select %c, %y, %z > > %r = udiv %x, %t > > > > > > *6) Bonus: easy to move* select instructions around. Should be possible > to hoist selects out of loops easily. > > > > > > Ideally we want semantics for select that allow all transformations 1-6. > It's hard because: > > 1) %a can only be poison conditionally on %c, i.e., %a is poison if > %c=true and %x is poison, or %c=false and %y is poison > > 2) since we introduce a branch on %c, select on poison has to be UB like > branch on poison > > 3) with arithmetic all operands are always evaluated, so conditional > poison like in 1) doesn’t work > > 4) the example provided replaces C with %x in case %x=C. C is never > poison, but %x might be. > > 5) We cannot introduce a division by poison if %y and %z are not poison > > 6) Making select trigger UB for some cases makes movement harder because > then we need to prove that it won’t trigger UB before e.g. hoisting it out > of loops. > > > > > > Summary table of what each transformation allows for %z = select %c, %x, > %y. Each column is a different alternative of semantics for select: > > > > > > UB if %c poison > > + conditional poison > > UB if %c poison + poison if either > %x/%y poison > > Conditional poison > > + non-det choice if %c poison > > Conditional poison + poison if %c poison** > > Poison if any of > %c/%x/%y are poison > > SimplifyCFG > > ✓ > > > > ✓ > > ✓ > > > > Select->control-flow > > ✓ > > ✓ > > > > > > > > Select->arithmetic > > > > ✓ > > > > > > ✓ > > Select removal > > ✓ > > ✓ > > > > ✓ > > ✓ > > Select hoist > > ✓ > > ✓ > > ✓ > > > > > > Easy movement > > > > > > ✓ > > ✓ > > ✓ > > > > Modulo bugs in the table, you can see there’s no single column with all > rows with a ✓. That means there’s no way (that I’m aware of) to make all > transformations that we are interested in doing to be correct. A solution > is to introduce something like the freeze instruction that can land a ✓ > on any cell you want. > > > > So unless someone has a clever idea and proposes a new column that has > ticks in all rows, we are left with picking a trade-off: either we disable > some optimizations, or we introduce something like freeze to continue doing > them. > > > > BTW, this table assumes that branch on poison is UB, otherwise > optimizations like GVN are wrong (for more details see our paper: > http://www.cs.utah.edu/~regehr/papers/undef-pldi17.pdf). The column > marked with ** is the one that Alive currently implements. > > > > Regarding SDAG: it has undef, and I believe there was some discussion > regarding introducing poison there as well. I don’t recall if it was > introduce already, but I believe there’s already nsw/nuw there. If that’s > the case, the (il)legality of transformations should be exactly the same as > in LLVM IR. Otherwise some transformations may be easier. > > > > Sorry for the longish email; just wanted to give some background about the > problem so that we can reach some consensus at some point. > > > > Nuno > > > > > > -----Original Message----- > From: John Regehr > Sent: 22 de maio de 2017 21:45 > Subject: Re: [poison] is select-of-select to logic+select allowed? > > > > Nuno and I have been looking through the results of experiments like the > one reported here: > > > > https://blog.regehr.org/archives/1510 > > > > Indeed there are some select-related transformations in LLVM that are > illegal in terms of Alive's semantics. As far as we know, they cannot be > made legal (by adjusting the semantics of instructions) without breaking a > bunch of other optimizations. > > > > The optimizations currently in LLVM are not only inconsistent but they can > lead to end-to-end miscompilations. Sorting this out is going to require > (1) figuring out what select means WRT poison/undef and (2) backing out > some optimizations. This is going to be slightly painful but it is the only > way forward. > > > > John > > > > > > > > On 5/22/17 2:32 PM, Sanjay Patel wrote: > > > Some InstCombine transforms for select-of-select were added here: > > > https://reviews.llvm.org/rL228409 > > > > > > But Alive says this is more poisonous: > > > > > > Name: selsel > > > %s1 = select i1 %cond1, i8 C1, i8 C2 > > > %s2 = select i1 %cond2, i8 %s1, i8 C2 > > > => > > > %andcond = and i1 %cond1, %cond2 > > > %s2 = select i1 %andcond, i8 C1, i8 C2 > > > > > > http://rise4fun.com/Alive/JT6 > > > > > > Are those transforms legal? >-------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.llvm.org/pipermail/llvm-dev/attachments/20170523/fe08d60a/attachment-0001.html>
Nuno Lopes via llvm-dev
2017-May-23 16:16 UTC
[llvm-dev] [poison] is select-of-select to logic+select allowed?
Regarding the patches, there are two concerns AFAICT: 1. It’s a new instruction and as usual when introducing a new instruction it will require work for some time until most optimizations know about it, and to get rid of any potential perf regression. No big deal; we just need to do the work (and we have already done some of it). 2. The patch was written by a student, which may not have time to support it properly going forward. That means that someone needs to step in and take ownership. Of course we will be here to help, but none of us at the moment can commit to own this. The blog post that John mentioned below describes our machinery to find bugs in optimizations and in new semantics, and we will put it to use to test LLVM periodically. On the plus side, freeze can helps us get rid of a bunch of miscompilations, which no one enjoys. The usage of freeze can be incremental; we can try out with a few things to see how it goes. We have more radical ideas down the road, like replace undef with poison, but one thing at a time :) Regarding SDAG, and given that poison is already there, we would need to adopt a similar solution to the IR. Maybe right now we can get away with it because nsw is not exploited significantly (as you say). Just because there’s no explicit poison in SDAG, just having nsw is sufficient to cause miscompilations when combined with other transformations. See, for example, this bug report for InstCombine regarding select+nsw: https://bugs.llvm.org/show_bug.cgi?id=31633 Nuno From: Sanjay Patel [mailto:spatel at rotateright.com] Sent: 23 de maio de 2017 14:25 To: Nuno Lopes <nuno.lopes at ist.utl.pt> Cc: John Regehr <regehr at cs.utah.edu>; llvm-dev <llvm-dev at lists.llvm.org>; Matthias Braun <mbraun at apple.com>; Sanjoy Das <sanjoy at playingwithpointers.com>; David Majnemer <david.majnemer at gmail.com>; Hal Finkel <hfinkel at anl.gov>; Friedman, Eli <efriedma at codeaurora.org> Subject: Re: [poison] is select-of-select to logic+select allowed? The examples and table are great! That at least makes it clear what we need to think about and fix (and just how complex the problem is). Are there known limitations/objections to the freeze instruction patches that John listed? Or are we just being cautious and/or waiting for more people to review those? I can answer some of the DAG questions: (a) Yes, we have nsw/nuw/exact down there. They've been around since: https://reviews.llvm.org/rL210467 . (b) Yes, we use those bits to enable transforms, but it's not nearly as common as in IR. It's also likely that we'll drop those bits during transforms. (c) Yes, we do all kinds of select transforms without regard for poison. (d) AFAIK, there is no accounting for poison in the DAG for any transforms, but it's possible that I just didn't find it in the source. On Tue, May 23, 2017 at 4:16 AM, Nuno Lopes <nuno.lopes at ist.utl.pt <mailto:nuno.lopes at ist.utl.pt> > wrote: Hi, Let me try to give a bit more context on why select is so tricky. First thing to consider is which transformations we would like to support: 1) Control-flow -> select (SimplifyCFG) if (c) a = x else a = y => %a = select %c, %x, %y 2) select -> control-flow; reverse of 1) Not sure if this is done at IR level, or only later at SDAG. 3) select -> arithmetic %a = select %c, true, %y => %a = or %c, %y 4) select removal %c = icmp eq %x, C %r = select %c, C, %x => %r = %x 5) select hoisting past binops %a = udiv %x, %y %b = udiv %x, %z %r = select %c, %a, %b => %t = select %c, %y, %z %r = udiv %x, %t 6) Bonus: easy to move select instructions around. Should be possible to hoist selects out of loops easily. Ideally we want semantics for select that allow all transformations 1-6. It's hard because: 1) %a can only be poison conditionally on %c, i.e., %a is poison if %c=true and %x is poison, or %c=false and %y is poison 2) since we introduce a branch on %c, select on poison has to be UB like branch on poison 3) with arithmetic all operands are always evaluated, so conditional poison like in 1) doesn’t work 4) the example provided replaces C with %x in case %x=C. C is never poison, but %x might be. 5) We cannot introduce a division by poison if %y and %z are not poison 6) Making select trigger UB for some cases makes movement harder because then we need to prove that it won’t trigger UB before e.g. hoisting it out of loops. Summary table of what each transformation allows for %z = select %c, %x, %y. Each column is a different alternative of semantics for select: UB if %c poison + conditional poison UB if %c poison + poison if either %x/%y poison Conditional poison + non-det choice if %c poison Conditional poison + poison if %c poison** Poison if any of %c/%x/%y are poison SimplifyCFG ✓ ✓ ✓ Select->control-flow ✓ ✓ Select->arithmetic ✓ ✓ Select removal ✓ ✓ ✓ ✓ Select hoist ✓ ✓ ✓ Easy movement ✓ ✓ ✓ Modulo bugs in the table, you can see there’s no single column with all rows with a ✓. That means there’s no way (that I’m aware of) to make all transformations that we are interested in doing to be correct. A solution is to introduce something like the freeze instruction that can land a ✓ on any cell you want. So unless someone has a clever idea and proposes a new column that has ticks in all rows, we are left with picking a trade-off: either we disable some optimizations, or we introduce something like freeze to continue doing them. BTW, this table assumes that branch on poison is UB, otherwise optimizations like GVN are wrong (for more details see our paper: http://www.cs.utah.edu/~regehr/papers/undef-pldi17.pdf). The column marked with ** is the one that Alive currently implements. Regarding SDAG: it has undef, and I believe there was some discussion regarding introducing poison there as well. I don’t recall if it was introduce already, but I believe there’s already nsw/nuw there. If that’s the case, the (il)legality of transformations should be exactly the same as in LLVM IR. Otherwise some transformations may be easier. Sorry for the longish email; just wanted to give some background about the problem so that we can reach some consensus at some point. Nuno -----Original Message----- From: John Regehr Sent: 22 de maio de 2017 21:45 Subject: Re: [poison] is select-of-select to logic+select allowed? Nuno and I have been looking through the results of experiments like the one reported here: <https://blog.regehr.org/archives/1510> https://blog.regehr.org/archives/1510 Indeed there are some select-related transformations in LLVM that are illegal in terms of Alive's semantics. As far as we know, they cannot be made legal (by adjusting the semantics of instructions) without breaking a bunch of other optimizations. The optimizations currently in LLVM are not only inconsistent but they can lead to end-to-end miscompilations. Sorting this out is going to require (1) figuring out what select means WRT poison/undef and (2) backing out some optimizations. This is going to be slightly painful but it is the only way forward. John On 5/22/17 2:32 PM, Sanjay Patel wrote:> Some InstCombine transforms for select-of-select were added here:> <https://reviews.llvm.org/rL228409> https://reviews.llvm.org/rL228409>> But Alive says this is more poisonous:>> Name: selsel> %s1 = select i1 %cond1, i8 C1, i8 C2> %s2 = select i1 %cond2, i8 %s1, i8 C2> =>> %andcond = and i1 %cond1, %cond2> %s2 = select i1 %andcond, i8 C1, i8 C2>> <http://rise4fun.com/Alive/JT6> http://rise4fun.com/Alive/JT6>> Are those transforms legal?-------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.llvm.org/pipermail/llvm-dev/attachments/20170523/00f3185c/attachment.html>
David Menendez via llvm-dev
2017-May-23 19:27 UTC
[llvm-dev] [poison] is select-of-select to logic+select allowed?
On May 23, 2017, at 6:16 AM, Nuno Lopes via llvm-dev <llvm-dev at lists.llvm.org<mailto:llvm-dev at lists.llvm.org>> wrote: 4) select removal %c = icmp eq %x, C %r = select %c, C, %x => %r = %x <snip> 4) the example provided replaces C with %x in case %x=C. C is never poison, but %x might be. <snip> Summary table of what each transformation allows for %z = select %c, %x, %y. Each column is a different alternative of semantics for select: UB if %c poison + conditional poison UB if %c poison + poison if either %x/%y poison Conditional poison + non-det choice if %c poison Conditional poison + poison if %c poison** Poison if any of %c/%x/%y are poison SimplifyCFG ✓ ✓ ✓ Select->control-flow ✓ ✓ Select->arithmetic ✓ ✓ Select removal ✓ ✓ ✓ ✓ Select hoist ✓ ✓ ✓ Easy movement ✓ ✓ ✓ Why doesn’t select removal work with the "Conditional poison + non-det choice if %c poison" case? If %x is not poison, then %r is always equal to %x. If %x is poison, then %c is poison and %r is a non-deterministic choice between C (not poison) and %x (poison). So, I would think we can still replace %r with %x because poison is one of its possible behaviors. -- Dave Menendez -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.llvm.org/pipermail/llvm-dev/attachments/20170523/ba374099/attachment.html>
Nuno Lopes via llvm-dev
2017-May-24 17:55 UTC
[llvm-dev] [poison] is select-of-select to logic+select allowed?
Thanks David for pointing out a mistake in the table! I implemented most of the semantics shown in the table in Alive to test these things, but the bug still slipped through, sorry.. I’ve updated the table: Summary table of what each transformation allows for %z = select %c, %x, %y. Each column is a different alternative of semantics for select: UB if %c poison + conditional poison UB if %c poison + poison if either %x/%y poison Conditional poison + non-det choice if %c poison Conditional poison + poison if %c poison** Poison if any of %c/%x/%y are poison SimplifyCFG ✓ ✓ ✓ Select->control-flow ✓ ✓ Select->arithmetic ✓ partially ✓ Select removal ✓ ✓ ✓ ✓ ✓ Select hoist ✓ ✓ ✓ Easy movement ✓ ✓ ✓ IMHO, the 3rd and 4th options are the ones that work best. Instructions with UB are usually a pain (for e.g. hoisting out of loops). An advantage of the 4th option is that can partially do select->arithmetic, while the 3rd can’t. For example, this is valid with the 4th option: %13 = mul nuw i2 %0, -1 %14 = srem i2 %13, -1 %15 = select i1 %1, i2 1, i2 %14 => %15 = zext i1 %1 to i2 The 4th option, however, can’t do the select->and/or transformations (neither the 3rd can). That said, I’m inclined to choose the 4th option (marked with ** in the table). That’s the one that the online version of Alive implements BTW. Nuno -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.llvm.org/pipermail/llvm-dev/attachments/20170524/502d4e71/attachment.html>