<div dir="ltr">Thanks Nicolai. I'll try to take a look at the review.<div><br></div><div>The user is the one calling _mm_lfence on a particular path. Would we need some IR transform to turn it into the IR you showed if it is used on two paths?<br><div><br clear="all"><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature">~Craig</div></div><br></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sun, Aug 9, 2020 at 8:15 AM Nicolai Hähnle <<a href="mailto:nhaehnle@gmail.com">nhaehnle@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi Craig,<br>
<br>
The review for the similar GPU problem is now up here:<br>
<a href="https://reviews.llvm.org/D85603" rel="noreferrer" target="_blank">https://reviews.llvm.org/D85603</a> (+ some other patches on the<br>
Phabricator stack).<br>
<br>
>From a pragmatic perspective, the constraints added to program<br>
transforms there are sufficient for what you need. You'd produce IR<br>
such as:<br>
<br>
%token = call token @llvm.experimental.convergence.anchor()<br>
br i1 %c, label %then, label %else<br>
<br>
then:<br>
call void @llvm.x86.sse2.lfence() convergent [<br>
"convergencectrl"(token%token) ]<br>
...<br>
<br>
else:<br>
call void @llvm.x86.sse2.lfence() convergent [<br>
"convergencectrl"(token %token) ]<br>
...<br>
<br>
... and this would prevent the hoisting of the lfences.<br>
<br>
The puzzle to me is whether one can justify this use of the<br>
convergence tokens from a theoretical point of view. We describe<br>
convergence control in terms of threads that communicate, which is a<br>
faithful description of what's happening in the GPU use case. I wonder<br>
whether for the speculative execution problem, one could justify the<br>
use of the same convergence control machinery by arguing about the<br>
existence of "potential speculative threads of execution" and<br>
communication between them. Basically, the argument would be somewhere<br>
along the lines that the lfence can only proceed execution once all<br>
speculative threads of execution that it _cannot_ communicate with<br>
according to the convergence token are killed off. I suspect that<br>
somebody would have to go off and do some deep thinking for a while to<br>
figure out whether that really makes sense.<br>
<br>
Cheers,<br>
Nicolai<br>
<br>
On Wed, Jul 29, 2020 at 11:14 AM Nicolai Hähnle <<a href="mailto:nhaehnle@gmail.com" target="_blank">nhaehnle@gmail.com</a>> wrote:<br>
><br>
> Hi Craig,<br>
><br>
> that's an interesting problem.<br>
><br>
> We have a superficially similar problem in GPU programming models<br>
> where there are cross-thread communication operations that are<br>
> sensitive to control flow, as in:<br>
><br>
> if (c) {<br>
> b = subgroupAdd(a);<br>
> bar(b);<br>
> } else {<br>
> b = subgroupAdd(a);<br>
> baz(b);<br>
> }<br>
><br>
> LLVM will merge those, even though it changes the behavior<br>
> (potentially summing over a larger set of threads than in the original<br>
> program). Merging them is inherently correct for LLVM's semantics.<br>
> It's the same underlying problem as what you describe: LLVM IR simply<br>
> doesn't have a way of describing these semantics that fall somewhat<br>
> outside of a purely deterministic single-threaded execution model. For<br>
> our needs, we're currently working around this by essentially adding a<br>
> unique ID to each of these operations so that they all appear<br>
> different to LLVM. I suspect that the same could work for you.<br>
><br>
> Still, it's a bit of an awkward workaround and a better solution would<br>
> be great. I've been wondering whether we could perhaps have token<br>
> values produced by branch instructions to express certain kinds of<br>
> dependencies. In your case, you'd end up with something like:<br>
><br>
> %token = br i1 %c, label %then, label %else<br>
><br>
> then:<br>
> call void @llvm.x86.sse2.lfence() [ "some-bundle"(%token) ]<br>
> ...<br>
><br>
> else:<br>
> call void @llvm.x86.sse2.lfence() [ "some-bundle"(%token) ]<br>
> ...<br>
><br>
> The token indicates an essential control dependency on the branch<br>
> instruction. I've previously rejected this idea as too invasive, and<br>
> there are alternatives for our particular use case, but if there are<br>
> multiple use cases for this kind of dependency -- and it kind of looks<br>
> like it from where I stand -- then perhaps this is something to<br>
> consider more seriously?<br>
><br>
> Cheers,<br>
> Nicolai<br>
><br>
> On Wed, Jul 29, 2020 at 1:30 AM Craig Topper via llvm-dev<br>
> <<a href="mailto:llvm-dev@lists.llvm.org" target="_blank">llvm-dev@lists.llvm.org</a>> wrote:<br>
> ><br>
> > _mm_lfence was originally documented as a load fence. But in light of speculative execution vulnerabilities it has started being advertised as a way to prevent speculative execution. Current Intel Software Development Manual documents it as "Specifically, LFENCE does not execute until all prior instructions have completed locally, and no later instruction begins execution until LFENCE completes".<br>
> ><br>
> > For the following test, my intention was to ensure that the body of either the if or the else would not proceed until any speculation of the branch had resolved. But SimplifyCFG saw that both control paths started with an lfence so hoisted it into a single lfence intrinsic before the branch. <a href="https://godbolt.org/z/qMc446" rel="noreferrer" target="_blank">https://godbolt.org/z/qMc446</a> The intrinsic in IR has no properties so it should be assumed to read/write any memory. But that's not enough to specify this control flow dependency. gcc also exhibits a similar behavior.<br>
> ><br>
> > #include <x86intrin.h><br>
> ><br>
> > void bar();<br>
> > void baz();<br>
> ><br>
> > void foo(int c) {<br>
> > if (c) {<br>
> > _mm_lfence();<br>
> > bar();<br>
> > } else {<br>
> > _mm_lfence();<br>
> > baz();<br>
> > }<br>
> > }<br>
> ><br>
> ><br>
> > Alternatively, I also tried replacing the intrinsics with inline assembly. SimplifyCFG still merged those. But gcc did not. <a href="https://godbolt.org/z/acnPxY" rel="noreferrer" target="_blank">https://godbolt.org/z/acnPxY</a><br>
> ><br>
> > void bar();<br>
> > void baz();<br>
> ><br>
> > void foo(int c) {<br>
> > if (c) {<br>
> > __asm__ __volatile ("lfence");<br>
> > bar();<br>
> > } else {<br>
> > __asm__ __volatile ("lfence");<br>
> > baz();<br>
> > }<br>
> > }<br>
> ><br>
> > I believe the [[clang::nomerge]] attribute was recently extended to inline assembly which can be used to prevent the inline assembly from being hoisted by SimplifyCFG <a href="https://reviews.llvm.org/D84225" rel="noreferrer" target="_blank">https://reviews.llvm.org/D84225</a> It also appears to work for intrinsic version, but I think its limited to C++ only.<br>
> ><br>
> > Is there some existing property we can put on the intrinsic to prevent SimplifyCFG from hoisting like this? Are we more aggressive than we should be about hoisting inline assembly?<br>
> ><br>
> > Thanks,<br>
> > ~Craig<br>
> > _______________________________________________<br>
> > LLVM Developers mailing list<br>
> > <a href="mailto:llvm-dev@lists.llvm.org" target="_blank">llvm-dev@lists.llvm.org</a><br>
> > <a href="https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev" rel="noreferrer" target="_blank">https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev</a><br>
><br>
><br>
><br>
> --<br>
> Lerne, wie die Welt wirklich ist,<br>
> aber vergiss niemals, wie sie sein sollte.<br>
<br>
<br>
<br>
-- <br>
Lerne, wie die Welt wirklich ist,<br>
aber vergiss niemals, wie sie sein sollte.<br>
</blockquote></div>