[PATCH] D54653: Remove branch from CreateAlignmentAssumption
James Y Knight via Phabricator via llvm-commits
llvm-commits at lists.llvm.org
Tue Dec 4 13:22:37 PST 2018
jyknight added inline comments.
================
Comment at: include/llvm/IR/IRBuilder.h:2201-2203
+ Value *IsPositive = CreateICmp(
+ Sign == AlignmentSign::Signed ? CmpInst::ICMP_SGT : CmpInst::ICMP_UGT,
+ Alignment, ConstantInt::get(Alignment->getType(), 0), "ispositive");
----------------
hfinkel wrote:
> hfinkel wrote:
> > hfinkel wrote:
> > > jyknight wrote:
> > > > erichkeane wrote:
> > > > > hfinkel wrote:
> > > > > > jyknight wrote:
> > > > > > > hfinkel wrote:
> > > > > > > > jyknight wrote:
> > > > > > > > > erichkeane wrote:
> > > > > > > > > > lebedev.ri wrote:
> > > > > > > > > > > lebedev.ri wrote:
> > > > > > > > > > > > erichkeane wrote:
> > > > > > > > > > > > > lebedev.ri wrote:
> > > > > > > > > > > > > > Would it be better to only keep the predicate change, and leave the power-of-two as UB?
> > > > > > > > > > > > > We already have that before this change, though it has a mis-signedness. However, there isn't really issue treating it as signed always, since values outside of the range of a signed value are illegal/UB anyway. IMO, this would be the 'don't change things' opinion.
> > > > > > > > > > > > Replied to the wrong comment maybe?
> > > > > > > > > > > > The question was - do we really want to do `@llvm.assume()` if the requested alignment
> > > > > > > > > > > > is really power-of-two at the run time? That will somewhat confuse the middle-end,
> > > > > > > > > > > > and is UB in any case, as @hfinkel said.
> > > > > > > > > > > err
> > > > > > > > > > >
> > > > > > > > > > > The question was - do we really want to ONLY do `@llvm.assume()` if the requested alignment
> > > > > > > > > > > is REALLY power-of-two at the run time? That will somewhat confuse the middle-end,
> > > > > > > > > > > and is UB in any case, as @hfinkel said.
> > > > > > > > > > Perhaps I'm missing something (it IS monday :) ), but I would presume that the cost of a branch/more BBs to determine that (rather than a select) would be more harmful than just doing a no-op assume.
> > > > > > > > > The point of this attribute is to allow the optimizer to make an assumption about the alignment of the pointer returned by a call such as (but not limited to) aligned_alloc. I believe that in almost all relevant situations where this will at all help optimization, the alignment will (eventually, after inlining and simplification) be a constant. At that point, it doesn't matter how complex the expression is, it all folds away.
> > > > > > > > >
> > > > > > > > > The attribute shouldn't cause the compiler to emit UB, because the function it's attached to may in fact have defined behavior in the face of such an argument (e.g., returning NULL, or using the next higher power-of-2 alignment).
> > > > > > > > >
> > > > > > > > > ... At that point, it doesn't matter how complex the expression is, it all folds away.
> > > > > > > >
> > > > > > > > I agree that in nearly all cases where we can use this the alignment ends up being constant (although this is not strictly necessary should we know that the number is greater than some value). Nevertheless, it is also desirable to minimize the cost when we can't use the information, and having multiple basic blocks that we can't eliminate until we hit CodeGen will interfere with optimization more than just having some extra instructions in a single basic block.
> > > > > > > >
> > > > > > > I agree, we shouldn't introduce multiple basic blocks here. This patch doesn't seem to, however. That is, I think what's here seems good -- not creating additional UB, and not introducing new basic blocks.
> > > > > > >
> > > > > > > Perhaps I'm misunderstanding something?
> > > > > > This is still adding the IsPowerOf2 check, and I don't see why that's necessary. If it's not a power of 2, that's UB. Also, that's a separate change from allowing the caller to choose whether to treat the alignment as signed or unsigned.
> > > > > >
> > > > > > To be fair and consistent, I'm not sure why we're checking IsPositive either. It looks like @erichkeane added that in r298643 (D29598). I don't see any discussion of this during the review, but it seems also somewhat unfortunate. If the formula used for the alignment assumptions are in any way non-trivial, then utilities like computeKnownBits are far less likely to say useful things based on them.
> > > > > >
> > > > > I'm not terribly sure why I added the 'IsPositive' check here in the beginning to be honest, perhaps it was simply because the fixed-version did so.
> > > > >
> > > > > If we think that returning negative numbers to UB is acceptable, I can definitely revert all checking here and just emit the assumption instead.
> > > > >
> > > > > I guess the gist of the question we need to ask is UB vs branches? That question is perhaps made easier by @lebedev.ri and his efforts to add these alignment assumptions to UBSan.
> > > > You say that it's UB -- but based on what? The alloc_align attribute and __builtin_assume_aligned call aren't part of the standard. The former could be attached to any function the user desires. Such function may well decide to define the behavior in the face of the error condition, rather than cause UB.
> > > >
> > > > Of course, we can decide that the attribute should cause the compiler to generate UB in such a case, but that's not preordained. And IMO, we should not generate UB where doing so is unnecessary.
> > > >
> > > > So, that gets back to the question before -- what goes wrong (will it ruin the ability to optimize) if we check the value before making an invalid assumption? I'm still not seeing why it would -- AFAICT, either the alignment will be eventually constant (in which case everything folds away), or else we can't really determine anything at all (in which case there are extra IR instructions, which eventually get dropped).
> > > >
> > > > Also, FWIW, I just checked GCC's behavior, which is as close to a spec as we can get here: it does not create UB from passing an invalid alignment. It just ignores the information (as this patch also causes to be the case).
> > > >
> > > > I'm not terribly sure why I added the 'IsPositive' check here in the beginning to be honest, perhaps it was simply because the fixed-version did so.
> > >
> > > Ah, indeed. That's a perfectly reasonable answer :-)
> > >
> > > > If we think that returning negative numbers to UB is acceptable, I can definitely revert all checking here and just emit the assumption instead.
> > >
> > > I'd prefer we not have the extra code. It's UB it it's negative, and we should let UBSan detect that. As a user, I'd rather UBSan tell me that I'm accidentally passing -2 as the alignment (instead of it silently being changed to zero and disappearing). In the mean time, if we get into a mode where we're emitting a lot of these alignment assumptions (which we might if users start sprinkling attributes around liberally) then there's a cost to the extra IR and it's harder for the optimizer to understand.
> > > > I'm not terribly sure why I added the 'IsPositive' check here in the beginning to be honest, perhaps it was simply because the fixed-version did so.
> > > Ah, indeed. That's a perfectly reasonable answer :-)
> >
> > Also, we might change the fixed version to an assert for consistency if we do so.
> > You say that it's UB -- but based on what?
>
> Fair point. I did a lot of the underlying implementation and my comments are based on my impressions of the intent of the functionality combined with our best practices in this space.
>
> > The former could be attached to any function the user desires. Such function may well decide to define the behavior in the face of the error condition, rather than cause UB.
> >
> > Of course, we can decide that the attribute should cause the compiler to generate UB in such a case, but that's not preordained. And IMO, we should not generate UB where doing so is unnecessary.
>
> I definitely disagree. Silently hiding errors, which is what defining this behavior does, is not the best option here. UB isn't bad, and is in fact desirable, when it does at least one of the following: 1) Makes it easier to create tools to catch user errors and 2) Assists with optimizations. In this case, the UB does both.
>
> > So, that gets back to the question before -- what goes wrong (will it ruin the ability to optimize) if we check the value before making an invalid assumption? I'm still not seeing why it would -- AFAICT, either the alignment will be eventually constant (in which case everything folds away), or else we can't really determine anything at all (in which case there are extra IR instructions, which eventually get dropped).
>
> I understand what you're saying, and I agree that in most cases where you get information from the assumptions will be where the alignment ends up being constant. However: 1) This is not the only case where the optimizer can extract useful information (but it seems far less likely for this to be true if the conditions are not a simple expression) and 2) There's a cost to the extra IR. There are compile time costs, and this can be a concern should we start generating a lot of these assumptions.
>
> Thus, to me, all factors point toward using a simpler expression that might exhibit UB, but those are more useful and allow for more error checking.
>
> > Also, FWIW, I just checked GCC's behavior, which is as close to a spec as we can get here: it does not create UB from passing an invalid alignment. It just ignores the information (as this patch also causes to be the case).
>
> If compatibility with a particular language extension requires stronger semantics, then the frontend should add those checks. They don't belong in the underlying utility function. It would be helpful to indicate that you mean: What did you check and what did you see?
>
Regarding the alloc_align attribute, an error certainly isn't silently hidden -- it is, instead, passed on to the library function such as aligned_alloc to deal with as it pleases. That may report an error by returning a null pointer, for example.
And, actually -- while I previously thought I was only speaking of user-defined functions which may use this attribute, as it turns out, C11 aligned_alloc actually _doesn't_ allow for UB anymore. It was modified in a DR, post C11, to require that it return a null pointer.
C11 DR 460 <http://www.open-std.org/jtc1/sc22/wg14/www/docs/summary.htm#dr_460> modifies the requirements on the function as follows:
The aligned_alloc function allocates space for an object whose
alignment is specified by 'alignment', whose size is specified by 'size',
and whose value is indeterminate. If the value of 'alignment' is not
a valid alignment supported by the implementation the function shall
fail by returning a null pointer.
(That's also in the C2x draft).
As the function which is the primary use-case for this attribute requires that invalid alignments not generate UB, it follows that the attribute must not, for it to be useful.
I suppose the case for __builtin_assume_aligned to not generate UB is not as clear cut, but I'd still argue that it should have the same semantics, and thus also not UB, for simplicity.
Here's the code in GCC handling the attribute:
https://github.com/gcc-mirror/gcc/blob/master/gcc/tree-ssa-ccp.c#L1718
(Note that it only has to understand values which have already folded to a constant in this code, since it has a different architecture which allows this to work even when the value is only constant post-inlining.)
CHANGES SINCE LAST ACTION
https://reviews.llvm.org/D54653/new/
https://reviews.llvm.org/D54653
More information about the llvm-commits
mailing list