[RyuJIT] The "reuse flags" optimization handles compares incorrectly

[mikedn]

dotnet/coreclr#14027 enabled all relops to reuse flags set by a previous ALU operation. This is incorrect for unsigned LT/LE/GT/GE relops:

static bool Test(uint x) => ((x - 42) < 0);

returns true when x is 42 but it should always return false.

Generated code:

       83C1D6               add      ecx, -42
       0F92C0               setb     al ; checking CF here tells you that an overflow occurred
                                        ; not that the result is < 0, it never is
       0FB6C0               movzx    rax, al

Same for ARM64:

        7100A800          subs    w0, w0, dotnet/coreclr#42
        9A9F27E0          cset    x0, lo

For unsigned relops the optimization should be limited to EQ/NE. For others:

• x LT 0 - always false; the entire relop should be removed together with the subsequent SETCC/JCC but it's a rare case so it's not worth the trouble
• x LE 0 - equivalent to x EQ 0. Morph does this transform already.
• x GT 0 - equivalent to x NE 0. Morph handles this too.
• x GE 0 - always true; like LT, this should be removed but it's not worth the trouble.

[mikedn]

cc @CarolEidt @sdmaclea I'll have a fix for this later today.

[mikedn]

Unfortunately it looks like signed LT/LE/GT/GE relops are broken as well due to overflow:

static bool Test(int x) => (x + 42) > 0;

returns true when x == int.MaxValue. But it should return false because due to integer overflow x + 42 is actually negative.

This is a valid optimization in the C/C++ world of "undefined behavior" but it is likely not valid in the .NET world. I've yet to find anything in the ECMA spec that clearly states this is not valid but I'm going to assume that it is not valid anyway.

The optimization is valid for AND/OR/XOR (they never overflow) but it's pointless. It's not very likely that someone will write code like (x & y) < 0.

The optimization can be made to work for ADD/SUB + LT/GE but requires generating JS/JNS/SETS/SETNS instead of JL/JGE/SETL/SETLE like we do now. Unfortunately we don't currently have means to generate JS & co. (from lowering, the emitter does support these instructions).

There's no way to get this work for ADD/SUB + LE/GT. That would require instructions like JSE/JNSE which do not exist.

Unfortunately it looks like we'll have to go back to supporting only EQ/NE.

[sdmaclea]

I will need to think about this some more, but it is not immediately obvious why this would be difficult/impossible.

Are we losing information by not knowing how the flags were produced?
Would it be easier if the compare contained the subtract et. all.?

[mikedn]

Are we losing information by not knowing how the flags were produced?

Hmm, more like the opposite. We're using information (flags) that that was previously (correctly) ignored and that results in a change in behavior. Consider the x + 42 > 0 example, without this optimization it generates something like:

add w0, w1 w2
tst w0, w0
cset w0, gt

The gt condition code means Z == 0 && N == V so it involves both N and V flags. After tst V is always 0 and N contains the sign bit of w0. So the result solely dependeds on the sign of the result.

If we eliminate tst we'll be using the flags set by add. N will again contain the sign bit of w0 but V will contain 1 if signed addition overflowed. This time the result depends on the result sign and on whether the addition operation overflow or not. If the operation doesn't overflow we get the same result as before. If it does overflow we get a different result.

Would it be easier if the compare contained the subtract et. all.?

I'm not sure what you mean. I don't think there's any way to fix this particular example.

x + 42 >= 0 can be fixed by generating cset w0, pl instead of cset w0, ge but we don't have a way to encode conditions such as pl and mi. Well, I actually do have a change that allows such conditions on JCC/SETCC but I'm not sure it's worth the trouble.

[sdmaclea]

Well, I actually do have a change that allows such conditions on JCC/SETCC but I'm not sure it's worth the trouble.

Why wouldn't it be worth the trouble? Isn't that what a C++ compiler would do?

[mikedn]

C++ compilers have more freedom and they can "optimize" all signed relops. For example GCC generates

cmn     w0, dotnet/coreclr#41
cset    w0, ge

for

int foo(int x) {
    return (x + 42) > 0;
}

It's different from what the JIT tried to do but it has the exact same behavior when it comes to overflow, foo(int.MaxValue) returns true instead of false.

And then this kind of pattern matching done by the JIT is easily defeated by the presence of lclvars that prevent the JIT from "seeing" the arithmetic operation that sets the flags. That means that cases where this optimization is likely to be most useful - loops - won't be recognized anyway. See for loop example in #6794.

So the number of cases where a corrected optimization would kick in is likely to pretty low. Oh well, since I already have most of the work done I could give it a try and see how it looks.