ConstraintAnalysis: Add conditional propagation

[kripken]

When we see an if, br_if, etc., we can propagate the condition along the
true branch, and its negation along the other.

[tlively]

Comments on code.

[tlively]

I just realized that there is probably a bug with constraints that compare two locals, e.g. x == y. When there is a set to x, that constraint will be removed and possibly replaced with a new constraint. But when there is a set to y, I believe we still keep the x == y constraint even though it may no longer be correct.

[tlively]

It would be even better if we propagated values when we have inferred equality constraints. Then follow-on optimizations would be able to handle not just ref.is_null, but also things like casts.

[kripken]

I'm not sure what you mean here, can you elaborate?

I think we can add cast support later in a simple way, using a new abstract operation "is subtype of". (Though I am not sure how important this is)

[tlively]

If we have an x == null constraint, then instead of optimizing (ref.is_null (local.get x)) => (i32.const 1), we can optimize (local.get x) => (ref.null none).

Then follow-up optimization in other passes will be able to optimize much more than just a parent ref.is_null.

[tlively]

Another idea: in traps-never-happen mode, we could actually propagate constraints backward from conditions where one arm is post-dominated by an (unreachable).

[kripken]

I just realized that there is probably a bug with constraints that compare two locals

Correct, all inter-local operations are not quite right yet. That's on my list of next PRs here.

[kripken]

Another idea: in traps-never-happen mode, we could actually propagate constraints backward from conditions where one arm is post-dominated by an (unreachable).

Interesting... we can only do it one branch back, but that might be useful already. I'll add a TODO

[tlively]

Not just one branch back!

log(x <= 10 && x >= 0) ;; optimizable to log(1) in TNH
... arbitrary stuff that doesn't modify x ...
if c
  if x > 10:
    unreachable
else
  if x < 0:
    unreachable

[kripken]

Not sure that works:

;; counterexample values
x = 100
c = 0

;; rest of testcase is unchanged
log(x <= 10 && x >= 0)
if c
  if x > 10:
    unreachable
else
  if x < 0:
    unreachable

Execution here goes into the else if the first if. x == 100, so we don't trap. And that proves x >= 0 earlier. But nothing proves x <= 10, which is in fact false. We therefore cannot infer that 1 is logged.

(TNH only applies on paths the code actually traverses: the guarantee is "the program, in practice, does not trap")

[tlively]

Oh yeah, sorry, that example was bogus. Here's one that isn't bogus.

log(x) ;; Optimizable to log(1) in TNH
if x < 1:
  unreachable
if x > 1:
  unreachable

[kripken]

That one works, yeah, but it is not easy to prove that. It depends on how the conditions relate:

log(x)
if y:        ;; these two lines changed
  return     ;;
if x > 1:
  unreachable

Now nothing can be inferred for the x in log(x), not even that x <= 1.

[tlively]

The backward flow you need is similar to the forward flow. The initial state is bottom for each block ending in unreachable (or at which a contradiction is discovered during the forward flow) and top at the end of other exit blocks (if you are not interleaving it with the forward flow). Then you flow backward. Branch conditions are OR'd into the predecessor blocks instead of AND'd into successor blocks. If we follow the C/C++ model, some care needs to be taken around calls and atomic operations because they are allowed to happen in loops that may be followed by unreachables.

[kripken]

Yes, that sounds right. Though the ORing will in generally stop working after one branch, unless we get lucky...

[tlively]

I see, we can model uninitialized non-nullable locals as having any value instead of having no value because they will always be initialized before they are used anyway; their initial value is moot.

And modeling them that way lets us say that a block is unreachable iff any of the local constraints is bottom. Makes sense!

[tlively]

Let's just make this the default state for BasicBlockConstraintMap so we don't need to initialize it separately.

[tlively]

Suggested change

	auto iter = other.map.find(local);
	if (iter == other.map.end()) {
	// When an entry is missing in one of the two, it means we can prove
	// nothing there, which means we can prove nothing in the result.
	constraints.setProvesNothing();
	} else {
	// This local appears in both. OR it.
	constraints.approximateOr(iter->second);
	}
	constraints.approximateOr(other.get(local))

[tlively]

This can just be an assert(!combined.provesNothing()), since anything AND'd with a single constraint must not be an empty constraint set.

[tlively]

Please add a comment here about how we are counterintuitively modeling non-nullable locals as having any value instead of no value.

[tlively]

We wouldn't need to calculate the index like this if we just started with an indexed for loop instead of a range-based for loop over the successors when we process work list items.

[tlively]

We can drop the else and just assert(succIndex < 2) at the beginning.

[tlively]

The nittiest of nits, but I would have expected the index to be the second argument for these functions, not the first.

[tlively]

I don't think this function is adding much anymore. Let's inline it into its callers. (This will simplify getContraintsFromBreak in particular.)

[tlively]

If we have an x == null constraint, then instead of optimizing (ref.is_null (local.get x)) => (i32.const 1), we can optimize (local.get x) => (ref.null none).

Then follow-up optimization in other passes will be able to optimize much more than just a parent ref.is_null.