Skip to content

RemoveUnusedBrs: optimize unreachable control flow mixed with side-effecting branches #7639

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 11 commits into
base: main
Choose a base branch
from
Open

RemoveUnusedBrs: optimize unreachable control flow mixed with side-effecting branches #7639

wants to merge 11 commits into from

Conversation

xuruiyang2002
Copy link
Contributor

Currently wasm-opt cannot optimize unused branch complexed with side-effect operations, such as

 (func $_start
  (local $0 i32)
  (block $block
   (br_if $block
    (local.tee $0
     (i32.const 1)
    )
   )
   (br_if $block
    (i32.load
     (i32.const 0)
    )
   )
   (local.set $0
    (i32.const 0)
   )
  )
  (i32.store
   (i32.const 0)
   (local.get $0)
  )
 )

Actually, the whole block can be removed. However, O3 cannot optimize it (while O2 could).

Fixes: #7637

kripken
kripken reviewed Jun 4, 2025
View reviewed changes
@xuruiyang2002
Copy link
Contributor Author

The fuzzer found a bug here:

(module
  (type (;0;) (func (param i64)))
  (type (;1;) (func))
  (import "fuzzing-support" "log-i64" (func (;0;) (type 0)))
  (func (;1;) (type 1)
    (local i64 i32)
    block  ;; label = @1
      block  ;; label = @2
        global.get 0
        if  ;; label = @3
          i32.const 1
          local.tee 1
          if  ;; label = @4
            br 3 (;@1;)
          else
            br 2 (;@2;)
          end
          unreachable
        else
          unreachable
        end
        unreachable
      end
      local.get 0
      call 0
    end)
  (global (;0;) (mut i32) (i32.const 0)))
$ bin/wasm-opt b.wat -O1 -S -o -
wasm-opt: SimplifyLocals.cpp:666: void wasm::SimplifyLocals<allowTee, allowStructure, allowNesting>::optimizeIfElseReturn(wasm::If*, wasm::Expression**, Sinkables&) [with bool allowTee = true; bool allowStructure = true; bool allowNesting = true; Sinkables = std::map<unsigned int, wasm::SimplifyLocals<true, true>::SinkableInfo, std::less<unsigned int>, std::allocator<std::pair<const unsigned int, wasm::SimplifyLocals<true, true>::SinkableInfo> > >]: 
Assertion `iff->ifFalse->type != Type::unreachable' failed.
Aborted (core dumped)

xuruiyang2002
xuruiyang2002 commented Jun 5, 2025
View reviewed changes
xuruiyang2002
xuruiyang2002 commented Jun 5, 2025
View reviewed changes
src/passes/RemoveUnusedBrs.cpp
if (c->value.geti32()) {
// the branch is always taken, make it unconditional
curr->condition = nullptr;
curr->type = Type::unreachable;
Copy link
Contributor Author

@xuruiyang2002 xuruiyang2002 Jun 5, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Because of this line curr->type = Type::unreachable; (which fixes type mismatch after transforming br_if to br)

As for the case found by the fuzzer, it transforms code from

    block  ;; label = @1
      global.get 0
      if  ;; label = @2
        i32.const 1
        br_if 1 (;@1;)
      else
        unreachable
      end
      local.get 0
      call 0
    end

to

    block  ;; label = @1
      global.get 0
      if  ;; label = @2
        br 1 (;@1;)
      else
        unreachable
      end
      local.get 0
      call 0
    end

which in SimplifyLocals triggers the assertion:

binaryen/src/passes/SimplifyLocals.cpp

Lines 659 to 666 in 700fa15

if (iff->ifTrue->type == Type::unreachable) {
// since the if type is none
assert(iff->ifFalse->type != Type::unreachable);
if (!ifFalse.empty()) {
goodIndex = ifFalse.begin()->first;
found = true;
}
} else if (iff->ifFalse->type == Type::unreachable) {

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this assertion always hold true?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes. If an if has two branches of unreachable then the if should be unreachable: logically, if neither if arm returns, neither does the if itself.

So we need to figure out how things got to that situation, and prevent it. Likely a refinalize() call is missing somewhere (which updates the types of expression after changes - that would update an if to unreachable if it needs to be, etc.)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Probably the issue is that turning a br_if into a br makes it unreachable, when it wasn't before. Setting refinalize = true; in that case should fix things.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Got it, and I've updated.

And I've also fuzzing for about one hour; all is well.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kripken kripken kripken left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Significant optimization regression due to failing remove unused branch
2 participants
@xuruiyang2002 @kripken