Should isnan be optimized out in fast-math mode?

Hi all,

One of the purposes of llvm::isnan was to help preserve the check made by isnan if fast-math mode is
specified (https://reviews.llvm.org/D104854). I’d like to describe reason for that and propose to use the behavior
implemented in that patch.

The option -ffast-math is often used when performance is important, as it allows a compiler to generate faster code.This option itself is a collection of different optimization techniques, each having its own option. For this topic only the
option -ffinite-math-only is of interest. With it the compiler treats floating point numbers as mathematical real numbers,
so transformations like 0 * x -> 0 become valid.

In clang documentation (https://clang.llvm.org/docs/UsersManual.html#cmdoption-ffast-math) this option is described as:

“Allow floating-point optimizations that assume arguments and results are not NaNs or ±Inf.”

GCC documentation (https://gcc.gnu.org/onlinedocs/gcc/Optimize-Options.html) is a bit more concrete:

“Allow optimizations for floating-point arithmetic that assume that arguments and results are not NaNs or ±Infs.”

What is the issue?

C standard defines a macro isnan, which can be mapped to an intrinsic function provided by the compiler. For both
clang and gcc it is __builtin_isnan. How should this function behave if -ffinite-math-only is specified? Should it make a
real check or the compiler can assume that it always returns false?

GCC optimizes out isnan. It follows from the viewpoint that (https://gcc.gnu.org/bugzilla/show_bug.cgi?id=50724#c1):

“With -ffinite-math-only you are telling that there are no NaNs and thus GCC optimizes isnan (x) to 0.”

Such treatment of -ffinite-math-only has sufficient drawbacks. In particular it makes it impossible to check validity of
data: a user cannot write

assert(!isnan(x));

because the compiler replaces the actual function call with its expected value. There are many complaints in GCC bug
tracker (for instance https://gcc.gnu.org/bugzilla/show_bug.cgi?id=84949 or https://gcc.gnu.org/bugzilla/show_bug.cgi?id=50724)
as well as in forums (https://stackoverflow.com/questions/47703436/isnan-does-not-work-correctly-with-ofast-flags or
https://stackoverflow.com/questions/22931147/stdisinf-does-not-work-with-ffast-math-how-to-check-for-infinity). Proposed
solutions are using integer operations to make the check, to turn off -ffinite-math-only in some parts of the code or to
ensure that libc function is called. It clearly demonstrates that isnan in this case is useless, but users need its functionality
and do not have a proper tool to make required checks. The similar direction was criticized in llvm as well (https://reviews.llvm.org/D18513#387418).

Why imposing restrictions on floating types is bad?

If -ffinite-math-only modifies properties of double type, several issues arise, for instance:

  • What should return std::numeric_limits<double>::has_quiet_NaN()?
  • What body should have this function if it is used in a program where some functions are compiled with fast-math and some without?
  • Should inlining of a function compiled with fast-math to a function compiled without it be prohibited in inliner?
  • Should std::isnan(std::numeric_limits<float>::quiet_NaN()) be true?

If the type double cannot have NaN value, it means that double and double under -ffinite-math-only are different types
(https://gcc.gnu.org/pipermail/gcc-patches/2020-April/544641.html). Such a way can solve these problems but it is so expensive
that hardly it has a chance to be realized.

The solution

Instead of modifying properties of floating point types, the effect of -ffinite-math-only can be expressed as a restriction on
operation usage. Actually clang and gcc documentation already follows this way. Fast-math flags in llvm IR also are attributes
of instructions. The only question is whether isnan and similar functions are floating-point arithmetic.

From a practical viewpoint, treating non-computational functions as arithmetic does not add any advantage. If a code extensively
uses isnan (so could profit by their removal), it is likely it is not suitable for -ffinite-math-only. This interpretation however creates
the problems described above. So it is profitable to consider isnan and similar functions as non-arithmetical.

Why is it safe to leave isnan?

The probable concern of this solution is deviation from gcc behavior. There are several reasons why this is not an issue.

  1. -ffinite-math-only is an optimization option. A correct program compiled with -ffinite-math-only and without it should behave
    identically, if conditions for using -ffinite-math-only are fulfilled. So making the check cannot break functionality.
  2. isnan is implemented by libc, which can map it to a compiler builtin or use its own implementation, depending on
    configuration options. isnan implemented in libc obviously always does the real check.
  3. ICC and MSVC preserve isnan in fast-math mode.

The proposal is to not consider isnan and other such functions as arithmetic operations and do not optimize them out
just because -ffinite-math-only is specified. Of course, there are cases when isnan may be optimized out, for instance,
isnan(a + b) may be optimized if -ffinite-math-only is in effect due to the assumption (result of arithmetic operation is not NaN).

What are your opinions?

As a developer (who always reads the docs and generally makes good life choices), if I turn on -ffast-math, I want the compiler to produce the fastest possible floating point math code possible, floating point semantics be darned. Given this viewpoint, my opinion on this topic is that the compiler should do whatever it wants, given the constraints of the documented behavior of NaN. I think the clang docs for -ffast-math are pretty clear on this subject:


Enable fast-math mode. This option lets the compiler make aggressive, potentially-lossy assumptions about floating-point math. These include:

...

- Operands to floating-point operations are not equal to NaN and Inf ...

The compiler may assume that operands to floating point operations are not NaN or infinity. So:

  • What should return std::numeric_limits<double>::has_quiet_NaN()? : It should return true if it would have returned true with fast math disabled. Clang is not required to pretend NaN doesn’t exist, it’s allowed to pretend arguments cannot be NaN if that is convenient.

  • What body should have this function if it is used in a program where some functions are compiled with fast-math and some without? : This function should be allowed to act as if NaN exists in all cases.

  • Should inlining of a function compiled with fast-math to a function compiled without it be prohibited in inliner? No. The author of the function that uses fast-math made their choices, and the user of that function should have vetted their dependencies better. In my view, this is no different than if somebody wrote if (x == y/z) ...; it’s a bug on the user. It’s not clang’s fault that this code doesn’t work as the author wanted.

  • Should std::isnan(std::numeric_limits<float>::quiet_NaN()) be true? : No. quiet_NaN() can return whatever it wants, but the call to std::isnan can be replaced with false since it may assume it’s argument is not NaN.

Of course, this all sounds fine and well, but the reality is that people don’t read docs and don’t make good life choices. They turn on fast math because they want it to reduce x * 0 to 0, and are surprised when their NaN handling code fails. This is unfortunate, but I don’t think we should reduce the effectiveness of fast-math because of this human issue. Other flags exist for these users, and when they complain they should be told about them. Really this is an issue of poor developer discipline, and if we really want to solve this, perhaps some sort of “fast math sanitizer” can be created. It can statically analyze code and complain when it sees things like if (isnan(foo)) not guarded by __FAST_MATH__ with mast math enabled. Or, maybe the compiler can just issue a warning unconditionally in this case.

Thanks,

Chris Tetreault

There is a huge different between optimisations that assume NaN is not
present and breaking checks for them. I'm not convinced at all that
constant-folding isnan to false will actually speed up real world code.

Joerg

Maybe not, but it will simplify the implementation of clang, and eliminating even 1 instruction is technically a speedup. If the check is in an assert, then it would ideally be removed in a release build and not matter anyways. If the check is in a branch, then that's a whole branch that can get eliminated as dead code, which may be huge if it's deep in the hot render loop.

But really, "a check for NaN" is an operation, so by the documented behavior of -ffast-math, it should assume that it does not receive NaN as an argument. Absent a compelling use case, I think consistent behavior is a very valuable thing to have. By turning on fast math, as a developer you are saying "My code doesn't have NaN, so feel free to optimizing assuming this". To then go ahead and have code that expects checks for NaN to work is kind of silly. If the user wants this behavior, they should pass -funsafe-math-optimizations (or whatever subset of the flags of fast math that they really wanted). After all, what is the point of checking for NaN if "you don't have NaN"?

Really, the problem is that `-ffast-math` is the flag that everybody knows about, so they use it and get upset when it doesn't do what they want. This is a problem of education, not something the compiler should be working around. Now, if we want to issue warnings about misuse of things like isnan or isfinite in the presence of fast math, then that would be great.

Thanks,
   Chris Tetreault

Constant folding away isnan() has already been mentioned as something that surprises people when it eliminates useful things like assert(!isnan(x)). This can be worked around by using integer operations, of course. But having isnan() ignore fast math flags will produce instructions that will frequently be faster than the integer operations.

Are fast math flags _required_ to make assumptions? Or simply _allowed_? The difference is key here.

I expressed my strong support for this on the previous thread, but I’ll just repost the most important piece…

I believe the proposed semantics from the Clang level ought to be:
The -ffinite-math-only and -fno-signed-zeros options do not impact the ability to accurately load, store, copy, or pass or return such values from general function calls. They also do not impact any of the “non-computational” and “quiet-computational” IEEE-754 operations, which includes classification functions (fpclassify, signbit, isinf/isnan/etc), sign-modification (copysign, fabs, and negation -(x)), as well as the totalorder and totalordermag functions. Those correctly handle NaN, Inf, and signed zeros even when the flags are in effect. These flags do affect the behavior of other expressions and math standard-library calls, as well as comparison operations.

I would not expect this to have an actual negative impact on the performance benefit of those flags, since the optimization benefits mainly arise from comparisons and the general computation instructions which are unchanged.

In further support of this position, I note that the previous thread uncovered at least one vendor – Apple (https://opensource.apple.com/source/Libm/Libm-2026/Source/Intel/math.h.auto.html) – going out of their way to cause isnan and friends to function properly with -ffast-math enabled.

I expressed my strong support for this on the previous thread, but I’ll just repost the most important piece…

I believe the proposed semantics from the Clang level ought to be:
The -ffinite-math-only and -fno-signed-zeros options do not impact the ability to accurately load, store, copy, or pass or return such values from general function calls. They also do not impact any of the “non-computational” and “quiet-computational” IEEE-754 operations, which includes classification functions (fpclassify, signbit, isinf/isnan/etc), sign-modification (copysign, fabs, and negation -(x)), as well as the totalorder and totalordermag functions. Those correctly handle NaN, Inf, and signed zeros even when the flags are in effect. These flags do affect the behavior of other expressions and math standard-library calls, as well as comparison operations.

FWIW, I completely agree - these flags are about enabling optimizations that the presence of nans otherwise prohibits. We shouldn’t take a literal interpretation of an old GCC manual, as that would not be useful.

If we converge on this definition, I think it should be documented. This is a source of confusion that comes up periodically.

-Chris

If we say that the fast-math flags are “enabling optimizations that the presence of nans otherwise prohibits”, then there is no reason for clang to keep calls to “isnan” around, or to keep checks like “fpclassify(x) == it’s_a_nan” unfolded. These are exactly the types of optimizations that the presence of NaNs would prohibit.

I understand the need for having some NaN-handling preserved in an otherwise finite-math code. We already have fast-math-related attributes attached to each function in the LLVM IR, so we could introduce a source-level attribute for enabling/disabling these flags per function.

Not sure which way to go, but I agree that we need to improve the docs/user experience either way.
Let’s try to iron this out with an example (this is based on https://llvm.org/PR51775 ):

#include <math.h>
#include <stdlib.h>
int main() {
const double d = strtod(“1E+1000000”, NULL);
return d == HUGE_VAL;
}

What should this program return when compiled with -ffinite-math-only? Should this trigger a clang warning?

https://godbolt.org/z/MY73Tf3ee

The proposed documentation text isn’t clear to me. Should clang apply “nnan ninf” to the IR call for “strtod”?
“strtod” is not in the enumerated list of functions where we would block fast-math-flags, but it is a standard lib call, so “nnan ninf” would seem to apply…but we also don’t want “-ffinite-math-only” to alter the ability to return an INF from a “general function call”?

Not sure which way to go, but I agree that we need to improve the docs/user experience either way.
Let’s try to iron this out with an example (this is based on https://llvm.org/PR51775 ):

#include <math.h>
#include <stdlib.h>
int main() {
const double d = strtod(“1E+1000000”, NULL);
return d == HUGE_VAL;
}

What should this program return when compiled with -ffinite-math-only? Should this trigger a clang warning?

https://godbolt.org/z/MY73Tf3ee

Comparison d == HUGE_VAL is an arithmetic operation, so requirements for using -ffinite-math-only are broken. Both compilers are right.

If we say that the fast-math flags are “enabling optimizations that the presence of nans otherwise prohibits”, then there is no reason for clang to keep calls to “isnan” around, or to keep checks like “fpclassify(x) == it’s_a_nan” unfolded. These are exactly the types of optimizations that the presence of NaNs would prohibit.

Transformation ‘x * 0 → 0’ is an optimization allowed in the absence of nans as arguments, because it produces a program that behaves identically under the given restrictions. Replacement of isnan(x + x) is also an optimization under the same restrictions. Replacement of isnan(x) in general case is not, because we cannot assume that x cannot be a NaN.

I understand the need for having some NaN-handling preserved in an otherwise finite-math code. We already have fast-math-related attributes attached to each function in the LLVM IR, so we could introduce a source-level attribute for enabling/disabling these flags per function.

GCC allows using #pragma GCC optimize ("finite-math-only") or #pragma GCC optimize ("no-finite-math-only") to enable/disable optimization per function basis. Clang could support this pragmf or maybe #pragma clang fp can be extended to support similar functionality.

This goes back to what these options actually imply. The interpretation that I favor is “this code will never see a NaN”, or “the program can assume that no floating point expression will evaluate to a NaN”. The benefit of that is that it’s intuitively clear. In that case “isnan(x)” is false, because x cannot be a NaN. There is no distinction between “isnan(x+x)” and “isnan(x)”. If the user wants to preserve “isnan(x)”, they can apply some pragma (which clang may actually have already).

To be honest, I’m not sure that I understand your argument. Are you saying that under your interpretation we could optimize “isnan(x+x) → false”, but not “isnan(x) → false”?

This goes back to what these options actually imply. The interpretation that I favor is “this code will never see a NaN”, or “the program can assume that no floating point expression will evaluate to a NaN”. The benefit of that is that it’s intuitively clear. In that case “isnan(x)” is false, because x cannot be a NaN. There is no distinction between “isnan(x+x)” and “isnan(x)”. If the user wants to preserve “isnan(x)”, they can apply some pragma (which clang may actually have already).

It is apparent simplicity. As the discussion in gcc mail list demonstrated (https://gcc.gnu.org/pipermail/gcc-patches/2020-April/544641.html) this is actually an impromissing way. From a practical viewpoint it is also a bad solution as users cannot even check the assertions.

To be honest, I’m not sure that I understand your argument. Are you saying that under your interpretation we could optimize “isnan(x+x) → false”, but not “isnan(x) → false”?

Argument of isnan(x+x) is a result of arithmetic operation. According to the meaning of -ffinite-math-only it cannot produce NaN. So this call can be optimized out. In the general case isnan(x) value may be, say, loaded from memory. Load is not an arithmetic operation, so nothing prevents from loading NaN. Optimizing the call out is dangerous in this case.

If the issue is that users want their asserts to fire, then they should be encouraged to only enable fast math in release builds.

It is apparent simplicity. As the discussion in gcc mail list demonstrated (https://gcc.gnu.org/pipermail/gcc-patches/2020-April/544641.html) this is actually an impromissing way. From a practical viewpoint it is also a bad solution as users cannot even check the assertions.

The intent here is that users can preserve the NaN behavior by annotating the code with either attributes or pragmas. I don’t think that the linked discussion actually shows that the “no NaNs ever” interpretation is any worse than the “arithmetic operations do not produce NaNs”. A large part of was what happens to __builtin_nan, but if your code explicitly produces NaNs and you compile it finite-math, you shouldn’t expect anything meaningful. IMO it’s much better to have a flag with a clarity of what it does, even if it leads to potentially unexpected results, than having an option whose description is open to interpretation. At least the users will know what caused the issue, rather than wonder if they had found a compiler bug or not.

I agree that there may be issues with multiple definitions of functions compiled with different settings, although that is not strictly limited to FP flags. There should be some unified approach to that, and I don’t know what the right thing to do it off the top of my head.

Argument of isnan(x+x) is a result of arithmetic operation. According to the meaning of -ffinite-math-only it cannot produce NaN. So this call can be optimized out. In the general case isnan(x) value may be, say, loaded from memory. Load is not an arithmetic operation, so nothing prevents from loading NaN. Optimizing the call out is dangerous in this case.

x is not a load, it’s an expression. Also, even in the presence of NaNs, x+0 preserves the value type (i.e. normal/subnormal/infinity/NaN), except signaling NaNs perhaps. I’m not sure whether we even consider signaling NaNs, so let’s forget them for a moment. If x+0 is a NaN iff x is a NaN, then the compiler should be able to rewrite x → x+0 regardless of any flags. But then, given that x+0 is now “arithmetic”, isnan(x+0) could become false. This is fundamentally counterintuitive.

Furthermore, if we had a = isnan(x), we couldn’t fold it to false, but if we had a = isnan(x); b = isnan(x+x), then we could fold both to false. This is, again, unintuitive.

Let me describe a real life example.

There is a realtime program that processes float values from a huge array. Calculations do not produce NaNs and do not expect them. Using -ffinite-math-only substantially speeds up the program, so it is highly desirable to use it. The problem is that the array contains NaNs, they mark elements that should not be processed.

An obvious solution is to check an element for NaN, and if it is not, process it. Now there is no clean way to do so. Only workarounds, like using integer arithmetics. The function ‘isnan’ became useless. And there are many cases when users complain of this optimization.

Thanks,

It is apparent simplicity. As the discussion in gcc mail list demonstrated (https://gcc.gnu.org/pipermail/gcc-patches/2020-April/544641.html) this is actually an impromissing way. From a practical viewpoint it is also a bad solution as users cannot even check the assertions.

The intent here is that users can preserve the NaN behavior by annotating the code with either attributes or pragmas. I don’t think that the linked discussion actually shows that the “no NaNs ever” interpretation is any worse than the “arithmetic operations do not produce NaNs”. A large part of was what happens to __builtin_nan, but if your code explicitly produces NaNs and you compile it finite-math, you shouldn’t expect anything meaningful.

The purpose of -ffinite-math-only was to make calculations faster by excluding corner cases when the user is sure that they do not occur. Why should it prohibit all operations on NaNs, like reading, writing and checking? Does prohibiting them make programs faster or otherwise better?

IMO it’s much better to have a flag with a clarity of what it does, even if it leads to potentially unexpected results, than having an option whose description is open to interpretation. At least the users will know what caused the issue, rather than wonder if they had found a compiler bug or not.

This solution seems overcomplicated, - a new flag with probably complex meaning. If the effect of -ffinite-math-only is limited to the cases where this restriction indeed gives benefits, it would be a solution without multiplying entities.

In this case, I think it’s perfectly reasonable to reinterpret_cast the floats to uint32_t, and then inspect the bit pattern. Since NaN is being used as a sentinel value, I assume it’s a known bit pattern, and not just any old NaN.

I think it’s fine that fast-math renders isnan useless. As far as I know, the C++ standard wasn’t written to account for compilers providing fast-math flags. fast-math is itself a workaround for “IEEE floats do not behave like actual real numbers”, so working around a workaround seems reasonable to me.

In this case, I think it’s perfectly reasonable to reinterpret_cast the floats to uint32_t, and then inspect the bit pattern. Since NaN is being used as a sentinel value, I assume it’s a known bit pattern, and not just any old NaN.

C standard defines a function to determine if a value is NaN. The fact that it does not work in this case demonstrates that the optimization is incorrect. Again, if isnan comes from libc implementation, it will work, but if it is provided by the compiler, it does not. Users expect consistent behavior.

If NaNs are not prohibited at all in -ffinite-math-only mode, isnan must work as specified in the standard.

I think it’s fine that fast-math renders isnan useless. As far as I know, the C++ standard wasn’t written to account for compilers providing fast-math flags. fast-math is itself a workaround for “IEEE floats do not behave like actual real numbers”, so working around a workaround seems reasonable to me.

I feel you are right with fast-math as a workaround, but the compiler is a practical tool and it must be convenient and suitable for a wide set of tasks. The situation when a user has to invent workarounds because some optimization changes semantics of a standard function is not good.

As for ffinite-math-only, it is actually more or less a safe mode. When we use integer division, we know that the divisor must not be zero. The case of ffinite-math-only is similar.

I personally would separate the “pre-processing” of the input in a compilation unit that isn’t compiled with -ffinite-math-only and isolate the perf-critical routines to be compiled with this flag if needed (I’d also like a sanitizer to have a build mode that validate that no NaNs are ever seen in this routines).

In general, Krzysztof’s reasoning in this thread makes sense to me, in particular in terms of being consistent with how we treat isnan(x) vs isnan(x+0) for example.