`697a46b`

Wire array bounds checks end to end

Authored by mfwolffe <wolffemf@dukes.jmu.edu> 1 month ago

SHA: 697a46b9a8a02ba57710b7b99cc18199b18ca026
Parents: 74a593b
Tree: 838b7e4

7 changed files

Status	File	+	-
M	`runtime/src/array.rs`	14	1
M	`src/ir/lower.rs`	18	11
M	`src/opt/bce.rs`	462	45
M	`src/opt/pipeline.rs`	4	0
A	`test_programs/bounds_check_loop.f90`	14	0
A	`tests/bounds_checks.rs`	82	0
A	`tests/fixtures/bounds_check_oob.f90`	7	0

runtime/src/array.rsmodified

  use crate::descriptor::*;
  use std::ptr;
++// ---- BOUNDS CHECKS ----
++
++/// Abort if an array subscript is outside the legal closed interval.
++#[no_mangle]
++pub extern "C" fn afs_check_bounds(index: i64, lower: i64, upper: i64) {
++    if index < lower || index > upper {
++        eprintln!(
++            "Bounds check failed: index {} outside [{}, {}]",
++            index, lower, upper
++        );
++        std::process::exit(1);
++    }
++}
++
  // ---- ALLOCATE ----
  /// Allocate an array described by the given dimensions.
+     }
      dot
+ }
--

src/ir/lower.rsmodified

      b.load(elem_ptr)
+ }
++fn emit_bounds_check(
++    b: &mut FuncBuilder,
++    index: ValueId,
++    lower: ValueId,
++    upper: ValueId,
++) {
++    b.runtime_call(RuntimeFunc::CheckBounds, vec![index, lower, upper], IrType::Void);
++}
++
  /// Compute the column-major flat ELEMENT offset (i64) for an array
  /// subscript expression, returning a value suitable for `b.gep` (which
  /// scales by the GEP result element size).
              let p_up = b.gep(info.addr, vec![off_up], IrType::Int(IntWidth::I8));
              let lo = b.load_typed(p_lo, IrType::Int(IntWidth::I64));
              let up = b.load_typed(p_up, IrType::Int(IntWidth::I64));
++            emit_bounds_check(b, sub, lo, up);
              let adjusted = b.isub(sub, lo);
              crate::ast::expr::SectionSubscript::Element(e) => lower_expr(b, locals, e, st),
              _ => b.const_i32(0),
          };
++        let subscript64 = widen_idx_to_i64(b, subscript);
          let (lower, extent) = if dim_idx < info.dims.len() {
              info.dims[dim_idx]
          } else {
              (1, 1)
          };
--
++        let upper = lower + extent - 1;
--        let lower_val = b.const_i32(lower as i32);
++        let lower_val = b.const_i64(lower);
--        let adjusted = b.isub(subscript, lower_val);
++        let upper_val = b.const_i64(upper);
++        emit_bounds_check(b, subscript64, lower_val, upper_val);
++        let adjusted = b.isub(subscript64, lower_val);
          let dim_offset = if stride == 1 {
              adjusted
          } else {
--            let stride_val = b.const_i32(stride as i32);
++            let stride_val = b.const_i64(stride);
              b.imul(adjusted, stride_val)
          };
          stride *= extent;
+     }
--    let idx = flat_offset.unwrap_or_else(|| b.const_i32(0));
++    flat_offset.unwrap_or_else(|| b.const_i64(0))
--    // Widen index to i64 for pointer arithmetic. ARM64 GEP lowering
--    // needs an i64 subscript so the codegen `mul` lands as
--    // `mul x, x, x` instead of `mul x, w, x` (which the assembler
--    // rejects). Applies to BOTH stack and allocatable arrays —
--    // gating on `info.allocatable` was the audit's CRITICAL-1.
--    widen_idx_to_i64(b, idx)
+ }
  /// Widen an i32 (or smaller) index value to i64 for pointer

src/opt/bce.rsmodified

  //!   and hi <= upper
  //! - Constant index within [lower, upper]
  //!
--//! Note: Bounds check INSERTION (the lowerer adding CheckBounds calls
++//! Bounds checks are inserted during lowering for scalar array
--//! at array access sites) is deferred. This pass provides the
++//! element accesses. This pass removes the checks when the index is
--//! elimination framework for when insertion lands.
++//! provably safe.
--use std::collections::HashSet;
  use crate::ir::inst::*;
--use crate::ir::walk::find_natural_loops;
++use crate::ir::walk::{find_natural_loops, predecessors};
--use super::loop_utils::{resolve_const_int, loop_defined_values};
++use super::loop_utils::{find_preheader, resolve_const_int};
  use super::pass::Pass;
  pub struct Bce;
  fn bce_function(func: &mut Function) -> bool {
      let loops = find_natural_loops(func);
++    let preds = predecessors(func);
      let mut to_remove: Vec<(BlockId, usize)> = Vec::new();
      for block in &func.blocks {
                      let lower = args[1];
                      let upper = args[2];
--                    if is_provably_safe(func, &loops, index, lower, upper) {
++                    if is_provably_safe(func, &loops, &preds, index, lower, upper) {
                          to_remove.push((block.id, inst_idx));
+                     }
+                 }
  fn is_provably_safe(
      func: &Function,
      loops: &[crate::ir::walk::NaturalLoop],
++    preds: &std::collections::HashMap<BlockId, Vec<BlockId>>,
      index: ValueId,
      lower: ValueId,
      upper: ValueId,
  ) -> bool {
++    let index = strip_int_casts(func, index);
++
      // Case 1: constant index, constant bounds.
      if let (Some(idx), Some(lo), Some(hi)) = (
--        resolve_const_int(func, index),
++        resolve_int_scalar(func, index),
--        resolve_const_int(func, lower),
++        resolve_int_scalar(func, lower),
--        resolve_const_int(func, upper),
++        resolve_int_scalar(func, upper),
      ) {
          return idx >= lo && idx <= hi;
+     }
--    // Case 2: index is a loop IV, bounds are constants matching loop bounds.
++    // Case 2: index is a canonical loop IV, and the loop's closed range
--    // Check if the index is a block param of a loop header, and the loop's
++    // stays within the checked bounds.
--    // init/bound encompass [lower, upper].
++    let Some(lo_const) = resolve_int_scalar(func, lower) else { return false; };
++    let Some(hi_const) = resolve_int_scalar(func, upper) else { return false; };
      for lp in loops {
--        let hdr = func.block(lp.header);
++        let Some((range_lo, range_hi)) = loop_index_range(func, lp, preds, index) else {
--        if hdr.params.len() != 1 { continue; }
++            continue;
--        let iv = hdr.params[0].id;
++        };
--        if iv != index { continue; }
++        if range_lo >= lo_const && range_hi <= hi_const {
--
++            return true;
--        // The IV is in-bounds if the loop's init >= lower and bound <= upper.
++        }
--        // Find init (from preheader's branch arg) and bound (from cmp block).
++    }
--        // For now, conservative: only eliminate if both lower and upper are
++
--        // constants and the loop is a standard counted loop.
++    false
--        let loop_defs = loop_defined_values(func, lp);
++}
--
++
--        // Find bound from comparison.
++fn loop_index_range(
--        for &bid in &lp.body {
++    func: &Function,
--            let block = func.block(bid);
++    lp: &crate::ir::walk::NaturalLoop,
--            for inst in &block.insts {
++    preds: &std::collections::HashMap<BlockId, Vec<BlockId>>,
--                if let InstKind::ICmp(CmpOp::Le, a, b) = &inst.kind {
++    index: ValueId,
--                    if *a == iv {
++) -> Option<(i64, i64)> {
--                        // IV <= b → loop upper = b
++    let header = func.block(lp.header);
--                        if let (Some(lo_const), Some(hi_const), Some(bound_const)) = (
++    let param_idx = header.params.iter().position(|param| param.id == index)?;
--                            resolve_const_int(func, lower),
++    let init = loop_init_const(func, lp, preds, param_idx)?;
--                            resolve_const_int(func, upper),
++    let (bound, dir) = loop_bound_const(func, lp.header, index)?;
--                            resolve_const_int(func, *b),
++    let step = loop_step_const(func, lp, param_idx, index)?;
--                        ) {
++
--                            // If loop runs from some init to bound_const,
++    match (dir, step.signum()) {
--                            // and lo_const <= init and bound_const <= hi_const,
++        (LoopDir::Ascending, 1) | (LoopDir::Descending, -1) => {
--                            // the access is safe.
++            Some((init.min(bound), init.max(bound)))
--                            if bound_const <= hi_const && lo_const <= 1 {
++        }
--                                return true;
++        _ => None,
--                            }
++    }
--                        }
++}
--                    }
++
++fn loop_init_const(
++    func: &Function,
++    lp: &crate::ir::walk::NaturalLoop,
++    preds: &std::collections::HashMap<BlockId, Vec<BlockId>>,
++    param_idx: usize,
++) -> Option<i64> {
++    let preheader = find_preheader(func, lp, preds)?;
++    match &func.block(preheader).terminator {
++        Some(Terminator::Branch(dest, args))
++            if *dest == lp.header && param_idx < args.len() =>
++        {
++            resolve_int_scalar(func, args[param_idx])
++        }
++        _ => None,
++    }
++}
++
++#[derive(Clone, Copy, Debug, PartialEq, Eq)]
++enum LoopDir {
++    Ascending,
++    Descending,
++}
++
++fn loop_bound_const(
++    func: &Function,
++    header: BlockId,
++    index: ValueId,
++) -> Option<(i64, LoopDir)> {
++    for inst in &func.block(header).insts {
++        let InstKind::ICmp(op, lhs, rhs) = &inst.kind else { continue };
++        match op {
++            CmpOp::Le => {
++                if *lhs == index {
++                    return resolve_int_scalar(func, *rhs)
++                        .map(|bound| (bound, LoopDir::Ascending));
++                }
++                if *rhs == index {
++                    return resolve_int_scalar(func, *lhs)
++                        .map(|bound| (bound, LoopDir::Descending));
+                 }
+             }
++            CmpOp::Ge => {
++                if *lhs == index {
++                    return resolve_int_scalar(func, *rhs)
++                        .map(|bound| (bound, LoopDir::Descending));
++                }
++                if *rhs == index {
++                    return resolve_int_scalar(func, *lhs)
++                        .map(|bound| (bound, LoopDir::Ascending));
++                }
++            }
++            _ => {}
+         }
+     }
++    None
++}
--    false
++fn loop_step_const(
++    func: &Function,
++    lp: &crate::ir::walk::NaturalLoop,
++    param_idx: usize,
++    index: ValueId,
++) -> Option<i64> {
++    let mut step: Option<i64> = None;
++    for &latch in &lp.latches {
++        let next =
++            edge_arg_value(func.block(latch).terminator.as_ref()?, lp.header, param_idx)?;
++        let latch_step = update_step_const(func, index, next)?;
++        if latch_step == 0 {
++            return None;
++        }
++        match step {
++            Some(prev) if prev != latch_step => return None,
++            Some(_) => {}
++            None => step = Some(latch_step),
++        }
++    }
++    step
++}
++
++fn edge_arg_value(term: &Terminator, target: BlockId, param_idx: usize) -> Option<ValueId> {
++    match term {
++        Terminator::Branch(dest, args) if *dest == target => args.get(param_idx).copied(),
++        Terminator::CondBranch {
++            true_dest,
++            true_args,
++            false_dest,
++            false_args,
++            ..
++        } => {
++            if *true_dest == target {
++                true_args.get(param_idx).copied()
++            } else if *false_dest == target {
++                false_args.get(param_idx).copied()
++            } else {
++                None
++            }
++        }
++        _ => None,
++    }
++}
++
++fn update_step_const(func: &Function, index: ValueId, next: ValueId) -> Option<i64> {
++    let next = strip_int_casts(func, next);
++    if next == index {
++        return Some(0);
++    }
++
++    let kind = find_inst_kind(func, next)?;
++    match kind {
++        InstKind::IAdd(lhs, rhs) => {
++            if *lhs == index {
++                resolve_int_scalar(func, *rhs)
++            } else if *rhs == index {
++                resolve_int_scalar(func, *lhs)
++            } else {
++                None
++            }
++        }
++        InstKind::ISub(lhs, rhs) if *lhs == index => {
++            resolve_int_scalar(func, *rhs).map(|step| -step)
++        }
++        _ => None,
++    }
++}
++
++fn resolve_int_scalar(func: &Function, value: ValueId) -> Option<i64> {
++    let kind = find_inst_kind(func, value)?;
++    match kind {
++        InstKind::ConstInt(v, _) => Some(*v),
++        InstKind::IntExtend(src, _, _) | InstKind::IntTrunc(src, _) => {
++            resolve_int_scalar(func, *src)
++        }
++        _ => resolve_const_int(func, value),
++    }
++}
++
++fn strip_int_casts(func: &Function, mut value: ValueId) -> ValueId {
++    loop {
++        let Some(kind) = find_inst_kind(func, value) else { return value };
++        match kind {
++            InstKind::IntExtend(src, _, _) | InstKind::IntTrunc(src, _) => value = *src,
++            _ => return value,
++        }
++    }
++}
++
++fn find_inst_kind<'a>(func: &'a Function, value: ValueId) -> Option<&'a InstKind> {
++    for block in &func.blocks {
++        for inst in &block.insts {
++            if inst.id == value {
++                return Some(&inst.kind);
++            }
++        }
++    }
++    None
+ }
  #[cfg(test)]
              .any(|i| matches!(i.kind, InstKind::RuntimeCall(RuntimeFunc::CheckBounds, _)));
          assert!(!has_check, "CheckBounds should be removed");
+     }
++
++    #[test]
++    fn bce_removes_canonical_loop_iv_check() {
++        let mut m = Module::new("test".into());
++        let mut f = Function::new("test".into(), vec![], IrType::Void);
++        let span = crate::lexer::Span {
++            file_id: 0,
++            start: crate::lexer::Position { line: 0, col: 0 },
++            end: crate::lexer::Position { line: 0, col: 0 },
++        };
++
++        let header = f.create_block("header");
++        let body = f.create_block("body");
++        let exit = f.create_block("exit");
++
++        let init = f.next_value_id();
++        f.register_type(init, IrType::Int(IntWidth::I32));
++        f.block_mut(f.entry).insts.push(Inst {
++            id: init,
++            ty: IrType::Int(IntWidth::I32),
++            span,
++            kind: InstKind::ConstInt(1, IntWidth::I32),
++        });
++        let zero = f.next_value_id();
++        f.register_type(zero, IrType::Int(IntWidth::I32));
++        f.block_mut(f.entry).insts.push(Inst {
++            id: zero,
++            ty: IrType::Int(IntWidth::I32),
++            span,
++            kind: InstKind::ConstInt(0, IntWidth::I32),
++        });
++        f.block_mut(f.entry).terminator = Some(Terminator::Branch(header, vec![init, zero]));
++
++        let iv = f.next_value_id();
++        f.register_type(iv, IrType::Int(IntWidth::I32));
++        let sum = f.next_value_id();
++        f.register_type(sum, IrType::Int(IntWidth::I32));
++        f.block_mut(header).params.push(BlockParam { id: iv, ty: IrType::Int(IntWidth::I32) });
++        f.block_mut(header).params.push(BlockParam { id: sum, ty: IrType::Int(IntWidth::I32) });
++
++        let bound = f.next_value_id();
++        f.register_type(bound, IrType::Int(IntWidth::I32));
++        f.block_mut(header).insts.push(Inst {
++            id: bound,
++            ty: IrType::Int(IntWidth::I32),
++            span,
++            kind: InstKind::ConstInt(4, IntWidth::I32),
++        });
++        let cond = f.next_value_id();
++        f.register_type(cond, IrType::Bool);
++        f.block_mut(header).insts.push(Inst {
++            id: cond,
++            ty: IrType::Bool,
++            span,
++            kind: InstKind::ICmp(CmpOp::Le, iv, bound),
++        });
++        f.block_mut(header).terminator = Some(Terminator::CondBranch {
++            cond,
++            true_dest: body,
++            true_args: vec![],
++            false_dest: exit,
++            false_args: vec![],
++        });
++
++        let iv64 = f.next_value_id();
++        f.register_type(iv64, IrType::Int(IntWidth::I64));
++        f.block_mut(body).insts.push(Inst {
++            id: iv64,
++            ty: IrType::Int(IntWidth::I64),
++            span,
++            kind: InstKind::IntExtend(iv, IntWidth::I64, true),
++        });
++        let lo = f.next_value_id();
++        f.register_type(lo, IrType::Int(IntWidth::I64));
++        f.block_mut(body).insts.push(Inst {
++            id: lo,
++            ty: IrType::Int(IntWidth::I64),
++            span,
++            kind: InstKind::ConstInt(1, IntWidth::I64),
++        });
++        let hi = f.next_value_id();
++        f.register_type(hi, IrType::Int(IntWidth::I64));
++        f.block_mut(body).insts.push(Inst {
++            id: hi,
++            ty: IrType::Int(IntWidth::I64),
++            span,
++            kind: InstKind::ConstInt(4, IntWidth::I64),
++        });
++        let check = f.next_value_id();
++        f.register_type(check, IrType::Void);
++        f.block_mut(body).insts.push(Inst {
++            id: check,
++            ty: IrType::Void,
++            span,
++            kind: InstKind::RuntimeCall(RuntimeFunc::CheckBounds, vec![iv64, lo, hi]),
++        });
++        let step = f.next_value_id();
++        f.register_type(step, IrType::Int(IntWidth::I32));
++        f.block_mut(body).insts.push(Inst {
++            id: step,
++            ty: IrType::Int(IntWidth::I32),
++            span,
++            kind: InstKind::ConstInt(1, IntWidth::I32),
++        });
++        let next_iv = f.next_value_id();
++        f.register_type(next_iv, IrType::Int(IntWidth::I32));
++        f.block_mut(body).insts.push(Inst {
++            id: next_iv,
++            ty: IrType::Int(IntWidth::I32),
++            span,
++            kind: InstKind::IAdd(iv, step),
++        });
++        let next_sum = f.next_value_id();
++        f.register_type(next_sum, IrType::Int(IntWidth::I32));
++        f.block_mut(body).insts.push(Inst {
++            id: next_sum,
++            ty: IrType::Int(IntWidth::I32),
++            span,
++            kind: InstKind::IAdd(sum, step),
++        });
++        f.block_mut(body).terminator =
++            Some(Terminator::Branch(header, vec![next_iv, next_sum]));
++        f.block_mut(exit).terminator = Some(Terminator::Return(None));
++        m.add_function(f);
++
++        let pass = Bce;
++        assert!(pass.run(&mut m), "canonical counted-loop bounds check should be removed");
++        let has_check = m.functions[0].block(body).insts.iter().any(|inst| {
++            matches!(inst.kind, InstKind::RuntimeCall(RuntimeFunc::CheckBounds, _))
++        });
++        assert!(!has_check, "loop body should no longer contain CheckBounds");
++    }
++
++    #[test]
++    fn bce_keeps_loop_check_when_bounds_are_tighter_than_trip_range() {
++        let mut m = Module::new("test".into());
++        let mut f = Function::new("test".into(), vec![], IrType::Void);
++        let span = crate::lexer::Span {
++            file_id: 0,
++            start: crate::lexer::Position { line: 0, col: 0 },
++            end: crate::lexer::Position { line: 0, col: 0 },
++        };
++
++        let header = f.create_block("header");
++        let body = f.create_block("body");
++        let exit = f.create_block("exit");
++
++        let init = f.next_value_id();
++        f.register_type(init, IrType::Int(IntWidth::I32));
++        f.block_mut(f.entry).insts.push(Inst {
++            id: init,
++            ty: IrType::Int(IntWidth::I32),
++            span,
++            kind: InstKind::ConstInt(1, IntWidth::I32),
++        });
++        let zero = f.next_value_id();
++        f.register_type(zero, IrType::Int(IntWidth::I32));
++        f.block_mut(f.entry).insts.push(Inst {
++            id: zero,
++            ty: IrType::Int(IntWidth::I32),
++            span,
++            kind: InstKind::ConstInt(0, IntWidth::I32),
++        });
++        f.block_mut(f.entry).terminator = Some(Terminator::Branch(header, vec![init, zero]));
++
++        let iv = f.next_value_id();
++        f.register_type(iv, IrType::Int(IntWidth::I32));
++        let sum = f.next_value_id();
++        f.register_type(sum, IrType::Int(IntWidth::I32));
++        f.block_mut(header).params.push(BlockParam { id: iv, ty: IrType::Int(IntWidth::I32) });
++        f.block_mut(header).params.push(BlockParam { id: sum, ty: IrType::Int(IntWidth::I32) });
++
++        let bound = f.next_value_id();
++        f.register_type(bound, IrType::Int(IntWidth::I32));
++        f.block_mut(header).insts.push(Inst {
++            id: bound,
++            ty: IrType::Int(IntWidth::I32),
++            span,
++            kind: InstKind::ConstInt(4, IntWidth::I32),
++        });
++        let cond = f.next_value_id();
++        f.register_type(cond, IrType::Bool);
++        f.block_mut(header).insts.push(Inst {
++            id: cond,
++            ty: IrType::Bool,
++            span,
++            kind: InstKind::ICmp(CmpOp::Le, iv, bound),
++        });
++        f.block_mut(header).terminator = Some(Terminator::CondBranch {
++            cond,
++            true_dest: body,
++            true_args: vec![],
++            false_dest: exit,
++            false_args: vec![],
++        });
++
++        let iv64 = f.next_value_id();
++        f.register_type(iv64, IrType::Int(IntWidth::I64));
++        f.block_mut(body).insts.push(Inst {
++            id: iv64,
++            ty: IrType::Int(IntWidth::I64),
++            span,
++            kind: InstKind::IntExtend(iv, IntWidth::I64, true),
++        });
++        let lo = f.next_value_id();
++        f.register_type(lo, IrType::Int(IntWidth::I64));
++        f.block_mut(body).insts.push(Inst {
++            id: lo,
++            ty: IrType::Int(IntWidth::I64),
++            span,
++            kind: InstKind::ConstInt(1, IntWidth::I64),
++        });
++        let hi = f.next_value_id();
++        f.register_type(hi, IrType::Int(IntWidth::I64));
++        f.block_mut(body).insts.push(Inst {
++            id: hi,
++            ty: IrType::Int(IntWidth::I64),
++            span,
++            kind: InstKind::ConstInt(3, IntWidth::I64),
++        });
++        let check = f.next_value_id();
++        f.register_type(check, IrType::Void);
++        f.block_mut(body).insts.push(Inst {
++            id: check,
++            ty: IrType::Void,
++            span,
++            kind: InstKind::RuntimeCall(RuntimeFunc::CheckBounds, vec![iv64, lo, hi]),
++        });
++        let step = f.next_value_id();
++        f.register_type(step, IrType::Int(IntWidth::I32));
++        f.block_mut(body).insts.push(Inst {
++            id: step,
++            ty: IrType::Int(IntWidth::I32),
++            span,
++            kind: InstKind::ConstInt(1, IntWidth::I32),
++        });
++        let next_iv = f.next_value_id();
++        f.register_type(next_iv, IrType::Int(IntWidth::I32));
++        f.block_mut(body).insts.push(Inst {
++            id: next_iv,
++            ty: IrType::Int(IntWidth::I32),
++            span,
++            kind: InstKind::IAdd(iv, step),
++        });
++        let next_sum = f.next_value_id();
++        f.register_type(next_sum, IrType::Int(IntWidth::I32));
++        f.block_mut(body).insts.push(Inst {
++            id: next_sum,
++            ty: IrType::Int(IntWidth::I32),
++            span,
++            kind: InstKind::IAdd(sum, step),
++        });
++        f.block_mut(body).terminator =
++            Some(Terminator::Branch(header, vec![next_iv, next_sum]));
++        f.block_mut(exit).terminator = Some(Terminator::Return(None));
++        m.add_function(f);
++
++        let pass = Bce;
++        assert!(
++            !pass.run(&mut m),
++            "loop trip range 1..4 exceeds checked upper bound 3, so CheckBounds must remain"
++        );
++    }
+ }

src/opt/pipeline.rsmodified

  use super::sroa::Sroa;
  use super::gvn::Gvn;
  use super::global_lsf::GlobalLsf;
++use super::bce::Bce;
  use super::fission::LoopFission;
  use super::fusion::LoopFusion;
              pm.add(Box::new(Inline::for_level(OptLevel::O2)));
              pm.add(Box::new(SimplifyCfg));
              pm.add(Box::new(DeadFuncElim));
++            pm.add(Box::new(Bce));
              pm.add(Box::new(StrengthReduce));
              pm.add(Box::new(LocalLsf));
              pm.add(Box::new(GlobalLsf));
              pm.add(Box::new(Inline::for_level(OptLevel::Os)));
              pm.add(Box::new(SimplifyCfg));
              pm.add(Box::new(DeadFuncElim));
++            pm.add(Box::new(Bce));
              pm.add(Box::new(StrengthReduce));
              pm.add(Box::new(LocalLsf));
              pm.add(Box::new(GlobalLsf));
              pm.add(Box::new(Inline::for_level(OptLevel::O3)));
              pm.add(Box::new(SimplifyCfg));
              pm.add(Box::new(DeadFuncElim));
++            pm.add(Box::new(Bce));
              pm.add(Box::new(StrengthReduce));
              pm.add(Box::new(LocalLsf));
              pm.add(Box::new(GlobalLsf));

test_programs/bounds_check_loop.f90added

++program bounds_check_loop
++  implicit none
++  integer :: i, a(4), s
++
++  a = [1, 2, 3, 4]
++  s = 0
++  do i = 1, 4
++    s = s + a(i)
++  end do
++
++  print *, s
++end program bounds_check_loop
++! CHECK: 10
++! IR_CHECK: rt_call @__afs_check_bounds

tests/bounds_checks.rsadded

++use std::collections::BTreeSet;
++use std::path::PathBuf;
++
++use armfortas::driver::OptLevel;
++use armfortas::testing::{capture_from_path, CaptureRequest, CapturedStage, RunCapture, Stage};
++
++fn fixture(path: &str) -> PathBuf {
++    let path = PathBuf::from(path);
++    assert!(path.exists(), "missing test fixture {}", path.display());
++    path
++}
++
++fn capture_text(request: CaptureRequest, stage: Stage) -> String {
++    let result = capture_from_path(&request).expect("capture should succeed");
++    match result.get(stage) {
++        Some(CapturedStage::Text(text)) => text.clone(),
++        Some(CapturedStage::Run(_)) => panic!("expected text stage for {}", stage.as_str()),
++        None => panic!("missing requested stage {}", stage.as_str()),
++    }
++}
++
++fn capture_run(request: CaptureRequest) -> RunCapture {
++    let result = capture_from_path(&request).expect("capture should succeed");
++    match result.get(Stage::Run) {
++        Some(CapturedStage::Run(run)) => run.clone(),
++        Some(CapturedStage::Text(_)) => panic!("expected run stage"),
++        None => panic!("missing requested stage {}", Stage::Run.as_str()),
++    }
++}
++
++#[test]
++fn lowering_inserts_bounds_checks_at_o0() {
++    let ir = capture_text(
++        CaptureRequest {
++            input: fixture("test_programs/bounds_check_loop.f90"),
++            requested: BTreeSet::from([Stage::Ir]),
++            opt_level: OptLevel::O0,
++        },
++        Stage::Ir,
++    );
++
++    assert!(
++        ir.contains("rt_call @__afs_check_bounds"),
++        "lowered IR should contain runtime bounds checks before optimization"
++    );
++}
++
++#[test]
++fn bce_removes_canonical_loop_bounds_checks_at_o2() {
++    let opt_ir = capture_text(
++        CaptureRequest {
++            input: fixture("test_programs/bounds_check_loop.f90"),
++            requested: BTreeSet::from([Stage::OptIr]),
++            opt_level: OptLevel::O2,
++        },
++        Stage::OptIr,
++    );
++
++    assert!(
++        !opt_ir.contains("rt_call @__afs_check_bounds"),
++        "O2 optimized IR should eliminate provably-safe loop bounds checks"
++    );
++}
++
++#[test]
++fn runtime_bounds_checks_trap_out_of_range_accesses() {
++    let run = capture_run(CaptureRequest {
++        input: fixture("tests/fixtures/bounds_check_oob.f90"),
++        requested: BTreeSet::from([Stage::Run]),
++        opt_level: OptLevel::O0,
++    });
++
++    assert_ne!(
++        run.exit_code, 0,
++        "out-of-range access should fail at runtime"
++    );
++    assert!(
++        run.stderr.contains("Bounds check failed"),
++        "runtime trap should explain the out-of-range access, stderr was:\n{}",
++        run.stderr
++    );
++}

tests/fixtures/bounds_check_oob.f90added

++program bounds_check_oob
++  implicit none
++  integer :: a(4)
++
++  a = [1, 2, 3, 4]
++  print *, a(5)
++end program bounds_check_oob