1 //===- Miscompilation.cpp - Debug program miscompilations -----------------===//
2 //
3 // The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 // This file implements optimizer and code generation miscompilation debugging
11 // support.
12 //
13 //===----------------------------------------------------------------------===//
14
15 #include "BugDriver.h"
16 #include "ListReducer.h"
17 #include "ToolRunner.h"
18 #include "llvm/Config/config.h" // for HAVE_LINK_R
19 #include "llvm/IR/Constants.h"
20 #include "llvm/IR/DerivedTypes.h"
21 #include "llvm/IR/Instructions.h"
22 #include "llvm/IR/Module.h"
23 #include "llvm/IR/Verifier.h"
24 #include "llvm/Linker/Linker.h"
25 #include "llvm/Pass.h"
26 #include "llvm/Support/CommandLine.h"
27 #include "llvm/Support/FileUtilities.h"
28 #include "llvm/Transforms/Utils/Cloning.h"
29 using namespace llvm;
30
31 namespace llvm {
32 extern cl::opt<std::string> OutputPrefix;
33 extern cl::list<std::string> InputArgv;
34 }
35
36 namespace {
37 static llvm::cl::opt<bool>
38 DisableLoopExtraction("disable-loop-extraction",
39 cl::desc("Don't extract loops when searching for miscompilations"),
40 cl::init(false));
41 static llvm::cl::opt<bool>
42 DisableBlockExtraction("disable-block-extraction",
43 cl::desc("Don't extract blocks when searching for miscompilations"),
44 cl::init(false));
45
46 class ReduceMiscompilingPasses : public ListReducer<std::string> {
47 BugDriver &BD;
48 public:
ReduceMiscompilingPasses(BugDriver & bd)49 ReduceMiscompilingPasses(BugDriver &bd) : BD(bd) {}
50
51 TestResult doTest(std::vector<std::string> &Prefix,
52 std::vector<std::string> &Suffix,
53 std::string &Error) override;
54 };
55 }
56
57 /// TestResult - After passes have been split into a test group and a control
58 /// group, see if they still break the program.
59 ///
60 ReduceMiscompilingPasses::TestResult
doTest(std::vector<std::string> & Prefix,std::vector<std::string> & Suffix,std::string & Error)61 ReduceMiscompilingPasses::doTest(std::vector<std::string> &Prefix,
62 std::vector<std::string> &Suffix,
63 std::string &Error) {
64 // First, run the program with just the Suffix passes. If it is still broken
65 // with JUST the kept passes, discard the prefix passes.
66 outs() << "Checking to see if '" << getPassesString(Suffix)
67 << "' compiles correctly: ";
68
69 std::string BitcodeResult;
70 if (BD.runPasses(BD.getProgram(), Suffix, BitcodeResult, false/*delete*/,
71 true/*quiet*/)) {
72 errs() << " Error running this sequence of passes"
73 << " on the input program!\n";
74 BD.setPassesToRun(Suffix);
75 BD.EmitProgressBitcode(BD.getProgram(), "pass-error", false);
76 exit(BD.debugOptimizerCrash());
77 }
78
79 // Check to see if the finished program matches the reference output...
80 bool Diff = BD.diffProgram(BD.getProgram(), BitcodeResult, "",
81 true /*delete bitcode*/, &Error);
82 if (!Error.empty())
83 return InternalError;
84 if (Diff) {
85 outs() << " nope.\n";
86 if (Suffix.empty()) {
87 errs() << BD.getToolName() << ": I'm confused: the test fails when "
88 << "no passes are run, nondeterministic program?\n";
89 exit(1);
90 }
91 return KeepSuffix; // Miscompilation detected!
92 }
93 outs() << " yup.\n"; // No miscompilation!
94
95 if (Prefix.empty()) return NoFailure;
96
97 // Next, see if the program is broken if we run the "prefix" passes first,
98 // then separately run the "kept" passes.
99 outs() << "Checking to see if '" << getPassesString(Prefix)
100 << "' compiles correctly: ";
101
102 // If it is not broken with the kept passes, it's possible that the prefix
103 // passes must be run before the kept passes to break it. If the program
104 // WORKS after the prefix passes, but then fails if running the prefix AND
105 // kept passes, we can update our bitcode file to include the result of the
106 // prefix passes, then discard the prefix passes.
107 //
108 if (BD.runPasses(BD.getProgram(), Prefix, BitcodeResult, false/*delete*/,
109 true/*quiet*/)) {
110 errs() << " Error running this sequence of passes"
111 << " on the input program!\n";
112 BD.setPassesToRun(Prefix);
113 BD.EmitProgressBitcode(BD.getProgram(), "pass-error", false);
114 exit(BD.debugOptimizerCrash());
115 }
116
117 // If the prefix maintains the predicate by itself, only keep the prefix!
118 Diff = BD.diffProgram(BD.getProgram(), BitcodeResult, "", false, &Error);
119 if (!Error.empty())
120 return InternalError;
121 if (Diff) {
122 outs() << " nope.\n";
123 sys::fs::remove(BitcodeResult);
124 return KeepPrefix;
125 }
126 outs() << " yup.\n"; // No miscompilation!
127
128 // Ok, so now we know that the prefix passes work, try running the suffix
129 // passes on the result of the prefix passes.
130 //
131 std::unique_ptr<Module> PrefixOutput =
132 parseInputFile(BitcodeResult, BD.getContext());
133 if (!PrefixOutput) {
134 errs() << BD.getToolName() << ": Error reading bitcode file '"
135 << BitcodeResult << "'!\n";
136 exit(1);
137 }
138 sys::fs::remove(BitcodeResult);
139
140 // Don't check if there are no passes in the suffix.
141 if (Suffix.empty())
142 return NoFailure;
143
144 outs() << "Checking to see if '" << getPassesString(Suffix)
145 << "' passes compile correctly after the '"
146 << getPassesString(Prefix) << "' passes: ";
147
148 std::unique_ptr<Module> OriginalInput(
149 BD.swapProgramIn(PrefixOutput.release()));
150 if (BD.runPasses(BD.getProgram(), Suffix, BitcodeResult, false/*delete*/,
151 true/*quiet*/)) {
152 errs() << " Error running this sequence of passes"
153 << " on the input program!\n";
154 BD.setPassesToRun(Suffix);
155 BD.EmitProgressBitcode(BD.getProgram(), "pass-error", false);
156 exit(BD.debugOptimizerCrash());
157 }
158
159 // Run the result...
160 Diff = BD.diffProgram(BD.getProgram(), BitcodeResult, "",
161 true /*delete bitcode*/, &Error);
162 if (!Error.empty())
163 return InternalError;
164 if (Diff) {
165 outs() << " nope.\n";
166 return KeepSuffix;
167 }
168
169 // Otherwise, we must not be running the bad pass anymore.
170 outs() << " yup.\n"; // No miscompilation!
171 // Restore orig program & free test.
172 delete BD.swapProgramIn(OriginalInput.release());
173 return NoFailure;
174 }
175
176 namespace {
177 class ReduceMiscompilingFunctions : public ListReducer<Function*> {
178 BugDriver &BD;
179 bool (*TestFn)(BugDriver &, std::unique_ptr<Module>,
180 std::unique_ptr<Module>, std::string &);
181
182 public:
ReduceMiscompilingFunctions(BugDriver & bd,bool (* F)(BugDriver &,std::unique_ptr<Module>,std::unique_ptr<Module>,std::string &))183 ReduceMiscompilingFunctions(BugDriver &bd,
184 bool (*F)(BugDriver &, std::unique_ptr<Module>,
185 std::unique_ptr<Module>,
186 std::string &))
187 : BD(bd), TestFn(F) {}
188
doTest(std::vector<Function * > & Prefix,std::vector<Function * > & Suffix,std::string & Error)189 TestResult doTest(std::vector<Function*> &Prefix,
190 std::vector<Function*> &Suffix,
191 std::string &Error) override {
192 if (!Suffix.empty()) {
193 bool Ret = TestFuncs(Suffix, Error);
194 if (!Error.empty())
195 return InternalError;
196 if (Ret)
197 return KeepSuffix;
198 }
199 if (!Prefix.empty()) {
200 bool Ret = TestFuncs(Prefix, Error);
201 if (!Error.empty())
202 return InternalError;
203 if (Ret)
204 return KeepPrefix;
205 }
206 return NoFailure;
207 }
208
209 bool TestFuncs(const std::vector<Function*> &Prefix, std::string &Error);
210 };
211 }
212
213 /// Given two modules, link them together and run the program, checking to see
214 /// if the program matches the diff. If there is an error, return NULL. If not,
215 /// return the merged module. The Broken argument will be set to true if the
216 /// output is different. If the DeleteInputs argument is set to true then this
217 /// function deletes both input modules before it returns.
218 ///
testMergedProgram(const BugDriver & BD,std::unique_ptr<Module> M1,std::unique_ptr<Module> M2,std::string & Error,bool & Broken)219 static std::unique_ptr<Module> testMergedProgram(const BugDriver &BD,
220 std::unique_ptr<Module> M1,
221 std::unique_ptr<Module> M2,
222 std::string &Error,
223 bool &Broken) {
224 if (Linker::linkModules(*M1, std::move(M2)))
225 exit(1);
226
227 // Execute the program.
228 Broken = BD.diffProgram(M1.get(), "", "", false, &Error);
229 if (!Error.empty())
230 return nullptr;
231 return M1;
232 }
233
234 /// TestFuncs - split functions in a Module into two groups: those that are
235 /// under consideration for miscompilation vs. those that are not, and test
236 /// accordingly. Each group of functions becomes a separate Module.
237 ///
TestFuncs(const std::vector<Function * > & Funcs,std::string & Error)238 bool ReduceMiscompilingFunctions::TestFuncs(const std::vector<Function*> &Funcs,
239 std::string &Error) {
240 // Test to see if the function is misoptimized if we ONLY run it on the
241 // functions listed in Funcs.
242 outs() << "Checking to see if the program is misoptimized when "
243 << (Funcs.size()==1 ? "this function is" : "these functions are")
244 << " run through the pass"
245 << (BD.getPassesToRun().size() == 1 ? "" : "es") << ":";
246 PrintFunctionList(Funcs);
247 outs() << '\n';
248
249 // Create a clone for two reasons:
250 // * If the optimization passes delete any function, the deleted function
251 // will be in the clone and Funcs will still point to valid memory
252 // * If the optimization passes use interprocedural information to break
253 // a function, we want to continue with the original function. Otherwise
254 // we can conclude that a function triggers the bug when in fact one
255 // needs a larger set of original functions to do so.
256 ValueToValueMapTy VMap;
257 Module *Clone = CloneModule(BD.getProgram(), VMap).release();
258 Module *Orig = BD.swapProgramIn(Clone);
259
260 std::vector<Function*> FuncsOnClone;
261 for (unsigned i = 0, e = Funcs.size(); i != e; ++i) {
262 Function *F = cast<Function>(VMap[Funcs[i]]);
263 FuncsOnClone.push_back(F);
264 }
265
266 // Split the module into the two halves of the program we want.
267 VMap.clear();
268 std::unique_ptr<Module> ToNotOptimize = CloneModule(BD.getProgram(), VMap);
269 std::unique_ptr<Module> ToOptimize =
270 SplitFunctionsOutOfModule(ToNotOptimize.get(), FuncsOnClone, VMap);
271
272 bool Broken =
273 TestFn(BD, std::move(ToOptimize), std::move(ToNotOptimize), Error);
274
275 delete BD.swapProgramIn(Orig);
276
277 return Broken;
278 }
279
280 /// DisambiguateGlobalSymbols - Give anonymous global values names.
281 ///
DisambiguateGlobalSymbols(Module * M)282 static void DisambiguateGlobalSymbols(Module *M) {
283 for (Module::global_iterator I = M->global_begin(), E = M->global_end();
284 I != E; ++I)
285 if (!I->hasName())
286 I->setName("anon_global");
287 for (Module::iterator I = M->begin(), E = M->end(); I != E; ++I)
288 if (!I->hasName())
289 I->setName("anon_fn");
290 }
291
292 /// Given a reduced list of functions that still exposed the bug, check to see
293 /// if we can extract the loops in the region without obscuring the bug. If so,
294 /// it reduces the amount of code identified.
295 ///
ExtractLoops(BugDriver & BD,bool (* TestFn)(BugDriver &,std::unique_ptr<Module>,std::unique_ptr<Module>,std::string &),std::vector<Function * > & MiscompiledFunctions,std::string & Error)296 static bool ExtractLoops(BugDriver &BD,
297 bool (*TestFn)(BugDriver &, std::unique_ptr<Module>,
298 std::unique_ptr<Module>, std::string &),
299 std::vector<Function *> &MiscompiledFunctions,
300 std::string &Error) {
301 bool MadeChange = false;
302 while (1) {
303 if (BugpointIsInterrupted) return MadeChange;
304
305 ValueToValueMapTy VMap;
306 std::unique_ptr<Module> ToNotOptimize = CloneModule(BD.getProgram(), VMap);
307 Module *ToOptimize = SplitFunctionsOutOfModule(ToNotOptimize.get(),
308 MiscompiledFunctions, VMap)
309 .release();
310 std::unique_ptr<Module> ToOptimizeLoopExtracted =
311 BD.extractLoop(ToOptimize);
312 if (!ToOptimizeLoopExtracted) {
313 // If the loop extractor crashed or if there were no extractible loops,
314 // then this chapter of our odyssey is over with.
315 delete ToOptimize;
316 return MadeChange;
317 }
318
319 errs() << "Extracted a loop from the breaking portion of the program.\n";
320
321 // Bugpoint is intentionally not very trusting of LLVM transformations. In
322 // particular, we're not going to assume that the loop extractor works, so
323 // we're going to test the newly loop extracted program to make sure nothing
324 // has broken. If something broke, then we'll inform the user and stop
325 // extraction.
326 AbstractInterpreter *AI = BD.switchToSafeInterpreter();
327 bool Failure;
328 std::unique_ptr<Module> New =
329 testMergedProgram(BD, std::move(ToOptimizeLoopExtracted),
330 std::move(ToNotOptimize), Error, Failure);
331 if (!New)
332 return false;
333
334 // Delete the original and set the new program.
335 Module *Old = BD.swapProgramIn(New.release());
336 for (unsigned i = 0, e = MiscompiledFunctions.size(); i != e; ++i)
337 MiscompiledFunctions[i] = cast<Function>(VMap[MiscompiledFunctions[i]]);
338 delete Old;
339
340 if (Failure) {
341 BD.switchToInterpreter(AI);
342
343 // Merged program doesn't work anymore!
344 errs() << " *** ERROR: Loop extraction broke the program. :("
345 << " Please report a bug!\n";
346 errs() << " Continuing on with un-loop-extracted version.\n";
347
348 BD.writeProgramToFile(OutputPrefix + "-loop-extract-fail-tno.bc",
349 ToNotOptimize.get());
350 BD.writeProgramToFile(OutputPrefix + "-loop-extract-fail-to.bc",
351 ToOptimize);
352 BD.writeProgramToFile(OutputPrefix + "-loop-extract-fail-to-le.bc",
353 ToOptimizeLoopExtracted.get());
354
355 errs() << "Please submit the "
356 << OutputPrefix << "-loop-extract-fail-*.bc files.\n";
357 delete ToOptimize;
358 return MadeChange;
359 }
360 delete ToOptimize;
361 BD.switchToInterpreter(AI);
362
363 outs() << " Testing after loop extraction:\n";
364 // Clone modules, the tester function will free them.
365 std::unique_ptr<Module> TOLEBackup =
366 CloneModule(ToOptimizeLoopExtracted.get(), VMap);
367 std::unique_ptr<Module> TNOBackup = CloneModule(ToNotOptimize.get(), VMap);
368
369 for (unsigned i = 0, e = MiscompiledFunctions.size(); i != e; ++i)
370 MiscompiledFunctions[i] = cast<Function>(VMap[MiscompiledFunctions[i]]);
371
372 Failure = TestFn(BD, std::move(ToOptimizeLoopExtracted),
373 std::move(ToNotOptimize), Error);
374 if (!Error.empty())
375 return false;
376
377 ToOptimizeLoopExtracted = std::move(TOLEBackup);
378 ToNotOptimize = std::move(TNOBackup);
379
380 if (!Failure) {
381 outs() << "*** Loop extraction masked the problem. Undoing.\n";
382 // If the program is not still broken, then loop extraction did something
383 // that masked the error. Stop loop extraction now.
384
385 std::vector<std::pair<std::string, FunctionType*> > MisCompFunctions;
386 for (Function *F : MiscompiledFunctions) {
387 MisCompFunctions.emplace_back(F->getName(), F->getFunctionType());
388 }
389
390 if (Linker::linkModules(*ToNotOptimize,
391 std::move(ToOptimizeLoopExtracted)))
392 exit(1);
393
394 MiscompiledFunctions.clear();
395 for (unsigned i = 0, e = MisCompFunctions.size(); i != e; ++i) {
396 Function *NewF = ToNotOptimize->getFunction(MisCompFunctions[i].first);
397
398 assert(NewF && "Function not found??");
399 MiscompiledFunctions.push_back(NewF);
400 }
401
402 BD.setNewProgram(ToNotOptimize.release());
403 return MadeChange;
404 }
405
406 outs() << "*** Loop extraction successful!\n";
407
408 std::vector<std::pair<std::string, FunctionType*> > MisCompFunctions;
409 for (Module::iterator I = ToOptimizeLoopExtracted->begin(),
410 E = ToOptimizeLoopExtracted->end(); I != E; ++I)
411 if (!I->isDeclaration())
412 MisCompFunctions.emplace_back(I->getName(), I->getFunctionType());
413
414 // Okay, great! Now we know that we extracted a loop and that loop
415 // extraction both didn't break the program, and didn't mask the problem.
416 // Replace the current program with the loop extracted version, and try to
417 // extract another loop.
418 if (Linker::linkModules(*ToNotOptimize, std::move(ToOptimizeLoopExtracted)))
419 exit(1);
420
421 // All of the Function*'s in the MiscompiledFunctions list are in the old
422 // module. Update this list to include all of the functions in the
423 // optimized and loop extracted module.
424 MiscompiledFunctions.clear();
425 for (unsigned i = 0, e = MisCompFunctions.size(); i != e; ++i) {
426 Function *NewF = ToNotOptimize->getFunction(MisCompFunctions[i].first);
427
428 assert(NewF && "Function not found??");
429 MiscompiledFunctions.push_back(NewF);
430 }
431
432 BD.setNewProgram(ToNotOptimize.release());
433 MadeChange = true;
434 }
435 }
436
437 namespace {
438 class ReduceMiscompiledBlocks : public ListReducer<BasicBlock*> {
439 BugDriver &BD;
440 bool (*TestFn)(BugDriver &, std::unique_ptr<Module>,
441 std::unique_ptr<Module>, std::string &);
442 std::vector<Function*> FunctionsBeingTested;
443 public:
ReduceMiscompiledBlocks(BugDriver & bd,bool (* F)(BugDriver &,std::unique_ptr<Module>,std::unique_ptr<Module>,std::string &),const std::vector<Function * > & Fns)444 ReduceMiscompiledBlocks(BugDriver &bd,
445 bool (*F)(BugDriver &, std::unique_ptr<Module>,
446 std::unique_ptr<Module>, std::string &),
447 const std::vector<Function *> &Fns)
448 : BD(bd), TestFn(F), FunctionsBeingTested(Fns) {}
449
doTest(std::vector<BasicBlock * > & Prefix,std::vector<BasicBlock * > & Suffix,std::string & Error)450 TestResult doTest(std::vector<BasicBlock*> &Prefix,
451 std::vector<BasicBlock*> &Suffix,
452 std::string &Error) override {
453 if (!Suffix.empty()) {
454 bool Ret = TestFuncs(Suffix, Error);
455 if (!Error.empty())
456 return InternalError;
457 if (Ret)
458 return KeepSuffix;
459 }
460 if (!Prefix.empty()) {
461 bool Ret = TestFuncs(Prefix, Error);
462 if (!Error.empty())
463 return InternalError;
464 if (Ret)
465 return KeepPrefix;
466 }
467 return NoFailure;
468 }
469
470 bool TestFuncs(const std::vector<BasicBlock*> &BBs, std::string &Error);
471 };
472 }
473
474 /// TestFuncs - Extract all blocks for the miscompiled functions except for the
475 /// specified blocks. If the problem still exists, return true.
476 ///
TestFuncs(const std::vector<BasicBlock * > & BBs,std::string & Error)477 bool ReduceMiscompiledBlocks::TestFuncs(const std::vector<BasicBlock*> &BBs,
478 std::string &Error) {
479 // Test to see if the function is misoptimized if we ONLY run it on the
480 // functions listed in Funcs.
481 outs() << "Checking to see if the program is misoptimized when all ";
482 if (!BBs.empty()) {
483 outs() << "but these " << BBs.size() << " blocks are extracted: ";
484 for (unsigned i = 0, e = BBs.size() < 10 ? BBs.size() : 10; i != e; ++i)
485 outs() << BBs[i]->getName() << " ";
486 if (BBs.size() > 10) outs() << "...";
487 } else {
488 outs() << "blocks are extracted.";
489 }
490 outs() << '\n';
491
492 // Split the module into the two halves of the program we want.
493 ValueToValueMapTy VMap;
494 Module *Clone = CloneModule(BD.getProgram(), VMap).release();
495 Module *Orig = BD.swapProgramIn(Clone);
496 std::vector<Function*> FuncsOnClone;
497 std::vector<BasicBlock*> BBsOnClone;
498 for (unsigned i = 0, e = FunctionsBeingTested.size(); i != e; ++i) {
499 Function *F = cast<Function>(VMap[FunctionsBeingTested[i]]);
500 FuncsOnClone.push_back(F);
501 }
502 for (unsigned i = 0, e = BBs.size(); i != e; ++i) {
503 BasicBlock *BB = cast<BasicBlock>(VMap[BBs[i]]);
504 BBsOnClone.push_back(BB);
505 }
506 VMap.clear();
507
508 std::unique_ptr<Module> ToNotOptimize = CloneModule(BD.getProgram(), VMap);
509 std::unique_ptr<Module> ToOptimize =
510 SplitFunctionsOutOfModule(ToNotOptimize.get(), FuncsOnClone, VMap);
511
512 // Try the extraction. If it doesn't work, then the block extractor crashed
513 // or something, in which case bugpoint can't chase down this possibility.
514 if (std::unique_ptr<Module> New =
515 BD.extractMappedBlocksFromModule(BBsOnClone, ToOptimize.get())) {
516 bool Ret = TestFn(BD, std::move(New), std::move(ToNotOptimize), Error);
517 delete BD.swapProgramIn(Orig);
518 return Ret;
519 }
520 delete BD.swapProgramIn(Orig);
521 return false;
522 }
523
524 /// Given a reduced list of functions that still expose the bug, extract as many
525 /// basic blocks from the region as possible without obscuring the bug.
526 ///
ExtractBlocks(BugDriver & BD,bool (* TestFn)(BugDriver &,std::unique_ptr<Module>,std::unique_ptr<Module>,std::string &),std::vector<Function * > & MiscompiledFunctions,std::string & Error)527 static bool ExtractBlocks(BugDriver &BD,
528 bool (*TestFn)(BugDriver &, std::unique_ptr<Module>,
529 std::unique_ptr<Module>,
530 std::string &),
531 std::vector<Function *> &MiscompiledFunctions,
532 std::string &Error) {
533 if (BugpointIsInterrupted) return false;
534
535 std::vector<BasicBlock*> Blocks;
536 for (unsigned i = 0, e = MiscompiledFunctions.size(); i != e; ++i)
537 for (BasicBlock &BB : *MiscompiledFunctions[i])
538 Blocks.push_back(&BB);
539
540 // Use the list reducer to identify blocks that can be extracted without
541 // obscuring the bug. The Blocks list will end up containing blocks that must
542 // be retained from the original program.
543 unsigned OldSize = Blocks.size();
544
545 // Check to see if all blocks are extractible first.
546 bool Ret = ReduceMiscompiledBlocks(BD, TestFn, MiscompiledFunctions)
547 .TestFuncs(std::vector<BasicBlock*>(), Error);
548 if (!Error.empty())
549 return false;
550 if (Ret) {
551 Blocks.clear();
552 } else {
553 ReduceMiscompiledBlocks(BD, TestFn,
554 MiscompiledFunctions).reduceList(Blocks, Error);
555 if (!Error.empty())
556 return false;
557 if (Blocks.size() == OldSize)
558 return false;
559 }
560
561 ValueToValueMapTy VMap;
562 Module *ProgClone = CloneModule(BD.getProgram(), VMap).release();
563 Module *ToExtract =
564 SplitFunctionsOutOfModule(ProgClone, MiscompiledFunctions, VMap)
565 .release();
566 std::unique_ptr<Module> Extracted =
567 BD.extractMappedBlocksFromModule(Blocks, ToExtract);
568 if (!Extracted) {
569 // Weird, extraction should have worked.
570 errs() << "Nondeterministic problem extracting blocks??\n";
571 delete ProgClone;
572 delete ToExtract;
573 return false;
574 }
575
576 // Otherwise, block extraction succeeded. Link the two program fragments back
577 // together.
578 delete ToExtract;
579
580 std::vector<std::pair<std::string, FunctionType*> > MisCompFunctions;
581 for (Module::iterator I = Extracted->begin(), E = Extracted->end();
582 I != E; ++I)
583 if (!I->isDeclaration())
584 MisCompFunctions.emplace_back(I->getName(), I->getFunctionType());
585
586 if (Linker::linkModules(*ProgClone, std::move(Extracted)))
587 exit(1);
588
589 // Set the new program and delete the old one.
590 BD.setNewProgram(ProgClone);
591
592 // Update the list of miscompiled functions.
593 MiscompiledFunctions.clear();
594
595 for (unsigned i = 0, e = MisCompFunctions.size(); i != e; ++i) {
596 Function *NewF = ProgClone->getFunction(MisCompFunctions[i].first);
597 assert(NewF && "Function not found??");
598 MiscompiledFunctions.push_back(NewF);
599 }
600
601 return true;
602 }
603
604 /// This is a generic driver to narrow down miscompilations, either in an
605 /// optimization or a code generator.
606 ///
607 static std::vector<Function *>
DebugAMiscompilation(BugDriver & BD,bool (* TestFn)(BugDriver &,std::unique_ptr<Module>,std::unique_ptr<Module>,std::string &),std::string & Error)608 DebugAMiscompilation(BugDriver &BD,
609 bool (*TestFn)(BugDriver &, std::unique_ptr<Module>,
610 std::unique_ptr<Module>, std::string &),
611 std::string &Error) {
612 // Okay, now that we have reduced the list of passes which are causing the
613 // failure, see if we can pin down which functions are being
614 // miscompiled... first build a list of all of the non-external functions in
615 // the program.
616 std::vector<Function*> MiscompiledFunctions;
617 Module *Prog = BD.getProgram();
618 for (Function &F : *Prog)
619 if (!F.isDeclaration())
620 MiscompiledFunctions.push_back(&F);
621
622 // Do the reduction...
623 if (!BugpointIsInterrupted)
624 ReduceMiscompilingFunctions(BD, TestFn).reduceList(MiscompiledFunctions,
625 Error);
626 if (!Error.empty()) {
627 errs() << "\n***Cannot reduce functions: ";
628 return MiscompiledFunctions;
629 }
630 outs() << "\n*** The following function"
631 << (MiscompiledFunctions.size() == 1 ? " is" : "s are")
632 << " being miscompiled: ";
633 PrintFunctionList(MiscompiledFunctions);
634 outs() << '\n';
635
636 // See if we can rip any loops out of the miscompiled functions and still
637 // trigger the problem.
638
639 if (!BugpointIsInterrupted && !DisableLoopExtraction) {
640 bool Ret = ExtractLoops(BD, TestFn, MiscompiledFunctions, Error);
641 if (!Error.empty())
642 return MiscompiledFunctions;
643 if (Ret) {
644 // Okay, we extracted some loops and the problem still appears. See if
645 // we can eliminate some of the created functions from being candidates.
646 DisambiguateGlobalSymbols(BD.getProgram());
647
648 // Do the reduction...
649 if (!BugpointIsInterrupted)
650 ReduceMiscompilingFunctions(BD, TestFn).reduceList(MiscompiledFunctions,
651 Error);
652 if (!Error.empty())
653 return MiscompiledFunctions;
654
655 outs() << "\n*** The following function"
656 << (MiscompiledFunctions.size() == 1 ? " is" : "s are")
657 << " being miscompiled: ";
658 PrintFunctionList(MiscompiledFunctions);
659 outs() << '\n';
660 }
661 }
662
663 if (!BugpointIsInterrupted && !DisableBlockExtraction) {
664 bool Ret = ExtractBlocks(BD, TestFn, MiscompiledFunctions, Error);
665 if (!Error.empty())
666 return MiscompiledFunctions;
667 if (Ret) {
668 // Okay, we extracted some blocks and the problem still appears. See if
669 // we can eliminate some of the created functions from being candidates.
670 DisambiguateGlobalSymbols(BD.getProgram());
671
672 // Do the reduction...
673 ReduceMiscompilingFunctions(BD, TestFn).reduceList(MiscompiledFunctions,
674 Error);
675 if (!Error.empty())
676 return MiscompiledFunctions;
677
678 outs() << "\n*** The following function"
679 << (MiscompiledFunctions.size() == 1 ? " is" : "s are")
680 << " being miscompiled: ";
681 PrintFunctionList(MiscompiledFunctions);
682 outs() << '\n';
683 }
684 }
685
686 return MiscompiledFunctions;
687 }
688
689 /// This is the predicate function used to check to see if the "Test" portion of
690 /// the program is misoptimized. If so, return true. In any case, both module
691 /// arguments are deleted.
692 ///
TestOptimizer(BugDriver & BD,std::unique_ptr<Module> Test,std::unique_ptr<Module> Safe,std::string & Error)693 static bool TestOptimizer(BugDriver &BD, std::unique_ptr<Module> Test,
694 std::unique_ptr<Module> Safe, std::string &Error) {
695 // Run the optimization passes on ToOptimize, producing a transformed version
696 // of the functions being tested.
697 outs() << " Optimizing functions being tested: ";
698 std::unique_ptr<Module> Optimized =
699 BD.runPassesOn(Test.get(), BD.getPassesToRun(),
700 /*AutoDebugCrashes*/ true);
701 outs() << "done.\n";
702
703 outs() << " Checking to see if the merged program executes correctly: ";
704 bool Broken;
705 std::unique_ptr<Module> New = testMergedProgram(
706 BD, std::move(Optimized), std::move(Safe), Error, Broken);
707 if (New) {
708 outs() << (Broken ? " nope.\n" : " yup.\n");
709 // Delete the original and set the new program.
710 delete BD.swapProgramIn(New.release());
711 }
712 return Broken;
713 }
714
715
716 /// debugMiscompilation - This method is used when the passes selected are not
717 /// crashing, but the generated output is semantically different from the
718 /// input.
719 ///
debugMiscompilation(std::string * Error)720 void BugDriver::debugMiscompilation(std::string *Error) {
721 // Make sure something was miscompiled...
722 if (!BugpointIsInterrupted)
723 if (!ReduceMiscompilingPasses(*this).reduceList(PassesToRun, *Error)) {
724 if (Error->empty())
725 errs() << "*** Optimized program matches reference output! No problem"
726 << " detected...\nbugpoint can't help you with your problem!\n";
727 return;
728 }
729
730 outs() << "\n*** Found miscompiling pass"
731 << (getPassesToRun().size() == 1 ? "" : "es") << ": "
732 << getPassesString(getPassesToRun()) << '\n';
733 EmitProgressBitcode(Program, "passinput");
734
735 std::vector<Function *> MiscompiledFunctions =
736 DebugAMiscompilation(*this, TestOptimizer, *Error);
737 if (!Error->empty())
738 return;
739
740 // Output a bunch of bitcode files for the user...
741 outs() << "Outputting reduced bitcode files which expose the problem:\n";
742 ValueToValueMapTy VMap;
743 Module *ToNotOptimize = CloneModule(getProgram(), VMap).release();
744 Module *ToOptimize =
745 SplitFunctionsOutOfModule(ToNotOptimize, MiscompiledFunctions, VMap)
746 .release();
747
748 outs() << " Non-optimized portion: ";
749 EmitProgressBitcode(ToNotOptimize, "tonotoptimize", true);
750 delete ToNotOptimize; // Delete hacked module.
751
752 outs() << " Portion that is input to optimizer: ";
753 EmitProgressBitcode(ToOptimize, "tooptimize");
754 delete ToOptimize; // Delete hacked module.
755
756 return;
757 }
758
759 /// Get the specified modules ready for code generator testing.
760 ///
CleanupAndPrepareModules(BugDriver & BD,std::unique_ptr<Module> & Test,Module * Safe)761 static void CleanupAndPrepareModules(BugDriver &BD,
762 std::unique_ptr<Module> &Test,
763 Module *Safe) {
764 // Clean up the modules, removing extra cruft that we don't need anymore...
765 Test = BD.performFinalCleanups(Test.get());
766
767 // If we are executing the JIT, we have several nasty issues to take care of.
768 if (!BD.isExecutingJIT()) return;
769
770 // First, if the main function is in the Safe module, we must add a stub to
771 // the Test module to call into it. Thus, we create a new function `main'
772 // which just calls the old one.
773 if (Function *oldMain = Safe->getFunction("main"))
774 if (!oldMain->isDeclaration()) {
775 // Rename it
776 oldMain->setName("llvm_bugpoint_old_main");
777 // Create a NEW `main' function with same type in the test module.
778 Function *newMain =
779 Function::Create(oldMain->getFunctionType(),
780 GlobalValue::ExternalLinkage, "main", Test.get());
781 // Create an `oldmain' prototype in the test module, which will
782 // corresponds to the real main function in the same module.
783 Function *oldMainProto = Function::Create(oldMain->getFunctionType(),
784 GlobalValue::ExternalLinkage,
785 oldMain->getName(), Test.get());
786 // Set up and remember the argument list for the main function.
787 std::vector<Value*> args;
788 for (Function::arg_iterator
789 I = newMain->arg_begin(), E = newMain->arg_end(),
790 OI = oldMain->arg_begin(); I != E; ++I, ++OI) {
791 I->setName(OI->getName()); // Copy argument names from oldMain
792 args.push_back(&*I);
793 }
794
795 // Call the old main function and return its result
796 BasicBlock *BB = BasicBlock::Create(Safe->getContext(), "entry", newMain);
797 CallInst *call = CallInst::Create(oldMainProto, args, "", BB);
798
799 // If the type of old function wasn't void, return value of call
800 ReturnInst::Create(Safe->getContext(), call, BB);
801 }
802
803 // The second nasty issue we must deal with in the JIT is that the Safe
804 // module cannot directly reference any functions defined in the test
805 // module. Instead, we use a JIT API call to dynamically resolve the
806 // symbol.
807
808 // Add the resolver to the Safe module.
809 // Prototype: void *getPointerToNamedFunction(const char* Name)
810 Constant *resolverFunc =
811 Safe->getOrInsertFunction("getPointerToNamedFunction",
812 Type::getInt8PtrTy(Safe->getContext()),
813 Type::getInt8PtrTy(Safe->getContext()),
814 (Type *)nullptr);
815
816 // Use the function we just added to get addresses of functions we need.
817 for (Module::iterator F = Safe->begin(), E = Safe->end(); F != E; ++F) {
818 if (F->isDeclaration() && !F->use_empty() && &*F != resolverFunc &&
819 !F->isIntrinsic() /* ignore intrinsics */) {
820 Function *TestFn = Test->getFunction(F->getName());
821
822 // Don't forward functions which are external in the test module too.
823 if (TestFn && !TestFn->isDeclaration()) {
824 // 1. Add a string constant with its name to the global file
825 Constant *InitArray =
826 ConstantDataArray::getString(F->getContext(), F->getName());
827 GlobalVariable *funcName =
828 new GlobalVariable(*Safe, InitArray->getType(), true /*isConstant*/,
829 GlobalValue::InternalLinkage, InitArray,
830 F->getName() + "_name");
831
832 // 2. Use `GetElementPtr *funcName, 0, 0' to convert the string to an
833 // sbyte* so it matches the signature of the resolver function.
834
835 // GetElementPtr *funcName, ulong 0, ulong 0
836 std::vector<Constant*> GEPargs(2,
837 Constant::getNullValue(Type::getInt32Ty(F->getContext())));
838 Value *GEP = ConstantExpr::getGetElementPtr(InitArray->getType(),
839 funcName, GEPargs);
840 std::vector<Value*> ResolverArgs;
841 ResolverArgs.push_back(GEP);
842
843 // Rewrite uses of F in global initializers, etc. to uses of a wrapper
844 // function that dynamically resolves the calls to F via our JIT API
845 if (!F->use_empty()) {
846 // Create a new global to hold the cached function pointer.
847 Constant *NullPtr = ConstantPointerNull::get(F->getType());
848 GlobalVariable *Cache =
849 new GlobalVariable(*F->getParent(), F->getType(),
850 false, GlobalValue::InternalLinkage,
851 NullPtr,F->getName()+".fpcache");
852
853 // Construct a new stub function that will re-route calls to F
854 FunctionType *FuncTy = F->getFunctionType();
855 Function *FuncWrapper = Function::Create(FuncTy,
856 GlobalValue::InternalLinkage,
857 F->getName() + "_wrapper",
858 F->getParent());
859 BasicBlock *EntryBB = BasicBlock::Create(F->getContext(),
860 "entry", FuncWrapper);
861 BasicBlock *DoCallBB = BasicBlock::Create(F->getContext(),
862 "usecache", FuncWrapper);
863 BasicBlock *LookupBB = BasicBlock::Create(F->getContext(),
864 "lookupfp", FuncWrapper);
865
866 // Check to see if we already looked up the value.
867 Value *CachedVal = new LoadInst(Cache, "fpcache", EntryBB);
868 Value *IsNull = new ICmpInst(*EntryBB, ICmpInst::ICMP_EQ, CachedVal,
869 NullPtr, "isNull");
870 BranchInst::Create(LookupBB, DoCallBB, IsNull, EntryBB);
871
872 // Resolve the call to function F via the JIT API:
873 //
874 // call resolver(GetElementPtr...)
875 CallInst *Resolver =
876 CallInst::Create(resolverFunc, ResolverArgs, "resolver", LookupBB);
877
878 // Cast the result from the resolver to correctly-typed function.
879 CastInst *CastedResolver =
880 new BitCastInst(Resolver,
881 PointerType::getUnqual(F->getFunctionType()),
882 "resolverCast", LookupBB);
883
884 // Save the value in our cache.
885 new StoreInst(CastedResolver, Cache, LookupBB);
886 BranchInst::Create(DoCallBB, LookupBB);
887
888 PHINode *FuncPtr = PHINode::Create(NullPtr->getType(), 2,
889 "fp", DoCallBB);
890 FuncPtr->addIncoming(CastedResolver, LookupBB);
891 FuncPtr->addIncoming(CachedVal, EntryBB);
892
893 // Save the argument list.
894 std::vector<Value*> Args;
895 for (Argument &A : FuncWrapper->args())
896 Args.push_back(&A);
897
898 // Pass on the arguments to the real function, return its result
899 if (F->getReturnType()->isVoidTy()) {
900 CallInst::Create(FuncPtr, Args, "", DoCallBB);
901 ReturnInst::Create(F->getContext(), DoCallBB);
902 } else {
903 CallInst *Call = CallInst::Create(FuncPtr, Args,
904 "retval", DoCallBB);
905 ReturnInst::Create(F->getContext(),Call, DoCallBB);
906 }
907
908 // Use the wrapper function instead of the old function
909 F->replaceAllUsesWith(FuncWrapper);
910 }
911 }
912 }
913 }
914
915 if (verifyModule(*Test) || verifyModule(*Safe)) {
916 errs() << "Bugpoint has a bug, which corrupted a module!!\n";
917 abort();
918 }
919 }
920
921 /// This is the predicate function used to check to see if the "Test" portion of
922 /// the program is miscompiled by the code generator under test. If so, return
923 /// true. In any case, both module arguments are deleted.
924 ///
TestCodeGenerator(BugDriver & BD,std::unique_ptr<Module> Test,std::unique_ptr<Module> Safe,std::string & Error)925 static bool TestCodeGenerator(BugDriver &BD, std::unique_ptr<Module> Test,
926 std::unique_ptr<Module> Safe,
927 std::string &Error) {
928 CleanupAndPrepareModules(BD, Test, Safe.get());
929
930 SmallString<128> TestModuleBC;
931 int TestModuleFD;
932 std::error_code EC = sys::fs::createTemporaryFile("bugpoint.test", "bc",
933 TestModuleFD, TestModuleBC);
934 if (EC) {
935 errs() << BD.getToolName() << "Error making unique filename: "
936 << EC.message() << "\n";
937 exit(1);
938 }
939 if (BD.writeProgramToFile(TestModuleBC.str(), TestModuleFD, Test.get())) {
940 errs() << "Error writing bitcode to `" << TestModuleBC.str()
941 << "'\nExiting.";
942 exit(1);
943 }
944
945 FileRemover TestModuleBCRemover(TestModuleBC.str(), !SaveTemps);
946
947 // Make the shared library
948 SmallString<128> SafeModuleBC;
949 int SafeModuleFD;
950 EC = sys::fs::createTemporaryFile("bugpoint.safe", "bc", SafeModuleFD,
951 SafeModuleBC);
952 if (EC) {
953 errs() << BD.getToolName() << "Error making unique filename: "
954 << EC.message() << "\n";
955 exit(1);
956 }
957
958 if (BD.writeProgramToFile(SafeModuleBC.str(), SafeModuleFD, Safe.get())) {
959 errs() << "Error writing bitcode to `" << SafeModuleBC
960 << "'\nExiting.";
961 exit(1);
962 }
963
964 FileRemover SafeModuleBCRemover(SafeModuleBC.str(), !SaveTemps);
965
966 std::string SharedObject = BD.compileSharedObject(SafeModuleBC.str(), Error);
967 if (!Error.empty())
968 return false;
969
970 FileRemover SharedObjectRemover(SharedObject, !SaveTemps);
971
972 // Run the code generator on the `Test' code, loading the shared library.
973 // The function returns whether or not the new output differs from reference.
974 bool Result = BD.diffProgram(BD.getProgram(), TestModuleBC.str(),
975 SharedObject, false, &Error);
976 if (!Error.empty())
977 return false;
978
979 if (Result)
980 errs() << ": still failing!\n";
981 else
982 errs() << ": didn't fail.\n";
983
984 return Result;
985 }
986
987
988 /// debugCodeGenerator - debug errors in LLC, LLI, or CBE.
989 ///
debugCodeGenerator(std::string * Error)990 bool BugDriver::debugCodeGenerator(std::string *Error) {
991 if ((void*)SafeInterpreter == (void*)Interpreter) {
992 std::string Result = executeProgramSafely(Program, "bugpoint.safe.out",
993 Error);
994 if (Error->empty()) {
995 outs() << "\n*** The \"safe\" i.e. 'known good' backend cannot match "
996 << "the reference diff. This may be due to a\n front-end "
997 << "bug or a bug in the original program, but this can also "
998 << "happen if bugpoint isn't running the program with the "
999 << "right flags or input.\n I left the result of executing "
1000 << "the program with the \"safe\" backend in this file for "
1001 << "you: '"
1002 << Result << "'.\n";
1003 }
1004 return true;
1005 }
1006
1007 DisambiguateGlobalSymbols(Program);
1008
1009 std::vector<Function*> Funcs = DebugAMiscompilation(*this, TestCodeGenerator,
1010 *Error);
1011 if (!Error->empty())
1012 return true;
1013
1014 // Split the module into the two halves of the program we want.
1015 ValueToValueMapTy VMap;
1016 std::unique_ptr<Module> ToNotCodeGen = CloneModule(getProgram(), VMap);
1017 std::unique_ptr<Module> ToCodeGen =
1018 SplitFunctionsOutOfModule(ToNotCodeGen.get(), Funcs, VMap);
1019
1020 // Condition the modules
1021 CleanupAndPrepareModules(*this, ToCodeGen, ToNotCodeGen.get());
1022
1023 SmallString<128> TestModuleBC;
1024 int TestModuleFD;
1025 std::error_code EC = sys::fs::createTemporaryFile("bugpoint.test", "bc",
1026 TestModuleFD, TestModuleBC);
1027 if (EC) {
1028 errs() << getToolName() << "Error making unique filename: "
1029 << EC.message() << "\n";
1030 exit(1);
1031 }
1032
1033 if (writeProgramToFile(TestModuleBC.str(), TestModuleFD, ToCodeGen.get())) {
1034 errs() << "Error writing bitcode to `" << TestModuleBC
1035 << "'\nExiting.";
1036 exit(1);
1037 }
1038
1039 // Make the shared library
1040 SmallString<128> SafeModuleBC;
1041 int SafeModuleFD;
1042 EC = sys::fs::createTemporaryFile("bugpoint.safe", "bc", SafeModuleFD,
1043 SafeModuleBC);
1044 if (EC) {
1045 errs() << getToolName() << "Error making unique filename: "
1046 << EC.message() << "\n";
1047 exit(1);
1048 }
1049
1050 if (writeProgramToFile(SafeModuleBC.str(), SafeModuleFD,
1051 ToNotCodeGen.get())) {
1052 errs() << "Error writing bitcode to `" << SafeModuleBC
1053 << "'\nExiting.";
1054 exit(1);
1055 }
1056 std::string SharedObject = compileSharedObject(SafeModuleBC.str(), *Error);
1057 if (!Error->empty())
1058 return true;
1059
1060 outs() << "You can reproduce the problem with the command line: \n";
1061 if (isExecutingJIT()) {
1062 outs() << " lli -load " << SharedObject << " " << TestModuleBC;
1063 } else {
1064 outs() << " llc " << TestModuleBC << " -o " << TestModuleBC
1065 << ".s\n";
1066 outs() << " cc " << SharedObject << " " << TestModuleBC.str()
1067 << ".s -o " << TestModuleBC << ".exe";
1068 #if defined (HAVE_LINK_R)
1069 outs() << " -Wl,-R.";
1070 #endif
1071 outs() << "\n";
1072 outs() << " " << TestModuleBC << ".exe";
1073 }
1074 for (unsigned i = 0, e = InputArgv.size(); i != e; ++i)
1075 outs() << " " << InputArgv[i];
1076 outs() << '\n';
1077 outs() << "The shared object was created with:\n llc -march=c "
1078 << SafeModuleBC.str() << " -o temporary.c\n"
1079 << " cc -xc temporary.c -O2 -o " << SharedObject;
1080 if (TargetTriple.getArch() == Triple::sparc)
1081 outs() << " -G"; // Compile a shared library, `-G' for Sparc
1082 else
1083 outs() << " -fPIC -shared"; // `-shared' for Linux/X86, maybe others
1084
1085 outs() << " -fno-strict-aliasing\n";
1086
1087 return false;
1088 }
1089