1 //===- Miscompilation.cpp - Debug program miscompilations -----------------===// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // This file implements optimizer and code generation miscompilation debugging 11 // support. 12 // 13 //===----------------------------------------------------------------------===// 14 15 #include "BugDriver.h" 16 #include "ListReducer.h" 17 #include "ToolRunner.h" 18 #include "llvm/Config/config.h" // for HAVE_LINK_R 19 #include "llvm/IR/Constants.h" 20 #include "llvm/IR/DerivedTypes.h" 21 #include "llvm/IR/Instructions.h" 22 #include "llvm/IR/Module.h" 23 #include "llvm/IR/Verifier.h" 24 #include "llvm/Linker/Linker.h" 25 #include "llvm/Pass.h" 26 #include "llvm/Support/CommandLine.h" 27 #include "llvm/Support/FileUtilities.h" 28 #include "llvm/Transforms/Utils/Cloning.h" 29 using namespace llvm; 30 31 namespace llvm { 32 extern cl::opt<std::string> OutputPrefix; 33 extern cl::list<std::string> InputArgv; 34 } 35 36 namespace { 37 static llvm::cl::opt<bool> 38 DisableLoopExtraction("disable-loop-extraction", 39 cl::desc("Don't extract loops when searching for miscompilations"), 40 cl::init(false)); 41 static llvm::cl::opt<bool> 42 DisableBlockExtraction("disable-block-extraction", 43 cl::desc("Don't extract blocks when searching for miscompilations"), 44 cl::init(false)); 45 46 class ReduceMiscompilingPasses : public ListReducer<std::string> { 47 BugDriver &BD; 48 public: ReduceMiscompilingPasses(BugDriver & bd)49 ReduceMiscompilingPasses(BugDriver &bd) : BD(bd) {} 50 51 TestResult doTest(std::vector<std::string> &Prefix, 52 std::vector<std::string> &Suffix, 53 std::string &Error) override; 54 }; 55 } 56 57 /// TestResult - After passes have been split into a test group and a control 58 /// group, see if they still break the program. 59 /// 60 ReduceMiscompilingPasses::TestResult doTest(std::vector<std::string> & Prefix,std::vector<std::string> & Suffix,std::string & Error)61 ReduceMiscompilingPasses::doTest(std::vector<std::string> &Prefix, 62 std::vector<std::string> &Suffix, 63 std::string &Error) { 64 // First, run the program with just the Suffix passes. If it is still broken 65 // with JUST the kept passes, discard the prefix passes. 66 outs() << "Checking to see if '" << getPassesString(Suffix) 67 << "' compiles correctly: "; 68 69 std::string BitcodeResult; 70 if (BD.runPasses(BD.getProgram(), Suffix, BitcodeResult, false/*delete*/, 71 true/*quiet*/)) { 72 errs() << " Error running this sequence of passes" 73 << " on the input program!\n"; 74 BD.setPassesToRun(Suffix); 75 BD.EmitProgressBitcode(BD.getProgram(), "pass-error", false); 76 exit(BD.debugOptimizerCrash()); 77 } 78 79 // Check to see if the finished program matches the reference output... 80 bool Diff = BD.diffProgram(BD.getProgram(), BitcodeResult, "", 81 true /*delete bitcode*/, &Error); 82 if (!Error.empty()) 83 return InternalError; 84 if (Diff) { 85 outs() << " nope.\n"; 86 if (Suffix.empty()) { 87 errs() << BD.getToolName() << ": I'm confused: the test fails when " 88 << "no passes are run, nondeterministic program?\n"; 89 exit(1); 90 } 91 return KeepSuffix; // Miscompilation detected! 92 } 93 outs() << " yup.\n"; // No miscompilation! 94 95 if (Prefix.empty()) return NoFailure; 96 97 // Next, see if the program is broken if we run the "prefix" passes first, 98 // then separately run the "kept" passes. 99 outs() << "Checking to see if '" << getPassesString(Prefix) 100 << "' compiles correctly: "; 101 102 // If it is not broken with the kept passes, it's possible that the prefix 103 // passes must be run before the kept passes to break it. If the program 104 // WORKS after the prefix passes, but then fails if running the prefix AND 105 // kept passes, we can update our bitcode file to include the result of the 106 // prefix passes, then discard the prefix passes. 107 // 108 if (BD.runPasses(BD.getProgram(), Prefix, BitcodeResult, false/*delete*/, 109 true/*quiet*/)) { 110 errs() << " Error running this sequence of passes" 111 << " on the input program!\n"; 112 BD.setPassesToRun(Prefix); 113 BD.EmitProgressBitcode(BD.getProgram(), "pass-error", false); 114 exit(BD.debugOptimizerCrash()); 115 } 116 117 // If the prefix maintains the predicate by itself, only keep the prefix! 118 Diff = BD.diffProgram(BD.getProgram(), BitcodeResult, "", false, &Error); 119 if (!Error.empty()) 120 return InternalError; 121 if (Diff) { 122 outs() << " nope.\n"; 123 sys::fs::remove(BitcodeResult); 124 return KeepPrefix; 125 } 126 outs() << " yup.\n"; // No miscompilation! 127 128 // Ok, so now we know that the prefix passes work, try running the suffix 129 // passes on the result of the prefix passes. 130 // 131 std::unique_ptr<Module> PrefixOutput = 132 parseInputFile(BitcodeResult, BD.getContext()); 133 if (!PrefixOutput) { 134 errs() << BD.getToolName() << ": Error reading bitcode file '" 135 << BitcodeResult << "'!\n"; 136 exit(1); 137 } 138 sys::fs::remove(BitcodeResult); 139 140 // Don't check if there are no passes in the suffix. 141 if (Suffix.empty()) 142 return NoFailure; 143 144 outs() << "Checking to see if '" << getPassesString(Suffix) 145 << "' passes compile correctly after the '" 146 << getPassesString(Prefix) << "' passes: "; 147 148 std::unique_ptr<Module> OriginalInput( 149 BD.swapProgramIn(PrefixOutput.release())); 150 if (BD.runPasses(BD.getProgram(), Suffix, BitcodeResult, false/*delete*/, 151 true/*quiet*/)) { 152 errs() << " Error running this sequence of passes" 153 << " on the input program!\n"; 154 BD.setPassesToRun(Suffix); 155 BD.EmitProgressBitcode(BD.getProgram(), "pass-error", false); 156 exit(BD.debugOptimizerCrash()); 157 } 158 159 // Run the result... 160 Diff = BD.diffProgram(BD.getProgram(), BitcodeResult, "", 161 true /*delete bitcode*/, &Error); 162 if (!Error.empty()) 163 return InternalError; 164 if (Diff) { 165 outs() << " nope.\n"; 166 return KeepSuffix; 167 } 168 169 // Otherwise, we must not be running the bad pass anymore. 170 outs() << " yup.\n"; // No miscompilation! 171 // Restore orig program & free test. 172 delete BD.swapProgramIn(OriginalInput.release()); 173 return NoFailure; 174 } 175 176 namespace { 177 class ReduceMiscompilingFunctions : public ListReducer<Function*> { 178 BugDriver &BD; 179 bool (*TestFn)(BugDriver &, std::unique_ptr<Module>, 180 std::unique_ptr<Module>, std::string &); 181 182 public: ReduceMiscompilingFunctions(BugDriver & bd,bool (* F)(BugDriver &,std::unique_ptr<Module>,std::unique_ptr<Module>,std::string &))183 ReduceMiscompilingFunctions(BugDriver &bd, 184 bool (*F)(BugDriver &, std::unique_ptr<Module>, 185 std::unique_ptr<Module>, 186 std::string &)) 187 : BD(bd), TestFn(F) {} 188 doTest(std::vector<Function * > & Prefix,std::vector<Function * > & Suffix,std::string & Error)189 TestResult doTest(std::vector<Function*> &Prefix, 190 std::vector<Function*> &Suffix, 191 std::string &Error) override { 192 if (!Suffix.empty()) { 193 bool Ret = TestFuncs(Suffix, Error); 194 if (!Error.empty()) 195 return InternalError; 196 if (Ret) 197 return KeepSuffix; 198 } 199 if (!Prefix.empty()) { 200 bool Ret = TestFuncs(Prefix, Error); 201 if (!Error.empty()) 202 return InternalError; 203 if (Ret) 204 return KeepPrefix; 205 } 206 return NoFailure; 207 } 208 209 bool TestFuncs(const std::vector<Function*> &Prefix, std::string &Error); 210 }; 211 } 212 213 /// Given two modules, link them together and run the program, checking to see 214 /// if the program matches the diff. If there is an error, return NULL. If not, 215 /// return the merged module. The Broken argument will be set to true if the 216 /// output is different. If the DeleteInputs argument is set to true then this 217 /// function deletes both input modules before it returns. 218 /// testMergedProgram(const BugDriver & BD,std::unique_ptr<Module> M1,std::unique_ptr<Module> M2,std::string & Error,bool & Broken)219 static std::unique_ptr<Module> testMergedProgram(const BugDriver &BD, 220 std::unique_ptr<Module> M1, 221 std::unique_ptr<Module> M2, 222 std::string &Error, 223 bool &Broken) { 224 if (Linker::linkModules(*M1, std::move(M2))) 225 exit(1); 226 227 // Execute the program. 228 Broken = BD.diffProgram(M1.get(), "", "", false, &Error); 229 if (!Error.empty()) 230 return nullptr; 231 return M1; 232 } 233 234 /// TestFuncs - split functions in a Module into two groups: those that are 235 /// under consideration for miscompilation vs. those that are not, and test 236 /// accordingly. Each group of functions becomes a separate Module. 237 /// TestFuncs(const std::vector<Function * > & Funcs,std::string & Error)238 bool ReduceMiscompilingFunctions::TestFuncs(const std::vector<Function*> &Funcs, 239 std::string &Error) { 240 // Test to see if the function is misoptimized if we ONLY run it on the 241 // functions listed in Funcs. 242 outs() << "Checking to see if the program is misoptimized when " 243 << (Funcs.size()==1 ? "this function is" : "these functions are") 244 << " run through the pass" 245 << (BD.getPassesToRun().size() == 1 ? "" : "es") << ":"; 246 PrintFunctionList(Funcs); 247 outs() << '\n'; 248 249 // Create a clone for two reasons: 250 // * If the optimization passes delete any function, the deleted function 251 // will be in the clone and Funcs will still point to valid memory 252 // * If the optimization passes use interprocedural information to break 253 // a function, we want to continue with the original function. Otherwise 254 // we can conclude that a function triggers the bug when in fact one 255 // needs a larger set of original functions to do so. 256 ValueToValueMapTy VMap; 257 Module *Clone = CloneModule(BD.getProgram(), VMap).release(); 258 Module *Orig = BD.swapProgramIn(Clone); 259 260 std::vector<Function*> FuncsOnClone; 261 for (unsigned i = 0, e = Funcs.size(); i != e; ++i) { 262 Function *F = cast<Function>(VMap[Funcs[i]]); 263 FuncsOnClone.push_back(F); 264 } 265 266 // Split the module into the two halves of the program we want. 267 VMap.clear(); 268 std::unique_ptr<Module> ToNotOptimize = CloneModule(BD.getProgram(), VMap); 269 std::unique_ptr<Module> ToOptimize = 270 SplitFunctionsOutOfModule(ToNotOptimize.get(), FuncsOnClone, VMap); 271 272 bool Broken = 273 TestFn(BD, std::move(ToOptimize), std::move(ToNotOptimize), Error); 274 275 delete BD.swapProgramIn(Orig); 276 277 return Broken; 278 } 279 280 /// DisambiguateGlobalSymbols - Give anonymous global values names. 281 /// DisambiguateGlobalSymbols(Module * M)282 static void DisambiguateGlobalSymbols(Module *M) { 283 for (Module::global_iterator I = M->global_begin(), E = M->global_end(); 284 I != E; ++I) 285 if (!I->hasName()) 286 I->setName("anon_global"); 287 for (Module::iterator I = M->begin(), E = M->end(); I != E; ++I) 288 if (!I->hasName()) 289 I->setName("anon_fn"); 290 } 291 292 /// Given a reduced list of functions that still exposed the bug, check to see 293 /// if we can extract the loops in the region without obscuring the bug. If so, 294 /// it reduces the amount of code identified. 295 /// ExtractLoops(BugDriver & BD,bool (* TestFn)(BugDriver &,std::unique_ptr<Module>,std::unique_ptr<Module>,std::string &),std::vector<Function * > & MiscompiledFunctions,std::string & Error)296 static bool ExtractLoops(BugDriver &BD, 297 bool (*TestFn)(BugDriver &, std::unique_ptr<Module>, 298 std::unique_ptr<Module>, std::string &), 299 std::vector<Function *> &MiscompiledFunctions, 300 std::string &Error) { 301 bool MadeChange = false; 302 while (1) { 303 if (BugpointIsInterrupted) return MadeChange; 304 305 ValueToValueMapTy VMap; 306 std::unique_ptr<Module> ToNotOptimize = CloneModule(BD.getProgram(), VMap); 307 Module *ToOptimize = SplitFunctionsOutOfModule(ToNotOptimize.get(), 308 MiscompiledFunctions, VMap) 309 .release(); 310 std::unique_ptr<Module> ToOptimizeLoopExtracted = 311 BD.extractLoop(ToOptimize); 312 if (!ToOptimizeLoopExtracted) { 313 // If the loop extractor crashed or if there were no extractible loops, 314 // then this chapter of our odyssey is over with. 315 delete ToOptimize; 316 return MadeChange; 317 } 318 319 errs() << "Extracted a loop from the breaking portion of the program.\n"; 320 321 // Bugpoint is intentionally not very trusting of LLVM transformations. In 322 // particular, we're not going to assume that the loop extractor works, so 323 // we're going to test the newly loop extracted program to make sure nothing 324 // has broken. If something broke, then we'll inform the user and stop 325 // extraction. 326 AbstractInterpreter *AI = BD.switchToSafeInterpreter(); 327 bool Failure; 328 std::unique_ptr<Module> New = 329 testMergedProgram(BD, std::move(ToOptimizeLoopExtracted), 330 std::move(ToNotOptimize), Error, Failure); 331 if (!New) 332 return false; 333 334 // Delete the original and set the new program. 335 Module *Old = BD.swapProgramIn(New.release()); 336 for (unsigned i = 0, e = MiscompiledFunctions.size(); i != e; ++i) 337 MiscompiledFunctions[i] = cast<Function>(VMap[MiscompiledFunctions[i]]); 338 delete Old; 339 340 if (Failure) { 341 BD.switchToInterpreter(AI); 342 343 // Merged program doesn't work anymore! 344 errs() << " *** ERROR: Loop extraction broke the program. :(" 345 << " Please report a bug!\n"; 346 errs() << " Continuing on with un-loop-extracted version.\n"; 347 348 BD.writeProgramToFile(OutputPrefix + "-loop-extract-fail-tno.bc", 349 ToNotOptimize.get()); 350 BD.writeProgramToFile(OutputPrefix + "-loop-extract-fail-to.bc", 351 ToOptimize); 352 BD.writeProgramToFile(OutputPrefix + "-loop-extract-fail-to-le.bc", 353 ToOptimizeLoopExtracted.get()); 354 355 errs() << "Please submit the " 356 << OutputPrefix << "-loop-extract-fail-*.bc files.\n"; 357 delete ToOptimize; 358 return MadeChange; 359 } 360 delete ToOptimize; 361 BD.switchToInterpreter(AI); 362 363 outs() << " Testing after loop extraction:\n"; 364 // Clone modules, the tester function will free them. 365 std::unique_ptr<Module> TOLEBackup = 366 CloneModule(ToOptimizeLoopExtracted.get(), VMap); 367 std::unique_ptr<Module> TNOBackup = CloneModule(ToNotOptimize.get(), VMap); 368 369 for (unsigned i = 0, e = MiscompiledFunctions.size(); i != e; ++i) 370 MiscompiledFunctions[i] = cast<Function>(VMap[MiscompiledFunctions[i]]); 371 372 Failure = TestFn(BD, std::move(ToOptimizeLoopExtracted), 373 std::move(ToNotOptimize), Error); 374 if (!Error.empty()) 375 return false; 376 377 ToOptimizeLoopExtracted = std::move(TOLEBackup); 378 ToNotOptimize = std::move(TNOBackup); 379 380 if (!Failure) { 381 outs() << "*** Loop extraction masked the problem. Undoing.\n"; 382 // If the program is not still broken, then loop extraction did something 383 // that masked the error. Stop loop extraction now. 384 385 std::vector<std::pair<std::string, FunctionType*> > MisCompFunctions; 386 for (Function *F : MiscompiledFunctions) { 387 MisCompFunctions.emplace_back(F->getName(), F->getFunctionType()); 388 } 389 390 if (Linker::linkModules(*ToNotOptimize, 391 std::move(ToOptimizeLoopExtracted))) 392 exit(1); 393 394 MiscompiledFunctions.clear(); 395 for (unsigned i = 0, e = MisCompFunctions.size(); i != e; ++i) { 396 Function *NewF = ToNotOptimize->getFunction(MisCompFunctions[i].first); 397 398 assert(NewF && "Function not found??"); 399 MiscompiledFunctions.push_back(NewF); 400 } 401 402 BD.setNewProgram(ToNotOptimize.release()); 403 return MadeChange; 404 } 405 406 outs() << "*** Loop extraction successful!\n"; 407 408 std::vector<std::pair<std::string, FunctionType*> > MisCompFunctions; 409 for (Module::iterator I = ToOptimizeLoopExtracted->begin(), 410 E = ToOptimizeLoopExtracted->end(); I != E; ++I) 411 if (!I->isDeclaration()) 412 MisCompFunctions.emplace_back(I->getName(), I->getFunctionType()); 413 414 // Okay, great! Now we know that we extracted a loop and that loop 415 // extraction both didn't break the program, and didn't mask the problem. 416 // Replace the current program with the loop extracted version, and try to 417 // extract another loop. 418 if (Linker::linkModules(*ToNotOptimize, std::move(ToOptimizeLoopExtracted))) 419 exit(1); 420 421 // All of the Function*'s in the MiscompiledFunctions list are in the old 422 // module. Update this list to include all of the functions in the 423 // optimized and loop extracted module. 424 MiscompiledFunctions.clear(); 425 for (unsigned i = 0, e = MisCompFunctions.size(); i != e; ++i) { 426 Function *NewF = ToNotOptimize->getFunction(MisCompFunctions[i].first); 427 428 assert(NewF && "Function not found??"); 429 MiscompiledFunctions.push_back(NewF); 430 } 431 432 BD.setNewProgram(ToNotOptimize.release()); 433 MadeChange = true; 434 } 435 } 436 437 namespace { 438 class ReduceMiscompiledBlocks : public ListReducer<BasicBlock*> { 439 BugDriver &BD; 440 bool (*TestFn)(BugDriver &, std::unique_ptr<Module>, 441 std::unique_ptr<Module>, std::string &); 442 std::vector<Function*> FunctionsBeingTested; 443 public: ReduceMiscompiledBlocks(BugDriver & bd,bool (* F)(BugDriver &,std::unique_ptr<Module>,std::unique_ptr<Module>,std::string &),const std::vector<Function * > & Fns)444 ReduceMiscompiledBlocks(BugDriver &bd, 445 bool (*F)(BugDriver &, std::unique_ptr<Module>, 446 std::unique_ptr<Module>, std::string &), 447 const std::vector<Function *> &Fns) 448 : BD(bd), TestFn(F), FunctionsBeingTested(Fns) {} 449 doTest(std::vector<BasicBlock * > & Prefix,std::vector<BasicBlock * > & Suffix,std::string & Error)450 TestResult doTest(std::vector<BasicBlock*> &Prefix, 451 std::vector<BasicBlock*> &Suffix, 452 std::string &Error) override { 453 if (!Suffix.empty()) { 454 bool Ret = TestFuncs(Suffix, Error); 455 if (!Error.empty()) 456 return InternalError; 457 if (Ret) 458 return KeepSuffix; 459 } 460 if (!Prefix.empty()) { 461 bool Ret = TestFuncs(Prefix, Error); 462 if (!Error.empty()) 463 return InternalError; 464 if (Ret) 465 return KeepPrefix; 466 } 467 return NoFailure; 468 } 469 470 bool TestFuncs(const std::vector<BasicBlock*> &BBs, std::string &Error); 471 }; 472 } 473 474 /// TestFuncs - Extract all blocks for the miscompiled functions except for the 475 /// specified blocks. If the problem still exists, return true. 476 /// TestFuncs(const std::vector<BasicBlock * > & BBs,std::string & Error)477 bool ReduceMiscompiledBlocks::TestFuncs(const std::vector<BasicBlock*> &BBs, 478 std::string &Error) { 479 // Test to see if the function is misoptimized if we ONLY run it on the 480 // functions listed in Funcs. 481 outs() << "Checking to see if the program is misoptimized when all "; 482 if (!BBs.empty()) { 483 outs() << "but these " << BBs.size() << " blocks are extracted: "; 484 for (unsigned i = 0, e = BBs.size() < 10 ? BBs.size() : 10; i != e; ++i) 485 outs() << BBs[i]->getName() << " "; 486 if (BBs.size() > 10) outs() << "..."; 487 } else { 488 outs() << "blocks are extracted."; 489 } 490 outs() << '\n'; 491 492 // Split the module into the two halves of the program we want. 493 ValueToValueMapTy VMap; 494 Module *Clone = CloneModule(BD.getProgram(), VMap).release(); 495 Module *Orig = BD.swapProgramIn(Clone); 496 std::vector<Function*> FuncsOnClone; 497 std::vector<BasicBlock*> BBsOnClone; 498 for (unsigned i = 0, e = FunctionsBeingTested.size(); i != e; ++i) { 499 Function *F = cast<Function>(VMap[FunctionsBeingTested[i]]); 500 FuncsOnClone.push_back(F); 501 } 502 for (unsigned i = 0, e = BBs.size(); i != e; ++i) { 503 BasicBlock *BB = cast<BasicBlock>(VMap[BBs[i]]); 504 BBsOnClone.push_back(BB); 505 } 506 VMap.clear(); 507 508 std::unique_ptr<Module> ToNotOptimize = CloneModule(BD.getProgram(), VMap); 509 std::unique_ptr<Module> ToOptimize = 510 SplitFunctionsOutOfModule(ToNotOptimize.get(), FuncsOnClone, VMap); 511 512 // Try the extraction. If it doesn't work, then the block extractor crashed 513 // or something, in which case bugpoint can't chase down this possibility. 514 if (std::unique_ptr<Module> New = 515 BD.extractMappedBlocksFromModule(BBsOnClone, ToOptimize.get())) { 516 bool Ret = TestFn(BD, std::move(New), std::move(ToNotOptimize), Error); 517 delete BD.swapProgramIn(Orig); 518 return Ret; 519 } 520 delete BD.swapProgramIn(Orig); 521 return false; 522 } 523 524 /// Given a reduced list of functions that still expose the bug, extract as many 525 /// basic blocks from the region as possible without obscuring the bug. 526 /// ExtractBlocks(BugDriver & BD,bool (* TestFn)(BugDriver &,std::unique_ptr<Module>,std::unique_ptr<Module>,std::string &),std::vector<Function * > & MiscompiledFunctions,std::string & Error)527 static bool ExtractBlocks(BugDriver &BD, 528 bool (*TestFn)(BugDriver &, std::unique_ptr<Module>, 529 std::unique_ptr<Module>, 530 std::string &), 531 std::vector<Function *> &MiscompiledFunctions, 532 std::string &Error) { 533 if (BugpointIsInterrupted) return false; 534 535 std::vector<BasicBlock*> Blocks; 536 for (unsigned i = 0, e = MiscompiledFunctions.size(); i != e; ++i) 537 for (BasicBlock &BB : *MiscompiledFunctions[i]) 538 Blocks.push_back(&BB); 539 540 // Use the list reducer to identify blocks that can be extracted without 541 // obscuring the bug. The Blocks list will end up containing blocks that must 542 // be retained from the original program. 543 unsigned OldSize = Blocks.size(); 544 545 // Check to see if all blocks are extractible first. 546 bool Ret = ReduceMiscompiledBlocks(BD, TestFn, MiscompiledFunctions) 547 .TestFuncs(std::vector<BasicBlock*>(), Error); 548 if (!Error.empty()) 549 return false; 550 if (Ret) { 551 Blocks.clear(); 552 } else { 553 ReduceMiscompiledBlocks(BD, TestFn, 554 MiscompiledFunctions).reduceList(Blocks, Error); 555 if (!Error.empty()) 556 return false; 557 if (Blocks.size() == OldSize) 558 return false; 559 } 560 561 ValueToValueMapTy VMap; 562 Module *ProgClone = CloneModule(BD.getProgram(), VMap).release(); 563 Module *ToExtract = 564 SplitFunctionsOutOfModule(ProgClone, MiscompiledFunctions, VMap) 565 .release(); 566 std::unique_ptr<Module> Extracted = 567 BD.extractMappedBlocksFromModule(Blocks, ToExtract); 568 if (!Extracted) { 569 // Weird, extraction should have worked. 570 errs() << "Nondeterministic problem extracting blocks??\n"; 571 delete ProgClone; 572 delete ToExtract; 573 return false; 574 } 575 576 // Otherwise, block extraction succeeded. Link the two program fragments back 577 // together. 578 delete ToExtract; 579 580 std::vector<std::pair<std::string, FunctionType*> > MisCompFunctions; 581 for (Module::iterator I = Extracted->begin(), E = Extracted->end(); 582 I != E; ++I) 583 if (!I->isDeclaration()) 584 MisCompFunctions.emplace_back(I->getName(), I->getFunctionType()); 585 586 if (Linker::linkModules(*ProgClone, std::move(Extracted))) 587 exit(1); 588 589 // Set the new program and delete the old one. 590 BD.setNewProgram(ProgClone); 591 592 // Update the list of miscompiled functions. 593 MiscompiledFunctions.clear(); 594 595 for (unsigned i = 0, e = MisCompFunctions.size(); i != e; ++i) { 596 Function *NewF = ProgClone->getFunction(MisCompFunctions[i].first); 597 assert(NewF && "Function not found??"); 598 MiscompiledFunctions.push_back(NewF); 599 } 600 601 return true; 602 } 603 604 /// This is a generic driver to narrow down miscompilations, either in an 605 /// optimization or a code generator. 606 /// 607 static std::vector<Function *> DebugAMiscompilation(BugDriver & BD,bool (* TestFn)(BugDriver &,std::unique_ptr<Module>,std::unique_ptr<Module>,std::string &),std::string & Error)608 DebugAMiscompilation(BugDriver &BD, 609 bool (*TestFn)(BugDriver &, std::unique_ptr<Module>, 610 std::unique_ptr<Module>, std::string &), 611 std::string &Error) { 612 // Okay, now that we have reduced the list of passes which are causing the 613 // failure, see if we can pin down which functions are being 614 // miscompiled... first build a list of all of the non-external functions in 615 // the program. 616 std::vector<Function*> MiscompiledFunctions; 617 Module *Prog = BD.getProgram(); 618 for (Function &F : *Prog) 619 if (!F.isDeclaration()) 620 MiscompiledFunctions.push_back(&F); 621 622 // Do the reduction... 623 if (!BugpointIsInterrupted) 624 ReduceMiscompilingFunctions(BD, TestFn).reduceList(MiscompiledFunctions, 625 Error); 626 if (!Error.empty()) { 627 errs() << "\n***Cannot reduce functions: "; 628 return MiscompiledFunctions; 629 } 630 outs() << "\n*** The following function" 631 << (MiscompiledFunctions.size() == 1 ? " is" : "s are") 632 << " being miscompiled: "; 633 PrintFunctionList(MiscompiledFunctions); 634 outs() << '\n'; 635 636 // See if we can rip any loops out of the miscompiled functions and still 637 // trigger the problem. 638 639 if (!BugpointIsInterrupted && !DisableLoopExtraction) { 640 bool Ret = ExtractLoops(BD, TestFn, MiscompiledFunctions, Error); 641 if (!Error.empty()) 642 return MiscompiledFunctions; 643 if (Ret) { 644 // Okay, we extracted some loops and the problem still appears. See if 645 // we can eliminate some of the created functions from being candidates. 646 DisambiguateGlobalSymbols(BD.getProgram()); 647 648 // Do the reduction... 649 if (!BugpointIsInterrupted) 650 ReduceMiscompilingFunctions(BD, TestFn).reduceList(MiscompiledFunctions, 651 Error); 652 if (!Error.empty()) 653 return MiscompiledFunctions; 654 655 outs() << "\n*** The following function" 656 << (MiscompiledFunctions.size() == 1 ? " is" : "s are") 657 << " being miscompiled: "; 658 PrintFunctionList(MiscompiledFunctions); 659 outs() << '\n'; 660 } 661 } 662 663 if (!BugpointIsInterrupted && !DisableBlockExtraction) { 664 bool Ret = ExtractBlocks(BD, TestFn, MiscompiledFunctions, Error); 665 if (!Error.empty()) 666 return MiscompiledFunctions; 667 if (Ret) { 668 // Okay, we extracted some blocks and the problem still appears. See if 669 // we can eliminate some of the created functions from being candidates. 670 DisambiguateGlobalSymbols(BD.getProgram()); 671 672 // Do the reduction... 673 ReduceMiscompilingFunctions(BD, TestFn).reduceList(MiscompiledFunctions, 674 Error); 675 if (!Error.empty()) 676 return MiscompiledFunctions; 677 678 outs() << "\n*** The following function" 679 << (MiscompiledFunctions.size() == 1 ? " is" : "s are") 680 << " being miscompiled: "; 681 PrintFunctionList(MiscompiledFunctions); 682 outs() << '\n'; 683 } 684 } 685 686 return MiscompiledFunctions; 687 } 688 689 /// This is the predicate function used to check to see if the "Test" portion of 690 /// the program is misoptimized. If so, return true. In any case, both module 691 /// arguments are deleted. 692 /// TestOptimizer(BugDriver & BD,std::unique_ptr<Module> Test,std::unique_ptr<Module> Safe,std::string & Error)693 static bool TestOptimizer(BugDriver &BD, std::unique_ptr<Module> Test, 694 std::unique_ptr<Module> Safe, std::string &Error) { 695 // Run the optimization passes on ToOptimize, producing a transformed version 696 // of the functions being tested. 697 outs() << " Optimizing functions being tested: "; 698 std::unique_ptr<Module> Optimized = 699 BD.runPassesOn(Test.get(), BD.getPassesToRun(), 700 /*AutoDebugCrashes*/ true); 701 outs() << "done.\n"; 702 703 outs() << " Checking to see if the merged program executes correctly: "; 704 bool Broken; 705 std::unique_ptr<Module> New = testMergedProgram( 706 BD, std::move(Optimized), std::move(Safe), Error, Broken); 707 if (New) { 708 outs() << (Broken ? " nope.\n" : " yup.\n"); 709 // Delete the original and set the new program. 710 delete BD.swapProgramIn(New.release()); 711 } 712 return Broken; 713 } 714 715 716 /// debugMiscompilation - This method is used when the passes selected are not 717 /// crashing, but the generated output is semantically different from the 718 /// input. 719 /// debugMiscompilation(std::string * Error)720 void BugDriver::debugMiscompilation(std::string *Error) { 721 // Make sure something was miscompiled... 722 if (!BugpointIsInterrupted) 723 if (!ReduceMiscompilingPasses(*this).reduceList(PassesToRun, *Error)) { 724 if (Error->empty()) 725 errs() << "*** Optimized program matches reference output! No problem" 726 << " detected...\nbugpoint can't help you with your problem!\n"; 727 return; 728 } 729 730 outs() << "\n*** Found miscompiling pass" 731 << (getPassesToRun().size() == 1 ? "" : "es") << ": " 732 << getPassesString(getPassesToRun()) << '\n'; 733 EmitProgressBitcode(Program, "passinput"); 734 735 std::vector<Function *> MiscompiledFunctions = 736 DebugAMiscompilation(*this, TestOptimizer, *Error); 737 if (!Error->empty()) 738 return; 739 740 // Output a bunch of bitcode files for the user... 741 outs() << "Outputting reduced bitcode files which expose the problem:\n"; 742 ValueToValueMapTy VMap; 743 Module *ToNotOptimize = CloneModule(getProgram(), VMap).release(); 744 Module *ToOptimize = 745 SplitFunctionsOutOfModule(ToNotOptimize, MiscompiledFunctions, VMap) 746 .release(); 747 748 outs() << " Non-optimized portion: "; 749 EmitProgressBitcode(ToNotOptimize, "tonotoptimize", true); 750 delete ToNotOptimize; // Delete hacked module. 751 752 outs() << " Portion that is input to optimizer: "; 753 EmitProgressBitcode(ToOptimize, "tooptimize"); 754 delete ToOptimize; // Delete hacked module. 755 756 return; 757 } 758 759 /// Get the specified modules ready for code generator testing. 760 /// CleanupAndPrepareModules(BugDriver & BD,std::unique_ptr<Module> & Test,Module * Safe)761 static void CleanupAndPrepareModules(BugDriver &BD, 762 std::unique_ptr<Module> &Test, 763 Module *Safe) { 764 // Clean up the modules, removing extra cruft that we don't need anymore... 765 Test = BD.performFinalCleanups(Test.get()); 766 767 // If we are executing the JIT, we have several nasty issues to take care of. 768 if (!BD.isExecutingJIT()) return; 769 770 // First, if the main function is in the Safe module, we must add a stub to 771 // the Test module to call into it. Thus, we create a new function `main' 772 // which just calls the old one. 773 if (Function *oldMain = Safe->getFunction("main")) 774 if (!oldMain->isDeclaration()) { 775 // Rename it 776 oldMain->setName("llvm_bugpoint_old_main"); 777 // Create a NEW `main' function with same type in the test module. 778 Function *newMain = 779 Function::Create(oldMain->getFunctionType(), 780 GlobalValue::ExternalLinkage, "main", Test.get()); 781 // Create an `oldmain' prototype in the test module, which will 782 // corresponds to the real main function in the same module. 783 Function *oldMainProto = Function::Create(oldMain->getFunctionType(), 784 GlobalValue::ExternalLinkage, 785 oldMain->getName(), Test.get()); 786 // Set up and remember the argument list for the main function. 787 std::vector<Value*> args; 788 for (Function::arg_iterator 789 I = newMain->arg_begin(), E = newMain->arg_end(), 790 OI = oldMain->arg_begin(); I != E; ++I, ++OI) { 791 I->setName(OI->getName()); // Copy argument names from oldMain 792 args.push_back(&*I); 793 } 794 795 // Call the old main function and return its result 796 BasicBlock *BB = BasicBlock::Create(Safe->getContext(), "entry", newMain); 797 CallInst *call = CallInst::Create(oldMainProto, args, "", BB); 798 799 // If the type of old function wasn't void, return value of call 800 ReturnInst::Create(Safe->getContext(), call, BB); 801 } 802 803 // The second nasty issue we must deal with in the JIT is that the Safe 804 // module cannot directly reference any functions defined in the test 805 // module. Instead, we use a JIT API call to dynamically resolve the 806 // symbol. 807 808 // Add the resolver to the Safe module. 809 // Prototype: void *getPointerToNamedFunction(const char* Name) 810 Constant *resolverFunc = 811 Safe->getOrInsertFunction("getPointerToNamedFunction", 812 Type::getInt8PtrTy(Safe->getContext()), 813 Type::getInt8PtrTy(Safe->getContext()), 814 (Type *)nullptr); 815 816 // Use the function we just added to get addresses of functions we need. 817 for (Module::iterator F = Safe->begin(), E = Safe->end(); F != E; ++F) { 818 if (F->isDeclaration() && !F->use_empty() && &*F != resolverFunc && 819 !F->isIntrinsic() /* ignore intrinsics */) { 820 Function *TestFn = Test->getFunction(F->getName()); 821 822 // Don't forward functions which are external in the test module too. 823 if (TestFn && !TestFn->isDeclaration()) { 824 // 1. Add a string constant with its name to the global file 825 Constant *InitArray = 826 ConstantDataArray::getString(F->getContext(), F->getName()); 827 GlobalVariable *funcName = 828 new GlobalVariable(*Safe, InitArray->getType(), true /*isConstant*/, 829 GlobalValue::InternalLinkage, InitArray, 830 F->getName() + "_name"); 831 832 // 2. Use `GetElementPtr *funcName, 0, 0' to convert the string to an 833 // sbyte* so it matches the signature of the resolver function. 834 835 // GetElementPtr *funcName, ulong 0, ulong 0 836 std::vector<Constant*> GEPargs(2, 837 Constant::getNullValue(Type::getInt32Ty(F->getContext()))); 838 Value *GEP = ConstantExpr::getGetElementPtr(InitArray->getType(), 839 funcName, GEPargs); 840 std::vector<Value*> ResolverArgs; 841 ResolverArgs.push_back(GEP); 842 843 // Rewrite uses of F in global initializers, etc. to uses of a wrapper 844 // function that dynamically resolves the calls to F via our JIT API 845 if (!F->use_empty()) { 846 // Create a new global to hold the cached function pointer. 847 Constant *NullPtr = ConstantPointerNull::get(F->getType()); 848 GlobalVariable *Cache = 849 new GlobalVariable(*F->getParent(), F->getType(), 850 false, GlobalValue::InternalLinkage, 851 NullPtr,F->getName()+".fpcache"); 852 853 // Construct a new stub function that will re-route calls to F 854 FunctionType *FuncTy = F->getFunctionType(); 855 Function *FuncWrapper = Function::Create(FuncTy, 856 GlobalValue::InternalLinkage, 857 F->getName() + "_wrapper", 858 F->getParent()); 859 BasicBlock *EntryBB = BasicBlock::Create(F->getContext(), 860 "entry", FuncWrapper); 861 BasicBlock *DoCallBB = BasicBlock::Create(F->getContext(), 862 "usecache", FuncWrapper); 863 BasicBlock *LookupBB = BasicBlock::Create(F->getContext(), 864 "lookupfp", FuncWrapper); 865 866 // Check to see if we already looked up the value. 867 Value *CachedVal = new LoadInst(Cache, "fpcache", EntryBB); 868 Value *IsNull = new ICmpInst(*EntryBB, ICmpInst::ICMP_EQ, CachedVal, 869 NullPtr, "isNull"); 870 BranchInst::Create(LookupBB, DoCallBB, IsNull, EntryBB); 871 872 // Resolve the call to function F via the JIT API: 873 // 874 // call resolver(GetElementPtr...) 875 CallInst *Resolver = 876 CallInst::Create(resolverFunc, ResolverArgs, "resolver", LookupBB); 877 878 // Cast the result from the resolver to correctly-typed function. 879 CastInst *CastedResolver = 880 new BitCastInst(Resolver, 881 PointerType::getUnqual(F->getFunctionType()), 882 "resolverCast", LookupBB); 883 884 // Save the value in our cache. 885 new StoreInst(CastedResolver, Cache, LookupBB); 886 BranchInst::Create(DoCallBB, LookupBB); 887 888 PHINode *FuncPtr = PHINode::Create(NullPtr->getType(), 2, 889 "fp", DoCallBB); 890 FuncPtr->addIncoming(CastedResolver, LookupBB); 891 FuncPtr->addIncoming(CachedVal, EntryBB); 892 893 // Save the argument list. 894 std::vector<Value*> Args; 895 for (Argument &A : FuncWrapper->args()) 896 Args.push_back(&A); 897 898 // Pass on the arguments to the real function, return its result 899 if (F->getReturnType()->isVoidTy()) { 900 CallInst::Create(FuncPtr, Args, "", DoCallBB); 901 ReturnInst::Create(F->getContext(), DoCallBB); 902 } else { 903 CallInst *Call = CallInst::Create(FuncPtr, Args, 904 "retval", DoCallBB); 905 ReturnInst::Create(F->getContext(),Call, DoCallBB); 906 } 907 908 // Use the wrapper function instead of the old function 909 F->replaceAllUsesWith(FuncWrapper); 910 } 911 } 912 } 913 } 914 915 if (verifyModule(*Test) || verifyModule(*Safe)) { 916 errs() << "Bugpoint has a bug, which corrupted a module!!\n"; 917 abort(); 918 } 919 } 920 921 /// This is the predicate function used to check to see if the "Test" portion of 922 /// the program is miscompiled by the code generator under test. If so, return 923 /// true. In any case, both module arguments are deleted. 924 /// TestCodeGenerator(BugDriver & BD,std::unique_ptr<Module> Test,std::unique_ptr<Module> Safe,std::string & Error)925 static bool TestCodeGenerator(BugDriver &BD, std::unique_ptr<Module> Test, 926 std::unique_ptr<Module> Safe, 927 std::string &Error) { 928 CleanupAndPrepareModules(BD, Test, Safe.get()); 929 930 SmallString<128> TestModuleBC; 931 int TestModuleFD; 932 std::error_code EC = sys::fs::createTemporaryFile("bugpoint.test", "bc", 933 TestModuleFD, TestModuleBC); 934 if (EC) { 935 errs() << BD.getToolName() << "Error making unique filename: " 936 << EC.message() << "\n"; 937 exit(1); 938 } 939 if (BD.writeProgramToFile(TestModuleBC.str(), TestModuleFD, Test.get())) { 940 errs() << "Error writing bitcode to `" << TestModuleBC.str() 941 << "'\nExiting."; 942 exit(1); 943 } 944 945 FileRemover TestModuleBCRemover(TestModuleBC.str(), !SaveTemps); 946 947 // Make the shared library 948 SmallString<128> SafeModuleBC; 949 int SafeModuleFD; 950 EC = sys::fs::createTemporaryFile("bugpoint.safe", "bc", SafeModuleFD, 951 SafeModuleBC); 952 if (EC) { 953 errs() << BD.getToolName() << "Error making unique filename: " 954 << EC.message() << "\n"; 955 exit(1); 956 } 957 958 if (BD.writeProgramToFile(SafeModuleBC.str(), SafeModuleFD, Safe.get())) { 959 errs() << "Error writing bitcode to `" << SafeModuleBC 960 << "'\nExiting."; 961 exit(1); 962 } 963 964 FileRemover SafeModuleBCRemover(SafeModuleBC.str(), !SaveTemps); 965 966 std::string SharedObject = BD.compileSharedObject(SafeModuleBC.str(), Error); 967 if (!Error.empty()) 968 return false; 969 970 FileRemover SharedObjectRemover(SharedObject, !SaveTemps); 971 972 // Run the code generator on the `Test' code, loading the shared library. 973 // The function returns whether or not the new output differs from reference. 974 bool Result = BD.diffProgram(BD.getProgram(), TestModuleBC.str(), 975 SharedObject, false, &Error); 976 if (!Error.empty()) 977 return false; 978 979 if (Result) 980 errs() << ": still failing!\n"; 981 else 982 errs() << ": didn't fail.\n"; 983 984 return Result; 985 } 986 987 988 /// debugCodeGenerator - debug errors in LLC, LLI, or CBE. 989 /// debugCodeGenerator(std::string * Error)990 bool BugDriver::debugCodeGenerator(std::string *Error) { 991 if ((void*)SafeInterpreter == (void*)Interpreter) { 992 std::string Result = executeProgramSafely(Program, "bugpoint.safe.out", 993 Error); 994 if (Error->empty()) { 995 outs() << "\n*** The \"safe\" i.e. 'known good' backend cannot match " 996 << "the reference diff. This may be due to a\n front-end " 997 << "bug or a bug in the original program, but this can also " 998 << "happen if bugpoint isn't running the program with the " 999 << "right flags or input.\n I left the result of executing " 1000 << "the program with the \"safe\" backend in this file for " 1001 << "you: '" 1002 << Result << "'.\n"; 1003 } 1004 return true; 1005 } 1006 1007 DisambiguateGlobalSymbols(Program); 1008 1009 std::vector<Function*> Funcs = DebugAMiscompilation(*this, TestCodeGenerator, 1010 *Error); 1011 if (!Error->empty()) 1012 return true; 1013 1014 // Split the module into the two halves of the program we want. 1015 ValueToValueMapTy VMap; 1016 std::unique_ptr<Module> ToNotCodeGen = CloneModule(getProgram(), VMap); 1017 std::unique_ptr<Module> ToCodeGen = 1018 SplitFunctionsOutOfModule(ToNotCodeGen.get(), Funcs, VMap); 1019 1020 // Condition the modules 1021 CleanupAndPrepareModules(*this, ToCodeGen, ToNotCodeGen.get()); 1022 1023 SmallString<128> TestModuleBC; 1024 int TestModuleFD; 1025 std::error_code EC = sys::fs::createTemporaryFile("bugpoint.test", "bc", 1026 TestModuleFD, TestModuleBC); 1027 if (EC) { 1028 errs() << getToolName() << "Error making unique filename: " 1029 << EC.message() << "\n"; 1030 exit(1); 1031 } 1032 1033 if (writeProgramToFile(TestModuleBC.str(), TestModuleFD, ToCodeGen.get())) { 1034 errs() << "Error writing bitcode to `" << TestModuleBC 1035 << "'\nExiting."; 1036 exit(1); 1037 } 1038 1039 // Make the shared library 1040 SmallString<128> SafeModuleBC; 1041 int SafeModuleFD; 1042 EC = sys::fs::createTemporaryFile("bugpoint.safe", "bc", SafeModuleFD, 1043 SafeModuleBC); 1044 if (EC) { 1045 errs() << getToolName() << "Error making unique filename: " 1046 << EC.message() << "\n"; 1047 exit(1); 1048 } 1049 1050 if (writeProgramToFile(SafeModuleBC.str(), SafeModuleFD, 1051 ToNotCodeGen.get())) { 1052 errs() << "Error writing bitcode to `" << SafeModuleBC 1053 << "'\nExiting."; 1054 exit(1); 1055 } 1056 std::string SharedObject = compileSharedObject(SafeModuleBC.str(), *Error); 1057 if (!Error->empty()) 1058 return true; 1059 1060 outs() << "You can reproduce the problem with the command line: \n"; 1061 if (isExecutingJIT()) { 1062 outs() << " lli -load " << SharedObject << " " << TestModuleBC; 1063 } else { 1064 outs() << " llc " << TestModuleBC << " -o " << TestModuleBC 1065 << ".s\n"; 1066 outs() << " cc " << SharedObject << " " << TestModuleBC.str() 1067 << ".s -o " << TestModuleBC << ".exe"; 1068 #if defined (HAVE_LINK_R) 1069 outs() << " -Wl,-R."; 1070 #endif 1071 outs() << "\n"; 1072 outs() << " " << TestModuleBC << ".exe"; 1073 } 1074 for (unsigned i = 0, e = InputArgv.size(); i != e; ++i) 1075 outs() << " " << InputArgv[i]; 1076 outs() << '\n'; 1077 outs() << "The shared object was created with:\n llc -march=c " 1078 << SafeModuleBC.str() << " -o temporary.c\n" 1079 << " cc -xc temporary.c -O2 -o " << SharedObject; 1080 if (TargetTriple.getArch() == Triple::sparc) 1081 outs() << " -G"; // Compile a shared library, `-G' for Sparc 1082 else 1083 outs() << " -fPIC -shared"; // `-shared' for Linux/X86, maybe others 1084 1085 outs() << " -fno-strict-aliasing\n"; 1086 1087 return false; 1088 } 1089