1//===- Miscompilation.cpp - Debug program miscompilations -----------------===//
2//
3//                     The LLVM Compiler Infrastructure
4//
5// This file is distributed under the University of Illinois Open Source
6// License. See LICENSE.TXT for details.
7//
8//===----------------------------------------------------------------------===//
9//
10// This file implements optimizer and code generation miscompilation debugging
11// support.
12//
13//===----------------------------------------------------------------------===//
14
15#include "BugDriver.h"
16#include "ListReducer.h"
17#include "ToolRunner.h"
18#include "llvm/Config/config.h"   // for HAVE_LINK_R
19#include "llvm/IR/Constants.h"
20#include "llvm/IR/DerivedTypes.h"
21#include "llvm/IR/Instructions.h"
22#include "llvm/IR/Module.h"
23#include "llvm/IR/Verifier.h"
24#include "llvm/Linker/Linker.h"
25#include "llvm/Pass.h"
26#include "llvm/Support/CommandLine.h"
27#include "llvm/Support/FileUtilities.h"
28#include "llvm/Transforms/Utils/Cloning.h"
29using namespace llvm;
30
31namespace llvm {
32  extern cl::opt<std::string> OutputPrefix;
33  extern cl::list<std::string> InputArgv;
34}
35
36namespace {
37  static llvm::cl::opt<bool>
38    DisableLoopExtraction("disable-loop-extraction",
39        cl::desc("Don't extract loops when searching for miscompilations"),
40        cl::init(false));
41  static llvm::cl::opt<bool>
42    DisableBlockExtraction("disable-block-extraction",
43        cl::desc("Don't extract blocks when searching for miscompilations"),
44        cl::init(false));
45
46  class ReduceMiscompilingPasses : public ListReducer<std::string> {
47    BugDriver &BD;
48  public:
49    ReduceMiscompilingPasses(BugDriver &bd) : BD(bd) {}
50
51    TestResult doTest(std::vector<std::string> &Prefix,
52                      std::vector<std::string> &Suffix,
53                      std::string &Error) override;
54  };
55}
56
57/// TestResult - After passes have been split into a test group and a control
58/// group, see if they still break the program.
59///
60ReduceMiscompilingPasses::TestResult
61ReduceMiscompilingPasses::doTest(std::vector<std::string> &Prefix,
62                                 std::vector<std::string> &Suffix,
63                                 std::string &Error) {
64  // First, run the program with just the Suffix passes.  If it is still broken
65  // with JUST the kept passes, discard the prefix passes.
66  outs() << "Checking to see if '" << getPassesString(Suffix)
67         << "' compiles correctly: ";
68
69  std::string BitcodeResult;
70  if (BD.runPasses(BD.getProgram(), Suffix, BitcodeResult, false/*delete*/,
71                   true/*quiet*/)) {
72    errs() << " Error running this sequence of passes"
73           << " on the input program!\n";
74    BD.setPassesToRun(Suffix);
75    BD.EmitProgressBitcode(BD.getProgram(), "pass-error",  false);
76    exit(BD.debugOptimizerCrash());
77  }
78
79  // Check to see if the finished program matches the reference output...
80  bool Diff = BD.diffProgram(BD.getProgram(), BitcodeResult, "",
81                             true /*delete bitcode*/, &Error);
82  if (!Error.empty())
83    return InternalError;
84  if (Diff) {
85    outs() << " nope.\n";
86    if (Suffix.empty()) {
87      errs() << BD.getToolName() << ": I'm confused: the test fails when "
88             << "no passes are run, nondeterministic program?\n";
89      exit(1);
90    }
91    return KeepSuffix;         // Miscompilation detected!
92  }
93  outs() << " yup.\n";      // No miscompilation!
94
95  if (Prefix.empty()) return NoFailure;
96
97  // Next, see if the program is broken if we run the "prefix" passes first,
98  // then separately run the "kept" passes.
99  outs() << "Checking to see if '" << getPassesString(Prefix)
100         << "' compiles correctly: ";
101
102  // If it is not broken with the kept passes, it's possible that the prefix
103  // passes must be run before the kept passes to break it.  If the program
104  // WORKS after the prefix passes, but then fails if running the prefix AND
105  // kept passes, we can update our bitcode file to include the result of the
106  // prefix passes, then discard the prefix passes.
107  //
108  if (BD.runPasses(BD.getProgram(), Prefix, BitcodeResult, false/*delete*/,
109                   true/*quiet*/)) {
110    errs() << " Error running this sequence of passes"
111           << " on the input program!\n";
112    BD.setPassesToRun(Prefix);
113    BD.EmitProgressBitcode(BD.getProgram(), "pass-error",  false);
114    exit(BD.debugOptimizerCrash());
115  }
116
117  // If the prefix maintains the predicate by itself, only keep the prefix!
118  Diff = BD.diffProgram(BD.getProgram(), BitcodeResult, "", false, &Error);
119  if (!Error.empty())
120    return InternalError;
121  if (Diff) {
122    outs() << " nope.\n";
123    sys::fs::remove(BitcodeResult);
124    return KeepPrefix;
125  }
126  outs() << " yup.\n";      // No miscompilation!
127
128  // Ok, so now we know that the prefix passes work, try running the suffix
129  // passes on the result of the prefix passes.
130  //
131  std::unique_ptr<Module> PrefixOutput =
132      parseInputFile(BitcodeResult, BD.getContext());
133  if (!PrefixOutput) {
134    errs() << BD.getToolName() << ": Error reading bitcode file '"
135           << BitcodeResult << "'!\n";
136    exit(1);
137  }
138  sys::fs::remove(BitcodeResult);
139
140  // Don't check if there are no passes in the suffix.
141  if (Suffix.empty())
142    return NoFailure;
143
144  outs() << "Checking to see if '" << getPassesString(Suffix)
145            << "' passes compile correctly after the '"
146            << getPassesString(Prefix) << "' passes: ";
147
148  std::unique_ptr<Module> OriginalInput(
149      BD.swapProgramIn(PrefixOutput.release()));
150  if (BD.runPasses(BD.getProgram(), Suffix, BitcodeResult, false/*delete*/,
151                   true/*quiet*/)) {
152    errs() << " Error running this sequence of passes"
153           << " on the input program!\n";
154    BD.setPassesToRun(Suffix);
155    BD.EmitProgressBitcode(BD.getProgram(), "pass-error",  false);
156    exit(BD.debugOptimizerCrash());
157  }
158
159  // Run the result...
160  Diff = BD.diffProgram(BD.getProgram(), BitcodeResult, "",
161                        true /*delete bitcode*/, &Error);
162  if (!Error.empty())
163    return InternalError;
164  if (Diff) {
165    outs() << " nope.\n";
166    return KeepSuffix;
167  }
168
169  // Otherwise, we must not be running the bad pass anymore.
170  outs() << " yup.\n";      // No miscompilation!
171  // Restore orig program & free test.
172  delete BD.swapProgramIn(OriginalInput.release());
173  return NoFailure;
174}
175
176namespace {
177  class ReduceMiscompilingFunctions : public ListReducer<Function*> {
178    BugDriver &BD;
179    bool (*TestFn)(BugDriver &, std::unique_ptr<Module>,
180                   std::unique_ptr<Module>, std::string &);
181
182  public:
183    ReduceMiscompilingFunctions(BugDriver &bd,
184                                bool (*F)(BugDriver &, std::unique_ptr<Module>,
185                                          std::unique_ptr<Module>,
186                                          std::string &))
187        : BD(bd), TestFn(F) {}
188
189    TestResult doTest(std::vector<Function*> &Prefix,
190                      std::vector<Function*> &Suffix,
191                      std::string &Error) override {
192      if (!Suffix.empty()) {
193        bool Ret = TestFuncs(Suffix, Error);
194        if (!Error.empty())
195          return InternalError;
196        if (Ret)
197          return KeepSuffix;
198      }
199      if (!Prefix.empty()) {
200        bool Ret = TestFuncs(Prefix, Error);
201        if (!Error.empty())
202          return InternalError;
203        if (Ret)
204          return KeepPrefix;
205      }
206      return NoFailure;
207    }
208
209    bool TestFuncs(const std::vector<Function*> &Prefix, std::string &Error);
210  };
211}
212
213/// Given two modules, link them together and run the program, checking to see
214/// if the program matches the diff. If there is an error, return NULL. If not,
215/// return the merged module. The Broken argument will be set to true if the
216/// output is different. If the DeleteInputs argument is set to true then this
217/// function deletes both input modules before it returns.
218///
219static std::unique_ptr<Module> testMergedProgram(const BugDriver &BD,
220                                                 std::unique_ptr<Module> M1,
221                                                 std::unique_ptr<Module> M2,
222                                                 std::string &Error,
223                                                 bool &Broken) {
224  if (Linker::linkModules(*M1, std::move(M2)))
225    exit(1);
226
227  // Execute the program.
228  Broken = BD.diffProgram(M1.get(), "", "", false, &Error);
229  if (!Error.empty())
230    return nullptr;
231  return M1;
232}
233
234/// TestFuncs - split functions in a Module into two groups: those that are
235/// under consideration for miscompilation vs. those that are not, and test
236/// accordingly. Each group of functions becomes a separate Module.
237///
238bool ReduceMiscompilingFunctions::TestFuncs(const std::vector<Function*> &Funcs,
239                                            std::string &Error) {
240  // Test to see if the function is misoptimized if we ONLY run it on the
241  // functions listed in Funcs.
242  outs() << "Checking to see if the program is misoptimized when "
243         << (Funcs.size()==1 ? "this function is" : "these functions are")
244         << " run through the pass"
245         << (BD.getPassesToRun().size() == 1 ? "" : "es") << ":";
246  PrintFunctionList(Funcs);
247  outs() << '\n';
248
249  // Create a clone for two reasons:
250  // * If the optimization passes delete any function, the deleted function
251  //   will be in the clone and Funcs will still point to valid memory
252  // * If the optimization passes use interprocedural information to break
253  //   a function, we want to continue with the original function. Otherwise
254  //   we can conclude that a function triggers the bug when in fact one
255  //   needs a larger set of original functions to do so.
256  ValueToValueMapTy VMap;
257  Module *Clone = CloneModule(BD.getProgram(), VMap).release();
258  Module *Orig = BD.swapProgramIn(Clone);
259
260  std::vector<Function*> FuncsOnClone;
261  for (unsigned i = 0, e = Funcs.size(); i != e; ++i) {
262    Function *F = cast<Function>(VMap[Funcs[i]]);
263    FuncsOnClone.push_back(F);
264  }
265
266  // Split the module into the two halves of the program we want.
267  VMap.clear();
268  std::unique_ptr<Module> ToNotOptimize = CloneModule(BD.getProgram(), VMap);
269  std::unique_ptr<Module> ToOptimize =
270      SplitFunctionsOutOfModule(ToNotOptimize.get(), FuncsOnClone, VMap);
271
272  bool Broken =
273      TestFn(BD, std::move(ToOptimize), std::move(ToNotOptimize), Error);
274
275  delete BD.swapProgramIn(Orig);
276
277  return Broken;
278}
279
280/// DisambiguateGlobalSymbols - Give anonymous global values names.
281///
282static void DisambiguateGlobalSymbols(Module *M) {
283  for (Module::global_iterator I = M->global_begin(), E = M->global_end();
284       I != E; ++I)
285    if (!I->hasName())
286      I->setName("anon_global");
287  for (Module::iterator I = M->begin(), E = M->end(); I != E; ++I)
288    if (!I->hasName())
289      I->setName("anon_fn");
290}
291
292/// Given a reduced list of functions that still exposed the bug, check to see
293/// if we can extract the loops in the region without obscuring the bug.  If so,
294/// it reduces the amount of code identified.
295///
296static bool ExtractLoops(BugDriver &BD,
297                         bool (*TestFn)(BugDriver &, std::unique_ptr<Module>,
298                                        std::unique_ptr<Module>, std::string &),
299                         std::vector<Function *> &MiscompiledFunctions,
300                         std::string &Error) {
301  bool MadeChange = false;
302  while (1) {
303    if (BugpointIsInterrupted) return MadeChange;
304
305    ValueToValueMapTy VMap;
306    std::unique_ptr<Module> ToNotOptimize = CloneModule(BD.getProgram(), VMap);
307    Module *ToOptimize = SplitFunctionsOutOfModule(ToNotOptimize.get(),
308                                                   MiscompiledFunctions, VMap)
309                             .release();
310    std::unique_ptr<Module> ToOptimizeLoopExtracted =
311        BD.extractLoop(ToOptimize);
312    if (!ToOptimizeLoopExtracted) {
313      // If the loop extractor crashed or if there were no extractible loops,
314      // then this chapter of our odyssey is over with.
315      delete ToOptimize;
316      return MadeChange;
317    }
318
319    errs() << "Extracted a loop from the breaking portion of the program.\n";
320
321    // Bugpoint is intentionally not very trusting of LLVM transformations.  In
322    // particular, we're not going to assume that the loop extractor works, so
323    // we're going to test the newly loop extracted program to make sure nothing
324    // has broken.  If something broke, then we'll inform the user and stop
325    // extraction.
326    AbstractInterpreter *AI = BD.switchToSafeInterpreter();
327    bool Failure;
328    std::unique_ptr<Module> New =
329        testMergedProgram(BD, std::move(ToOptimizeLoopExtracted),
330                          std::move(ToNotOptimize), Error, Failure);
331    if (!New)
332      return false;
333
334    // Delete the original and set the new program.
335    Module *Old = BD.swapProgramIn(New.release());
336    for (unsigned i = 0, e = MiscompiledFunctions.size(); i != e; ++i)
337      MiscompiledFunctions[i] = cast<Function>(VMap[MiscompiledFunctions[i]]);
338    delete Old;
339
340    if (Failure) {
341      BD.switchToInterpreter(AI);
342
343      // Merged program doesn't work anymore!
344      errs() << "  *** ERROR: Loop extraction broke the program. :("
345             << " Please report a bug!\n";
346      errs() << "      Continuing on with un-loop-extracted version.\n";
347
348      BD.writeProgramToFile(OutputPrefix + "-loop-extract-fail-tno.bc",
349                            ToNotOptimize.get());
350      BD.writeProgramToFile(OutputPrefix + "-loop-extract-fail-to.bc",
351                            ToOptimize);
352      BD.writeProgramToFile(OutputPrefix + "-loop-extract-fail-to-le.bc",
353                            ToOptimizeLoopExtracted.get());
354
355      errs() << "Please submit the "
356             << OutputPrefix << "-loop-extract-fail-*.bc files.\n";
357      delete ToOptimize;
358      return MadeChange;
359    }
360    delete ToOptimize;
361    BD.switchToInterpreter(AI);
362
363    outs() << "  Testing after loop extraction:\n";
364    // Clone modules, the tester function will free them.
365    std::unique_ptr<Module> TOLEBackup =
366        CloneModule(ToOptimizeLoopExtracted.get(), VMap);
367    std::unique_ptr<Module> TNOBackup = CloneModule(ToNotOptimize.get(), VMap);
368
369    for (unsigned i = 0, e = MiscompiledFunctions.size(); i != e; ++i)
370      MiscompiledFunctions[i] = cast<Function>(VMap[MiscompiledFunctions[i]]);
371
372    Failure = TestFn(BD, std::move(ToOptimizeLoopExtracted),
373                     std::move(ToNotOptimize), Error);
374    if (!Error.empty())
375      return false;
376
377    ToOptimizeLoopExtracted = std::move(TOLEBackup);
378    ToNotOptimize = std::move(TNOBackup);
379
380    if (!Failure) {
381      outs() << "*** Loop extraction masked the problem.  Undoing.\n";
382      // If the program is not still broken, then loop extraction did something
383      // that masked the error.  Stop loop extraction now.
384
385      std::vector<std::pair<std::string, FunctionType*> > MisCompFunctions;
386      for (Function *F : MiscompiledFunctions) {
387        MisCompFunctions.emplace_back(F->getName(), F->getFunctionType());
388      }
389
390      if (Linker::linkModules(*ToNotOptimize,
391                              std::move(ToOptimizeLoopExtracted)))
392        exit(1);
393
394      MiscompiledFunctions.clear();
395      for (unsigned i = 0, e = MisCompFunctions.size(); i != e; ++i) {
396        Function *NewF = ToNotOptimize->getFunction(MisCompFunctions[i].first);
397
398        assert(NewF && "Function not found??");
399        MiscompiledFunctions.push_back(NewF);
400      }
401
402      BD.setNewProgram(ToNotOptimize.release());
403      return MadeChange;
404    }
405
406    outs() << "*** Loop extraction successful!\n";
407
408    std::vector<std::pair<std::string, FunctionType*> > MisCompFunctions;
409    for (Module::iterator I = ToOptimizeLoopExtracted->begin(),
410           E = ToOptimizeLoopExtracted->end(); I != E; ++I)
411      if (!I->isDeclaration())
412        MisCompFunctions.emplace_back(I->getName(), I->getFunctionType());
413
414    // Okay, great!  Now we know that we extracted a loop and that loop
415    // extraction both didn't break the program, and didn't mask the problem.
416    // Replace the current program with the loop extracted version, and try to
417    // extract another loop.
418    if (Linker::linkModules(*ToNotOptimize, std::move(ToOptimizeLoopExtracted)))
419      exit(1);
420
421    // All of the Function*'s in the MiscompiledFunctions list are in the old
422    // module.  Update this list to include all of the functions in the
423    // optimized and loop extracted module.
424    MiscompiledFunctions.clear();
425    for (unsigned i = 0, e = MisCompFunctions.size(); i != e; ++i) {
426      Function *NewF = ToNotOptimize->getFunction(MisCompFunctions[i].first);
427
428      assert(NewF && "Function not found??");
429      MiscompiledFunctions.push_back(NewF);
430    }
431
432    BD.setNewProgram(ToNotOptimize.release());
433    MadeChange = true;
434  }
435}
436
437namespace {
438  class ReduceMiscompiledBlocks : public ListReducer<BasicBlock*> {
439    BugDriver &BD;
440    bool (*TestFn)(BugDriver &, std::unique_ptr<Module>,
441                   std::unique_ptr<Module>, std::string &);
442    std::vector<Function*> FunctionsBeingTested;
443  public:
444    ReduceMiscompiledBlocks(BugDriver &bd,
445                            bool (*F)(BugDriver &, std::unique_ptr<Module>,
446                                      std::unique_ptr<Module>, std::string &),
447                            const std::vector<Function *> &Fns)
448        : BD(bd), TestFn(F), FunctionsBeingTested(Fns) {}
449
450    TestResult doTest(std::vector<BasicBlock*> &Prefix,
451                      std::vector<BasicBlock*> &Suffix,
452                      std::string &Error) override {
453      if (!Suffix.empty()) {
454        bool Ret = TestFuncs(Suffix, Error);
455        if (!Error.empty())
456          return InternalError;
457        if (Ret)
458          return KeepSuffix;
459      }
460      if (!Prefix.empty()) {
461        bool Ret = TestFuncs(Prefix, Error);
462        if (!Error.empty())
463          return InternalError;
464        if (Ret)
465          return KeepPrefix;
466      }
467      return NoFailure;
468    }
469
470    bool TestFuncs(const std::vector<BasicBlock*> &BBs, std::string &Error);
471  };
472}
473
474/// TestFuncs - Extract all blocks for the miscompiled functions except for the
475/// specified blocks.  If the problem still exists, return true.
476///
477bool ReduceMiscompiledBlocks::TestFuncs(const std::vector<BasicBlock*> &BBs,
478                                        std::string &Error) {
479  // Test to see if the function is misoptimized if we ONLY run it on the
480  // functions listed in Funcs.
481  outs() << "Checking to see if the program is misoptimized when all ";
482  if (!BBs.empty()) {
483    outs() << "but these " << BBs.size() << " blocks are extracted: ";
484    for (unsigned i = 0, e = BBs.size() < 10 ? BBs.size() : 10; i != e; ++i)
485      outs() << BBs[i]->getName() << " ";
486    if (BBs.size() > 10) outs() << "...";
487  } else {
488    outs() << "blocks are extracted.";
489  }
490  outs() << '\n';
491
492  // Split the module into the two halves of the program we want.
493  ValueToValueMapTy VMap;
494  Module *Clone = CloneModule(BD.getProgram(), VMap).release();
495  Module *Orig = BD.swapProgramIn(Clone);
496  std::vector<Function*> FuncsOnClone;
497  std::vector<BasicBlock*> BBsOnClone;
498  for (unsigned i = 0, e = FunctionsBeingTested.size(); i != e; ++i) {
499    Function *F = cast<Function>(VMap[FunctionsBeingTested[i]]);
500    FuncsOnClone.push_back(F);
501  }
502  for (unsigned i = 0, e = BBs.size(); i != e; ++i) {
503    BasicBlock *BB = cast<BasicBlock>(VMap[BBs[i]]);
504    BBsOnClone.push_back(BB);
505  }
506  VMap.clear();
507
508  std::unique_ptr<Module> ToNotOptimize = CloneModule(BD.getProgram(), VMap);
509  std::unique_ptr<Module> ToOptimize =
510      SplitFunctionsOutOfModule(ToNotOptimize.get(), FuncsOnClone, VMap);
511
512  // Try the extraction.  If it doesn't work, then the block extractor crashed
513  // or something, in which case bugpoint can't chase down this possibility.
514  if (std::unique_ptr<Module> New =
515          BD.extractMappedBlocksFromModule(BBsOnClone, ToOptimize.get())) {
516    bool Ret = TestFn(BD, std::move(New), std::move(ToNotOptimize), Error);
517    delete BD.swapProgramIn(Orig);
518    return Ret;
519  }
520  delete BD.swapProgramIn(Orig);
521  return false;
522}
523
524/// Given a reduced list of functions that still expose the bug, extract as many
525/// basic blocks from the region as possible without obscuring the bug.
526///
527static bool ExtractBlocks(BugDriver &BD,
528                          bool (*TestFn)(BugDriver &, std::unique_ptr<Module>,
529                                         std::unique_ptr<Module>,
530                                         std::string &),
531                          std::vector<Function *> &MiscompiledFunctions,
532                          std::string &Error) {
533  if (BugpointIsInterrupted) return false;
534
535  std::vector<BasicBlock*> Blocks;
536  for (unsigned i = 0, e = MiscompiledFunctions.size(); i != e; ++i)
537    for (BasicBlock &BB : *MiscompiledFunctions[i])
538      Blocks.push_back(&BB);
539
540  // Use the list reducer to identify blocks that can be extracted without
541  // obscuring the bug.  The Blocks list will end up containing blocks that must
542  // be retained from the original program.
543  unsigned OldSize = Blocks.size();
544
545  // Check to see if all blocks are extractible first.
546  bool Ret = ReduceMiscompiledBlocks(BD, TestFn, MiscompiledFunctions)
547                                  .TestFuncs(std::vector<BasicBlock*>(), Error);
548  if (!Error.empty())
549    return false;
550  if (Ret) {
551    Blocks.clear();
552  } else {
553    ReduceMiscompiledBlocks(BD, TestFn,
554                            MiscompiledFunctions).reduceList(Blocks, Error);
555    if (!Error.empty())
556      return false;
557    if (Blocks.size() == OldSize)
558      return false;
559  }
560
561  ValueToValueMapTy VMap;
562  Module *ProgClone = CloneModule(BD.getProgram(), VMap).release();
563  Module *ToExtract =
564      SplitFunctionsOutOfModule(ProgClone, MiscompiledFunctions, VMap)
565          .release();
566  std::unique_ptr<Module> Extracted =
567      BD.extractMappedBlocksFromModule(Blocks, ToExtract);
568  if (!Extracted) {
569    // Weird, extraction should have worked.
570    errs() << "Nondeterministic problem extracting blocks??\n";
571    delete ProgClone;
572    delete ToExtract;
573    return false;
574  }
575
576  // Otherwise, block extraction succeeded.  Link the two program fragments back
577  // together.
578  delete ToExtract;
579
580  std::vector<std::pair<std::string, FunctionType*> > MisCompFunctions;
581  for (Module::iterator I = Extracted->begin(), E = Extracted->end();
582       I != E; ++I)
583    if (!I->isDeclaration())
584      MisCompFunctions.emplace_back(I->getName(), I->getFunctionType());
585
586  if (Linker::linkModules(*ProgClone, std::move(Extracted)))
587    exit(1);
588
589  // Set the new program and delete the old one.
590  BD.setNewProgram(ProgClone);
591
592  // Update the list of miscompiled functions.
593  MiscompiledFunctions.clear();
594
595  for (unsigned i = 0, e = MisCompFunctions.size(); i != e; ++i) {
596    Function *NewF = ProgClone->getFunction(MisCompFunctions[i].first);
597    assert(NewF && "Function not found??");
598    MiscompiledFunctions.push_back(NewF);
599  }
600
601  return true;
602}
603
604/// This is a generic driver to narrow down miscompilations, either in an
605/// optimization or a code generator.
606///
607static std::vector<Function *>
608DebugAMiscompilation(BugDriver &BD,
609                     bool (*TestFn)(BugDriver &, std::unique_ptr<Module>,
610                                    std::unique_ptr<Module>, std::string &),
611                     std::string &Error) {
612  // Okay, now that we have reduced the list of passes which are causing the
613  // failure, see if we can pin down which functions are being
614  // miscompiled... first build a list of all of the non-external functions in
615  // the program.
616  std::vector<Function*> MiscompiledFunctions;
617  Module *Prog = BD.getProgram();
618  for (Function &F : *Prog)
619    if (!F.isDeclaration())
620      MiscompiledFunctions.push_back(&F);
621
622  // Do the reduction...
623  if (!BugpointIsInterrupted)
624    ReduceMiscompilingFunctions(BD, TestFn).reduceList(MiscompiledFunctions,
625                                                       Error);
626  if (!Error.empty()) {
627    errs() << "\n***Cannot reduce functions: ";
628    return MiscompiledFunctions;
629  }
630  outs() << "\n*** The following function"
631         << (MiscompiledFunctions.size() == 1 ? " is" : "s are")
632         << " being miscompiled: ";
633  PrintFunctionList(MiscompiledFunctions);
634  outs() << '\n';
635
636  // See if we can rip any loops out of the miscompiled functions and still
637  // trigger the problem.
638
639  if (!BugpointIsInterrupted && !DisableLoopExtraction) {
640    bool Ret = ExtractLoops(BD, TestFn, MiscompiledFunctions, Error);
641    if (!Error.empty())
642      return MiscompiledFunctions;
643    if (Ret) {
644      // Okay, we extracted some loops and the problem still appears.  See if
645      // we can eliminate some of the created functions from being candidates.
646      DisambiguateGlobalSymbols(BD.getProgram());
647
648      // Do the reduction...
649      if (!BugpointIsInterrupted)
650        ReduceMiscompilingFunctions(BD, TestFn).reduceList(MiscompiledFunctions,
651                                                           Error);
652      if (!Error.empty())
653        return MiscompiledFunctions;
654
655      outs() << "\n*** The following function"
656             << (MiscompiledFunctions.size() == 1 ? " is" : "s are")
657             << " being miscompiled: ";
658      PrintFunctionList(MiscompiledFunctions);
659      outs() << '\n';
660    }
661  }
662
663  if (!BugpointIsInterrupted && !DisableBlockExtraction) {
664    bool Ret = ExtractBlocks(BD, TestFn, MiscompiledFunctions, Error);
665    if (!Error.empty())
666      return MiscompiledFunctions;
667    if (Ret) {
668      // Okay, we extracted some blocks and the problem still appears.  See if
669      // we can eliminate some of the created functions from being candidates.
670      DisambiguateGlobalSymbols(BD.getProgram());
671
672      // Do the reduction...
673      ReduceMiscompilingFunctions(BD, TestFn).reduceList(MiscompiledFunctions,
674                                                         Error);
675      if (!Error.empty())
676        return MiscompiledFunctions;
677
678      outs() << "\n*** The following function"
679             << (MiscompiledFunctions.size() == 1 ? " is" : "s are")
680             << " being miscompiled: ";
681      PrintFunctionList(MiscompiledFunctions);
682      outs() << '\n';
683    }
684  }
685
686  return MiscompiledFunctions;
687}
688
689/// This is the predicate function used to check to see if the "Test" portion of
690/// the program is misoptimized.  If so, return true.  In any case, both module
691/// arguments are deleted.
692///
693static bool TestOptimizer(BugDriver &BD, std::unique_ptr<Module> Test,
694                          std::unique_ptr<Module> Safe, std::string &Error) {
695  // Run the optimization passes on ToOptimize, producing a transformed version
696  // of the functions being tested.
697  outs() << "  Optimizing functions being tested: ";
698  std::unique_ptr<Module> Optimized =
699      BD.runPassesOn(Test.get(), BD.getPassesToRun(),
700                     /*AutoDebugCrashes*/ true);
701  outs() << "done.\n";
702
703  outs() << "  Checking to see if the merged program executes correctly: ";
704  bool Broken;
705  std::unique_ptr<Module> New = testMergedProgram(
706      BD, std::move(Optimized), std::move(Safe), Error, Broken);
707  if (New) {
708    outs() << (Broken ? " nope.\n" : " yup.\n");
709    // Delete the original and set the new program.
710    delete BD.swapProgramIn(New.release());
711  }
712  return Broken;
713}
714
715
716/// debugMiscompilation - This method is used when the passes selected are not
717/// crashing, but the generated output is semantically different from the
718/// input.
719///
720void BugDriver::debugMiscompilation(std::string *Error) {
721  // Make sure something was miscompiled...
722  if (!BugpointIsInterrupted)
723    if (!ReduceMiscompilingPasses(*this).reduceList(PassesToRun, *Error)) {
724      if (Error->empty())
725        errs() << "*** Optimized program matches reference output!  No problem"
726               << " detected...\nbugpoint can't help you with your problem!\n";
727      return;
728    }
729
730  outs() << "\n*** Found miscompiling pass"
731         << (getPassesToRun().size() == 1 ? "" : "es") << ": "
732         << getPassesString(getPassesToRun()) << '\n';
733  EmitProgressBitcode(Program, "passinput");
734
735  std::vector<Function *> MiscompiledFunctions =
736    DebugAMiscompilation(*this, TestOptimizer, *Error);
737  if (!Error->empty())
738    return;
739
740  // Output a bunch of bitcode files for the user...
741  outs() << "Outputting reduced bitcode files which expose the problem:\n";
742  ValueToValueMapTy VMap;
743  Module *ToNotOptimize = CloneModule(getProgram(), VMap).release();
744  Module *ToOptimize =
745      SplitFunctionsOutOfModule(ToNotOptimize, MiscompiledFunctions, VMap)
746          .release();
747
748  outs() << "  Non-optimized portion: ";
749  EmitProgressBitcode(ToNotOptimize, "tonotoptimize", true);
750  delete ToNotOptimize;  // Delete hacked module.
751
752  outs() << "  Portion that is input to optimizer: ";
753  EmitProgressBitcode(ToOptimize, "tooptimize");
754  delete ToOptimize;      // Delete hacked module.
755
756  return;
757}
758
759/// Get the specified modules ready for code generator testing.
760///
761static void CleanupAndPrepareModules(BugDriver &BD,
762                                     std::unique_ptr<Module> &Test,
763                                     Module *Safe) {
764  // Clean up the modules, removing extra cruft that we don't need anymore...
765  Test = BD.performFinalCleanups(Test.get());
766
767  // If we are executing the JIT, we have several nasty issues to take care of.
768  if (!BD.isExecutingJIT()) return;
769
770  // First, if the main function is in the Safe module, we must add a stub to
771  // the Test module to call into it.  Thus, we create a new function `main'
772  // which just calls the old one.
773  if (Function *oldMain = Safe->getFunction("main"))
774    if (!oldMain->isDeclaration()) {
775      // Rename it
776      oldMain->setName("llvm_bugpoint_old_main");
777      // Create a NEW `main' function with same type in the test module.
778      Function *newMain =
779          Function::Create(oldMain->getFunctionType(),
780                           GlobalValue::ExternalLinkage, "main", Test.get());
781      // Create an `oldmain' prototype in the test module, which will
782      // corresponds to the real main function in the same module.
783      Function *oldMainProto = Function::Create(oldMain->getFunctionType(),
784                                                GlobalValue::ExternalLinkage,
785                                                oldMain->getName(), Test.get());
786      // Set up and remember the argument list for the main function.
787      std::vector<Value*> args;
788      for (Function::arg_iterator
789             I = newMain->arg_begin(), E = newMain->arg_end(),
790             OI = oldMain->arg_begin(); I != E; ++I, ++OI) {
791        I->setName(OI->getName());    // Copy argument names from oldMain
792        args.push_back(&*I);
793      }
794
795      // Call the old main function and return its result
796      BasicBlock *BB = BasicBlock::Create(Safe->getContext(), "entry", newMain);
797      CallInst *call = CallInst::Create(oldMainProto, args, "", BB);
798
799      // If the type of old function wasn't void, return value of call
800      ReturnInst::Create(Safe->getContext(), call, BB);
801    }
802
803  // The second nasty issue we must deal with in the JIT is that the Safe
804  // module cannot directly reference any functions defined in the test
805  // module.  Instead, we use a JIT API call to dynamically resolve the
806  // symbol.
807
808  // Add the resolver to the Safe module.
809  // Prototype: void *getPointerToNamedFunction(const char* Name)
810  Constant *resolverFunc =
811    Safe->getOrInsertFunction("getPointerToNamedFunction",
812                    Type::getInt8PtrTy(Safe->getContext()),
813                    Type::getInt8PtrTy(Safe->getContext()),
814                       (Type *)nullptr);
815
816  // Use the function we just added to get addresses of functions we need.
817  for (Module::iterator F = Safe->begin(), E = Safe->end(); F != E; ++F) {
818    if (F->isDeclaration() && !F->use_empty() && &*F != resolverFunc &&
819        !F->isIntrinsic() /* ignore intrinsics */) {
820      Function *TestFn = Test->getFunction(F->getName());
821
822      // Don't forward functions which are external in the test module too.
823      if (TestFn && !TestFn->isDeclaration()) {
824        // 1. Add a string constant with its name to the global file
825        Constant *InitArray =
826          ConstantDataArray::getString(F->getContext(), F->getName());
827        GlobalVariable *funcName =
828          new GlobalVariable(*Safe, InitArray->getType(), true /*isConstant*/,
829                             GlobalValue::InternalLinkage, InitArray,
830                             F->getName() + "_name");
831
832        // 2. Use `GetElementPtr *funcName, 0, 0' to convert the string to an
833        // sbyte* so it matches the signature of the resolver function.
834
835        // GetElementPtr *funcName, ulong 0, ulong 0
836        std::vector<Constant*> GEPargs(2,
837                     Constant::getNullValue(Type::getInt32Ty(F->getContext())));
838        Value *GEP = ConstantExpr::getGetElementPtr(InitArray->getType(),
839                                                    funcName, GEPargs);
840        std::vector<Value*> ResolverArgs;
841        ResolverArgs.push_back(GEP);
842
843        // Rewrite uses of F in global initializers, etc. to uses of a wrapper
844        // function that dynamically resolves the calls to F via our JIT API
845        if (!F->use_empty()) {
846          // Create a new global to hold the cached function pointer.
847          Constant *NullPtr = ConstantPointerNull::get(F->getType());
848          GlobalVariable *Cache =
849            new GlobalVariable(*F->getParent(), F->getType(),
850                               false, GlobalValue::InternalLinkage,
851                               NullPtr,F->getName()+".fpcache");
852
853          // Construct a new stub function that will re-route calls to F
854          FunctionType *FuncTy = F->getFunctionType();
855          Function *FuncWrapper = Function::Create(FuncTy,
856                                                   GlobalValue::InternalLinkage,
857                                                   F->getName() + "_wrapper",
858                                                   F->getParent());
859          BasicBlock *EntryBB  = BasicBlock::Create(F->getContext(),
860                                                    "entry", FuncWrapper);
861          BasicBlock *DoCallBB = BasicBlock::Create(F->getContext(),
862                                                    "usecache", FuncWrapper);
863          BasicBlock *LookupBB = BasicBlock::Create(F->getContext(),
864                                                    "lookupfp", FuncWrapper);
865
866          // Check to see if we already looked up the value.
867          Value *CachedVal = new LoadInst(Cache, "fpcache", EntryBB);
868          Value *IsNull = new ICmpInst(*EntryBB, ICmpInst::ICMP_EQ, CachedVal,
869                                       NullPtr, "isNull");
870          BranchInst::Create(LookupBB, DoCallBB, IsNull, EntryBB);
871
872          // Resolve the call to function F via the JIT API:
873          //
874          // call resolver(GetElementPtr...)
875          CallInst *Resolver =
876            CallInst::Create(resolverFunc, ResolverArgs, "resolver", LookupBB);
877
878          // Cast the result from the resolver to correctly-typed function.
879          CastInst *CastedResolver =
880            new BitCastInst(Resolver,
881                            PointerType::getUnqual(F->getFunctionType()),
882                            "resolverCast", LookupBB);
883
884          // Save the value in our cache.
885          new StoreInst(CastedResolver, Cache, LookupBB);
886          BranchInst::Create(DoCallBB, LookupBB);
887
888          PHINode *FuncPtr = PHINode::Create(NullPtr->getType(), 2,
889                                             "fp", DoCallBB);
890          FuncPtr->addIncoming(CastedResolver, LookupBB);
891          FuncPtr->addIncoming(CachedVal, EntryBB);
892
893          // Save the argument list.
894          std::vector<Value*> Args;
895          for (Argument &A : FuncWrapper->args())
896            Args.push_back(&A);
897
898          // Pass on the arguments to the real function, return its result
899          if (F->getReturnType()->isVoidTy()) {
900            CallInst::Create(FuncPtr, Args, "", DoCallBB);
901            ReturnInst::Create(F->getContext(), DoCallBB);
902          } else {
903            CallInst *Call = CallInst::Create(FuncPtr, Args,
904                                              "retval", DoCallBB);
905            ReturnInst::Create(F->getContext(),Call, DoCallBB);
906          }
907
908          // Use the wrapper function instead of the old function
909          F->replaceAllUsesWith(FuncWrapper);
910        }
911      }
912    }
913  }
914
915  if (verifyModule(*Test) || verifyModule(*Safe)) {
916    errs() << "Bugpoint has a bug, which corrupted a module!!\n";
917    abort();
918  }
919}
920
921/// This is the predicate function used to check to see if the "Test" portion of
922/// the program is miscompiled by the code generator under test.  If so, return
923/// true.  In any case, both module arguments are deleted.
924///
925static bool TestCodeGenerator(BugDriver &BD, std::unique_ptr<Module> Test,
926                              std::unique_ptr<Module> Safe,
927                              std::string &Error) {
928  CleanupAndPrepareModules(BD, Test, Safe.get());
929
930  SmallString<128> TestModuleBC;
931  int TestModuleFD;
932  std::error_code EC = sys::fs::createTemporaryFile("bugpoint.test", "bc",
933                                                    TestModuleFD, TestModuleBC);
934  if (EC) {
935    errs() << BD.getToolName() << "Error making unique filename: "
936           << EC.message() << "\n";
937    exit(1);
938  }
939  if (BD.writeProgramToFile(TestModuleBC.str(), TestModuleFD, Test.get())) {
940    errs() << "Error writing bitcode to `" << TestModuleBC.str()
941           << "'\nExiting.";
942    exit(1);
943  }
944
945  FileRemover TestModuleBCRemover(TestModuleBC.str(), !SaveTemps);
946
947  // Make the shared library
948  SmallString<128> SafeModuleBC;
949  int SafeModuleFD;
950  EC = sys::fs::createTemporaryFile("bugpoint.safe", "bc", SafeModuleFD,
951                                    SafeModuleBC);
952  if (EC) {
953    errs() << BD.getToolName() << "Error making unique filename: "
954           << EC.message() << "\n";
955    exit(1);
956  }
957
958  if (BD.writeProgramToFile(SafeModuleBC.str(), SafeModuleFD, Safe.get())) {
959    errs() << "Error writing bitcode to `" << SafeModuleBC
960           << "'\nExiting.";
961    exit(1);
962  }
963
964  FileRemover SafeModuleBCRemover(SafeModuleBC.str(), !SaveTemps);
965
966  std::string SharedObject = BD.compileSharedObject(SafeModuleBC.str(), Error);
967  if (!Error.empty())
968    return false;
969
970  FileRemover SharedObjectRemover(SharedObject, !SaveTemps);
971
972  // Run the code generator on the `Test' code, loading the shared library.
973  // The function returns whether or not the new output differs from reference.
974  bool Result = BD.diffProgram(BD.getProgram(), TestModuleBC.str(),
975                               SharedObject, false, &Error);
976  if (!Error.empty())
977    return false;
978
979  if (Result)
980    errs() << ": still failing!\n";
981  else
982    errs() << ": didn't fail.\n";
983
984  return Result;
985}
986
987
988/// debugCodeGenerator - debug errors in LLC, LLI, or CBE.
989///
990bool BugDriver::debugCodeGenerator(std::string *Error) {
991  if ((void*)SafeInterpreter == (void*)Interpreter) {
992    std::string Result = executeProgramSafely(Program, "bugpoint.safe.out",
993                                              Error);
994    if (Error->empty()) {
995      outs() << "\n*** The \"safe\" i.e. 'known good' backend cannot match "
996             << "the reference diff.  This may be due to a\n    front-end "
997             << "bug or a bug in the original program, but this can also "
998             << "happen if bugpoint isn't running the program with the "
999             << "right flags or input.\n    I left the result of executing "
1000             << "the program with the \"safe\" backend in this file for "
1001             << "you: '"
1002             << Result << "'.\n";
1003    }
1004    return true;
1005  }
1006
1007  DisambiguateGlobalSymbols(Program);
1008
1009  std::vector<Function*> Funcs = DebugAMiscompilation(*this, TestCodeGenerator,
1010                                                      *Error);
1011  if (!Error->empty())
1012    return true;
1013
1014  // Split the module into the two halves of the program we want.
1015  ValueToValueMapTy VMap;
1016  std::unique_ptr<Module> ToNotCodeGen = CloneModule(getProgram(), VMap);
1017  std::unique_ptr<Module> ToCodeGen =
1018      SplitFunctionsOutOfModule(ToNotCodeGen.get(), Funcs, VMap);
1019
1020  // Condition the modules
1021  CleanupAndPrepareModules(*this, ToCodeGen, ToNotCodeGen.get());
1022
1023  SmallString<128> TestModuleBC;
1024  int TestModuleFD;
1025  std::error_code EC = sys::fs::createTemporaryFile("bugpoint.test", "bc",
1026                                                    TestModuleFD, TestModuleBC);
1027  if (EC) {
1028    errs() << getToolName() << "Error making unique filename: "
1029           << EC.message() << "\n";
1030    exit(1);
1031  }
1032
1033  if (writeProgramToFile(TestModuleBC.str(), TestModuleFD, ToCodeGen.get())) {
1034    errs() << "Error writing bitcode to `" << TestModuleBC
1035           << "'\nExiting.";
1036    exit(1);
1037  }
1038
1039  // Make the shared library
1040  SmallString<128> SafeModuleBC;
1041  int SafeModuleFD;
1042  EC = sys::fs::createTemporaryFile("bugpoint.safe", "bc", SafeModuleFD,
1043                                    SafeModuleBC);
1044  if (EC) {
1045    errs() << getToolName() << "Error making unique filename: "
1046           << EC.message() << "\n";
1047    exit(1);
1048  }
1049
1050  if (writeProgramToFile(SafeModuleBC.str(), SafeModuleFD,
1051                         ToNotCodeGen.get())) {
1052    errs() << "Error writing bitcode to `" << SafeModuleBC
1053           << "'\nExiting.";
1054    exit(1);
1055  }
1056  std::string SharedObject = compileSharedObject(SafeModuleBC.str(), *Error);
1057  if (!Error->empty())
1058    return true;
1059
1060  outs() << "You can reproduce the problem with the command line: \n";
1061  if (isExecutingJIT()) {
1062    outs() << "  lli -load " << SharedObject << " " << TestModuleBC;
1063  } else {
1064    outs() << "  llc " << TestModuleBC << " -o " << TestModuleBC
1065           << ".s\n";
1066    outs() << "  cc " << SharedObject << " " << TestModuleBC.str()
1067              << ".s -o " << TestModuleBC << ".exe";
1068#if defined (HAVE_LINK_R)
1069    outs() << " -Wl,-R.";
1070#endif
1071    outs() << "\n";
1072    outs() << "  " << TestModuleBC << ".exe";
1073  }
1074  for (unsigned i = 0, e = InputArgv.size(); i != e; ++i)
1075    outs() << " " << InputArgv[i];
1076  outs() << '\n';
1077  outs() << "The shared object was created with:\n  llc -march=c "
1078         << SafeModuleBC.str() << " -o temporary.c\n"
1079         << "  cc -xc temporary.c -O2 -o " << SharedObject;
1080  if (TargetTriple.getArch() == Triple::sparc)
1081    outs() << " -G";              // Compile a shared library, `-G' for Sparc
1082  else
1083    outs() << " -fPIC -shared";   // `-shared' for Linux/X86, maybe others
1084
1085  outs() << " -fno-strict-aliasing\n";
1086
1087  return false;
1088}
1089