1 //===- CrashDebugger.cpp - Debug compilation crashes ----------------------===// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // This file defines the bugpoint internals that narrow down compilation crashes 11 // 12 //===----------------------------------------------------------------------===// 13 14 #include "BugDriver.h" 15 #include "ListReducer.h" 16 #include "ToolRunner.h" 17 #include "llvm/Analysis/TargetTransformInfo.h" 18 #include "llvm/ADT/SmallPtrSet.h" 19 #include "llvm/ADT/StringSet.h" 20 #include "llvm/IR/CFG.h" 21 #include "llvm/IR/Constants.h" 22 #include "llvm/IR/DerivedTypes.h" 23 #include "llvm/IR/Instructions.h" 24 #include "llvm/IR/LegacyPassManager.h" 25 #include "llvm/IR/Module.h" 26 #include "llvm/IR/ValueSymbolTable.h" 27 #include "llvm/IR/Verifier.h" 28 #include "llvm/Pass.h" 29 #include "llvm/Support/CommandLine.h" 30 #include "llvm/Support/FileUtilities.h" 31 #include "llvm/Transforms/Scalar.h" 32 #include "llvm/Transforms/Utils/BasicBlockUtils.h" 33 #include "llvm/Transforms/Utils/Cloning.h" 34 #include "llvm/Transforms/Utils/Local.h" 35 #include <set> 36 using namespace llvm; 37 38 namespace { 39 cl::opt<bool> 40 KeepMain("keep-main", 41 cl::desc("Force function reduction to keep main"), 42 cl::init(false)); 43 cl::opt<bool> 44 NoGlobalRM ("disable-global-remove", 45 cl::desc("Do not remove global variables"), 46 cl::init(false)); 47 48 cl::opt<bool> 49 ReplaceFuncsWithNull("replace-funcs-with-null", 50 cl::desc("When stubbing functions, replace all uses will null"), 51 cl::init(false)); 52 cl::opt<bool> 53 DontReducePassList("disable-pass-list-reduction", 54 cl::desc("Skip pass list reduction steps"), 55 cl::init(false)); 56 57 cl::opt<bool> NoNamedMDRM("disable-namedmd-remove", 58 cl::desc("Do not remove global named metadata"), 59 cl::init(false)); 60 cl::opt<bool> VerboseErrors("verbose-errors", 61 cl::desc("Print the output of crashing program"), 62 cl::init(false)); 63 } 64 65 namespace llvm { 66 class ReducePassList : public ListReducer<std::string> { 67 BugDriver &BD; 68 public: 69 ReducePassList(BugDriver &bd) : BD(bd) {} 70 71 // doTest - Return true iff running the "removed" passes succeeds, and 72 // running the "Kept" passes fail when run on the output of the "removed" 73 // passes. If we return true, we update the current module of bugpoint. 74 // 75 TestResult doTest(std::vector<std::string> &Removed, 76 std::vector<std::string> &Kept, 77 std::string &Error) override; 78 }; 79 } 80 81 ReducePassList::TestResult 82 ReducePassList::doTest(std::vector<std::string> &Prefix, 83 std::vector<std::string> &Suffix, 84 std::string &Error) { 85 std::string PrefixOutput; 86 Module *OrigProgram = nullptr; 87 if (!Prefix.empty()) { 88 outs() << "Checking to see if these passes crash: " 89 << getPassesString(Prefix) << ": "; 90 if (BD.runPasses(BD.getProgram(), Prefix, PrefixOutput)) 91 return KeepPrefix; 92 93 OrigProgram = BD.Program; 94 95 BD.Program = parseInputFile(PrefixOutput, BD.getContext()).release(); 96 if (BD.Program == nullptr) { 97 errs() << BD.getToolName() << ": Error reading bitcode file '" 98 << PrefixOutput << "'!\n"; 99 exit(1); 100 } 101 sys::fs::remove(PrefixOutput); 102 } 103 104 outs() << "Checking to see if these passes crash: " 105 << getPassesString(Suffix) << ": "; 106 107 if (BD.runPasses(BD.getProgram(), Suffix)) { 108 delete OrigProgram; // The suffix crashes alone... 109 return KeepSuffix; 110 } 111 112 // Nothing failed, restore state... 113 if (OrigProgram) { 114 delete BD.Program; 115 BD.Program = OrigProgram; 116 } 117 return NoFailure; 118 } 119 120 namespace { 121 /// ReduceCrashingGlobalVariables - This works by removing the global 122 /// variable's initializer and seeing if the program still crashes. If it 123 /// does, then we keep that program and try again. 124 /// 125 class ReduceCrashingGlobalVariables : public ListReducer<GlobalVariable*> { 126 BugDriver &BD; 127 bool (*TestFn)(const BugDriver &, Module *); 128 public: 129 ReduceCrashingGlobalVariables(BugDriver &bd, 130 bool (*testFn)(const BugDriver &, Module *)) 131 : BD(bd), TestFn(testFn) {} 132 133 TestResult doTest(std::vector<GlobalVariable*> &Prefix, 134 std::vector<GlobalVariable*> &Kept, 135 std::string &Error) override { 136 if (!Kept.empty() && TestGlobalVariables(Kept)) 137 return KeepSuffix; 138 if (!Prefix.empty() && TestGlobalVariables(Prefix)) 139 return KeepPrefix; 140 return NoFailure; 141 } 142 143 bool TestGlobalVariables(std::vector<GlobalVariable*> &GVs); 144 }; 145 } 146 147 bool 148 ReduceCrashingGlobalVariables::TestGlobalVariables( 149 std::vector<GlobalVariable*> &GVs) { 150 // Clone the program to try hacking it apart... 151 ValueToValueMapTy VMap; 152 Module *M = CloneModule(BD.getProgram(), VMap).release(); 153 154 // Convert list to set for fast lookup... 155 std::set<GlobalVariable*> GVSet; 156 157 for (unsigned i = 0, e = GVs.size(); i != e; ++i) { 158 GlobalVariable* CMGV = cast<GlobalVariable>(VMap[GVs[i]]); 159 assert(CMGV && "Global Variable not in module?!"); 160 GVSet.insert(CMGV); 161 } 162 163 outs() << "Checking for crash with only these global variables: "; 164 PrintGlobalVariableList(GVs); 165 outs() << ": "; 166 167 // Loop over and delete any global variables which we aren't supposed to be 168 // playing with... 169 for (GlobalVariable &I : M->globals()) 170 if (I.hasInitializer() && !GVSet.count(&I)) { 171 DeleteGlobalInitializer(&I); 172 I.setLinkage(GlobalValue::ExternalLinkage); 173 I.setComdat(nullptr); 174 } 175 176 // Try running the hacked up program... 177 if (TestFn(BD, M)) { 178 BD.setNewProgram(M); // It crashed, keep the trimmed version... 179 180 // Make sure to use global variable pointers that point into the now-current 181 // module. 182 GVs.assign(GVSet.begin(), GVSet.end()); 183 return true; 184 } 185 186 delete M; 187 return false; 188 } 189 190 namespace { 191 /// ReduceCrashingFunctions reducer - This works by removing functions and 192 /// seeing if the program still crashes. If it does, then keep the newer, 193 /// smaller program. 194 /// 195 class ReduceCrashingFunctions : public ListReducer<Function*> { 196 BugDriver &BD; 197 bool (*TestFn)(const BugDriver &, Module *); 198 public: 199 ReduceCrashingFunctions(BugDriver &bd, 200 bool (*testFn)(const BugDriver &, Module *)) 201 : BD(bd), TestFn(testFn) {} 202 203 TestResult doTest(std::vector<Function*> &Prefix, 204 std::vector<Function*> &Kept, 205 std::string &Error) override { 206 if (!Kept.empty() && TestFuncs(Kept)) 207 return KeepSuffix; 208 if (!Prefix.empty() && TestFuncs(Prefix)) 209 return KeepPrefix; 210 return NoFailure; 211 } 212 213 bool TestFuncs(std::vector<Function*> &Prefix); 214 }; 215 } 216 217 static void RemoveFunctionReferences(Module *M, const char* Name) { 218 auto *UsedVar = M->getGlobalVariable(Name, true); 219 if (!UsedVar || !UsedVar->hasInitializer()) return; 220 if (isa<ConstantAggregateZero>(UsedVar->getInitializer())) { 221 assert(UsedVar->use_empty()); 222 UsedVar->eraseFromParent(); 223 return; 224 } 225 auto *OldUsedVal = cast<ConstantArray>(UsedVar->getInitializer()); 226 std::vector<Constant*> Used; 227 for(Value *V : OldUsedVal->operand_values()) { 228 Constant *Op = cast<Constant>(V->stripPointerCasts()); 229 if(!Op->isNullValue()) { 230 Used.push_back(cast<Constant>(V)); 231 } 232 } 233 auto *NewValElemTy = OldUsedVal->getType()->getElementType(); 234 auto *NewValTy = ArrayType::get(NewValElemTy, Used.size()); 235 auto *NewUsedVal = ConstantArray::get(NewValTy, Used); 236 UsedVar->mutateType(NewUsedVal->getType()->getPointerTo()); 237 UsedVar->setInitializer(NewUsedVal); 238 } 239 240 bool ReduceCrashingFunctions::TestFuncs(std::vector<Function*> &Funcs) { 241 // If main isn't present, claim there is no problem. 242 if (KeepMain && !is_contained(Funcs, BD.getProgram()->getFunction("main"))) 243 return false; 244 245 // Clone the program to try hacking it apart... 246 ValueToValueMapTy VMap; 247 Module *M = CloneModule(BD.getProgram(), VMap).release(); 248 249 // Convert list to set for fast lookup... 250 std::set<Function*> Functions; 251 for (unsigned i = 0, e = Funcs.size(); i != e; ++i) { 252 Function *CMF = cast<Function>(VMap[Funcs[i]]); 253 assert(CMF && "Function not in module?!"); 254 assert(CMF->getFunctionType() == Funcs[i]->getFunctionType() && "wrong ty"); 255 assert(CMF->getName() == Funcs[i]->getName() && "wrong name"); 256 Functions.insert(CMF); 257 } 258 259 outs() << "Checking for crash with only these functions: "; 260 PrintFunctionList(Funcs); 261 outs() << ": "; 262 if (!ReplaceFuncsWithNull) { 263 // Loop over and delete any functions which we aren't supposed to be playing 264 // with... 265 for (Function &I : *M) 266 if (!I.isDeclaration() && !Functions.count(&I)) 267 DeleteFunctionBody(&I); 268 } else { 269 std::vector<GlobalValue*> ToRemove; 270 // First, remove aliases to functions we're about to purge. 271 for (GlobalAlias &Alias : M->aliases()) { 272 GlobalObject *Root = Alias.getBaseObject(); 273 Function *F = dyn_cast_or_null<Function>(Root); 274 if (F) { 275 if (Functions.count(F)) 276 // We're keeping this function. 277 continue; 278 } else if (Root->isNullValue()) { 279 // This referenced a globalalias that we've already replaced, 280 // so we still need to replace this alias. 281 } else if (!F) { 282 // Not a function, therefore not something we mess with. 283 continue; 284 } 285 286 PointerType *Ty = cast<PointerType>(Alias.getType()); 287 Constant *Replacement = ConstantPointerNull::get(Ty); 288 Alias.replaceAllUsesWith(Replacement); 289 ToRemove.push_back(&Alias); 290 } 291 292 for (Function &I : *M) { 293 if (!I.isDeclaration() && !Functions.count(&I)) { 294 PointerType *Ty = cast<PointerType>(I.getType()); 295 Constant *Replacement = ConstantPointerNull::get(Ty); 296 I.replaceAllUsesWith(Replacement); 297 ToRemove.push_back(&I); 298 } 299 } 300 301 for (auto *F : ToRemove) { 302 F->eraseFromParent(); 303 } 304 305 // Finally, remove any null members from any global intrinsic. 306 RemoveFunctionReferences(M, "llvm.used"); 307 RemoveFunctionReferences(M, "llvm.compiler.used"); 308 } 309 // Try running the hacked up program... 310 if (TestFn(BD, M)) { 311 BD.setNewProgram(M); // It crashed, keep the trimmed version... 312 313 // Make sure to use function pointers that point into the now-current 314 // module. 315 Funcs.assign(Functions.begin(), Functions.end()); 316 return true; 317 } 318 delete M; 319 return false; 320 } 321 322 namespace { 323 /// Simplify the CFG without completely destroying it. 324 /// This is not well defined, but basically comes down to "try to eliminate 325 /// unreachable blocks and constant fold terminators without deciding that 326 /// certain undefined behavior cuts off the program at the legs". 327 void simpleSimplifyCfg(Function &F, SmallVectorImpl<BasicBlock *> &BBs) { 328 if (F.empty()) 329 return; 330 331 for (auto *BB : BBs) { 332 ConstantFoldTerminator(BB); 333 MergeBlockIntoPredecessor(BB); 334 } 335 336 // Remove unreachable blocks 337 // removeUnreachableBlocks can't be used here, it will turn various 338 // undefined behavior into unreachables, but bugpoint was the thing that 339 // generated the undefined behavior, and we don't want it to kill the entire 340 // program. 341 SmallPtrSet<BasicBlock *, 16> Visited; 342 for (auto *BB : depth_first(&F.getEntryBlock())) 343 Visited.insert(BB); 344 345 SmallVector<BasicBlock *, 16> Unreachable; 346 for (auto &BB : F) 347 if (!Visited.count(&BB)) 348 Unreachable.push_back(&BB); 349 350 // The dead BB's may be in a dead cycle or otherwise have references to each 351 // other. Because of this, we have to drop all references first, then delete 352 // them all at once. 353 for (auto *BB : Unreachable) { 354 for (BasicBlock *Successor : successors(&*BB)) 355 if (Visited.count(Successor)) 356 Successor->removePredecessor(&*BB); 357 BB->dropAllReferences(); 358 } 359 for (auto *BB : Unreachable) 360 BB->eraseFromParent(); 361 } 362 /// ReduceCrashingBlocks reducer - This works by setting the terminators of 363 /// all terminators except the specified basic blocks to a 'ret' instruction, 364 /// then running the simplify-cfg pass. This has the effect of chopping up 365 /// the CFG really fast which can reduce large functions quickly. 366 /// 367 class ReduceCrashingBlocks : public ListReducer<const BasicBlock*> { 368 BugDriver &BD; 369 bool (*TestFn)(const BugDriver &, Module *); 370 public: 371 ReduceCrashingBlocks(BugDriver &BD, 372 bool (*testFn)(const BugDriver &, Module *)) 373 : BD(BD), TestFn(testFn) {} 374 375 TestResult doTest(std::vector<const BasicBlock*> &Prefix, 376 std::vector<const BasicBlock*> &Kept, 377 std::string &Error) override { 378 if (!Kept.empty() && TestBlocks(Kept)) 379 return KeepSuffix; 380 if (!Prefix.empty() && TestBlocks(Prefix)) 381 return KeepPrefix; 382 return NoFailure; 383 } 384 385 bool TestBlocks(std::vector<const BasicBlock*> &Prefix); 386 }; 387 } 388 389 bool ReduceCrashingBlocks::TestBlocks(std::vector<const BasicBlock*> &BBs) { 390 // Clone the program to try hacking it apart... 391 ValueToValueMapTy VMap; 392 Module *M = CloneModule(BD.getProgram(), VMap).release(); 393 394 // Convert list to set for fast lookup... 395 SmallPtrSet<BasicBlock*, 8> Blocks; 396 for (unsigned i = 0, e = BBs.size(); i != e; ++i) 397 Blocks.insert(cast<BasicBlock>(VMap[BBs[i]])); 398 399 outs() << "Checking for crash with only these blocks:"; 400 unsigned NumPrint = Blocks.size(); 401 if (NumPrint > 10) NumPrint = 10; 402 for (unsigned i = 0, e = NumPrint; i != e; ++i) 403 outs() << " " << BBs[i]->getName(); 404 if (NumPrint < Blocks.size()) 405 outs() << "... <" << Blocks.size() << " total>"; 406 outs() << ": "; 407 408 // Loop over and delete any hack up any blocks that are not listed... 409 for (Module::iterator I = M->begin(), E = M->end(); I != E; ++I) 410 for (Function::iterator BB = I->begin(), E = I->end(); BB != E; ++BB) 411 if (!Blocks.count(&*BB) && BB->getTerminator()->getNumSuccessors()) { 412 // Loop over all of the successors of this block, deleting any PHI nodes 413 // that might include it. 414 for (succ_iterator SI = succ_begin(&*BB), E = succ_end(&*BB); SI != E; 415 ++SI) 416 (*SI)->removePredecessor(&*BB); 417 418 TerminatorInst *BBTerm = BB->getTerminator(); 419 if (BBTerm->isEHPad() || BBTerm->getType()->isTokenTy()) 420 continue; 421 if (!BBTerm->getType()->isVoidTy()) 422 BBTerm->replaceAllUsesWith(Constant::getNullValue(BBTerm->getType())); 423 424 // Replace the old terminator instruction. 425 BB->getInstList().pop_back(); 426 new UnreachableInst(BB->getContext(), &*BB); 427 } 428 429 // The CFG Simplifier pass may delete one of the basic blocks we are 430 // interested in. If it does we need to take the block out of the list. Make 431 // a "persistent mapping" by turning basic blocks into <function, name> pairs. 432 // This won't work well if blocks are unnamed, but that is just the risk we 433 // have to take. 434 std::vector<std::pair<std::string, std::string> > BlockInfo; 435 436 for (BasicBlock *BB : Blocks) 437 BlockInfo.emplace_back(BB->getParent()->getName(), BB->getName()); 438 439 SmallVector<BasicBlock *, 16> ToProcess; 440 for (auto &F :*M) { 441 for (auto &BB : F) 442 if (!Blocks.count(&BB)) 443 ToProcess.push_back(&BB); 444 simpleSimplifyCfg(F, ToProcess); 445 ToProcess.clear(); 446 } 447 // Verify we didn't break anything 448 std::vector<std::string> Passes; 449 Passes.push_back("verify"); 450 std::unique_ptr<Module> New = BD.runPassesOn(M, Passes); 451 delete M; 452 if (!New) { 453 errs() << "verify failed!\n"; 454 exit(1); 455 } 456 M = New.release(); 457 458 // Try running on the hacked up program... 459 if (TestFn(BD, M)) { 460 BD.setNewProgram(M); // It crashed, keep the trimmed version... 461 462 // Make sure to use basic block pointers that point into the now-current 463 // module, and that they don't include any deleted blocks. 464 BBs.clear(); 465 const ValueSymbolTable &GST = M->getValueSymbolTable(); 466 for (unsigned i = 0, e = BlockInfo.size(); i != e; ++i) { 467 Function *F = cast<Function>(GST.lookup(BlockInfo[i].first)); 468 ValueSymbolTable &ST = F->getValueSymbolTable(); 469 Value* V = ST.lookup(BlockInfo[i].second); 470 if (V && V->getType() == Type::getLabelTy(V->getContext())) 471 BBs.push_back(cast<BasicBlock>(V)); 472 } 473 return true; 474 } 475 delete M; // It didn't crash, try something else. 476 return false; 477 } 478 479 namespace { 480 /// ReduceCrashingConditionals reducer - This works by changing 481 /// conditional branches to unconditional ones, then simplifying the CFG 482 /// This has the effect of chopping up the CFG really fast which can reduce 483 /// large functions quickly. 484 /// 485 class ReduceCrashingConditionals : public ListReducer<const BasicBlock *> { 486 BugDriver &BD; 487 bool (*TestFn)(const BugDriver &, Module *); 488 bool Direction; 489 490 public: 491 ReduceCrashingConditionals(BugDriver &bd, 492 bool (*testFn)(const BugDriver &, Module *), 493 bool Direction) 494 : BD(bd), TestFn(testFn), Direction(Direction) {} 495 496 TestResult doTest(std::vector<const BasicBlock *> &Prefix, 497 std::vector<const BasicBlock *> &Kept, 498 std::string &Error) override { 499 if (!Kept.empty() && TestBlocks(Kept)) 500 return KeepSuffix; 501 if (!Prefix.empty() && TestBlocks(Prefix)) 502 return KeepPrefix; 503 return NoFailure; 504 } 505 506 bool TestBlocks(std::vector<const BasicBlock *> &Prefix); 507 }; 508 } 509 510 bool ReduceCrashingConditionals::TestBlocks( 511 std::vector<const BasicBlock *> &BBs) { 512 // Clone the program to try hacking it apart... 513 ValueToValueMapTy VMap; 514 Module *M = CloneModule(BD.getProgram(), VMap).release(); 515 516 // Convert list to set for fast lookup... 517 SmallPtrSet<const BasicBlock *, 8> Blocks; 518 for (const auto *BB: BBs) 519 Blocks.insert(cast<BasicBlock>(VMap[BB])); 520 521 outs() << "Checking for crash with changing conditionals to always jump to " 522 << (Direction ? "true" : "false") << ":"; 523 unsigned NumPrint = Blocks.size(); 524 if (NumPrint > 10) 525 NumPrint = 10; 526 for (unsigned i = 0, e = NumPrint; i != e; ++i) 527 outs() << " " << BBs[i]->getName(); 528 if (NumPrint < Blocks.size()) 529 outs() << "... <" << Blocks.size() << " total>"; 530 outs() << ": "; 531 532 // Loop over and delete any hack up any blocks that are not listed... 533 for (auto &F: *M) 534 for (auto &BB : F) 535 if (!Blocks.count(&BB)) { 536 auto *BR = dyn_cast<BranchInst>(BB.getTerminator()); 537 if (!BR || !BR->isConditional()) 538 continue; 539 if (Direction) 540 BR->setCondition(ConstantInt::getTrue(BR->getContext())); 541 else 542 BR->setCondition(ConstantInt::getFalse(BR->getContext())); 543 } 544 545 // The following may destroy some blocks, so we save them first 546 std::vector<std::pair<std::string, std::string>> BlockInfo; 547 548 for (const BasicBlock *BB : Blocks) 549 BlockInfo.emplace_back(BB->getParent()->getName(), BB->getName()); 550 551 SmallVector<BasicBlock *, 16> ToProcess; 552 for (auto &F :*M) { 553 for (auto &BB : F) 554 if (!Blocks.count(&BB)) 555 ToProcess.push_back(&BB); 556 simpleSimplifyCfg(F, ToProcess); 557 ToProcess.clear(); 558 } 559 // Verify we didn't break anything 560 std::vector<std::string> Passes; 561 Passes.push_back("verify"); 562 std::unique_ptr<Module> New = BD.runPassesOn(M, Passes); 563 delete M; 564 if (!New) { 565 errs() << "verify failed!\n"; 566 exit(1); 567 } 568 M = New.release(); 569 570 // Try running on the hacked up program... 571 if (TestFn(BD, M)) { 572 BD.setNewProgram(M); // It crashed, keep the trimmed version... 573 574 // Make sure to use basic block pointers that point into the now-current 575 // module, and that they don't include any deleted blocks. 576 BBs.clear(); 577 const ValueSymbolTable &GST = M->getValueSymbolTable(); 578 for (auto &BI : BlockInfo) { 579 auto *F = cast<Function>(GST.lookup(BI.first)); 580 ValueSymbolTable &ST = F->getValueSymbolTable(); 581 Value *V = ST.lookup(BI.second); 582 if (V && V->getType() == Type::getLabelTy(V->getContext())) 583 BBs.push_back(cast<BasicBlock>(V)); 584 } 585 return true; 586 } 587 delete M; // It didn't crash, try something else. 588 return false; 589 } 590 591 namespace { 592 /// SimplifyCFG reducer - This works by calling SimplifyCFG on each basic block 593 /// in the program. 594 595 class ReduceSimplifyCFG : public ListReducer<const BasicBlock *> { 596 BugDriver &BD; 597 bool (*TestFn)(const BugDriver &, Module *); 598 TargetTransformInfo TTI; 599 600 public: 601 ReduceSimplifyCFG(BugDriver &bd, 602 bool (*testFn)(const BugDriver &, Module *)) 603 : BD(bd), TestFn(testFn), TTI(bd.getProgram()->getDataLayout()) 604 {} 605 606 TestResult doTest(std::vector<const BasicBlock *> &Prefix, 607 std::vector<const BasicBlock *> &Kept, 608 std::string &Error) override { 609 if (!Kept.empty() && TestBlocks(Kept)) 610 return KeepSuffix; 611 if (!Prefix.empty() && TestBlocks(Prefix)) 612 return KeepPrefix; 613 return NoFailure; 614 } 615 616 bool TestBlocks(std::vector<const BasicBlock *> &Prefix); 617 }; 618 } 619 620 bool ReduceSimplifyCFG::TestBlocks( 621 std::vector<const BasicBlock *> &BBs) { 622 // Clone the program to try hacking it apart... 623 ValueToValueMapTy VMap; 624 Module *M = CloneModule(BD.getProgram(), VMap).release(); 625 626 // Convert list to set for fast lookup... 627 SmallPtrSet<const BasicBlock *, 8> Blocks; 628 for (const auto *BB: BBs) 629 Blocks.insert(cast<BasicBlock>(VMap[BB])); 630 631 outs() << "Checking for crash with CFG simplifying:"; 632 unsigned NumPrint = Blocks.size(); 633 if (NumPrint > 10) 634 NumPrint = 10; 635 for (unsigned i = 0, e = NumPrint; i != e; ++i) 636 outs() << " " << BBs[i]->getName(); 637 if (NumPrint < Blocks.size()) 638 outs() << "... <" << Blocks.size() << " total>"; 639 outs() << ": "; 640 641 // The following may destroy some blocks, so we save them first 642 std::vector<std::pair<std::string, std::string>> BlockInfo; 643 644 for (const BasicBlock *BB : Blocks) 645 BlockInfo.emplace_back(BB->getParent()->getName(), BB->getName()); 646 647 648 // Loop over and delete any hack up any blocks that are not listed... 649 for (auto &F: *M) 650 // Loop over all of the basic blocks and remove them if they are unneeded. 651 for (Function::iterator BBIt = F.begin(); BBIt != F.end(); ) { 652 if (!Blocks.count(&*BBIt)) { 653 ++BBIt; 654 continue; 655 } 656 SimplifyCFG(&*BBIt++, TTI, 1); 657 } 658 // Verify we didn't break anything 659 std::vector<std::string> Passes; 660 Passes.push_back("verify"); 661 std::unique_ptr<Module> New = BD.runPassesOn(M, Passes); 662 delete M; 663 if (!New) { 664 errs() << "verify failed!\n"; 665 exit(1); 666 } 667 M = New.release(); 668 669 // Try running on the hacked up program... 670 if (TestFn(BD, M)) { 671 BD.setNewProgram(M); // It crashed, keep the trimmed version... 672 673 // Make sure to use basic block pointers that point into the now-current 674 // module, and that they don't include any deleted blocks. 675 BBs.clear(); 676 const ValueSymbolTable &GST = M->getValueSymbolTable(); 677 for (auto &BI : BlockInfo){ 678 auto *F = cast<Function>(GST.lookup(BI.first)); 679 ValueSymbolTable &ST = F->getValueSymbolTable(); 680 Value *V = ST.lookup(BI.second); 681 if (V && V->getType() == Type::getLabelTy(V->getContext())) 682 BBs.push_back(cast<BasicBlock>(V)); 683 } 684 return true; 685 } 686 delete M; // It didn't crash, try something else. 687 return false; 688 } 689 690 namespace { 691 /// ReduceCrashingInstructions reducer - This works by removing the specified 692 /// non-terminator instructions and replacing them with undef. 693 /// 694 class ReduceCrashingInstructions : public ListReducer<const Instruction*> { 695 BugDriver &BD; 696 bool (*TestFn)(const BugDriver &, Module *); 697 public: 698 ReduceCrashingInstructions(BugDriver &bd, 699 bool (*testFn)(const BugDriver &, Module *)) 700 : BD(bd), TestFn(testFn) {} 701 702 TestResult doTest(std::vector<const Instruction*> &Prefix, 703 std::vector<const Instruction*> &Kept, 704 std::string &Error) override { 705 if (!Kept.empty() && TestInsts(Kept)) 706 return KeepSuffix; 707 if (!Prefix.empty() && TestInsts(Prefix)) 708 return KeepPrefix; 709 return NoFailure; 710 } 711 712 bool TestInsts(std::vector<const Instruction*> &Prefix); 713 }; 714 } 715 716 bool ReduceCrashingInstructions::TestInsts(std::vector<const Instruction*> 717 &Insts) { 718 // Clone the program to try hacking it apart... 719 ValueToValueMapTy VMap; 720 Module *M = CloneModule(BD.getProgram(), VMap).release(); 721 722 // Convert list to set for fast lookup... 723 SmallPtrSet<Instruction*, 32> Instructions; 724 for (unsigned i = 0, e = Insts.size(); i != e; ++i) { 725 assert(!isa<TerminatorInst>(Insts[i])); 726 Instructions.insert(cast<Instruction>(VMap[Insts[i]])); 727 } 728 729 outs() << "Checking for crash with only " << Instructions.size(); 730 if (Instructions.size() == 1) 731 outs() << " instruction: "; 732 else 733 outs() << " instructions: "; 734 735 for (Module::iterator MI = M->begin(), ME = M->end(); MI != ME; ++MI) 736 for (Function::iterator FI = MI->begin(), FE = MI->end(); FI != FE; ++FI) 737 for (BasicBlock::iterator I = FI->begin(), E = FI->end(); I != E;) { 738 Instruction *Inst = &*I++; 739 if (!Instructions.count(Inst) && !isa<TerminatorInst>(Inst) && 740 !Inst->isEHPad() && !Inst->getType()->isTokenTy()) { 741 if (!Inst->getType()->isVoidTy()) 742 Inst->replaceAllUsesWith(UndefValue::get(Inst->getType())); 743 Inst->eraseFromParent(); 744 } 745 } 746 747 // Verify that this is still valid. 748 legacy::PassManager Passes; 749 Passes.add(createVerifierPass()); 750 Passes.run(*M); 751 752 // Try running on the hacked up program... 753 if (TestFn(BD, M)) { 754 BD.setNewProgram(M); // It crashed, keep the trimmed version... 755 756 // Make sure to use instruction pointers that point into the now-current 757 // module, and that they don't include any deleted blocks. 758 Insts.clear(); 759 for (Instruction *Inst : Instructions) 760 Insts.push_back(Inst); 761 return true; 762 } 763 delete M; // It didn't crash, try something else. 764 return false; 765 } 766 767 namespace { 768 // Reduce the list of Named Metadata nodes. We keep this as a list of 769 // names to avoid having to convert back and forth every time. 770 class ReduceCrashingNamedMD : public ListReducer<std::string> { 771 BugDriver &BD; 772 bool (*TestFn)(const BugDriver &, Module *); 773 774 public: 775 ReduceCrashingNamedMD(BugDriver &bd, 776 bool (*testFn)(const BugDriver &, Module *)) 777 : BD(bd), TestFn(testFn) {} 778 779 TestResult doTest(std::vector<std::string> &Prefix, 780 std::vector<std::string> &Kept, 781 std::string &Error) override { 782 if (!Kept.empty() && TestNamedMDs(Kept)) 783 return KeepSuffix; 784 if (!Prefix.empty() && TestNamedMDs(Prefix)) 785 return KeepPrefix; 786 return NoFailure; 787 } 788 789 bool TestNamedMDs(std::vector<std::string> &NamedMDs); 790 }; 791 } 792 793 bool ReduceCrashingNamedMD::TestNamedMDs(std::vector<std::string> &NamedMDs) { 794 795 ValueToValueMapTy VMap; 796 Module *M = CloneModule(BD.getProgram(), VMap).release(); 797 798 outs() << "Checking for crash with only these named metadata nodes:"; 799 unsigned NumPrint = std::min<size_t>(NamedMDs.size(), 10); 800 for (unsigned i = 0, e = NumPrint; i != e; ++i) 801 outs() << " " << NamedMDs[i]; 802 if (NumPrint < NamedMDs.size()) 803 outs() << "... <" << NamedMDs.size() << " total>"; 804 outs() << ": "; 805 806 // Make a StringMap for faster lookup 807 StringSet<> Names; 808 for (const std::string &Name : NamedMDs) 809 Names.insert(Name); 810 811 // First collect all the metadata to delete in a vector, then 812 // delete them all at once to avoid invalidating the iterator 813 std::vector<NamedMDNode *> ToDelete; 814 ToDelete.reserve(M->named_metadata_size() - Names.size()); 815 for (auto &NamedMD : M->named_metadata()) 816 // Always keep a nonempty llvm.dbg.cu because the Verifier would complain. 817 if (!Names.count(NamedMD.getName()) && 818 (!(NamedMD.getName() == "llvm.dbg.cu" && NamedMD.getNumOperands() > 0))) 819 ToDelete.push_back(&NamedMD); 820 821 for (auto *NamedMD : ToDelete) 822 NamedMD->eraseFromParent(); 823 824 // Verify that this is still valid. 825 legacy::PassManager Passes; 826 Passes.add(createVerifierPass()); 827 Passes.run(*M); 828 829 // Try running on the hacked up program... 830 if (TestFn(BD, M)) { 831 BD.setNewProgram(M); // It crashed, keep the trimmed version... 832 return true; 833 } 834 delete M; // It didn't crash, try something else. 835 return false; 836 } 837 838 namespace { 839 // Reduce the list of operands to named metadata nodes 840 class ReduceCrashingNamedMDOps : public ListReducer<const MDNode *> { 841 BugDriver &BD; 842 bool (*TestFn)(const BugDriver &, Module *); 843 844 public: 845 ReduceCrashingNamedMDOps(BugDriver &bd, 846 bool (*testFn)(const BugDriver &, Module *)) 847 : BD(bd), TestFn(testFn) {} 848 849 TestResult doTest(std::vector<const MDNode *> &Prefix, 850 std::vector<const MDNode *> &Kept, 851 std::string &Error) override { 852 if (!Kept.empty() && TestNamedMDOps(Kept)) 853 return KeepSuffix; 854 if (!Prefix.empty() && TestNamedMDOps(Prefix)) 855 return KeepPrefix; 856 return NoFailure; 857 } 858 859 bool TestNamedMDOps(std::vector<const MDNode *> &NamedMDOps); 860 }; 861 } 862 863 bool ReduceCrashingNamedMDOps::TestNamedMDOps( 864 std::vector<const MDNode *> &NamedMDOps) { 865 // Convert list to set for fast lookup... 866 SmallPtrSet<const MDNode *, 32> OldMDNodeOps; 867 for (unsigned i = 0, e = NamedMDOps.size(); i != e; ++i) { 868 OldMDNodeOps.insert(NamedMDOps[i]); 869 } 870 871 outs() << "Checking for crash with only " << OldMDNodeOps.size(); 872 if (OldMDNodeOps.size() == 1) 873 outs() << " named metadata operand: "; 874 else 875 outs() << " named metadata operands: "; 876 877 ValueToValueMapTy VMap; 878 Module *M = CloneModule(BD.getProgram(), VMap).release(); 879 880 // This is a little wasteful. In the future it might be good if we could have 881 // these dropped during cloning. 882 for (auto &NamedMD : BD.getProgram()->named_metadata()) { 883 // Drop the old one and create a new one 884 M->eraseNamedMetadata(M->getNamedMetadata(NamedMD.getName())); 885 NamedMDNode *NewNamedMDNode = 886 M->getOrInsertNamedMetadata(NamedMD.getName()); 887 for (MDNode *op : NamedMD.operands()) 888 if (OldMDNodeOps.count(op)) 889 NewNamedMDNode->addOperand(cast<MDNode>(MapMetadata(op, VMap))); 890 } 891 892 // Verify that this is still valid. 893 legacy::PassManager Passes; 894 Passes.add(createVerifierPass()); 895 Passes.run(*M); 896 897 // Try running on the hacked up program... 898 if (TestFn(BD, M)) { 899 // Make sure to use instruction pointers that point into the now-current 900 // module, and that they don't include any deleted blocks. 901 NamedMDOps.clear(); 902 for (const MDNode *Node : OldMDNodeOps) 903 NamedMDOps.push_back(cast<MDNode>(*VMap.getMappedMD(Node))); 904 905 BD.setNewProgram(M); // It crashed, keep the trimmed version... 906 return true; 907 } 908 delete M; // It didn't crash, try something else. 909 return false; 910 } 911 912 static void ReduceGlobalInitializers(BugDriver &BD, 913 bool (*TestFn)(const BugDriver &, Module *), 914 std::string &Error) { 915 if (BD.getProgram()->global_begin() != BD.getProgram()->global_end()) { 916 // Now try to reduce the number of global variable initializers in the 917 // module to something small. 918 Module *M = CloneModule(BD.getProgram()).release(); 919 bool DeletedInit = false; 920 921 for (Module::global_iterator I = M->global_begin(), E = M->global_end(); 922 I != E; ++I) 923 if (I->hasInitializer()) { 924 DeleteGlobalInitializer(&*I); 925 I->setLinkage(GlobalValue::ExternalLinkage); 926 I->setComdat(nullptr); 927 DeletedInit = true; 928 } 929 930 if (!DeletedInit) { 931 delete M; // No change made... 932 } else { 933 // See if the program still causes a crash... 934 outs() << "\nChecking to see if we can delete global inits: "; 935 936 if (TestFn(BD, M)) { // Still crashes? 937 BD.setNewProgram(M); 938 outs() << "\n*** Able to remove all global initializers!\n"; 939 } else { // No longer crashes? 940 outs() << " - Removing all global inits hides problem!\n"; 941 delete M; 942 943 std::vector<GlobalVariable*> GVs; 944 945 for (Module::global_iterator I = BD.getProgram()->global_begin(), 946 E = BD.getProgram()->global_end(); I != E; ++I) 947 if (I->hasInitializer()) 948 GVs.push_back(&*I); 949 950 if (GVs.size() > 1 && !BugpointIsInterrupted) { 951 outs() << "\n*** Attempting to reduce the number of global " 952 << "variables in the testcase\n"; 953 954 unsigned OldSize = GVs.size(); 955 ReduceCrashingGlobalVariables(BD, TestFn).reduceList(GVs, Error); 956 assert(!Error.empty()); 957 958 if (GVs.size() < OldSize) 959 BD.EmitProgressBitcode(BD.getProgram(), "reduced-global-variables"); 960 } 961 } 962 } 963 } 964 } 965 966 static void ReduceInsts(BugDriver &BD, 967 bool (*TestFn)(const BugDriver &, Module *), 968 std::string &Error) { 969 // Attempt to delete instructions using bisection. This should help out nasty 970 // cases with large basic blocks where the problem is at one end. 971 if (!BugpointIsInterrupted) { 972 std::vector<const Instruction*> Insts; 973 for (const Function &F : *BD.getProgram()) 974 for (const BasicBlock &BB : F) 975 for (const Instruction &I : BB) 976 if (!isa<TerminatorInst>(&I)) 977 Insts.push_back(&I); 978 979 ReduceCrashingInstructions(BD, TestFn).reduceList(Insts, Error); 980 } 981 982 unsigned Simplification = 2; 983 do { 984 if (BugpointIsInterrupted) 985 return; 986 --Simplification; 987 outs() << "\n*** Attempting to reduce testcase by deleting instruc" 988 << "tions: Simplification Level #" << Simplification << '\n'; 989 990 // Now that we have deleted the functions that are unnecessary for the 991 // program, try to remove instructions that are not necessary to cause the 992 // crash. To do this, we loop through all of the instructions in the 993 // remaining functions, deleting them (replacing any values produced with 994 // nulls), and then running ADCE and SimplifyCFG. If the transformed input 995 // still triggers failure, keep deleting until we cannot trigger failure 996 // anymore. 997 // 998 unsigned InstructionsToSkipBeforeDeleting = 0; 999 TryAgain: 1000 1001 // Loop over all of the (non-terminator) instructions remaining in the 1002 // function, attempting to delete them. 1003 unsigned CurInstructionNum = 0; 1004 for (Module::const_iterator FI = BD.getProgram()->begin(), 1005 E = BD.getProgram()->end(); FI != E; ++FI) 1006 if (!FI->isDeclaration()) 1007 for (Function::const_iterator BI = FI->begin(), E = FI->end(); BI != E; 1008 ++BI) 1009 for (BasicBlock::const_iterator I = BI->begin(), E = --BI->end(); 1010 I != E; ++I, ++CurInstructionNum) { 1011 if (InstructionsToSkipBeforeDeleting) { 1012 --InstructionsToSkipBeforeDeleting; 1013 } else { 1014 if (BugpointIsInterrupted) 1015 return; 1016 1017 if (I->isEHPad() || I->getType()->isTokenTy()) 1018 continue; 1019 1020 outs() << "Checking instruction: " << *I; 1021 std::unique_ptr<Module> M = 1022 BD.deleteInstructionFromProgram(&*I, Simplification); 1023 1024 // Find out if the pass still crashes on this pass... 1025 if (TestFn(BD, M.get())) { 1026 // Yup, it does, we delete the old module, and continue trying 1027 // to reduce the testcase... 1028 BD.setNewProgram(M.release()); 1029 InstructionsToSkipBeforeDeleting = CurInstructionNum; 1030 goto TryAgain; // I wish I had a multi-level break here! 1031 } 1032 } 1033 } 1034 1035 if (InstructionsToSkipBeforeDeleting) { 1036 InstructionsToSkipBeforeDeleting = 0; 1037 goto TryAgain; 1038 } 1039 1040 } while (Simplification); 1041 BD.EmitProgressBitcode(BD.getProgram(), "reduced-instructions"); 1042 } 1043 1044 1045 /// DebugACrash - Given a predicate that determines whether a component crashes 1046 /// on a program, try to destructively reduce the program while still keeping 1047 /// the predicate true. 1048 static bool DebugACrash(BugDriver &BD, 1049 bool (*TestFn)(const BugDriver &, Module *), 1050 std::string &Error) { 1051 // See if we can get away with nuking some of the global variable initializers 1052 // in the program... 1053 if (!NoGlobalRM) 1054 ReduceGlobalInitializers(BD, TestFn, Error); 1055 1056 // Now try to reduce the number of functions in the module to something small. 1057 std::vector<Function*> Functions; 1058 for (Function &F : *BD.getProgram()) 1059 if (!F.isDeclaration()) 1060 Functions.push_back(&F); 1061 1062 if (Functions.size() > 1 && !BugpointIsInterrupted) { 1063 outs() << "\n*** Attempting to reduce the number of functions " 1064 "in the testcase\n"; 1065 1066 unsigned OldSize = Functions.size(); 1067 ReduceCrashingFunctions(BD, TestFn).reduceList(Functions, Error); 1068 1069 if (Functions.size() < OldSize) 1070 BD.EmitProgressBitcode(BD.getProgram(), "reduced-function"); 1071 } 1072 1073 // Attempt to change conditional branches into unconditional branches to 1074 // eliminate blocks. 1075 if (!DisableSimplifyCFG && !BugpointIsInterrupted) { 1076 std::vector<const BasicBlock*> Blocks; 1077 for (Function &F : *BD.getProgram()) 1078 for (BasicBlock &BB : F) 1079 Blocks.push_back(&BB); 1080 unsigned OldSize = Blocks.size(); 1081 ReduceCrashingConditionals(BD, TestFn, true).reduceList(Blocks, Error); 1082 ReduceCrashingConditionals(BD, TestFn, false).reduceList(Blocks, Error); 1083 if (Blocks.size() < OldSize) 1084 BD.EmitProgressBitcode(BD.getProgram(), "reduced-conditionals"); 1085 } 1086 1087 // Attempt to delete entire basic blocks at a time to speed up 1088 // convergence... this actually works by setting the terminator of the blocks 1089 // to a return instruction then running simplifycfg, which can potentially 1090 // shrinks the code dramatically quickly 1091 // 1092 if (!DisableSimplifyCFG && !BugpointIsInterrupted) { 1093 std::vector<const BasicBlock*> Blocks; 1094 for (Function &F : *BD.getProgram()) 1095 for (BasicBlock &BB : F) 1096 Blocks.push_back(&BB); 1097 unsigned OldSize = Blocks.size(); 1098 ReduceCrashingBlocks(BD, TestFn).reduceList(Blocks, Error); 1099 if (Blocks.size() < OldSize) 1100 BD.EmitProgressBitcode(BD.getProgram(), "reduced-blocks"); 1101 } 1102 1103 if (!DisableSimplifyCFG & !BugpointIsInterrupted) { 1104 std::vector<const BasicBlock*> Blocks; 1105 for (Function &F : *BD.getProgram()) 1106 for (BasicBlock &BB : F) 1107 Blocks.push_back(&BB); 1108 unsigned OldSize = Blocks.size(); 1109 ReduceSimplifyCFG(BD, TestFn).reduceList(Blocks, Error); 1110 if (Blocks.size() < OldSize) 1111 BD.EmitProgressBitcode(BD.getProgram(), "reduced-simplifycfg"); 1112 } 1113 1114 // Attempt to delete instructions using bisection. This should help out nasty 1115 // cases with large basic blocks where the problem is at one end. 1116 if (!BugpointIsInterrupted) 1117 ReduceInsts(BD, TestFn, Error); 1118 1119 if (!NoNamedMDRM) { 1120 if (!BugpointIsInterrupted) { 1121 // Try to reduce the amount of global metadata (particularly debug info), 1122 // by dropping global named metadata that anchors them 1123 outs() << "\n*** Attempting to remove named metadata: "; 1124 std::vector<std::string> NamedMDNames; 1125 for (auto &NamedMD : BD.getProgram()->named_metadata()) 1126 NamedMDNames.push_back(NamedMD.getName().str()); 1127 ReduceCrashingNamedMD(BD, TestFn).reduceList(NamedMDNames, Error); 1128 } 1129 1130 if (!BugpointIsInterrupted) { 1131 // Now that we quickly dropped all the named metadata that doesn't 1132 // contribute to the crash, bisect the operands of the remaining ones 1133 std::vector<const MDNode *> NamedMDOps; 1134 for (auto &NamedMD : BD.getProgram()->named_metadata()) 1135 for (auto op : NamedMD.operands()) 1136 NamedMDOps.push_back(op); 1137 ReduceCrashingNamedMDOps(BD, TestFn).reduceList(NamedMDOps, Error); 1138 } 1139 BD.EmitProgressBitcode(BD.getProgram(), "reduced-named-md"); 1140 } 1141 1142 // Try to clean up the testcase by running funcresolve and globaldce... 1143 if (!BugpointIsInterrupted) { 1144 outs() << "\n*** Attempting to perform final cleanups: "; 1145 Module *M = CloneModule(BD.getProgram()).release(); 1146 M = BD.performFinalCleanups(M, true).release(); 1147 1148 // Find out if the pass still crashes on the cleaned up program... 1149 if (TestFn(BD, M)) { 1150 BD.setNewProgram(M); // Yup, it does, keep the reduced version... 1151 } else { 1152 delete M; 1153 } 1154 } 1155 1156 BD.EmitProgressBitcode(BD.getProgram(), "reduced-simplified"); 1157 1158 return false; 1159 } 1160 1161 static bool TestForOptimizerCrash(const BugDriver &BD, Module *M) { 1162 return BD.runPasses(M, BD.getPassesToRun()); 1163 } 1164 1165 /// debugOptimizerCrash - This method is called when some pass crashes on input. 1166 /// It attempts to prune down the testcase to something reasonable, and figure 1167 /// out exactly which pass is crashing. 1168 /// 1169 bool BugDriver::debugOptimizerCrash(const std::string &ID) { 1170 outs() << "\n*** Debugging optimizer crash!\n"; 1171 1172 std::string Error; 1173 // Reduce the list of passes which causes the optimizer to crash... 1174 if (!BugpointIsInterrupted && !DontReducePassList) 1175 ReducePassList(*this).reduceList(PassesToRun, Error); 1176 assert(Error.empty()); 1177 1178 outs() << "\n*** Found crashing pass" 1179 << (PassesToRun.size() == 1 ? ": " : "es: ") 1180 << getPassesString(PassesToRun) << '\n'; 1181 1182 EmitProgressBitcode(Program, ID); 1183 1184 bool Success = DebugACrash(*this, TestForOptimizerCrash, Error); 1185 assert(Error.empty()); 1186 return Success; 1187 } 1188 1189 static bool TestForCodeGenCrash(const BugDriver &BD, Module *M) { 1190 std::string Error; 1191 BD.compileProgram(M, &Error); 1192 if (!Error.empty()) { 1193 if (VerboseErrors) 1194 errs() << Error << "\n"; 1195 else 1196 errs() << "<crash>\n"; 1197 return true; // Tool is still crashing. 1198 } 1199 errs() << '\n'; 1200 return false; 1201 } 1202 1203 /// debugCodeGeneratorCrash - This method is called when the code generator 1204 /// crashes on an input. It attempts to reduce the input as much as possible 1205 /// while still causing the code generator to crash. 1206 bool BugDriver::debugCodeGeneratorCrash(std::string &Error) { 1207 errs() << "*** Debugging code generator crash!\n"; 1208 1209 return DebugACrash(*this, TestForCodeGenCrash, Error); 1210 } 1211