1 //===- CrashDebugger.cpp - Debug compilation crashes ----------------------===// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // This file defines the bugpoint internals that narrow down compilation crashes 11 // 12 //===----------------------------------------------------------------------===// 13 14 #include "BugDriver.h" 15 #include "ListReducer.h" 16 #include "ToolRunner.h" 17 #include "llvm/Analysis/TargetTransformInfo.h" 18 #include "llvm/ADT/SmallPtrSet.h" 19 #include "llvm/ADT/StringSet.h" 20 #include "llvm/IR/CFG.h" 21 #include "llvm/IR/Constants.h" 22 #include "llvm/IR/DerivedTypes.h" 23 #include "llvm/IR/Instructions.h" 24 #include "llvm/IR/LegacyPassManager.h" 25 #include "llvm/IR/Module.h" 26 #include "llvm/IR/ValueSymbolTable.h" 27 #include "llvm/IR/Verifier.h" 28 #include "llvm/Pass.h" 29 #include "llvm/Support/CommandLine.h" 30 #include "llvm/Support/FileUtilities.h" 31 #include "llvm/Transforms/Scalar.h" 32 #include "llvm/Transforms/Utils/BasicBlockUtils.h" 33 #include "llvm/Transforms/Utils/Cloning.h" 34 #include "llvm/Transforms/Utils/Local.h" 35 #include <set> 36 using namespace llvm; 37 38 namespace { 39 cl::opt<bool> 40 KeepMain("keep-main", 41 cl::desc("Force function reduction to keep main"), 42 cl::init(false)); 43 cl::opt<bool> 44 NoGlobalRM ("disable-global-remove", 45 cl::desc("Do not remove global variables"), 46 cl::init(false)); 47 48 cl::opt<bool> 49 ReplaceFuncsWithNull("replace-funcs-with-null", 50 cl::desc("When stubbing functions, replace all uses will null"), 51 cl::init(false)); 52 cl::opt<bool> 53 DontReducePassList("disable-pass-list-reduction", 54 cl::desc("Skip pass list reduction steps"), 55 cl::init(false)); 56 57 cl::opt<bool> NoNamedMDRM("disable-namedmd-remove", 58 cl::desc("Do not remove global named metadata"), 59 cl::init(false)); 60 cl::opt<bool> VerboseErrors("verbose-errors", 61 cl::desc("Print the output of crashing program"), 62 cl::init(false)); 63 } 64 65 namespace llvm { 66 class ReducePassList : public ListReducer<std::string> { 67 BugDriver &BD; 68 public: 69 ReducePassList(BugDriver &bd) : BD(bd) {} 70 71 // doTest - Return true iff running the "removed" passes succeeds, and 72 // running the "Kept" passes fail when run on the output of the "removed" 73 // passes. If we return true, we update the current module of bugpoint. 74 // 75 TestResult doTest(std::vector<std::string> &Removed, 76 std::vector<std::string> &Kept, 77 std::string &Error) override; 78 }; 79 } 80 81 ReducePassList::TestResult 82 ReducePassList::doTest(std::vector<std::string> &Prefix, 83 std::vector<std::string> &Suffix, 84 std::string &Error) { 85 std::string PrefixOutput; 86 Module *OrigProgram = nullptr; 87 if (!Prefix.empty()) { 88 outs() << "Checking to see if these passes crash: " 89 << getPassesString(Prefix) << ": "; 90 if (BD.runPasses(BD.getProgram(), Prefix, PrefixOutput)) 91 return KeepPrefix; 92 93 OrigProgram = BD.Program; 94 95 BD.Program = parseInputFile(PrefixOutput, BD.getContext()).release(); 96 if (BD.Program == nullptr) { 97 errs() << BD.getToolName() << ": Error reading bitcode file '" 98 << PrefixOutput << "'!\n"; 99 exit(1); 100 } 101 sys::fs::remove(PrefixOutput); 102 } 103 104 outs() << "Checking to see if these passes crash: " 105 << getPassesString(Suffix) << ": "; 106 107 if (BD.runPasses(BD.getProgram(), Suffix)) { 108 delete OrigProgram; // The suffix crashes alone... 109 return KeepSuffix; 110 } 111 112 // Nothing failed, restore state... 113 if (OrigProgram) { 114 delete BD.Program; 115 BD.Program = OrigProgram; 116 } 117 return NoFailure; 118 } 119 120 namespace { 121 /// ReduceCrashingGlobalVariables - This works by removing the global 122 /// variable's initializer and seeing if the program still crashes. If it 123 /// does, then we keep that program and try again. 124 /// 125 class ReduceCrashingGlobalVariables : public ListReducer<GlobalVariable*> { 126 BugDriver &BD; 127 bool (*TestFn)(const BugDriver &, Module *); 128 public: 129 ReduceCrashingGlobalVariables(BugDriver &bd, 130 bool (*testFn)(const BugDriver &, Module *)) 131 : BD(bd), TestFn(testFn) {} 132 133 TestResult doTest(std::vector<GlobalVariable*> &Prefix, 134 std::vector<GlobalVariable*> &Kept, 135 std::string &Error) override { 136 if (!Kept.empty() && TestGlobalVariables(Kept)) 137 return KeepSuffix; 138 if (!Prefix.empty() && TestGlobalVariables(Prefix)) 139 return KeepPrefix; 140 return NoFailure; 141 } 142 143 bool TestGlobalVariables(std::vector<GlobalVariable*> &GVs); 144 }; 145 } 146 147 bool 148 ReduceCrashingGlobalVariables::TestGlobalVariables( 149 std::vector<GlobalVariable*> &GVs) { 150 // Clone the program to try hacking it apart... 151 ValueToValueMapTy VMap; 152 Module *M = CloneModule(BD.getProgram(), VMap).release(); 153 154 // Convert list to set for fast lookup... 155 std::set<GlobalVariable*> GVSet; 156 157 for (unsigned i = 0, e = GVs.size(); i != e; ++i) { 158 GlobalVariable* CMGV = cast<GlobalVariable>(VMap[GVs[i]]); 159 assert(CMGV && "Global Variable not in module?!"); 160 GVSet.insert(CMGV); 161 } 162 163 outs() << "Checking for crash with only these global variables: "; 164 PrintGlobalVariableList(GVs); 165 outs() << ": "; 166 167 // Loop over and delete any global variables which we aren't supposed to be 168 // playing with... 169 for (GlobalVariable &I : M->globals()) 170 if (I.hasInitializer() && !GVSet.count(&I)) { 171 DeleteGlobalInitializer(&I); 172 I.setLinkage(GlobalValue::ExternalLinkage); 173 I.setComdat(nullptr); 174 } 175 176 // Try running the hacked up program... 177 if (TestFn(BD, M)) { 178 BD.setNewProgram(M); // It crashed, keep the trimmed version... 179 180 // Make sure to use global variable pointers that point into the now-current 181 // module. 182 GVs.assign(GVSet.begin(), GVSet.end()); 183 return true; 184 } 185 186 delete M; 187 return false; 188 } 189 190 namespace { 191 /// ReduceCrashingFunctions reducer - This works by removing functions and 192 /// seeing if the program still crashes. If it does, then keep the newer, 193 /// smaller program. 194 /// 195 class ReduceCrashingFunctions : public ListReducer<Function*> { 196 BugDriver &BD; 197 bool (*TestFn)(const BugDriver &, Module *); 198 public: 199 ReduceCrashingFunctions(BugDriver &bd, 200 bool (*testFn)(const BugDriver &, Module *)) 201 : BD(bd), TestFn(testFn) {} 202 203 TestResult doTest(std::vector<Function*> &Prefix, 204 std::vector<Function*> &Kept, 205 std::string &Error) override { 206 if (!Kept.empty() && TestFuncs(Kept)) 207 return KeepSuffix; 208 if (!Prefix.empty() && TestFuncs(Prefix)) 209 return KeepPrefix; 210 return NoFailure; 211 } 212 213 bool TestFuncs(std::vector<Function*> &Prefix); 214 }; 215 } 216 217 static void RemoveFunctionReferences(Module *M, const char* Name) { 218 auto *UsedVar = M->getGlobalVariable(Name, true); 219 if (!UsedVar || !UsedVar->hasInitializer()) return; 220 if (isa<ConstantAggregateZero>(UsedVar->getInitializer())) { 221 assert(UsedVar->use_empty()); 222 UsedVar->eraseFromParent(); 223 return; 224 } 225 auto *OldUsedVal = cast<ConstantArray>(UsedVar->getInitializer()); 226 std::vector<Constant*> Used; 227 for(Value *V : OldUsedVal->operand_values()) { 228 Constant *Op = cast<Constant>(V->stripPointerCasts()); 229 if(!Op->isNullValue()) { 230 Used.push_back(cast<Constant>(V)); 231 } 232 } 233 auto *NewValElemTy = OldUsedVal->getType()->getElementType(); 234 auto *NewValTy = ArrayType::get(NewValElemTy, Used.size()); 235 auto *NewUsedVal = ConstantArray::get(NewValTy, Used); 236 UsedVar->mutateType(NewUsedVal->getType()->getPointerTo()); 237 UsedVar->setInitializer(NewUsedVal); 238 } 239 240 bool ReduceCrashingFunctions::TestFuncs(std::vector<Function*> &Funcs) { 241 // If main isn't present, claim there is no problem. 242 if (KeepMain && std::find(Funcs.begin(), Funcs.end(), 243 BD.getProgram()->getFunction("main")) == 244 Funcs.end()) 245 return false; 246 247 // Clone the program to try hacking it apart... 248 ValueToValueMapTy VMap; 249 Module *M = CloneModule(BD.getProgram(), VMap).release(); 250 251 // Convert list to set for fast lookup... 252 std::set<Function*> Functions; 253 for (unsigned i = 0, e = Funcs.size(); i != e; ++i) { 254 Function *CMF = cast<Function>(VMap[Funcs[i]]); 255 assert(CMF && "Function not in module?!"); 256 assert(CMF->getFunctionType() == Funcs[i]->getFunctionType() && "wrong ty"); 257 assert(CMF->getName() == Funcs[i]->getName() && "wrong name"); 258 Functions.insert(CMF); 259 } 260 261 outs() << "Checking for crash with only these functions: "; 262 PrintFunctionList(Funcs); 263 outs() << ": "; 264 if (!ReplaceFuncsWithNull) { 265 // Loop over and delete any functions which we aren't supposed to be playing 266 // with... 267 for (Function &I : *M) 268 if (!I.isDeclaration() && !Functions.count(&I)) 269 DeleteFunctionBody(&I); 270 } else { 271 std::vector<GlobalValue*> ToRemove; 272 // First, remove aliases to functions we're about to purge. 273 for (GlobalAlias &Alias : M->aliases()) { 274 GlobalObject *Root = Alias.getBaseObject(); 275 Function *F = dyn_cast_or_null<Function>(Root); 276 if (F) { 277 if (Functions.count(F)) 278 // We're keeping this function. 279 continue; 280 } else if (Root->isNullValue()) { 281 // This referenced a globalalias that we've already replaced, 282 // so we still need to replace this alias. 283 } else if (!F) { 284 // Not a function, therefore not something we mess with. 285 continue; 286 } 287 288 PointerType *Ty = cast<PointerType>(Alias.getType()); 289 Constant *Replacement = ConstantPointerNull::get(Ty); 290 Alias.replaceAllUsesWith(Replacement); 291 ToRemove.push_back(&Alias); 292 } 293 294 for (Function &I : *M) { 295 if (!I.isDeclaration() && !Functions.count(&I)) { 296 PointerType *Ty = cast<PointerType>(I.getType()); 297 Constant *Replacement = ConstantPointerNull::get(Ty); 298 I.replaceAllUsesWith(Replacement); 299 ToRemove.push_back(&I); 300 } 301 } 302 303 for (auto *F : ToRemove) { 304 F->eraseFromParent(); 305 } 306 307 // Finally, remove any null members from any global intrinsic. 308 RemoveFunctionReferences(M, "llvm.used"); 309 RemoveFunctionReferences(M, "llvm.compiler.used"); 310 } 311 // Try running the hacked up program... 312 if (TestFn(BD, M)) { 313 BD.setNewProgram(M); // It crashed, keep the trimmed version... 314 315 // Make sure to use function pointers that point into the now-current 316 // module. 317 Funcs.assign(Functions.begin(), Functions.end()); 318 return true; 319 } 320 delete M; 321 return false; 322 } 323 324 namespace { 325 /// Simplify the CFG without completely destroying it. 326 /// This is not well defined, but basically comes down to "try to eliminate 327 /// unreachable blocks and constant fold terminators without deciding that 328 /// certain undefined behavior cuts off the program at the legs". 329 void simpleSimplifyCfg(Function &F, SmallVectorImpl<BasicBlock *> &BBs) { 330 if (F.empty()) 331 return; 332 333 for (auto *BB : BBs) { 334 ConstantFoldTerminator(BB); 335 MergeBlockIntoPredecessor(BB); 336 } 337 338 // Remove unreachable blocks 339 // removeUnreachableBlocks can't be used here, it will turn various 340 // undefined behavior into unreachables, but bugpoint was the thing that 341 // generated the undefined behavior, and we don't want it to kill the entire 342 // program. 343 SmallPtrSet<BasicBlock *, 16> Visited; 344 for (auto *BB : depth_first(&F.getEntryBlock())) 345 Visited.insert(BB); 346 347 SmallVector<BasicBlock *, 16> Unreachable; 348 for (auto &BB : F) 349 if (!Visited.count(&BB)) 350 Unreachable.push_back(&BB); 351 352 // The dead BB's may be in a dead cycle or otherwise have references to each 353 // other. Because of this, we have to drop all references first, then delete 354 // them all at once. 355 for (auto *BB : Unreachable) { 356 for (BasicBlock *Successor : successors(&*BB)) 357 if (Visited.count(Successor)) 358 Successor->removePredecessor(&*BB); 359 BB->dropAllReferences(); 360 } 361 for (auto *BB : Unreachable) 362 BB->eraseFromParent(); 363 } 364 /// ReduceCrashingBlocks reducer - This works by setting the terminators of 365 /// all terminators except the specified basic blocks to a 'ret' instruction, 366 /// then running the simplify-cfg pass. This has the effect of chopping up 367 /// the CFG really fast which can reduce large functions quickly. 368 /// 369 class ReduceCrashingBlocks : public ListReducer<const BasicBlock*> { 370 BugDriver &BD; 371 bool (*TestFn)(const BugDriver &, Module *); 372 public: 373 ReduceCrashingBlocks(BugDriver &BD, 374 bool (*testFn)(const BugDriver &, Module *)) 375 : BD(BD), TestFn(testFn) {} 376 377 TestResult doTest(std::vector<const BasicBlock*> &Prefix, 378 std::vector<const BasicBlock*> &Kept, 379 std::string &Error) override { 380 if (!Kept.empty() && TestBlocks(Kept)) 381 return KeepSuffix; 382 if (!Prefix.empty() && TestBlocks(Prefix)) 383 return KeepPrefix; 384 return NoFailure; 385 } 386 387 bool TestBlocks(std::vector<const BasicBlock*> &Prefix); 388 }; 389 } 390 391 bool ReduceCrashingBlocks::TestBlocks(std::vector<const BasicBlock*> &BBs) { 392 // Clone the program to try hacking it apart... 393 ValueToValueMapTy VMap; 394 Module *M = CloneModule(BD.getProgram(), VMap).release(); 395 396 // Convert list to set for fast lookup... 397 SmallPtrSet<BasicBlock*, 8> Blocks; 398 for (unsigned i = 0, e = BBs.size(); i != e; ++i) 399 Blocks.insert(cast<BasicBlock>(VMap[BBs[i]])); 400 401 outs() << "Checking for crash with only these blocks:"; 402 unsigned NumPrint = Blocks.size(); 403 if (NumPrint > 10) NumPrint = 10; 404 for (unsigned i = 0, e = NumPrint; i != e; ++i) 405 outs() << " " << BBs[i]->getName(); 406 if (NumPrint < Blocks.size()) 407 outs() << "... <" << Blocks.size() << " total>"; 408 outs() << ": "; 409 410 // Loop over and delete any hack up any blocks that are not listed... 411 for (Module::iterator I = M->begin(), E = M->end(); I != E; ++I) 412 for (Function::iterator BB = I->begin(), E = I->end(); BB != E; ++BB) 413 if (!Blocks.count(&*BB) && BB->getTerminator()->getNumSuccessors()) { 414 // Loop over all of the successors of this block, deleting any PHI nodes 415 // that might include it. 416 for (succ_iterator SI = succ_begin(&*BB), E = succ_end(&*BB); SI != E; 417 ++SI) 418 (*SI)->removePredecessor(&*BB); 419 420 TerminatorInst *BBTerm = BB->getTerminator(); 421 if (BBTerm->isEHPad() || BBTerm->getType()->isTokenTy()) 422 continue; 423 if (!BBTerm->getType()->isVoidTy()) 424 BBTerm->replaceAllUsesWith(Constant::getNullValue(BBTerm->getType())); 425 426 // Replace the old terminator instruction. 427 BB->getInstList().pop_back(); 428 new UnreachableInst(BB->getContext(), &*BB); 429 } 430 431 // The CFG Simplifier pass may delete one of the basic blocks we are 432 // interested in. If it does we need to take the block out of the list. Make 433 // a "persistent mapping" by turning basic blocks into <function, name> pairs. 434 // This won't work well if blocks are unnamed, but that is just the risk we 435 // have to take. 436 std::vector<std::pair<std::string, std::string> > BlockInfo; 437 438 for (BasicBlock *BB : Blocks) 439 BlockInfo.emplace_back(BB->getParent()->getName(), BB->getName()); 440 441 SmallVector<BasicBlock *, 16> ToProcess; 442 for (auto &F :*M) { 443 for (auto &BB : F) 444 if (!Blocks.count(&BB)) 445 ToProcess.push_back(&BB); 446 simpleSimplifyCfg(F, ToProcess); 447 ToProcess.clear(); 448 } 449 // Verify we didn't break anything 450 std::vector<std::string> Passes; 451 Passes.push_back("verify"); 452 std::unique_ptr<Module> New = BD.runPassesOn(M, Passes); 453 delete M; 454 if (!New) { 455 errs() << "verify failed!\n"; 456 exit(1); 457 } 458 M = New.release(); 459 460 // Try running on the hacked up program... 461 if (TestFn(BD, M)) { 462 BD.setNewProgram(M); // It crashed, keep the trimmed version... 463 464 // Make sure to use basic block pointers that point into the now-current 465 // module, and that they don't include any deleted blocks. 466 BBs.clear(); 467 const ValueSymbolTable &GST = M->getValueSymbolTable(); 468 for (unsigned i = 0, e = BlockInfo.size(); i != e; ++i) { 469 Function *F = cast<Function>(GST.lookup(BlockInfo[i].first)); 470 ValueSymbolTable &ST = F->getValueSymbolTable(); 471 Value* V = ST.lookup(BlockInfo[i].second); 472 if (V && V->getType() == Type::getLabelTy(V->getContext())) 473 BBs.push_back(cast<BasicBlock>(V)); 474 } 475 return true; 476 } 477 delete M; // It didn't crash, try something else. 478 return false; 479 } 480 481 namespace { 482 /// ReduceCrashingConditionals reducer - This works by changing 483 /// conditional branches to unconditional ones, then simplifying the CFG 484 /// This has the effect of chopping up the CFG really fast which can reduce 485 /// large functions quickly. 486 /// 487 class ReduceCrashingConditionals : public ListReducer<const BasicBlock *> { 488 BugDriver &BD; 489 bool (*TestFn)(const BugDriver &, Module *); 490 bool Direction; 491 492 public: 493 ReduceCrashingConditionals(BugDriver &bd, 494 bool (*testFn)(const BugDriver &, Module *), 495 bool Direction) 496 : BD(bd), TestFn(testFn), Direction(Direction) {} 497 498 TestResult doTest(std::vector<const BasicBlock *> &Prefix, 499 std::vector<const BasicBlock *> &Kept, 500 std::string &Error) override { 501 if (!Kept.empty() && TestBlocks(Kept)) 502 return KeepSuffix; 503 if (!Prefix.empty() && TestBlocks(Prefix)) 504 return KeepPrefix; 505 return NoFailure; 506 } 507 508 bool TestBlocks(std::vector<const BasicBlock *> &Prefix); 509 }; 510 } 511 512 bool ReduceCrashingConditionals::TestBlocks( 513 std::vector<const BasicBlock *> &BBs) { 514 // Clone the program to try hacking it apart... 515 ValueToValueMapTy VMap; 516 Module *M = CloneModule(BD.getProgram(), VMap).release(); 517 518 // Convert list to set for fast lookup... 519 SmallPtrSet<const BasicBlock *, 8> Blocks; 520 for (const auto *BB: BBs) 521 Blocks.insert(cast<BasicBlock>(VMap[BB])); 522 523 outs() << "Checking for crash with changing conditionals to always jump to " 524 << (Direction ? "true" : "false") << ":"; 525 unsigned NumPrint = Blocks.size(); 526 if (NumPrint > 10) 527 NumPrint = 10; 528 for (unsigned i = 0, e = NumPrint; i != e; ++i) 529 outs() << " " << BBs[i]->getName(); 530 if (NumPrint < Blocks.size()) 531 outs() << "... <" << Blocks.size() << " total>"; 532 outs() << ": "; 533 534 // Loop over and delete any hack up any blocks that are not listed... 535 for (auto &F: *M) 536 for (auto &BB : F) 537 if (!Blocks.count(&BB)) { 538 auto *BR = dyn_cast<BranchInst>(BB.getTerminator()); 539 if (!BR || !BR->isConditional()) 540 continue; 541 if (Direction) 542 BR->setCondition(ConstantInt::getTrue(BR->getContext())); 543 else 544 BR->setCondition(ConstantInt::getFalse(BR->getContext())); 545 } 546 547 // The following may destroy some blocks, so we save them first 548 std::vector<std::pair<std::string, std::string>> BlockInfo; 549 550 for (const BasicBlock *BB : Blocks) 551 BlockInfo.emplace_back(BB->getParent()->getName(), BB->getName()); 552 553 SmallVector<BasicBlock *, 16> ToProcess; 554 for (auto &F :*M) { 555 for (auto &BB : F) 556 if (!Blocks.count(&BB)) 557 ToProcess.push_back(&BB); 558 simpleSimplifyCfg(F, ToProcess); 559 ToProcess.clear(); 560 } 561 // Verify we didn't break anything 562 std::vector<std::string> Passes; 563 Passes.push_back("verify"); 564 std::unique_ptr<Module> New = BD.runPassesOn(M, Passes); 565 delete M; 566 if (!New) { 567 errs() << "verify failed!\n"; 568 exit(1); 569 } 570 M = New.release(); 571 572 // Try running on the hacked up program... 573 if (TestFn(BD, M)) { 574 BD.setNewProgram(M); // It crashed, keep the trimmed version... 575 576 // Make sure to use basic block pointers that point into the now-current 577 // module, and that they don't include any deleted blocks. 578 BBs.clear(); 579 const ValueSymbolTable &GST = M->getValueSymbolTable(); 580 for (auto &BI : BlockInfo) { 581 auto *F = cast<Function>(GST.lookup(BI.first)); 582 ValueSymbolTable &ST = F->getValueSymbolTable(); 583 Value *V = ST.lookup(BI.second); 584 if (V && V->getType() == Type::getLabelTy(V->getContext())) 585 BBs.push_back(cast<BasicBlock>(V)); 586 } 587 return true; 588 } 589 delete M; // It didn't crash, try something else. 590 return false; 591 } 592 593 namespace { 594 /// SimplifyCFG reducer - This works by calling SimplifyCFG on each basic block 595 /// in the program. 596 597 class ReduceSimplifyCFG : public ListReducer<const BasicBlock *> { 598 BugDriver &BD; 599 bool (*TestFn)(const BugDriver &, Module *); 600 TargetTransformInfo TTI; 601 602 public: 603 ReduceSimplifyCFG(BugDriver &bd, 604 bool (*testFn)(const BugDriver &, Module *)) 605 : BD(bd), TestFn(testFn), TTI(bd.getProgram()->getDataLayout()) 606 {} 607 608 TestResult doTest(std::vector<const BasicBlock *> &Prefix, 609 std::vector<const BasicBlock *> &Kept, 610 std::string &Error) override { 611 if (!Kept.empty() && TestBlocks(Kept)) 612 return KeepSuffix; 613 if (!Prefix.empty() && TestBlocks(Prefix)) 614 return KeepPrefix; 615 return NoFailure; 616 } 617 618 bool TestBlocks(std::vector<const BasicBlock *> &Prefix); 619 }; 620 } 621 622 bool ReduceSimplifyCFG::TestBlocks( 623 std::vector<const BasicBlock *> &BBs) { 624 // Clone the program to try hacking it apart... 625 ValueToValueMapTy VMap; 626 Module *M = CloneModule(BD.getProgram(), VMap).release(); 627 628 // Convert list to set for fast lookup... 629 SmallPtrSet<const BasicBlock *, 8> Blocks; 630 for (const auto *BB: BBs) 631 Blocks.insert(cast<BasicBlock>(VMap[BB])); 632 633 outs() << "Checking for crash with CFG simplifying:"; 634 unsigned NumPrint = Blocks.size(); 635 if (NumPrint > 10) 636 NumPrint = 10; 637 for (unsigned i = 0, e = NumPrint; i != e; ++i) 638 outs() << " " << BBs[i]->getName(); 639 if (NumPrint < Blocks.size()) 640 outs() << "... <" << Blocks.size() << " total>"; 641 outs() << ": "; 642 643 // The following may destroy some blocks, so we save them first 644 std::vector<std::pair<std::string, std::string>> BlockInfo; 645 646 for (const BasicBlock *BB : Blocks) 647 BlockInfo.emplace_back(BB->getParent()->getName(), BB->getName()); 648 649 650 // Loop over and delete any hack up any blocks that are not listed... 651 for (auto &F: *M) 652 // Loop over all of the basic blocks and remove them if they are unneeded. 653 for (Function::iterator BBIt = F.begin(); BBIt != F.end(); ) { 654 if (!Blocks.count(&*BBIt)) { 655 ++BBIt; 656 continue; 657 } 658 SimplifyCFG(&*BBIt++, TTI, 1); 659 } 660 // Verify we didn't break anything 661 std::vector<std::string> Passes; 662 Passes.push_back("verify"); 663 std::unique_ptr<Module> New = BD.runPassesOn(M, Passes); 664 delete M; 665 if (!New) { 666 errs() << "verify failed!\n"; 667 exit(1); 668 } 669 M = New.release(); 670 671 // Try running on the hacked up program... 672 if (TestFn(BD, M)) { 673 BD.setNewProgram(M); // It crashed, keep the trimmed version... 674 675 // Make sure to use basic block pointers that point into the now-current 676 // module, and that they don't include any deleted blocks. 677 BBs.clear(); 678 const ValueSymbolTable &GST = M->getValueSymbolTable(); 679 for (auto &BI : BlockInfo){ 680 auto *F = cast<Function>(GST.lookup(BI.first)); 681 ValueSymbolTable &ST = F->getValueSymbolTable(); 682 Value *V = ST.lookup(BI.second); 683 if (V && V->getType() == Type::getLabelTy(V->getContext())) 684 BBs.push_back(cast<BasicBlock>(V)); 685 } 686 return true; 687 } 688 delete M; // It didn't crash, try something else. 689 return false; 690 } 691 692 namespace { 693 /// ReduceCrashingInstructions reducer - This works by removing the specified 694 /// non-terminator instructions and replacing them with undef. 695 /// 696 class ReduceCrashingInstructions : public ListReducer<const Instruction*> { 697 BugDriver &BD; 698 bool (*TestFn)(const BugDriver &, Module *); 699 public: 700 ReduceCrashingInstructions(BugDriver &bd, 701 bool (*testFn)(const BugDriver &, Module *)) 702 : BD(bd), TestFn(testFn) {} 703 704 TestResult doTest(std::vector<const Instruction*> &Prefix, 705 std::vector<const Instruction*> &Kept, 706 std::string &Error) override { 707 if (!Kept.empty() && TestInsts(Kept)) 708 return KeepSuffix; 709 if (!Prefix.empty() && TestInsts(Prefix)) 710 return KeepPrefix; 711 return NoFailure; 712 } 713 714 bool TestInsts(std::vector<const Instruction*> &Prefix); 715 }; 716 } 717 718 bool ReduceCrashingInstructions::TestInsts(std::vector<const Instruction*> 719 &Insts) { 720 // Clone the program to try hacking it apart... 721 ValueToValueMapTy VMap; 722 Module *M = CloneModule(BD.getProgram(), VMap).release(); 723 724 // Convert list to set for fast lookup... 725 SmallPtrSet<Instruction*, 32> Instructions; 726 for (unsigned i = 0, e = Insts.size(); i != e; ++i) { 727 assert(!isa<TerminatorInst>(Insts[i])); 728 Instructions.insert(cast<Instruction>(VMap[Insts[i]])); 729 } 730 731 outs() << "Checking for crash with only " << Instructions.size(); 732 if (Instructions.size() == 1) 733 outs() << " instruction: "; 734 else 735 outs() << " instructions: "; 736 737 for (Module::iterator MI = M->begin(), ME = M->end(); MI != ME; ++MI) 738 for (Function::iterator FI = MI->begin(), FE = MI->end(); FI != FE; ++FI) 739 for (BasicBlock::iterator I = FI->begin(), E = FI->end(); I != E;) { 740 Instruction *Inst = &*I++; 741 if (!Instructions.count(Inst) && !isa<TerminatorInst>(Inst) && 742 !Inst->isEHPad() && !Inst->getType()->isTokenTy()) { 743 if (!Inst->getType()->isVoidTy()) 744 Inst->replaceAllUsesWith(UndefValue::get(Inst->getType())); 745 Inst->eraseFromParent(); 746 } 747 } 748 749 // Verify that this is still valid. 750 legacy::PassManager Passes; 751 Passes.add(createVerifierPass()); 752 Passes.run(*M); 753 754 // Try running on the hacked up program... 755 if (TestFn(BD, M)) { 756 BD.setNewProgram(M); // It crashed, keep the trimmed version... 757 758 // Make sure to use instruction pointers that point into the now-current 759 // module, and that they don't include any deleted blocks. 760 Insts.clear(); 761 for (Instruction *Inst : Instructions) 762 Insts.push_back(Inst); 763 return true; 764 } 765 delete M; // It didn't crash, try something else. 766 return false; 767 } 768 769 namespace { 770 // Reduce the list of Named Metadata nodes. We keep this as a list of 771 // names to avoid having to convert back and forth every time. 772 class ReduceCrashingNamedMD : public ListReducer<std::string> { 773 BugDriver &BD; 774 bool (*TestFn)(const BugDriver &, Module *); 775 776 public: 777 ReduceCrashingNamedMD(BugDriver &bd, 778 bool (*testFn)(const BugDriver &, Module *)) 779 : BD(bd), TestFn(testFn) {} 780 781 TestResult doTest(std::vector<std::string> &Prefix, 782 std::vector<std::string> &Kept, 783 std::string &Error) override { 784 if (!Kept.empty() && TestNamedMDs(Kept)) 785 return KeepSuffix; 786 if (!Prefix.empty() && TestNamedMDs(Prefix)) 787 return KeepPrefix; 788 return NoFailure; 789 } 790 791 bool TestNamedMDs(std::vector<std::string> &NamedMDs); 792 }; 793 } 794 795 bool ReduceCrashingNamedMD::TestNamedMDs(std::vector<std::string> &NamedMDs) { 796 797 ValueToValueMapTy VMap; 798 Module *M = CloneModule(BD.getProgram(), VMap).release(); 799 800 outs() << "Checking for crash with only these named metadata nodes:"; 801 unsigned NumPrint = std::min<size_t>(NamedMDs.size(), 10); 802 for (unsigned i = 0, e = NumPrint; i != e; ++i) 803 outs() << " " << NamedMDs[i]; 804 if (NumPrint < NamedMDs.size()) 805 outs() << "... <" << NamedMDs.size() << " total>"; 806 outs() << ": "; 807 808 // Make a StringMap for faster lookup 809 StringSet<> Names; 810 for (const std::string &Name : NamedMDs) 811 Names.insert(Name); 812 813 // First collect all the metadata to delete in a vector, then 814 // delete them all at once to avoid invalidating the iterator 815 std::vector<NamedMDNode *> ToDelete; 816 ToDelete.reserve(M->named_metadata_size() - Names.size()); 817 for (auto &NamedMD : M->named_metadata()) 818 // Always keep a nonempty llvm.dbg.cu because the Verifier would complain. 819 if (!Names.count(NamedMD.getName()) && 820 (!(NamedMD.getName() == "llvm.dbg.cu" && NamedMD.getNumOperands() > 0))) 821 ToDelete.push_back(&NamedMD); 822 823 for (auto *NamedMD : ToDelete) 824 NamedMD->eraseFromParent(); 825 826 // Verify that this is still valid. 827 legacy::PassManager Passes; 828 Passes.add(createVerifierPass()); 829 Passes.run(*M); 830 831 // Try running on the hacked up program... 832 if (TestFn(BD, M)) { 833 BD.setNewProgram(M); // It crashed, keep the trimmed version... 834 return true; 835 } 836 delete M; // It didn't crash, try something else. 837 return false; 838 } 839 840 namespace { 841 // Reduce the list of operands to named metadata nodes 842 class ReduceCrashingNamedMDOps : public ListReducer<const MDNode *> { 843 BugDriver &BD; 844 bool (*TestFn)(const BugDriver &, Module *); 845 846 public: 847 ReduceCrashingNamedMDOps(BugDriver &bd, 848 bool (*testFn)(const BugDriver &, Module *)) 849 : BD(bd), TestFn(testFn) {} 850 851 TestResult doTest(std::vector<const MDNode *> &Prefix, 852 std::vector<const MDNode *> &Kept, 853 std::string &Error) override { 854 if (!Kept.empty() && TestNamedMDOps(Kept)) 855 return KeepSuffix; 856 if (!Prefix.empty() && TestNamedMDOps(Prefix)) 857 return KeepPrefix; 858 return NoFailure; 859 } 860 861 bool TestNamedMDOps(std::vector<const MDNode *> &NamedMDOps); 862 }; 863 } 864 865 bool ReduceCrashingNamedMDOps::TestNamedMDOps( 866 std::vector<const MDNode *> &NamedMDOps) { 867 // Convert list to set for fast lookup... 868 SmallPtrSet<const MDNode *, 32> OldMDNodeOps; 869 for (unsigned i = 0, e = NamedMDOps.size(); i != e; ++i) { 870 OldMDNodeOps.insert(NamedMDOps[i]); 871 } 872 873 outs() << "Checking for crash with only " << OldMDNodeOps.size(); 874 if (OldMDNodeOps.size() == 1) 875 outs() << " named metadata operand: "; 876 else 877 outs() << " named metadata operands: "; 878 879 ValueToValueMapTy VMap; 880 Module *M = CloneModule(BD.getProgram(), VMap).release(); 881 882 // This is a little wasteful. In the future it might be good if we could have 883 // these dropped during cloning. 884 for (auto &NamedMD : BD.getProgram()->named_metadata()) { 885 // Drop the old one and create a new one 886 M->eraseNamedMetadata(M->getNamedMetadata(NamedMD.getName())); 887 NamedMDNode *NewNamedMDNode = 888 M->getOrInsertNamedMetadata(NamedMD.getName()); 889 for (MDNode *op : NamedMD.operands()) 890 if (OldMDNodeOps.count(op)) 891 NewNamedMDNode->addOperand(cast<MDNode>(MapMetadata(op, VMap))); 892 } 893 894 // Verify that this is still valid. 895 legacy::PassManager Passes; 896 Passes.add(createVerifierPass()); 897 Passes.run(*M); 898 899 // Try running on the hacked up program... 900 if (TestFn(BD, M)) { 901 // Make sure to use instruction pointers that point into the now-current 902 // module, and that they don't include any deleted blocks. 903 NamedMDOps.clear(); 904 for (const MDNode *Node : OldMDNodeOps) 905 NamedMDOps.push_back(cast<MDNode>(*VMap.getMappedMD(Node))); 906 907 BD.setNewProgram(M); // It crashed, keep the trimmed version... 908 return true; 909 } 910 delete M; // It didn't crash, try something else. 911 return false; 912 } 913 914 static void ReduceGlobalInitializers(BugDriver &BD, 915 bool (*TestFn)(const BugDriver &, Module *), 916 std::string &Error) { 917 if (BD.getProgram()->global_begin() != BD.getProgram()->global_end()) { 918 // Now try to reduce the number of global variable initializers in the 919 // module to something small. 920 Module *M = CloneModule(BD.getProgram()).release(); 921 bool DeletedInit = false; 922 923 for (Module::global_iterator I = M->global_begin(), E = M->global_end(); 924 I != E; ++I) 925 if (I->hasInitializer()) { 926 DeleteGlobalInitializer(&*I); 927 I->setLinkage(GlobalValue::ExternalLinkage); 928 I->setComdat(nullptr); 929 DeletedInit = true; 930 } 931 932 if (!DeletedInit) { 933 delete M; // No change made... 934 } else { 935 // See if the program still causes a crash... 936 outs() << "\nChecking to see if we can delete global inits: "; 937 938 if (TestFn(BD, M)) { // Still crashes? 939 BD.setNewProgram(M); 940 outs() << "\n*** Able to remove all global initializers!\n"; 941 } else { // No longer crashes? 942 outs() << " - Removing all global inits hides problem!\n"; 943 delete M; 944 945 std::vector<GlobalVariable*> GVs; 946 947 for (Module::global_iterator I = BD.getProgram()->global_begin(), 948 E = BD.getProgram()->global_end(); I != E; ++I) 949 if (I->hasInitializer()) 950 GVs.push_back(&*I); 951 952 if (GVs.size() > 1 && !BugpointIsInterrupted) { 953 outs() << "\n*** Attempting to reduce the number of global " 954 << "variables in the testcase\n"; 955 956 unsigned OldSize = GVs.size(); 957 ReduceCrashingGlobalVariables(BD, TestFn).reduceList(GVs, Error); 958 assert(!Error.empty()); 959 960 if (GVs.size() < OldSize) 961 BD.EmitProgressBitcode(BD.getProgram(), "reduced-global-variables"); 962 } 963 } 964 } 965 } 966 } 967 968 static void ReduceInsts(BugDriver &BD, 969 bool (*TestFn)(const BugDriver &, Module *), 970 std::string &Error) { 971 // Attempt to delete instructions using bisection. This should help out nasty 972 // cases with large basic blocks where the problem is at one end. 973 if (!BugpointIsInterrupted) { 974 std::vector<const Instruction*> Insts; 975 for (const Function &F : *BD.getProgram()) 976 for (const BasicBlock &BB : F) 977 for (const Instruction &I : BB) 978 if (!isa<TerminatorInst>(&I)) 979 Insts.push_back(&I); 980 981 ReduceCrashingInstructions(BD, TestFn).reduceList(Insts, Error); 982 } 983 984 unsigned Simplification = 2; 985 do { 986 if (BugpointIsInterrupted) 987 return; 988 --Simplification; 989 outs() << "\n*** Attempting to reduce testcase by deleting instruc" 990 << "tions: Simplification Level #" << Simplification << '\n'; 991 992 // Now that we have deleted the functions that are unnecessary for the 993 // program, try to remove instructions that are not necessary to cause the 994 // crash. To do this, we loop through all of the instructions in the 995 // remaining functions, deleting them (replacing any values produced with 996 // nulls), and then running ADCE and SimplifyCFG. If the transformed input 997 // still triggers failure, keep deleting until we cannot trigger failure 998 // anymore. 999 // 1000 unsigned InstructionsToSkipBeforeDeleting = 0; 1001 TryAgain: 1002 1003 // Loop over all of the (non-terminator) instructions remaining in the 1004 // function, attempting to delete them. 1005 unsigned CurInstructionNum = 0; 1006 for (Module::const_iterator FI = BD.getProgram()->begin(), 1007 E = BD.getProgram()->end(); FI != E; ++FI) 1008 if (!FI->isDeclaration()) 1009 for (Function::const_iterator BI = FI->begin(), E = FI->end(); BI != E; 1010 ++BI) 1011 for (BasicBlock::const_iterator I = BI->begin(), E = --BI->end(); 1012 I != E; ++I, ++CurInstructionNum) { 1013 if (InstructionsToSkipBeforeDeleting) { 1014 --InstructionsToSkipBeforeDeleting; 1015 } else { 1016 if (BugpointIsInterrupted) 1017 return; 1018 1019 if (I->isEHPad() || I->getType()->isTokenTy()) 1020 continue; 1021 1022 outs() << "Checking instruction: " << *I; 1023 std::unique_ptr<Module> M = 1024 BD.deleteInstructionFromProgram(&*I, Simplification); 1025 1026 // Find out if the pass still crashes on this pass... 1027 if (TestFn(BD, M.get())) { 1028 // Yup, it does, we delete the old module, and continue trying 1029 // to reduce the testcase... 1030 BD.setNewProgram(M.release()); 1031 InstructionsToSkipBeforeDeleting = CurInstructionNum; 1032 goto TryAgain; // I wish I had a multi-level break here! 1033 } 1034 } 1035 } 1036 1037 if (InstructionsToSkipBeforeDeleting) { 1038 InstructionsToSkipBeforeDeleting = 0; 1039 goto TryAgain; 1040 } 1041 1042 } while (Simplification); 1043 BD.EmitProgressBitcode(BD.getProgram(), "reduced-instructions"); 1044 } 1045 1046 1047 /// DebugACrash - Given a predicate that determines whether a component crashes 1048 /// on a program, try to destructively reduce the program while still keeping 1049 /// the predicate true. 1050 static bool DebugACrash(BugDriver &BD, 1051 bool (*TestFn)(const BugDriver &, Module *), 1052 std::string &Error) { 1053 // See if we can get away with nuking some of the global variable initializers 1054 // in the program... 1055 if (!NoGlobalRM) 1056 ReduceGlobalInitializers(BD, TestFn, Error); 1057 1058 // Now try to reduce the number of functions in the module to something small. 1059 std::vector<Function*> Functions; 1060 for (Function &F : *BD.getProgram()) 1061 if (!F.isDeclaration()) 1062 Functions.push_back(&F); 1063 1064 if (Functions.size() > 1 && !BugpointIsInterrupted) { 1065 outs() << "\n*** Attempting to reduce the number of functions " 1066 "in the testcase\n"; 1067 1068 unsigned OldSize = Functions.size(); 1069 ReduceCrashingFunctions(BD, TestFn).reduceList(Functions, Error); 1070 1071 if (Functions.size() < OldSize) 1072 BD.EmitProgressBitcode(BD.getProgram(), "reduced-function"); 1073 } 1074 1075 // Attempt to change conditional branches into unconditional branches to 1076 // eliminate blocks. 1077 if (!DisableSimplifyCFG && !BugpointIsInterrupted) { 1078 std::vector<const BasicBlock*> Blocks; 1079 for (Function &F : *BD.getProgram()) 1080 for (BasicBlock &BB : F) 1081 Blocks.push_back(&BB); 1082 unsigned OldSize = Blocks.size(); 1083 ReduceCrashingConditionals(BD, TestFn, true).reduceList(Blocks, Error); 1084 ReduceCrashingConditionals(BD, TestFn, false).reduceList(Blocks, Error); 1085 if (Blocks.size() < OldSize) 1086 BD.EmitProgressBitcode(BD.getProgram(), "reduced-conditionals"); 1087 } 1088 1089 // Attempt to delete entire basic blocks at a time to speed up 1090 // convergence... this actually works by setting the terminator of the blocks 1091 // to a return instruction then running simplifycfg, which can potentially 1092 // shrinks the code dramatically quickly 1093 // 1094 if (!DisableSimplifyCFG && !BugpointIsInterrupted) { 1095 std::vector<const BasicBlock*> Blocks; 1096 for (Function &F : *BD.getProgram()) 1097 for (BasicBlock &BB : F) 1098 Blocks.push_back(&BB); 1099 unsigned OldSize = Blocks.size(); 1100 ReduceCrashingBlocks(BD, TestFn).reduceList(Blocks, Error); 1101 if (Blocks.size() < OldSize) 1102 BD.EmitProgressBitcode(BD.getProgram(), "reduced-blocks"); 1103 } 1104 1105 if (!DisableSimplifyCFG & !BugpointIsInterrupted) { 1106 std::vector<const BasicBlock*> Blocks; 1107 for (Function &F : *BD.getProgram()) 1108 for (BasicBlock &BB : F) 1109 Blocks.push_back(&BB); 1110 unsigned OldSize = Blocks.size(); 1111 ReduceSimplifyCFG(BD, TestFn).reduceList(Blocks, Error); 1112 if (Blocks.size() < OldSize) 1113 BD.EmitProgressBitcode(BD.getProgram(), "reduced-simplifycfg"); 1114 } 1115 1116 // Attempt to delete instructions using bisection. This should help out nasty 1117 // cases with large basic blocks where the problem is at one end. 1118 if (!BugpointIsInterrupted) 1119 ReduceInsts(BD, TestFn, Error); 1120 1121 if (!NoNamedMDRM) { 1122 if (!BugpointIsInterrupted) { 1123 // Try to reduce the amount of global metadata (particularly debug info), 1124 // by dropping global named metadata that anchors them 1125 outs() << "\n*** Attempting to remove named metadata: "; 1126 std::vector<std::string> NamedMDNames; 1127 for (auto &NamedMD : BD.getProgram()->named_metadata()) 1128 NamedMDNames.push_back(NamedMD.getName().str()); 1129 ReduceCrashingNamedMD(BD, TestFn).reduceList(NamedMDNames, Error); 1130 } 1131 1132 if (!BugpointIsInterrupted) { 1133 // Now that we quickly dropped all the named metadata that doesn't 1134 // contribute to the crash, bisect the operands of the remaining ones 1135 std::vector<const MDNode *> NamedMDOps; 1136 for (auto &NamedMD : BD.getProgram()->named_metadata()) 1137 for (auto op : NamedMD.operands()) 1138 NamedMDOps.push_back(op); 1139 ReduceCrashingNamedMDOps(BD, TestFn).reduceList(NamedMDOps, Error); 1140 } 1141 BD.EmitProgressBitcode(BD.getProgram(), "reduced-named-md"); 1142 } 1143 1144 // Try to clean up the testcase by running funcresolve and globaldce... 1145 if (!BugpointIsInterrupted) { 1146 outs() << "\n*** Attempting to perform final cleanups: "; 1147 Module *M = CloneModule(BD.getProgram()).release(); 1148 M = BD.performFinalCleanups(M, true).release(); 1149 1150 // Find out if the pass still crashes on the cleaned up program... 1151 if (TestFn(BD, M)) { 1152 BD.setNewProgram(M); // Yup, it does, keep the reduced version... 1153 } else { 1154 delete M; 1155 } 1156 } 1157 1158 BD.EmitProgressBitcode(BD.getProgram(), "reduced-simplified"); 1159 1160 return false; 1161 } 1162 1163 static bool TestForOptimizerCrash(const BugDriver &BD, Module *M) { 1164 return BD.runPasses(M, BD.getPassesToRun()); 1165 } 1166 1167 /// debugOptimizerCrash - This method is called when some pass crashes on input. 1168 /// It attempts to prune down the testcase to something reasonable, and figure 1169 /// out exactly which pass is crashing. 1170 /// 1171 bool BugDriver::debugOptimizerCrash(const std::string &ID) { 1172 outs() << "\n*** Debugging optimizer crash!\n"; 1173 1174 std::string Error; 1175 // Reduce the list of passes which causes the optimizer to crash... 1176 if (!BugpointIsInterrupted && !DontReducePassList) 1177 ReducePassList(*this).reduceList(PassesToRun, Error); 1178 assert(Error.empty()); 1179 1180 outs() << "\n*** Found crashing pass" 1181 << (PassesToRun.size() == 1 ? ": " : "es: ") 1182 << getPassesString(PassesToRun) << '\n'; 1183 1184 EmitProgressBitcode(Program, ID); 1185 1186 bool Success = DebugACrash(*this, TestForOptimizerCrash, Error); 1187 assert(Error.empty()); 1188 return Success; 1189 } 1190 1191 static bool TestForCodeGenCrash(const BugDriver &BD, Module *M) { 1192 std::string Error; 1193 BD.compileProgram(M, &Error); 1194 if (!Error.empty()) { 1195 if (VerboseErrors) 1196 errs() << Error << "\n"; 1197 else 1198 errs() << "<crash>\n"; 1199 return true; // Tool is still crashing. 1200 } 1201 errs() << '\n'; 1202 return false; 1203 } 1204 1205 /// debugCodeGeneratorCrash - This method is called when the code generator 1206 /// crashes on an input. It attempts to reduce the input as much as possible 1207 /// while still causing the code generator to crash. 1208 bool BugDriver::debugCodeGeneratorCrash(std::string &Error) { 1209 errs() << "*** Debugging code generator crash!\n"; 1210 1211 return DebugACrash(*this, TestForCodeGenCrash, Error); 1212 } 1213