Home | History | Annotate | Download | only in bugpoint
      1 //===- Miscompilation.cpp - Debug program miscompilations -----------------===//
      2 //
      3 //                     The LLVM Compiler Infrastructure
      4 //
      5 // This file is distributed under the University of Illinois Open Source
      6 // License. See LICENSE.TXT for details.
      7 //
      8 //===----------------------------------------------------------------------===//
      9 //
     10 // This file implements optimizer and code generation miscompilation debugging
     11 // support.
     12 //
     13 //===----------------------------------------------------------------------===//
     14 
     15 #include "BugDriver.h"
     16 #include "ListReducer.h"
     17 #include "ToolRunner.h"
     18 #include "llvm/Config/config.h"   // for HAVE_LINK_R
     19 #include "llvm/IR/Constants.h"
     20 #include "llvm/IR/DerivedTypes.h"
     21 #include "llvm/IR/Instructions.h"
     22 #include "llvm/IR/Module.h"
     23 #include "llvm/IR/Verifier.h"
     24 #include "llvm/Linker/Linker.h"
     25 #include "llvm/Pass.h"
     26 #include "llvm/Support/CommandLine.h"
     27 #include "llvm/Support/FileUtilities.h"
     28 #include "llvm/Transforms/Utils/Cloning.h"
     29 using namespace llvm;
     30 
     31 namespace llvm {
     32   extern cl::opt<std::string> OutputPrefix;
     33   extern cl::list<std::string> InputArgv;
     34 }
     35 
     36 namespace {
     37   static llvm::cl::opt<bool>
     38     DisableLoopExtraction("disable-loop-extraction",
     39         cl::desc("Don't extract loops when searching for miscompilations"),
     40         cl::init(false));
     41   static llvm::cl::opt<bool>
     42     DisableBlockExtraction("disable-block-extraction",
     43         cl::desc("Don't extract blocks when searching for miscompilations"),
     44         cl::init(false));
     45 
     46   class ReduceMiscompilingPasses : public ListReducer<std::string> {
     47     BugDriver &BD;
     48   public:
     49     ReduceMiscompilingPasses(BugDriver &bd) : BD(bd) {}
     50 
     51     TestResult doTest(std::vector<std::string> &Prefix,
     52                       std::vector<std::string> &Suffix,
     53                       std::string &Error) override;
     54   };
     55 }
     56 
     57 /// TestResult - After passes have been split into a test group and a control
     58 /// group, see if they still break the program.
     59 ///
     60 ReduceMiscompilingPasses::TestResult
     61 ReduceMiscompilingPasses::doTest(std::vector<std::string> &Prefix,
     62                                  std::vector<std::string> &Suffix,
     63                                  std::string &Error) {
     64   // First, run the program with just the Suffix passes.  If it is still broken
     65   // with JUST the kept passes, discard the prefix passes.
     66   outs() << "Checking to see if '" << getPassesString(Suffix)
     67          << "' compiles correctly: ";
     68 
     69   std::string BitcodeResult;
     70   if (BD.runPasses(BD.getProgram(), Suffix, BitcodeResult, false/*delete*/,
     71                    true/*quiet*/)) {
     72     errs() << " Error running this sequence of passes"
     73            << " on the input program!\n";
     74     BD.setPassesToRun(Suffix);
     75     BD.EmitProgressBitcode(BD.getProgram(), "pass-error",  false);
     76     exit(BD.debugOptimizerCrash());
     77   }
     78 
     79   // Check to see if the finished program matches the reference output...
     80   bool Diff = BD.diffProgram(BD.getProgram(), BitcodeResult, "",
     81                              true /*delete bitcode*/, &Error);
     82   if (!Error.empty())
     83     return InternalError;
     84   if (Diff) {
     85     outs() << " nope.\n";
     86     if (Suffix.empty()) {
     87       errs() << BD.getToolName() << ": I'm confused: the test fails when "
     88              << "no passes are run, nondeterministic program?\n";
     89       exit(1);
     90     }
     91     return KeepSuffix;         // Miscompilation detected!
     92   }
     93   outs() << " yup.\n";      // No miscompilation!
     94 
     95   if (Prefix.empty()) return NoFailure;
     96 
     97   // Next, see if the program is broken if we run the "prefix" passes first,
     98   // then separately run the "kept" passes.
     99   outs() << "Checking to see if '" << getPassesString(Prefix)
    100          << "' compiles correctly: ";
    101 
    102   // If it is not broken with the kept passes, it's possible that the prefix
    103   // passes must be run before the kept passes to break it.  If the program
    104   // WORKS after the prefix passes, but then fails if running the prefix AND
    105   // kept passes, we can update our bitcode file to include the result of the
    106   // prefix passes, then discard the prefix passes.
    107   //
    108   if (BD.runPasses(BD.getProgram(), Prefix, BitcodeResult, false/*delete*/,
    109                    true/*quiet*/)) {
    110     errs() << " Error running this sequence of passes"
    111            << " on the input program!\n";
    112     BD.setPassesToRun(Prefix);
    113     BD.EmitProgressBitcode(BD.getProgram(), "pass-error",  false);
    114     exit(BD.debugOptimizerCrash());
    115   }
    116 
    117   // If the prefix maintains the predicate by itself, only keep the prefix!
    118   Diff = BD.diffProgram(BD.getProgram(), BitcodeResult, "", false, &Error);
    119   if (!Error.empty())
    120     return InternalError;
    121   if (Diff) {
    122     outs() << " nope.\n";
    123     sys::fs::remove(BitcodeResult);
    124     return KeepPrefix;
    125   }
    126   outs() << " yup.\n";      // No miscompilation!
    127 
    128   // Ok, so now we know that the prefix passes work, try running the suffix
    129   // passes on the result of the prefix passes.
    130   //
    131   std::unique_ptr<Module> PrefixOutput =
    132       parseInputFile(BitcodeResult, BD.getContext());
    133   if (!PrefixOutput) {
    134     errs() << BD.getToolName() << ": Error reading bitcode file '"
    135            << BitcodeResult << "'!\n";
    136     exit(1);
    137   }
    138   sys::fs::remove(BitcodeResult);
    139 
    140   // Don't check if there are no passes in the suffix.
    141   if (Suffix.empty())
    142     return NoFailure;
    143 
    144   outs() << "Checking to see if '" << getPassesString(Suffix)
    145             << "' passes compile correctly after the '"
    146             << getPassesString(Prefix) << "' passes: ";
    147 
    148   std::unique_ptr<Module> OriginalInput(
    149       BD.swapProgramIn(PrefixOutput.release()));
    150   if (BD.runPasses(BD.getProgram(), Suffix, BitcodeResult, false/*delete*/,
    151                    true/*quiet*/)) {
    152     errs() << " Error running this sequence of passes"
    153            << " on the input program!\n";
    154     BD.setPassesToRun(Suffix);
    155     BD.EmitProgressBitcode(BD.getProgram(), "pass-error",  false);
    156     exit(BD.debugOptimizerCrash());
    157   }
    158 
    159   // Run the result...
    160   Diff = BD.diffProgram(BD.getProgram(), BitcodeResult, "",
    161                         true /*delete bitcode*/, &Error);
    162   if (!Error.empty())
    163     return InternalError;
    164   if (Diff) {
    165     outs() << " nope.\n";
    166     return KeepSuffix;
    167   }
    168 
    169   // Otherwise, we must not be running the bad pass anymore.
    170   outs() << " yup.\n";      // No miscompilation!
    171   // Restore orig program & free test.
    172   delete BD.swapProgramIn(OriginalInput.release());
    173   return NoFailure;
    174 }
    175 
    176 namespace {
    177   class ReduceMiscompilingFunctions : public ListReducer<Function*> {
    178     BugDriver &BD;
    179     bool (*TestFn)(BugDriver &, std::unique_ptr<Module>,
    180                    std::unique_ptr<Module>, std::string &);
    181 
    182   public:
    183     ReduceMiscompilingFunctions(BugDriver &bd,
    184                                 bool (*F)(BugDriver &, std::unique_ptr<Module>,
    185                                           std::unique_ptr<Module>,
    186                                           std::string &))
    187         : BD(bd), TestFn(F) {}
    188 
    189     TestResult doTest(std::vector<Function*> &Prefix,
    190                       std::vector<Function*> &Suffix,
    191                       std::string &Error) override {
    192       if (!Suffix.empty()) {
    193         bool Ret = TestFuncs(Suffix, Error);
    194         if (!Error.empty())
    195           return InternalError;
    196         if (Ret)
    197           return KeepSuffix;
    198       }
    199       if (!Prefix.empty()) {
    200         bool Ret = TestFuncs(Prefix, Error);
    201         if (!Error.empty())
    202           return InternalError;
    203         if (Ret)
    204           return KeepPrefix;
    205       }
    206       return NoFailure;
    207     }
    208 
    209     bool TestFuncs(const std::vector<Function*> &Prefix, std::string &Error);
    210   };
    211 }
    212 
    213 /// Given two modules, link them together and run the program, checking to see
    214 /// if the program matches the diff. If there is an error, return NULL. If not,
    215 /// return the merged module. The Broken argument will be set to true if the
    216 /// output is different. If the DeleteInputs argument is set to true then this
    217 /// function deletes both input modules before it returns.
    218 ///
    219 static std::unique_ptr<Module> testMergedProgram(const BugDriver &BD,
    220                                                  std::unique_ptr<Module> M1,
    221                                                  std::unique_ptr<Module> M2,
    222                                                  std::string &Error,
    223                                                  bool &Broken) {
    224   if (Linker::linkModules(*M1, std::move(M2)))
    225     exit(1);
    226 
    227   // Execute the program.
    228   Broken = BD.diffProgram(M1.get(), "", "", false, &Error);
    229   if (!Error.empty())
    230     return nullptr;
    231   return M1;
    232 }
    233 
    234 /// TestFuncs - split functions in a Module into two groups: those that are
    235 /// under consideration for miscompilation vs. those that are not, and test
    236 /// accordingly. Each group of functions becomes a separate Module.
    237 ///
    238 bool ReduceMiscompilingFunctions::TestFuncs(const std::vector<Function*> &Funcs,
    239                                             std::string &Error) {
    240   // Test to see if the function is misoptimized if we ONLY run it on the
    241   // functions listed in Funcs.
    242   outs() << "Checking to see if the program is misoptimized when "
    243          << (Funcs.size()==1 ? "this function is" : "these functions are")
    244          << " run through the pass"
    245          << (BD.getPassesToRun().size() == 1 ? "" : "es") << ":";
    246   PrintFunctionList(Funcs);
    247   outs() << '\n';
    248 
    249   // Create a clone for two reasons:
    250   // * If the optimization passes delete any function, the deleted function
    251   //   will be in the clone and Funcs will still point to valid memory
    252   // * If the optimization passes use interprocedural information to break
    253   //   a function, we want to continue with the original function. Otherwise
    254   //   we can conclude that a function triggers the bug when in fact one
    255   //   needs a larger set of original functions to do so.
    256   ValueToValueMapTy VMap;
    257   Module *Clone = CloneModule(BD.getProgram(), VMap).release();
    258   Module *Orig = BD.swapProgramIn(Clone);
    259 
    260   std::vector<Function*> FuncsOnClone;
    261   for (unsigned i = 0, e = Funcs.size(); i != e; ++i) {
    262     Function *F = cast<Function>(VMap[Funcs[i]]);
    263     FuncsOnClone.push_back(F);
    264   }
    265 
    266   // Split the module into the two halves of the program we want.
    267   VMap.clear();
    268   std::unique_ptr<Module> ToNotOptimize = CloneModule(BD.getProgram(), VMap);
    269   std::unique_ptr<Module> ToOptimize =
    270       SplitFunctionsOutOfModule(ToNotOptimize.get(), FuncsOnClone, VMap);
    271 
    272   bool Broken =
    273       TestFn(BD, std::move(ToOptimize), std::move(ToNotOptimize), Error);
    274 
    275   delete BD.swapProgramIn(Orig);
    276 
    277   return Broken;
    278 }
    279 
    280 /// DisambiguateGlobalSymbols - Give anonymous global values names.
    281 ///
    282 static void DisambiguateGlobalSymbols(Module *M) {
    283   for (Module::global_iterator I = M->global_begin(), E = M->global_end();
    284        I != E; ++I)
    285     if (!I->hasName())
    286       I->setName("anon_global");
    287   for (Module::iterator I = M->begin(), E = M->end(); I != E; ++I)
    288     if (!I->hasName())
    289       I->setName("anon_fn");
    290 }
    291 
    292 /// Given a reduced list of functions that still exposed the bug, check to see
    293 /// if we can extract the loops in the region without obscuring the bug.  If so,
    294 /// it reduces the amount of code identified.
    295 ///
    296 static bool ExtractLoops(BugDriver &BD,
    297                          bool (*TestFn)(BugDriver &, std::unique_ptr<Module>,
    298                                         std::unique_ptr<Module>, std::string &),
    299                          std::vector<Function *> &MiscompiledFunctions,
    300                          std::string &Error) {
    301   bool MadeChange = false;
    302   while (1) {
    303     if (BugpointIsInterrupted) return MadeChange;
    304 
    305     ValueToValueMapTy VMap;
    306     std::unique_ptr<Module> ToNotOptimize = CloneModule(BD.getProgram(), VMap);
    307     Module *ToOptimize = SplitFunctionsOutOfModule(ToNotOptimize.get(),
    308                                                    MiscompiledFunctions, VMap)
    309                              .release();
    310     std::unique_ptr<Module> ToOptimizeLoopExtracted =
    311         BD.extractLoop(ToOptimize);
    312     if (!ToOptimizeLoopExtracted) {
    313       // If the loop extractor crashed or if there were no extractible loops,
    314       // then this chapter of our odyssey is over with.
    315       delete ToOptimize;
    316       return MadeChange;
    317     }
    318 
    319     errs() << "Extracted a loop from the breaking portion of the program.\n";
    320 
    321     // Bugpoint is intentionally not very trusting of LLVM transformations.  In
    322     // particular, we're not going to assume that the loop extractor works, so
    323     // we're going to test the newly loop extracted program to make sure nothing
    324     // has broken.  If something broke, then we'll inform the user and stop
    325     // extraction.
    326     AbstractInterpreter *AI = BD.switchToSafeInterpreter();
    327     bool Failure;
    328     std::unique_ptr<Module> New =
    329         testMergedProgram(BD, std::move(ToOptimizeLoopExtracted),
    330                           std::move(ToNotOptimize), Error, Failure);
    331     if (!New)
    332       return false;
    333 
    334     // Delete the original and set the new program.
    335     Module *Old = BD.swapProgramIn(New.release());
    336     for (unsigned i = 0, e = MiscompiledFunctions.size(); i != e; ++i)
    337       MiscompiledFunctions[i] = cast<Function>(VMap[MiscompiledFunctions[i]]);
    338     delete Old;
    339 
    340     if (Failure) {
    341       BD.switchToInterpreter(AI);
    342 
    343       // Merged program doesn't work anymore!
    344       errs() << "  *** ERROR: Loop extraction broke the program. :("
    345              << " Please report a bug!\n";
    346       errs() << "      Continuing on with un-loop-extracted version.\n";
    347 
    348       BD.writeProgramToFile(OutputPrefix + "-loop-extract-fail-tno.bc",
    349                             ToNotOptimize.get());
    350       BD.writeProgramToFile(OutputPrefix + "-loop-extract-fail-to.bc",
    351                             ToOptimize);
    352       BD.writeProgramToFile(OutputPrefix + "-loop-extract-fail-to-le.bc",
    353                             ToOptimizeLoopExtracted.get());
    354 
    355       errs() << "Please submit the "
    356              << OutputPrefix << "-loop-extract-fail-*.bc files.\n";
    357       delete ToOptimize;
    358       return MadeChange;
    359     }
    360     delete ToOptimize;
    361     BD.switchToInterpreter(AI);
    362 
    363     outs() << "  Testing after loop extraction:\n";
    364     // Clone modules, the tester function will free them.
    365     std::unique_ptr<Module> TOLEBackup =
    366         CloneModule(ToOptimizeLoopExtracted.get(), VMap);
    367     std::unique_ptr<Module> TNOBackup = CloneModule(ToNotOptimize.get(), VMap);
    368 
    369     for (unsigned i = 0, e = MiscompiledFunctions.size(); i != e; ++i)
    370       MiscompiledFunctions[i] = cast<Function>(VMap[MiscompiledFunctions[i]]);
    371 
    372     Failure = TestFn(BD, std::move(ToOptimizeLoopExtracted),
    373                      std::move(ToNotOptimize), Error);
    374     if (!Error.empty())
    375       return false;
    376 
    377     ToOptimizeLoopExtracted = std::move(TOLEBackup);
    378     ToNotOptimize = std::move(TNOBackup);
    379 
    380     if (!Failure) {
    381       outs() << "*** Loop extraction masked the problem.  Undoing.\n";
    382       // If the program is not still broken, then loop extraction did something
    383       // that masked the error.  Stop loop extraction now.
    384 
    385       std::vector<std::pair<std::string, FunctionType*> > MisCompFunctions;
    386       for (Function *F : MiscompiledFunctions) {
    387         MisCompFunctions.emplace_back(F->getName(), F->getFunctionType());
    388       }
    389 
    390       if (Linker::linkModules(*ToNotOptimize,
    391                               std::move(ToOptimizeLoopExtracted)))
    392         exit(1);
    393 
    394       MiscompiledFunctions.clear();
    395       for (unsigned i = 0, e = MisCompFunctions.size(); i != e; ++i) {
    396         Function *NewF = ToNotOptimize->getFunction(MisCompFunctions[i].first);
    397 
    398         assert(NewF && "Function not found??");
    399         MiscompiledFunctions.push_back(NewF);
    400       }
    401 
    402       BD.setNewProgram(ToNotOptimize.release());
    403       return MadeChange;
    404     }
    405 
    406     outs() << "*** Loop extraction successful!\n";
    407 
    408     std::vector<std::pair<std::string, FunctionType*> > MisCompFunctions;
    409     for (Module::iterator I = ToOptimizeLoopExtracted->begin(),
    410            E = ToOptimizeLoopExtracted->end(); I != E; ++I)
    411       if (!I->isDeclaration())
    412         MisCompFunctions.emplace_back(I->getName(), I->getFunctionType());
    413 
    414     // Okay, great!  Now we know that we extracted a loop and that loop
    415     // extraction both didn't break the program, and didn't mask the problem.
    416     // Replace the current program with the loop extracted version, and try to
    417     // extract another loop.
    418     if (Linker::linkModules(*ToNotOptimize, std::move(ToOptimizeLoopExtracted)))
    419       exit(1);
    420 
    421     // All of the Function*'s in the MiscompiledFunctions list are in the old
    422     // module.  Update this list to include all of the functions in the
    423     // optimized and loop extracted module.
    424     MiscompiledFunctions.clear();
    425     for (unsigned i = 0, e = MisCompFunctions.size(); i != e; ++i) {
    426       Function *NewF = ToNotOptimize->getFunction(MisCompFunctions[i].first);
    427 
    428       assert(NewF && "Function not found??");
    429       MiscompiledFunctions.push_back(NewF);
    430     }
    431 
    432     BD.setNewProgram(ToNotOptimize.release());
    433     MadeChange = true;
    434   }
    435 }
    436 
    437 namespace {
    438   class ReduceMiscompiledBlocks : public ListReducer<BasicBlock*> {
    439     BugDriver &BD;
    440     bool (*TestFn)(BugDriver &, std::unique_ptr<Module>,
    441                    std::unique_ptr<Module>, std::string &);
    442     std::vector<Function*> FunctionsBeingTested;
    443   public:
    444     ReduceMiscompiledBlocks(BugDriver &bd,
    445                             bool (*F)(BugDriver &, std::unique_ptr<Module>,
    446                                       std::unique_ptr<Module>, std::string &),
    447                             const std::vector<Function *> &Fns)
    448         : BD(bd), TestFn(F), FunctionsBeingTested(Fns) {}
    449 
    450     TestResult doTest(std::vector<BasicBlock*> &Prefix,
    451                       std::vector<BasicBlock*> &Suffix,
    452                       std::string &Error) override {
    453       if (!Suffix.empty()) {
    454         bool Ret = TestFuncs(Suffix, Error);
    455         if (!Error.empty())
    456           return InternalError;
    457         if (Ret)
    458           return KeepSuffix;
    459       }
    460       if (!Prefix.empty()) {
    461         bool Ret = TestFuncs(Prefix, Error);
    462         if (!Error.empty())
    463           return InternalError;
    464         if (Ret)
    465           return KeepPrefix;
    466       }
    467       return NoFailure;
    468     }
    469 
    470     bool TestFuncs(const std::vector<BasicBlock*> &BBs, std::string &Error);
    471   };
    472 }
    473 
    474 /// TestFuncs - Extract all blocks for the miscompiled functions except for the
    475 /// specified blocks.  If the problem still exists, return true.
    476 ///
    477 bool ReduceMiscompiledBlocks::TestFuncs(const std::vector<BasicBlock*> &BBs,
    478                                         std::string &Error) {
    479   // Test to see if the function is misoptimized if we ONLY run it on the
    480   // functions listed in Funcs.
    481   outs() << "Checking to see if the program is misoptimized when all ";
    482   if (!BBs.empty()) {
    483     outs() << "but these " << BBs.size() << " blocks are extracted: ";
    484     for (unsigned i = 0, e = BBs.size() < 10 ? BBs.size() : 10; i != e; ++i)
    485       outs() << BBs[i]->getName() << " ";
    486     if (BBs.size() > 10) outs() << "...";
    487   } else {
    488     outs() << "blocks are extracted.";
    489   }
    490   outs() << '\n';
    491 
    492   // Split the module into the two halves of the program we want.
    493   ValueToValueMapTy VMap;
    494   Module *Clone = CloneModule(BD.getProgram(), VMap).release();
    495   Module *Orig = BD.swapProgramIn(Clone);
    496   std::vector<Function*> FuncsOnClone;
    497   std::vector<BasicBlock*> BBsOnClone;
    498   for (unsigned i = 0, e = FunctionsBeingTested.size(); i != e; ++i) {
    499     Function *F = cast<Function>(VMap[FunctionsBeingTested[i]]);
    500     FuncsOnClone.push_back(F);
    501   }
    502   for (unsigned i = 0, e = BBs.size(); i != e; ++i) {
    503     BasicBlock *BB = cast<BasicBlock>(VMap[BBs[i]]);
    504     BBsOnClone.push_back(BB);
    505   }
    506   VMap.clear();
    507 
    508   std::unique_ptr<Module> ToNotOptimize = CloneModule(BD.getProgram(), VMap);
    509   std::unique_ptr<Module> ToOptimize =
    510       SplitFunctionsOutOfModule(ToNotOptimize.get(), FuncsOnClone, VMap);
    511 
    512   // Try the extraction.  If it doesn't work, then the block extractor crashed
    513   // or something, in which case bugpoint can't chase down this possibility.
    514   if (std::unique_ptr<Module> New =
    515           BD.extractMappedBlocksFromModule(BBsOnClone, ToOptimize.get())) {
    516     bool Ret = TestFn(BD, std::move(New), std::move(ToNotOptimize), Error);
    517     delete BD.swapProgramIn(Orig);
    518     return Ret;
    519   }
    520   delete BD.swapProgramIn(Orig);
    521   return false;
    522 }
    523 
    524 /// Given a reduced list of functions that still expose the bug, extract as many
    525 /// basic blocks from the region as possible without obscuring the bug.
    526 ///
    527 static bool ExtractBlocks(BugDriver &BD,
    528                           bool (*TestFn)(BugDriver &, std::unique_ptr<Module>,
    529                                          std::unique_ptr<Module>,
    530                                          std::string &),
    531                           std::vector<Function *> &MiscompiledFunctions,
    532                           std::string &Error) {
    533   if (BugpointIsInterrupted) return false;
    534 
    535   std::vector<BasicBlock*> Blocks;
    536   for (unsigned i = 0, e = MiscompiledFunctions.size(); i != e; ++i)
    537     for (BasicBlock &BB : *MiscompiledFunctions[i])
    538       Blocks.push_back(&BB);
    539 
    540   // Use the list reducer to identify blocks that can be extracted without
    541   // obscuring the bug.  The Blocks list will end up containing blocks that must
    542   // be retained from the original program.
    543   unsigned OldSize = Blocks.size();
    544 
    545   // Check to see if all blocks are extractible first.
    546   bool Ret = ReduceMiscompiledBlocks(BD, TestFn, MiscompiledFunctions)
    547                                   .TestFuncs(std::vector<BasicBlock*>(), Error);
    548   if (!Error.empty())
    549     return false;
    550   if (Ret) {
    551     Blocks.clear();
    552   } else {
    553     ReduceMiscompiledBlocks(BD, TestFn,
    554                             MiscompiledFunctions).reduceList(Blocks, Error);
    555     if (!Error.empty())
    556       return false;
    557     if (Blocks.size() == OldSize)
    558       return false;
    559   }
    560 
    561   ValueToValueMapTy VMap;
    562   Module *ProgClone = CloneModule(BD.getProgram(), VMap).release();
    563   Module *ToExtract =
    564       SplitFunctionsOutOfModule(ProgClone, MiscompiledFunctions, VMap)
    565           .release();
    566   std::unique_ptr<Module> Extracted =
    567       BD.extractMappedBlocksFromModule(Blocks, ToExtract);
    568   if (!Extracted) {
    569     // Weird, extraction should have worked.
    570     errs() << "Nondeterministic problem extracting blocks??\n";
    571     delete ProgClone;
    572     delete ToExtract;
    573     return false;
    574   }
    575 
    576   // Otherwise, block extraction succeeded.  Link the two program fragments back
    577   // together.
    578   delete ToExtract;
    579 
    580   std::vector<std::pair<std::string, FunctionType*> > MisCompFunctions;
    581   for (Module::iterator I = Extracted->begin(), E = Extracted->end();
    582        I != E; ++I)
    583     if (!I->isDeclaration())
    584       MisCompFunctions.emplace_back(I->getName(), I->getFunctionType());
    585 
    586   if (Linker::linkModules(*ProgClone, std::move(Extracted)))
    587     exit(1);
    588 
    589   // Set the new program and delete the old one.
    590   BD.setNewProgram(ProgClone);
    591 
    592   // Update the list of miscompiled functions.
    593   MiscompiledFunctions.clear();
    594 
    595   for (unsigned i = 0, e = MisCompFunctions.size(); i != e; ++i) {
    596     Function *NewF = ProgClone->getFunction(MisCompFunctions[i].first);
    597     assert(NewF && "Function not found??");
    598     MiscompiledFunctions.push_back(NewF);
    599   }
    600 
    601   return true;
    602 }
    603 
    604 /// This is a generic driver to narrow down miscompilations, either in an
    605 /// optimization or a code generator.
    606 ///
    607 static std::vector<Function *>
    608 DebugAMiscompilation(BugDriver &BD,
    609                      bool (*TestFn)(BugDriver &, std::unique_ptr<Module>,
    610                                     std::unique_ptr<Module>, std::string &),
    611                      std::string &Error) {
    612   // Okay, now that we have reduced the list of passes which are causing the
    613   // failure, see if we can pin down which functions are being
    614   // miscompiled... first build a list of all of the non-external functions in
    615   // the program.
    616   std::vector<Function*> MiscompiledFunctions;
    617   Module *Prog = BD.getProgram();
    618   for (Function &F : *Prog)
    619     if (!F.isDeclaration())
    620       MiscompiledFunctions.push_back(&F);
    621 
    622   // Do the reduction...
    623   if (!BugpointIsInterrupted)
    624     ReduceMiscompilingFunctions(BD, TestFn).reduceList(MiscompiledFunctions,
    625                                                        Error);
    626   if (!Error.empty()) {
    627     errs() << "\n***Cannot reduce functions: ";
    628     return MiscompiledFunctions;
    629   }
    630   outs() << "\n*** The following function"
    631          << (MiscompiledFunctions.size() == 1 ? " is" : "s are")
    632          << " being miscompiled: ";
    633   PrintFunctionList(MiscompiledFunctions);
    634   outs() << '\n';
    635 
    636   // See if we can rip any loops out of the miscompiled functions and still
    637   // trigger the problem.
    638 
    639   if (!BugpointIsInterrupted && !DisableLoopExtraction) {
    640     bool Ret = ExtractLoops(BD, TestFn, MiscompiledFunctions, Error);
    641     if (!Error.empty())
    642       return MiscompiledFunctions;
    643     if (Ret) {
    644       // Okay, we extracted some loops and the problem still appears.  See if
    645       // we can eliminate some of the created functions from being candidates.
    646       DisambiguateGlobalSymbols(BD.getProgram());
    647 
    648       // Do the reduction...
    649       if (!BugpointIsInterrupted)
    650         ReduceMiscompilingFunctions(BD, TestFn).reduceList(MiscompiledFunctions,
    651                                                            Error);
    652       if (!Error.empty())
    653         return MiscompiledFunctions;
    654 
    655       outs() << "\n*** The following function"
    656              << (MiscompiledFunctions.size() == 1 ? " is" : "s are")
    657              << " being miscompiled: ";
    658       PrintFunctionList(MiscompiledFunctions);
    659       outs() << '\n';
    660     }
    661   }
    662 
    663   if (!BugpointIsInterrupted && !DisableBlockExtraction) {
    664     bool Ret = ExtractBlocks(BD, TestFn, MiscompiledFunctions, Error);
    665     if (!Error.empty())
    666       return MiscompiledFunctions;
    667     if (Ret) {
    668       // Okay, we extracted some blocks and the problem still appears.  See if
    669       // we can eliminate some of the created functions from being candidates.
    670       DisambiguateGlobalSymbols(BD.getProgram());
    671 
    672       // Do the reduction...
    673       ReduceMiscompilingFunctions(BD, TestFn).reduceList(MiscompiledFunctions,
    674                                                          Error);
    675       if (!Error.empty())
    676         return MiscompiledFunctions;
    677 
    678       outs() << "\n*** The following function"
    679              << (MiscompiledFunctions.size() == 1 ? " is" : "s are")
    680              << " being miscompiled: ";
    681       PrintFunctionList(MiscompiledFunctions);
    682       outs() << '\n';
    683     }
    684   }
    685 
    686   return MiscompiledFunctions;
    687 }
    688 
    689 /// This is the predicate function used to check to see if the "Test" portion of
    690 /// the program is misoptimized.  If so, return true.  In any case, both module
    691 /// arguments are deleted.
    692 ///
    693 static bool TestOptimizer(BugDriver &BD, std::unique_ptr<Module> Test,
    694                           std::unique_ptr<Module> Safe, std::string &Error) {
    695   // Run the optimization passes on ToOptimize, producing a transformed version
    696   // of the functions being tested.
    697   outs() << "  Optimizing functions being tested: ";
    698   std::unique_ptr<Module> Optimized =
    699       BD.runPassesOn(Test.get(), BD.getPassesToRun(),
    700                      /*AutoDebugCrashes*/ true);
    701   outs() << "done.\n";
    702 
    703   outs() << "  Checking to see if the merged program executes correctly: ";
    704   bool Broken;
    705   std::unique_ptr<Module> New = testMergedProgram(
    706       BD, std::move(Optimized), std::move(Safe), Error, Broken);
    707   if (New) {
    708     outs() << (Broken ? " nope.\n" : " yup.\n");
    709     // Delete the original and set the new program.
    710     delete BD.swapProgramIn(New.release());
    711   }
    712   return Broken;
    713 }
    714 
    715 
    716 /// debugMiscompilation - This method is used when the passes selected are not
    717 /// crashing, but the generated output is semantically different from the
    718 /// input.
    719 ///
    720 void BugDriver::debugMiscompilation(std::string *Error) {
    721   // Make sure something was miscompiled...
    722   if (!BugpointIsInterrupted)
    723     if (!ReduceMiscompilingPasses(*this).reduceList(PassesToRun, *Error)) {
    724       if (Error->empty())
    725         errs() << "*** Optimized program matches reference output!  No problem"
    726                << " detected...\nbugpoint can't help you with your problem!\n";
    727       return;
    728     }
    729 
    730   outs() << "\n*** Found miscompiling pass"
    731          << (getPassesToRun().size() == 1 ? "" : "es") << ": "
    732          << getPassesString(getPassesToRun()) << '\n';
    733   EmitProgressBitcode(Program, "passinput");
    734 
    735   std::vector<Function *> MiscompiledFunctions =
    736     DebugAMiscompilation(*this, TestOptimizer, *Error);
    737   if (!Error->empty())
    738     return;
    739 
    740   // Output a bunch of bitcode files for the user...
    741   outs() << "Outputting reduced bitcode files which expose the problem:\n";
    742   ValueToValueMapTy VMap;
    743   Module *ToNotOptimize = CloneModule(getProgram(), VMap).release();
    744   Module *ToOptimize =
    745       SplitFunctionsOutOfModule(ToNotOptimize, MiscompiledFunctions, VMap)
    746           .release();
    747 
    748   outs() << "  Non-optimized portion: ";
    749   EmitProgressBitcode(ToNotOptimize, "tonotoptimize", true);
    750   delete ToNotOptimize;  // Delete hacked module.
    751 
    752   outs() << "  Portion that is input to optimizer: ";
    753   EmitProgressBitcode(ToOptimize, "tooptimize");
    754   delete ToOptimize;      // Delete hacked module.
    755 
    756   return;
    757 }
    758 
    759 /// Get the specified modules ready for code generator testing.
    760 ///
    761 static void CleanupAndPrepareModules(BugDriver &BD,
    762                                      std::unique_ptr<Module> &Test,
    763                                      Module *Safe) {
    764   // Clean up the modules, removing extra cruft that we don't need anymore...
    765   Test = BD.performFinalCleanups(Test.get());
    766 
    767   // If we are executing the JIT, we have several nasty issues to take care of.
    768   if (!BD.isExecutingJIT()) return;
    769 
    770   // First, if the main function is in the Safe module, we must add a stub to
    771   // the Test module to call into it.  Thus, we create a new function `main'
    772   // which just calls the old one.
    773   if (Function *oldMain = Safe->getFunction("main"))
    774     if (!oldMain->isDeclaration()) {
    775       // Rename it
    776       oldMain->setName("llvm_bugpoint_old_main");
    777       // Create a NEW `main' function with same type in the test module.
    778       Function *newMain =
    779           Function::Create(oldMain->getFunctionType(),
    780                            GlobalValue::ExternalLinkage, "main", Test.get());
    781       // Create an `oldmain' prototype in the test module, which will
    782       // corresponds to the real main function in the same module.
    783       Function *oldMainProto = Function::Create(oldMain->getFunctionType(),
    784                                                 GlobalValue::ExternalLinkage,
    785                                                 oldMain->getName(), Test.get());
    786       // Set up and remember the argument list for the main function.
    787       std::vector<Value*> args;
    788       for (Function::arg_iterator
    789              I = newMain->arg_begin(), E = newMain->arg_end(),
    790              OI = oldMain->arg_begin(); I != E; ++I, ++OI) {
    791         I->setName(OI->getName());    // Copy argument names from oldMain
    792         args.push_back(&*I);
    793       }
    794 
    795       // Call the old main function and return its result
    796       BasicBlock *BB = BasicBlock::Create(Safe->getContext(), "entry", newMain);
    797       CallInst *call = CallInst::Create(oldMainProto, args, "", BB);
    798 
    799       // If the type of old function wasn't void, return value of call
    800       ReturnInst::Create(Safe->getContext(), call, BB);
    801     }
    802 
    803   // The second nasty issue we must deal with in the JIT is that the Safe
    804   // module cannot directly reference any functions defined in the test
    805   // module.  Instead, we use a JIT API call to dynamically resolve the
    806   // symbol.
    807 
    808   // Add the resolver to the Safe module.
    809   // Prototype: void *getPointerToNamedFunction(const char* Name)
    810   Constant *resolverFunc =
    811     Safe->getOrInsertFunction("getPointerToNamedFunction",
    812                     Type::getInt8PtrTy(Safe->getContext()),
    813                     Type::getInt8PtrTy(Safe->getContext()),
    814                        (Type *)nullptr);
    815 
    816   // Use the function we just added to get addresses of functions we need.
    817   for (Module::iterator F = Safe->begin(), E = Safe->end(); F != E; ++F) {
    818     if (F->isDeclaration() && !F->use_empty() && &*F != resolverFunc &&
    819         !F->isIntrinsic() /* ignore intrinsics */) {
    820       Function *TestFn = Test->getFunction(F->getName());
    821 
    822       // Don't forward functions which are external in the test module too.
    823       if (TestFn && !TestFn->isDeclaration()) {
    824         // 1. Add a string constant with its name to the global file
    825         Constant *InitArray =
    826           ConstantDataArray::getString(F->getContext(), F->getName());
    827         GlobalVariable *funcName =
    828           new GlobalVariable(*Safe, InitArray->getType(), true /*isConstant*/,
    829                              GlobalValue::InternalLinkage, InitArray,
    830                              F->getName() + "_name");
    831 
    832         // 2. Use `GetElementPtr *funcName, 0, 0' to convert the string to an
    833         // sbyte* so it matches the signature of the resolver function.
    834 
    835         // GetElementPtr *funcName, ulong 0, ulong 0
    836         std::vector<Constant*> GEPargs(2,
    837                      Constant::getNullValue(Type::getInt32Ty(F->getContext())));
    838         Value *GEP = ConstantExpr::getGetElementPtr(InitArray->getType(),
    839                                                     funcName, GEPargs);
    840         std::vector<Value*> ResolverArgs;
    841         ResolverArgs.push_back(GEP);
    842 
    843         // Rewrite uses of F in global initializers, etc. to uses of a wrapper
    844         // function that dynamically resolves the calls to F via our JIT API
    845         if (!F->use_empty()) {
    846           // Create a new global to hold the cached function pointer.
    847           Constant *NullPtr = ConstantPointerNull::get(F->getType());
    848           GlobalVariable *Cache =
    849             new GlobalVariable(*F->getParent(), F->getType(),
    850                                false, GlobalValue::InternalLinkage,
    851                                NullPtr,F->getName()+".fpcache");
    852 
    853           // Construct a new stub function that will re-route calls to F
    854           FunctionType *FuncTy = F->getFunctionType();
    855           Function *FuncWrapper = Function::Create(FuncTy,
    856                                                    GlobalValue::InternalLinkage,
    857                                                    F->getName() + "_wrapper",
    858                                                    F->getParent());
    859           BasicBlock *EntryBB  = BasicBlock::Create(F->getContext(),
    860                                                     "entry", FuncWrapper);
    861           BasicBlock *DoCallBB = BasicBlock::Create(F->getContext(),
    862                                                     "usecache", FuncWrapper);
    863           BasicBlock *LookupBB = BasicBlock::Create(F->getContext(),
    864                                                     "lookupfp", FuncWrapper);
    865 
    866           // Check to see if we already looked up the value.
    867           Value *CachedVal = new LoadInst(Cache, "fpcache", EntryBB);
    868           Value *IsNull = new ICmpInst(*EntryBB, ICmpInst::ICMP_EQ, CachedVal,
    869                                        NullPtr, "isNull");
    870           BranchInst::Create(LookupBB, DoCallBB, IsNull, EntryBB);
    871 
    872           // Resolve the call to function F via the JIT API:
    873           //
    874           // call resolver(GetElementPtr...)
    875           CallInst *Resolver =
    876             CallInst::Create(resolverFunc, ResolverArgs, "resolver", LookupBB);
    877 
    878           // Cast the result from the resolver to correctly-typed function.
    879           CastInst *CastedResolver =
    880             new BitCastInst(Resolver,
    881                             PointerType::getUnqual(F->getFunctionType()),
    882                             "resolverCast", LookupBB);
    883 
    884           // Save the value in our cache.
    885           new StoreInst(CastedResolver, Cache, LookupBB);
    886           BranchInst::Create(DoCallBB, LookupBB);
    887 
    888           PHINode *FuncPtr = PHINode::Create(NullPtr->getType(), 2,
    889                                              "fp", DoCallBB);
    890           FuncPtr->addIncoming(CastedResolver, LookupBB);
    891           FuncPtr->addIncoming(CachedVal, EntryBB);
    892 
    893           // Save the argument list.
    894           std::vector<Value*> Args;
    895           for (Argument &A : FuncWrapper->args())
    896             Args.push_back(&A);
    897 
    898           // Pass on the arguments to the real function, return its result
    899           if (F->getReturnType()->isVoidTy()) {
    900             CallInst::Create(FuncPtr, Args, "", DoCallBB);
    901             ReturnInst::Create(F->getContext(), DoCallBB);
    902           } else {
    903             CallInst *Call = CallInst::Create(FuncPtr, Args,
    904                                               "retval", DoCallBB);
    905             ReturnInst::Create(F->getContext(),Call, DoCallBB);
    906           }
    907 
    908           // Use the wrapper function instead of the old function
    909           F->replaceAllUsesWith(FuncWrapper);
    910         }
    911       }
    912     }
    913   }
    914 
    915   if (verifyModule(*Test) || verifyModule(*Safe)) {
    916     errs() << "Bugpoint has a bug, which corrupted a module!!\n";
    917     abort();
    918   }
    919 }
    920 
    921 /// This is the predicate function used to check to see if the "Test" portion of
    922 /// the program is miscompiled by the code generator under test.  If so, return
    923 /// true.  In any case, both module arguments are deleted.
    924 ///
    925 static bool TestCodeGenerator(BugDriver &BD, std::unique_ptr<Module> Test,
    926                               std::unique_ptr<Module> Safe,
    927                               std::string &Error) {
    928   CleanupAndPrepareModules(BD, Test, Safe.get());
    929 
    930   SmallString<128> TestModuleBC;
    931   int TestModuleFD;
    932   std::error_code EC = sys::fs::createTemporaryFile("bugpoint.test", "bc",
    933                                                     TestModuleFD, TestModuleBC);
    934   if (EC) {
    935     errs() << BD.getToolName() << "Error making unique filename: "
    936            << EC.message() << "\n";
    937     exit(1);
    938   }
    939   if (BD.writeProgramToFile(TestModuleBC.str(), TestModuleFD, Test.get())) {
    940     errs() << "Error writing bitcode to `" << TestModuleBC.str()
    941            << "'\nExiting.";
    942     exit(1);
    943   }
    944 
    945   FileRemover TestModuleBCRemover(TestModuleBC.str(), !SaveTemps);
    946 
    947   // Make the shared library
    948   SmallString<128> SafeModuleBC;
    949   int SafeModuleFD;
    950   EC = sys::fs::createTemporaryFile("bugpoint.safe", "bc", SafeModuleFD,
    951                                     SafeModuleBC);
    952   if (EC) {
    953     errs() << BD.getToolName() << "Error making unique filename: "
    954            << EC.message() << "\n";
    955     exit(1);
    956   }
    957 
    958   if (BD.writeProgramToFile(SafeModuleBC.str(), SafeModuleFD, Safe.get())) {
    959     errs() << "Error writing bitcode to `" << SafeModuleBC
    960            << "'\nExiting.";
    961     exit(1);
    962   }
    963 
    964   FileRemover SafeModuleBCRemover(SafeModuleBC.str(), !SaveTemps);
    965 
    966   std::string SharedObject = BD.compileSharedObject(SafeModuleBC.str(), Error);
    967   if (!Error.empty())
    968     return false;
    969 
    970   FileRemover SharedObjectRemover(SharedObject, !SaveTemps);
    971 
    972   // Run the code generator on the `Test' code, loading the shared library.
    973   // The function returns whether or not the new output differs from reference.
    974   bool Result = BD.diffProgram(BD.getProgram(), TestModuleBC.str(),
    975                                SharedObject, false, &Error);
    976   if (!Error.empty())
    977     return false;
    978 
    979   if (Result)
    980     errs() << ": still failing!\n";
    981   else
    982     errs() << ": didn't fail.\n";
    983 
    984   return Result;
    985 }
    986 
    987 
    988 /// debugCodeGenerator - debug errors in LLC, LLI, or CBE.
    989 ///
    990 bool BugDriver::debugCodeGenerator(std::string *Error) {
    991   if ((void*)SafeInterpreter == (void*)Interpreter) {
    992     std::string Result = executeProgramSafely(Program, "bugpoint.safe.out",
    993                                               Error);
    994     if (Error->empty()) {
    995       outs() << "\n*** The \"safe\" i.e. 'known good' backend cannot match "
    996              << "the reference diff.  This may be due to a\n    front-end "
    997              << "bug or a bug in the original program, but this can also "
    998              << "happen if bugpoint isn't running the program with the "
    999              << "right flags or input.\n    I left the result of executing "
   1000              << "the program with the \"safe\" backend in this file for "
   1001              << "you: '"
   1002              << Result << "'.\n";
   1003     }
   1004     return true;
   1005   }
   1006 
   1007   DisambiguateGlobalSymbols(Program);
   1008 
   1009   std::vector<Function*> Funcs = DebugAMiscompilation(*this, TestCodeGenerator,
   1010                                                       *Error);
   1011   if (!Error->empty())
   1012     return true;
   1013 
   1014   // Split the module into the two halves of the program we want.
   1015   ValueToValueMapTy VMap;
   1016   std::unique_ptr<Module> ToNotCodeGen = CloneModule(getProgram(), VMap);
   1017   std::unique_ptr<Module> ToCodeGen =
   1018       SplitFunctionsOutOfModule(ToNotCodeGen.get(), Funcs, VMap);
   1019 
   1020   // Condition the modules
   1021   CleanupAndPrepareModules(*this, ToCodeGen, ToNotCodeGen.get());
   1022 
   1023   SmallString<128> TestModuleBC;
   1024   int TestModuleFD;
   1025   std::error_code EC = sys::fs::createTemporaryFile("bugpoint.test", "bc",
   1026                                                     TestModuleFD, TestModuleBC);
   1027   if (EC) {
   1028     errs() << getToolName() << "Error making unique filename: "
   1029            << EC.message() << "\n";
   1030     exit(1);
   1031   }
   1032 
   1033   if (writeProgramToFile(TestModuleBC.str(), TestModuleFD, ToCodeGen.get())) {
   1034     errs() << "Error writing bitcode to `" << TestModuleBC
   1035            << "'\nExiting.";
   1036     exit(1);
   1037   }
   1038 
   1039   // Make the shared library
   1040   SmallString<128> SafeModuleBC;
   1041   int SafeModuleFD;
   1042   EC = sys::fs::createTemporaryFile("bugpoint.safe", "bc", SafeModuleFD,
   1043                                     SafeModuleBC);
   1044   if (EC) {
   1045     errs() << getToolName() << "Error making unique filename: "
   1046            << EC.message() << "\n";
   1047     exit(1);
   1048   }
   1049 
   1050   if (writeProgramToFile(SafeModuleBC.str(), SafeModuleFD,
   1051                          ToNotCodeGen.get())) {
   1052     errs() << "Error writing bitcode to `" << SafeModuleBC
   1053            << "'\nExiting.";
   1054     exit(1);
   1055   }
   1056   std::string SharedObject = compileSharedObject(SafeModuleBC.str(), *Error);
   1057   if (!Error->empty())
   1058     return true;
   1059 
   1060   outs() << "You can reproduce the problem with the command line: \n";
   1061   if (isExecutingJIT()) {
   1062     outs() << "  lli -load " << SharedObject << " " << TestModuleBC;
   1063   } else {
   1064     outs() << "  llc " << TestModuleBC << " -o " << TestModuleBC
   1065            << ".s\n";
   1066     outs() << "  cc " << SharedObject << " " << TestModuleBC.str()
   1067               << ".s -o " << TestModuleBC << ".exe";
   1068 #if defined (HAVE_LINK_R)
   1069     outs() << " -Wl,-R.";
   1070 #endif
   1071     outs() << "\n";
   1072     outs() << "  " << TestModuleBC << ".exe";
   1073   }
   1074   for (unsigned i = 0, e = InputArgv.size(); i != e; ++i)
   1075     outs() << " " << InputArgv[i];
   1076   outs() << '\n';
   1077   outs() << "The shared object was created with:\n  llc -march=c "
   1078          << SafeModuleBC.str() << " -o temporary.c\n"
   1079          << "  cc -xc temporary.c -O2 -o " << SharedObject;
   1080   if (TargetTriple.getArch() == Triple::sparc)
   1081     outs() << " -G";              // Compile a shared library, `-G' for Sparc
   1082   else
   1083     outs() << " -fPIC -shared";   // `-shared' for Linux/X86, maybe others
   1084 
   1085   outs() << " -fno-strict-aliasing\n";
   1086 
   1087   return false;
   1088 }
   1089