#include "SystemUtils.h"
#include "ListReducer.h"
#include "llvm/Module.h"
+#include "llvm/PassManager.h"
+#include "llvm/Pass.h"
+#include "llvm/Constant.h"
+#include "llvm/iTerminators.h"
+#include "llvm/Type.h"
+#include "llvm/SymbolTable.h"
+#include "llvm/Support/CFG.h"
+#include "llvm/Analysis/Verifier.h"
+#include "llvm/Transforms/Scalar.h"
#include "llvm/Transforms/Utils/Cloning.h"
#include "llvm/Bytecode/Writer.h"
-#include "llvm/Pass.h"
#include <fstream>
#include <set>
}
+/// ReduceCrashingBlocks reducer - This works by setting the terminators of all
+/// terminators except the specified basic blocks to a 'ret' instruction, then
+/// running the simplify-cfg pass. This has the effect of chopping up the CFG
+/// really fast which can reduce large functions quickly.
+///
+class ReduceCrashingBlocks : public ListReducer<BasicBlock*> {
+ BugDriver &BD;
+public:
+ ReduceCrashingBlocks(BugDriver &bd) : BD(bd) {}
+
+ virtual TestResult doTest(std::vector<BasicBlock*> &Prefix,
+ std::vector<BasicBlock*> &Kept) {
+ if (TestBlocks(Kept))
+ return KeepSuffix;
+ if (!Prefix.empty() && TestBlocks(Prefix))
+ return KeepPrefix;
+ return NoFailure;
+ }
+
+ bool TestBlocks(std::vector<BasicBlock*> &Prefix);
+};
+
+bool ReduceCrashingBlocks::TestBlocks(std::vector<BasicBlock*> &BBs) {
+ // Clone the program to try hacking it appart...
+ Module *M = CloneModule(BD.Program);
+
+ // Convert list to set for fast lookup...
+ std::set<BasicBlock*> Blocks;
+ for (unsigned i = 0, e = BBs.size(); i != e; ++i) {
+ // Convert the basic block from the original module to the new module...
+ Function *F = BBs[i]->getParent();
+ Function *CMF = M->getFunction(F->getName(), F->getFunctionType());
+ assert(CMF && "Function not in module?!");
+
+ // Get the mapped basic block...
+ Function::iterator CBI = CMF->begin();
+ std::advance(CBI, std::distance(F->begin(), Function::iterator(BBs[i])));
+ Blocks.insert(CBI);
+ }
+
+ std::cout << "Checking for crash with only these blocks:";
+ for (unsigned i = 0, e = Blocks.size(); i != e; ++i)
+ std::cout << " " << BBs[i]->getName();
+ std::cout << ": ";
+
+ // Loop over and delete any hack up any blocks that are not listed...
+ for (Module::iterator I = M->begin(), E = M->end(); I != E; ++I)
+ for (Function::iterator BB = I->begin(), E = I->end(); BB != E; ++BB)
+ if (!Blocks.count(BB) && !isa<ReturnInst>(BB->getTerminator())) {
+ // Loop over all of the successors of this block, deleting any PHI nodes
+ // that might include it.
+ for (succ_iterator SI = succ_begin(BB), E = succ_end(BB); SI != E; ++SI)
+ (*SI)->removePredecessor(BB);
+
+ // Delete the old terminator instruction...
+ BB->getInstList().pop_back();
+
+ // Add a new return instruction of the appropriate type...
+ const Type *RetTy = BB->getParent()->getReturnType();
+ ReturnInst *RI = new ReturnInst(RetTy == Type::VoidTy ? 0 :
+ Constant::getNullValue(RetTy));
+ BB->getInstList().push_back(RI);
+ }
+
+ // The CFG Simplifier pass may delete one of the basic blocks we are
+ // interested in. If it does we need to take the block out of the list. Make
+ // a "persistent mapping" by turning basic blocks into <function, name> pairs.
+ // This won't work well if blocks are unnamed, but that is just the risk we
+ // have to take.
+ std::vector<std::pair<Function*, std::string> > BlockInfo;
+
+ for (std::set<BasicBlock*>::iterator I = Blocks.begin(), E = Blocks.end();
+ I != E; ++I)
+ BlockInfo.push_back(std::make_pair((*I)->getParent(), (*I)->getName()));
+
+ // Now run the CFG simplify pass on the function...
+ PassManager Passes;
+ Passes.add(createCFGSimplificationPass());
+ Passes.add(createVerifierPass());
+ Passes.run(*M);
+
+ // Try running on the hacked up program...
+ std::swap(BD.Program, M);
+ if (BD.runPasses(BD.PassesToRun)) {
+ delete M; // It crashed, keep the trimmed version...
+
+ // Make sure to use basic block pointers that point into the now-current
+ // module, and that they don't include any deleted blocks.
+ BBs.clear();
+ for (unsigned i = 0, e = BlockInfo.size(); i != e; ++i) {
+ SymbolTable &ST = BlockInfo[i].first->getSymbolTable();
+ SymbolTable::iterator I = ST.find(Type::LabelTy);
+ if (I != ST.end() && I->second.count(BlockInfo[i].second))
+ BBs.push_back(cast<BasicBlock>(I->second[BlockInfo[i].second]));
+ }
+ return true;
+ }
+ delete BD.Program; // It didn't crash, revert...
+ BD.Program = M;
+ return false;
+}
+
/// debugCrash - This method is called when some pass crashes on input. It
/// attempts to prune down the testcase to something reasonable, and figure
/// out exactly which pass is crashing.
}
}
- // FIXME: This should attempt to delete entire basic blocks at a time to speed
- // up convergence...
+ // Attempt to delete entire basic blocks at a time to speed up
+ // convergence... this actually works by setting the terminator of the blocks
+ // to a return instruction then running simplifycfg, which can potentially
+ // shrinks the code dramatically quickly
+ //
+ std::vector<BasicBlock*> Blocks;
+ for (Module::iterator I = Program->begin(), E = Program->end(); I != E; ++I)
+ for (Function::iterator FI = I->begin(), E = I->end(); FI != E; ++FI)
+ Blocks.push_back(FI);
+ ReduceCrashingBlocks(*this).reduceList(Blocks);
// FIXME: This should use the list reducer to converge faster by deleting
// larger chunks of instructions at a time!