1 .. _bugpoint: 2 3 ==================================== 4 LLVM bugpoint tool: design and usage 5 ==================================== 6 7 .. contents:: 8 :local: 9 10 Description 11 =========== 12 13 ``bugpoint`` narrows down the source of problems in LLVM tools and passes. It 14 can be used to debug three types of failures: optimizer crashes, miscompilations 15 by optimizers, or bad native code generation (including problems in the static 16 and JIT compilers). It aims to reduce large test cases to small, useful ones. 17 For example, if ``opt`` crashes while optimizing a file, it will identify the 18 optimization (or combination of optimizations) that causes the crash, and reduce 19 the file down to a small example which triggers the crash. 20 21 For detailed case scenarios, such as debugging ``opt``, or one of the LLVM code 22 generators, see `How To Submit a Bug Report document <HowToSubmitABug.html>`_. 23 24 Design Philosophy 25 ================= 26 27 ``bugpoint`` is designed to be a useful tool without requiring any hooks into 28 the LLVM infrastructure at all. It works with any and all LLVM passes and code 29 generators, and does not need to "know" how they work. Because of this, it may 30 appear to do stupid things or miss obvious simplifications. ``bugpoint`` is 31 also designed to trade off programmer time for computer time in the 32 compiler-debugging process; consequently, it may take a long period of 33 (unattended) time to reduce a test case, but we feel it is still worth it. Note 34 that ``bugpoint`` is generally very quick unless debugging a miscompilation 35 where each test of the program (which requires executing it) takes a long time. 36 37 Automatic Debugger Selection 38 ---------------------------- 39 40 ``bugpoint`` reads each ``.bc`` or ``.ll`` file specified on the command line 41 and links them together into a single module, called the test program. If any 42 LLVM passes are specified on the command line, it runs these passes on the test 43 program. If any of the passes crash, or if they produce malformed output (which 44 causes the verifier to abort), ``bugpoint`` starts the `crash debugger`_. 45 46 Otherwise, if the ``-output`` option was not specified, ``bugpoint`` runs the 47 test program with the "safe" backend (which is assumed to generate good code) to 48 generate a reference output. Once ``bugpoint`` has a reference output for the 49 test program, it tries executing it with the selected code generator. If the 50 selected code generator crashes, ``bugpoint`` starts the `crash debugger`_ on 51 the code generator. Otherwise, if the resulting output differs from the 52 reference output, it assumes the difference resulted from a code generator 53 failure, and starts the `code generator debugger`_. 54 55 Finally, if the output of the selected code generator matches the reference 56 output, ``bugpoint`` runs the test program after all of the LLVM passes have 57 been applied to it. If its output differs from the reference output, it assumes 58 the difference resulted from a failure in one of the LLVM passes, and enters the 59 `miscompilation debugger`_. Otherwise, there is no problem ``bugpoint`` can 60 debug. 61 62 .. _crash debugger: 63 64 Crash debugger 65 -------------- 66 67 If an optimizer or code generator crashes, ``bugpoint`` will try as hard as it 68 can to reduce the list of passes (for optimizer crashes) and the size of the 69 test program. First, ``bugpoint`` figures out which combination of optimizer 70 passes triggers the bug. This is useful when debugging a problem exposed by 71 ``opt``, for example, because it runs over 38 passes. 72 73 Next, ``bugpoint`` tries removing functions from the test program, to reduce its 74 size. Usually it is able to reduce a test program to a single function, when 75 debugging intraprocedural optimizations. Once the number of functions has been 76 reduced, it attempts to delete various edges in the control flow graph, to 77 reduce the size of the function as much as possible. Finally, ``bugpoint`` 78 deletes any individual LLVM instructions whose absence does not eliminate the 79 failure. At the end, ``bugpoint`` should tell you what passes crash, give you a 80 bitcode file, and give you instructions on how to reproduce the failure with 81 ``opt`` or ``llc``. 82 83 .. _code generator debugger: 84 85 Code generator debugger 86 ----------------------- 87 88 The code generator debugger attempts to narrow down the amount of code that is 89 being miscompiled by the selected code generator. To do this, it takes the test 90 program and partitions it into two pieces: one piece which it compiles with the 91 "safe" backend (into a shared object), and one piece which it runs with either 92 the JIT or the static LLC compiler. It uses several techniques to reduce the 93 amount of code pushed through the LLVM code generator, to reduce the potential 94 scope of the problem. After it is finished, it emits two bitcode files (called 95 "test" [to be compiled with the code generator] and "safe" [to be compiled with 96 the "safe" backend], respectively), and instructions for reproducing the 97 problem. The code generator debugger assumes that the "safe" backend produces 98 good code. 99 100 .. _miscompilation debugger: 101 102 Miscompilation debugger 103 ----------------------- 104 105 The miscompilation debugger works similarly to the code generator debugger. It 106 works by splitting the test program into two pieces, running the optimizations 107 specified on one piece, linking the two pieces back together, and then executing 108 the result. It attempts to narrow down the list of passes to the one (or few) 109 which are causing the miscompilation, then reduce the portion of the test 110 program which is being miscompiled. The miscompilation debugger assumes that 111 the selected code generator is working properly. 112 113 Advice for using bugpoint 114 ========================= 115 116 ``bugpoint`` can be a remarkably useful tool, but it sometimes works in 117 non-obvious ways. Here are some hints and tips: 118 119 * In the code generator and miscompilation debuggers, ``bugpoint`` only works 120 with programs that have deterministic output. Thus, if the program outputs 121 ``argv[0]``, the date, time, or any other "random" data, ``bugpoint`` may 122 misinterpret differences in these data, when output, as the result of a 123 miscompilation. Programs should be temporarily modified to disable outputs 124 that are likely to vary from run to run. 125 126 * In the code generator and miscompilation debuggers, debugging will go faster 127 if you manually modify the program or its inputs to reduce the runtime, but 128 still exhibit the problem. 129 130 * ``bugpoint`` is extremely useful when working on a new optimization: it helps 131 track down regressions quickly. To avoid having to relink ``bugpoint`` every 132 time you change your optimization however, have ``bugpoint`` dynamically load 133 your optimization with the ``-load`` option. 134 135 * ``bugpoint`` can generate a lot of output and run for a long period of time. 136 It is often useful to capture the output of the program to file. For example, 137 in the C shell, you can run: 138 139 .. code-block:: bash 140 141 bugpoint ... |& tee bugpoint.log 142 143 to get a copy of ``bugpoint``'s output in the file ``bugpoint.log``, as well 144 as on your terminal. 145 146 * ``bugpoint`` cannot debug problems with the LLVM linker. If ``bugpoint`` 147 crashes before you see its "All input ok" message, you might try ``llvm-link 148 -v`` on the same set of input files. If that also crashes, you may be 149 experiencing a linker bug. 150 151 * ``bugpoint`` is useful for proactively finding bugs in LLVM. Invoking 152 ``bugpoint`` with the ``-find-bugs`` option will cause the list of specified 153 optimizations to be randomized and applied to the program. This process will 154 repeat until a bug is found or the user kills ``bugpoint``. 155 156 What to do when bugpoint isn't enough 157 ===================================== 158 159 Sometimes, ``bugpoint`` is not enough. In particular, InstCombine and 160 TargetLowering both have visitor structured code with lots of potential 161 transformations. If the process of using bugpoint has left you with still too 162 much code to figure out and the problem seems to be in instcombine, the 163 following steps may help. These same techniques are useful with TargetLowering 164 as well. 165 166 Turn on ``-debug-only=instcombine`` and see which transformations within 167 instcombine are firing by selecting out lines with "``IC``" in them. 168 169 At this point, you have a decision to make. Is the number of transformations 170 small enough to step through them using a debugger? If so, then try that. 171 172 If there are too many transformations, then a source modification approach may 173 be helpful. In this approach, you can modify the source code of instcombine to 174 disable just those transformations that are being performed on your test input 175 and perform a binary search over the set of transformations. One set of places 176 to modify are the "``visit*``" methods of ``InstCombiner`` (*e.g.* 177 ``visitICmpInst``) by adding a "``return false``" as the first line of the 178 method. 179 180 If that still doesn't remove enough, then change the caller of 181 ``InstCombiner::DoOneIteration``, ``InstCombiner::runOnFunction`` to limit the 182 number of iterations. 183 184 You may also find it useful to use "``-stats``" now to see what parts of 185 instcombine are firing. This can guide where to put additional reporting code. 186 187 At this point, if the amount of transformations is still too large, then 188 inserting code to limit whether or not to execute the body of the code in the 189 visit function can be helpful. Add a static counter which is incremented on 190 every invocation of the function. Then add code which simply returns false on 191 desired ranges. For example: 192 193 .. code-block:: c++ 194 195 196 static int calledCount = 0; 197 calledCount++; 198 DEBUG(if (calledCount < 212) return false); 199 DEBUG(if (calledCount > 217) return false); 200 DEBUG(if (calledCount == 213) return false); 201 DEBUG(if (calledCount == 214) return false); 202 DEBUG(if (calledCount == 215) return false); 203 DEBUG(if (calledCount == 216) return false); 204 DEBUG(dbgs() << "visitXOR calledCount: " << calledCount << "\n"); 205 DEBUG(dbgs() << "I: "; I->dump()); 206 207 could be added to ``visitXOR`` to limit ``visitXor`` to being applied only to 208 calls 212 and 217. This is from an actual test case and raises an important 209 point---a simple binary search may not be sufficient, as transformations that 210 interact may require isolating more than one call. In TargetLowering, use 211 ``return SDNode();`` instead of ``return false;``. 212 213 Now that that the number of transformations is down to a manageable number, try 214 examining the output to see if you can figure out which transformations are 215 being done. If that can be figured out, then do the usual debugging. If which 216 code corresponds to the transformation being performed isn't obvious, set a 217 breakpoint after the call count based disabling and step through the code. 218 Alternatively, you can use "``printf``" style debugging to report waypoints. 219
