1.. _bugpoint: 2 3==================================== 4LLVM bugpoint tool: design and usage 5==================================== 6 7.. contents:: 8 :local: 9 10Description 11=========== 12 13``bugpoint`` narrows down the source of problems in LLVM tools and passes. It 14can be used to debug three types of failures: optimizer crashes, miscompilations 15by optimizers, or bad native code generation (including problems in the static 16and JIT compilers). It aims to reduce large test cases to small, useful ones. 17For example, if ``opt`` crashes while optimizing a file, it will identify the 18optimization (or combination of optimizations) that causes the crash, and reduce 19the file down to a small example which triggers the crash. 20 21For detailed case scenarios, such as debugging ``opt``, or one of the LLVM code 22generators, see `How To Submit a Bug Report document <HowToSubmitABug.html>`_. 23 24Design Philosophy 25================= 26 27``bugpoint`` is designed to be a useful tool without requiring any hooks into 28the LLVM infrastructure at all. It works with any and all LLVM passes and code 29generators, and does not need to "know" how they work. Because of this, it may 30appear to do stupid things or miss obvious simplifications. ``bugpoint`` is 31also designed to trade off programmer time for computer time in the 32compiler-debugging process; consequently, it may take a long period of 33(unattended) time to reduce a test case, but we feel it is still worth it. Note 34that ``bugpoint`` is generally very quick unless debugging a miscompilation 35where each test of the program (which requires executing it) takes a long time. 36 37Automatic Debugger Selection 38---------------------------- 39 40``bugpoint`` reads each ``.bc`` or ``.ll`` file specified on the command line 41and links them together into a single module, called the test program. If any 42LLVM passes are specified on the command line, it runs these passes on the test 43program. If any of the passes crash, or if they produce malformed output (which 44causes the verifier to abort), ``bugpoint`` starts the `crash debugger`_. 45 46Otherwise, if the ``-output`` option was not specified, ``bugpoint`` runs the 47test program with the "safe" backend (which is assumed to generate good code) to 48generate a reference output. Once ``bugpoint`` has a reference output for the 49test program, it tries executing it with the selected code generator. If the 50selected code generator crashes, ``bugpoint`` starts the `crash debugger`_ on 51the code generator. Otherwise, if the resulting output differs from the 52reference output, it assumes the difference resulted from a code generator 53failure, and starts the `code generator debugger`_. 54 55Finally, if the output of the selected code generator matches the reference 56output, ``bugpoint`` runs the test program after all of the LLVM passes have 57been applied to it. If its output differs from the reference output, it assumes 58the difference resulted from a failure in one of the LLVM passes, and enters the 59`miscompilation debugger`_. Otherwise, there is no problem ``bugpoint`` can 60debug. 61 62.. _crash debugger: 63 64Crash debugger 65-------------- 66 67If an optimizer or code generator crashes, ``bugpoint`` will try as hard as it 68can to reduce the list of passes (for optimizer crashes) and the size of the 69test program. First, ``bugpoint`` figures out which combination of optimizer 70passes triggers the bug. This is useful when debugging a problem exposed by 71``opt``, for example, because it runs over 38 passes. 72 73Next, ``bugpoint`` tries removing functions from the test program, to reduce its 74size. Usually it is able to reduce a test program to a single function, when 75debugging intraprocedural optimizations. Once the number of functions has been 76reduced, it attempts to delete various edges in the control flow graph, to 77reduce the size of the function as much as possible. Finally, ``bugpoint`` 78deletes any individual LLVM instructions whose absence does not eliminate the 79failure. At the end, ``bugpoint`` should tell you what passes crash, give you a 80bitcode file, and give you instructions on how to reproduce the failure with 81``opt`` or ``llc``. 82 83.. _code generator debugger: 84 85Code generator debugger 86----------------------- 87 88The code generator debugger attempts to narrow down the amount of code that is 89being miscompiled by the selected code generator. To do this, it takes the test 90program and partitions it into two pieces: one piece which it compiles with the 91"safe" backend (into a shared object), and one piece which it runs with either 92the JIT or the static LLC compiler. It uses several techniques to reduce the 93amount of code pushed through the LLVM code generator, to reduce the potential 94scope of the problem. After it is finished, it emits two bitcode files (called 95"test" [to be compiled with the code generator] and "safe" [to be compiled with 96the "safe" backend], respectively), and instructions for reproducing the 97problem. The code generator debugger assumes that the "safe" backend produces 98good code. 99 100.. _miscompilation debugger: 101 102Miscompilation debugger 103----------------------- 104 105The miscompilation debugger works similarly to the code generator debugger. It 106works by splitting the test program into two pieces, running the optimizations 107specified on one piece, linking the two pieces back together, and then executing 108the result. It attempts to narrow down the list of passes to the one (or few) 109which are causing the miscompilation, then reduce the portion of the test 110program which is being miscompiled. The miscompilation debugger assumes that 111the selected code generator is working properly. 112 113Advice for using bugpoint 114========================= 115 116``bugpoint`` can be a remarkably useful tool, but it sometimes works in 117non-obvious ways. Here are some hints and tips: 118 119* In the code generator and miscompilation debuggers, ``bugpoint`` only works 120 with programs that have deterministic output. Thus, if the program outputs 121 ``argv[0]``, the date, time, or any other "random" data, ``bugpoint`` may 122 misinterpret differences in these data, when output, as the result of a 123 miscompilation. Programs should be temporarily modified to disable outputs 124 that are likely to vary from run to run. 125 126* In the code generator and miscompilation debuggers, debugging will go faster 127 if you manually modify the program or its inputs to reduce the runtime, but 128 still exhibit the problem. 129 130* ``bugpoint`` is extremely useful when working on a new optimization: it helps 131 track down regressions quickly. To avoid having to relink ``bugpoint`` every 132 time you change your optimization however, have ``bugpoint`` dynamically load 133 your optimization with the ``-load`` option. 134 135* ``bugpoint`` can generate a lot of output and run for a long period of time. 136 It is often useful to capture the output of the program to file. For example, 137 in the C shell, you can run: 138 139 .. code-block:: bash 140 141 bugpoint ... |& tee bugpoint.log 142 143 to get a copy of ``bugpoint``'s output in the file ``bugpoint.log``, as well 144 as on your terminal. 145 146* ``bugpoint`` cannot debug problems with the LLVM linker. If ``bugpoint`` 147 crashes before you see its "All input ok" message, you might try ``llvm-link 148 -v`` on the same set of input files. If that also crashes, you may be 149 experiencing a linker bug. 150 151* ``bugpoint`` is useful for proactively finding bugs in LLVM. Invoking 152 ``bugpoint`` with the ``-find-bugs`` option will cause the list of specified 153 optimizations to be randomized and applied to the program. This process will 154 repeat until a bug is found or the user kills ``bugpoint``. 155 156What to do when bugpoint isn't enough 157===================================== 158 159Sometimes, ``bugpoint`` is not enough. In particular, InstCombine and 160TargetLowering both have visitor structured code with lots of potential 161transformations. If the process of using bugpoint has left you with still too 162much code to figure out and the problem seems to be in instcombine, the 163following steps may help. These same techniques are useful with TargetLowering 164as well. 165 166Turn on ``-debug-only=instcombine`` and see which transformations within 167instcombine are firing by selecting out lines with "``IC``" in them. 168 169At this point, you have a decision to make. Is the number of transformations 170small enough to step through them using a debugger? If so, then try that. 171 172If there are too many transformations, then a source modification approach may 173be helpful. In this approach, you can modify the source code of instcombine to 174disable just those transformations that are being performed on your test input 175and perform a binary search over the set of transformations. One set of places 176to modify are the "``visit*``" methods of ``InstCombiner`` (*e.g.* 177``visitICmpInst``) by adding a "``return false``" as the first line of the 178method. 179 180If that still doesn't remove enough, then change the caller of 181``InstCombiner::DoOneIteration``, ``InstCombiner::runOnFunction`` to limit the 182number of iterations. 183 184You may also find it useful to use "``-stats``" now to see what parts of 185instcombine are firing. This can guide where to put additional reporting code. 186 187At this point, if the amount of transformations is still too large, then 188inserting code to limit whether or not to execute the body of the code in the 189visit function can be helpful. Add a static counter which is incremented on 190every invocation of the function. Then add code which simply returns false on 191desired ranges. For example: 192 193.. code-block:: c++ 194 195 196 static int calledCount = 0; 197 calledCount++; 198 DEBUG(if (calledCount < 212) return false); 199 DEBUG(if (calledCount > 217) return false); 200 DEBUG(if (calledCount == 213) return false); 201 DEBUG(if (calledCount == 214) return false); 202 DEBUG(if (calledCount == 215) return false); 203 DEBUG(if (calledCount == 216) return false); 204 DEBUG(dbgs() << "visitXOR calledCount: " << calledCount << "\n"); 205 DEBUG(dbgs() << "I: "; I->dump()); 206 207could be added to ``visitXOR`` to limit ``visitXor`` to being applied only to 208calls 212 and 217. This is from an actual test case and raises an important 209point---a simple binary search may not be sufficient, as transformations that 210interact may require isolating more than one call. In TargetLowering, use 211``return SDNode();`` instead of ``return false;``. 212 213Now that that the number of transformations is down to a manageable number, try 214examining the output to see if you can figure out which transformations are 215being done. If that can be figured out, then do the usual debugging. If which 216code corresponds to the transformation being performed isn't obvious, set a 217breakpoint after the call count based disabling and step through the code. 218Alternatively, you can use "``printf``" style debugging to report waypoints. 219