LLVM bugpoint tool: design and usage

Description

bugpoint narrows down the source of problems in LLVM tools and passes. Itcan be used to debug three types of failures: optimizer crashes, miscompilationsby optimizers, or bad native code generation (including problems in the staticand JIT compilers). It aims to reduce large test cases to small, useful ones.For example, if opt crashes while optimizing a file, it will identify theoptimization (or combination of optimizations) that causes the crash, and reducethe file down to a small example which triggers the crash.

For detailed case scenarios, such as debugging opt, or one of the LLVM codegenerators, see How to submit an LLVM bug report.

Design Philosophy

bugpoint is designed to be a useful tool without requiring any hooks intothe LLVM infrastructure at all. It works with any and all LLVM passes and codegenerators, and does not need to “know” how they work. Because of this, it mayappear to do stupid things or miss obvious simplifications. bugpoint isalso designed to trade off programmer time for computer time in thecompiler-debugging process; consequently, it may take a long period of(unattended) time to reduce a test case, but we feel it is still worth it. Notethat bugpoint is generally very quick unless debugging a miscompilationwhere each test of the program (which requires executing it) takes a long time.

Automatic Debugger Selection

bugpoint reads each .bc or .ll file specified on the command lineand links them together into a single module, called the test program. If anyLLVM passes are specified on the command line, it runs these passes on the testprogram. If any of the passes crash, or if they produce malformed output (whichcauses the verifier to abort), bugpoint starts the crash debugger.

Otherwise, if the -output option was not specified, bugpoint runs thetest program with the “safe” backend (which is assumed to generate good code) togenerate a reference output. Once bugpoint has a reference output for thetest program, it tries executing it with the selected code generator. If theselected code generator crashes, bugpoint starts the crash debugger onthe code generator. Otherwise, if the resulting output differs from thereference output, it assumes the difference resulted from a code generatorfailure, and starts the code generator debugger.

Finally, if the output of the selected code generator matches the referenceoutput, bugpoint runs the test program after all of the LLVM passes havebeen applied to it. If its output differs from the reference output, it assumesthe difference resulted from a failure in one of the LLVM passes, and enters themiscompilation debugger. Otherwise, there is no problem bugpoint candebug.

Crash debugger

If an optimizer or code generator crashes, bugpoint will try as hard as itcan to reduce the list of passes (for optimizer crashes) and the size of thetest program. First, bugpoint figures out which combination of optimizerpasses triggers the bug. This is useful when debugging a problem exposed byopt, for example, because it runs over 38 passes.

Next, bugpoint tries removing functions from the test program, to reduce itssize. Usually it is able to reduce a test program to a single function, whendebugging intraprocedural optimizations. Once the number of functions has beenreduced, it attempts to delete various edges in the control flow graph, toreduce the size of the function as much as possible. Finally, bugpointdeletes any individual LLVM instructions whose absence does not eliminate thefailure. At the end, bugpoint should tell you what passes crash, give you abitcode file, and give you instructions on how to reproduce the failure withopt or llc.

Code generator debugger

The code generator debugger attempts to narrow down the amount of code that isbeing miscompiled by the selected code generator. To do this, it takes the testprogram and partitions it into two pieces: one piece which it compiles with the“safe” backend (into a shared object), and one piece which it runs with eitherthe JIT or the static LLC compiler. It uses several techniques to reduce theamount of code pushed through the LLVM code generator, to reduce the potentialscope of the problem. After it is finished, it emits two bitcode files (called“test” [to be compiled with the code generator] and “safe” [to be compiled withthe “safe” backend], respectively), and instructions for reproducing theproblem. The code generator debugger assumes that the “safe” backend producesgood code.

Miscompilation debugger

The miscompilation debugger works similarly to the code generator debugger. Itworks by splitting the test program into two pieces, running the optimizationsspecified on one piece, linking the two pieces back together, and then executingthe result. It attempts to narrow down the list of passes to the one (or few)which are causing the miscompilation, then reduce the portion of the testprogram which is being miscompiled. The miscompilation debugger assumes thatthe selected code generator is working properly.

Advice for using bugpoint

bugpoint can be a remarkably useful tool, but it sometimes works innon-obvious ways. Here are some hints and tips:

  • In the code generator and miscompilation debuggers, bugpoint only workswith programs that have deterministic output. Thus, if the program outputsargv[0], the date, time, or any other “random” data, bugpoint maymisinterpret differences in these data, when output, as the result of amiscompilation. Programs should be temporarily modified to disable outputsthat are likely to vary from run to run.

  • In the crash debugger, bugpoint does not distinguish different crashesduring reduction. Thus, if new crash or miscompilation happens, bugpointwill continue with the new crash instead. If you would like to stick toparticular crash, you should write check scripts to validate the errormessage, see -compile-command in bugpoint - automatic test case reduction tool.

  • In the code generator and miscompilation debuggers, debugging will go fasterif you manually modify the program or its inputs to reduce the runtime, butstill exhibit the problem.

  • bugpoint is extremely useful when working on a new optimization: it helpstrack down regressions quickly. To avoid having to relink bugpoint everytime you change your optimization however, have bugpoint dynamically loadyour optimization with the -load option.

  • bugpoint can generate a lot of output and run for a long period of time.It is often useful to capture the output of the program to file. For example,in the C shell, you can run:

  1. $ bugpoint  ... |& tee bugpoint.log

to get a copy of bugpoint’s output in the file bugpoint.log, as wellas on your terminal.

  • bugpoint cannot debug problems with the LLVM linker. If bugpointcrashes before you see its “All input ok” message, you might try llvm-link-v on the same set of input files. If that also crashes, you may beexperiencing a linker bug.

  • bugpoint is useful for proactively finding bugs in LLVM. Invokingbugpoint with the -find-bugs option will cause the list of specifiedoptimizations to be randomized and applied to the program. This process willrepeat until a bug is found or the user kills bugpoint.

  • bugpoint can produce IR which contains long names. Run opt-metarenamer over the IR to rename everything using easy-to-read,metasyntactic names. Alternatively, run opt -strip -instnamer to renameeverything with very short (often purely numeric) names.

What to do when bugpoint isn’t enough

Sometimes, bugpoint is not enough. In particular, InstCombine andTargetLowering both have visitor structured code with lots of potentialtransformations. If the process of using bugpoint has left you with still toomuch code to figure out and the problem seems to be in instcombine, thefollowing steps may help. These same techniques are useful with TargetLoweringas well.

Turn on -debug-only=instcombine and see which transformations withininstcombine are firing by selecting out lines with “IC” in them.

At this point, you have a decision to make. Is the number of transformationssmall enough to step through them using a debugger? If so, then try that.

If there are too many transformations, then a source modification approach maybe helpful. In this approach, you can modify the source code of instcombine todisable just those transformations that are being performed on your test inputand perform a binary search over the set of transformations. One set of placesto modify are the “visit*” methods of InstCombiner (e.g.visitICmpInst) by adding a “return false” as the first line of themethod.

If that still doesn’t remove enough, then change the caller ofInstCombiner::DoOneIteration, InstCombiner::runOnFunction to limit thenumber of iterations.

You may also find it useful to use “-stats” now to see what parts ofinstcombine are firing. This can guide where to put additional reporting code.

At this point, if the amount of transformations is still too large, theninserting code to limit whether or not to execute the body of the code in thevisit function can be helpful. Add a static counter which is incremented onevery invocation of the function. Then add code which simply returns false ondesired ranges. For example:

  1. static int calledCount = 0;
  2. calledCount++;
  3. LLVM_DEBUG(if (calledCount < 212) return false);
  4. LLVM_DEBUG(if (calledCount > 217) return false);
  5. LLVM_DEBUG(if (calledCount == 213) return false);
  6. LLVM_DEBUG(if (calledCount == 214) return false);
  7. LLVM_DEBUG(if (calledCount == 215) return false);
  8. LLVM_DEBUG(if (calledCount == 216) return false);
  9. LLVM_DEBUG(dbgs() << "visitXOR calledCount: " << calledCount << "\n");
  10. LLVM_DEBUG(dbgs() << "I: "; I->dump());

could be added to visitXOR to limit visitXor to being applied only tocalls 212 and 217. This is from an actual test case and raises an importantpoint—a simple binary search may not be sufficient, as transformations thatinteract may require isolating more than one call. In TargetLowering, usereturn SDNode(); instead of return false;.

Now that the number of transformations is down to a manageable number, tryexamining the output to see if you can figure out which transformations arebeing done. If that can be figured out, then do the usual debugging. If whichcode corresponds to the transformation being performed isn’t obvious, set abreakpoint after the call count based disabling and step through the code.Alternatively, you can use “printf” style debugging to report waypoints.