1================================ 2How to submit an LLVM bug report 3================================ 4 5Introduction - Got bugs? 6======================== 7 8 9If you're working with LLVM and run into a bug, we definitely want to know 10about it. This document describes what you can do to increase the odds of 11getting it fixed quickly. 12 13 If you believe that the bug is security related, please follow :ref:`report-security-issue`. 14 15Basically you have to do two things at a minimum. First, decide whether the 16bug `crashes the compiler`_ or if the compiler is `miscompiling`_ the program 17(i.e., the compiler successfully produces an executable, but it doesn't run 18right). Based on what type of bug it is, follow the instructions in the 19linked section to narrow down the bug so that the person who fixes it will be 20able to find the problem more easily. 21 22Once you have a reduced test-case, go to `the LLVM Bug Tracking System 23<https://bugs.llvm.org/enter_bug.cgi>`_ and fill out the form with the 24necessary details (note that you don't need to pick a category, just use 25the "new-bugs" category if you're not sure). The bug description should 26contain the following information: 27 28* All information necessary to reproduce the problem. 29* The reduced test-case that triggers the bug. 30* The location where you obtained LLVM (if not from our Git 31 repository). 32 33Thanks for helping us make LLVM better! 34 35.. _crashes the compiler: 36 37Crashing Bugs 38============= 39 40More often than not, bugs in the compiler cause it to crash---often due to 41an assertion failure of some sort. The most important piece of the puzzle 42is to figure out if it is crashing in the Clang front-end or if it is one of 43the LLVM libraries (e.g. the optimizer or code generator) that has 44problems. 45 46To figure out which component is crashing (the front-end, middle-end 47optimizer, or backend code generator), run the ``clang`` command line as you 48were when the crash occurred, but with the following extra command line 49options: 50 51* ``-emit-llvm -Xclang -disable-llvm-passes``: If ``clang`` still crashes when 52 passed these options (which disable the optimizer and code generator), then 53 the crash is in the front-end. Jump ahead to :ref:`front-end bugs 54 <frontend-crash>`. 55 56* ``-emit-llvm``: If ``clang`` crashes with this option (which disables 57 the code generator), you found a middle-end optimizer bug. Jump ahead to 58 :ref:`middle-end bugs <middleend-crash>`. 59 60* Otherwise, you have a backend code generator crash. Jump ahead to :ref:`code 61 generator bugs <backend-crash>`. 62 63.. _frontend-crash: 64 65Front-end bugs 66-------------- 67 68On a ``clang`` crash, the compiler will dump a preprocessed file and a script 69to replay the ``clang`` command. For example, you should see something like 70 71.. code-block:: text 72 73 PLEASE ATTACH THE FOLLOWING FILES TO THE BUG REPORT: 74 Preprocessed source(s) and associated run script(s) are located at: 75 clang: note: diagnostic msg: /tmp/foo-xxxxxx.c 76 clang: note: diagnostic msg: /tmp/foo-xxxxxx.sh 77 78The `creduce <https://github.com/csmith-project/creduce>`_ tool helps to 79reduce the preprocessed file down to the smallest amount of code that still 80replicates the problem. You're encouraged to use creduce to reduce the code 81to make the developers' lives easier. The 82``clang/utils/creduce-clang-crash.py`` script can be used on the files 83that clang dumps to help with automating creating a test to check for the 84compiler crash. 85 86`cvise <https://github.com/marxin/cvise>`_ is an alternative to ``creduce``. 87 88.. _middleend-crash: 89 90Middle-end optimization bugs 91---------------------------- 92 93If you find that a bug crashes in the optimizer, compile your test-case to a 94``.bc`` file by passing "``-emit-llvm -O1 -Xclang -disable-llvm-passes -c -o 95foo.bc``". The ``-O1`` is important because ``-O0`` adds the ``optnone`` 96function attribute to all functions and many passes don't run on ``optnone`` 97functions. Then run: 98 99.. code-block:: bash 100 101 opt -O3 foo.bc -disable-output 102 103If this doesn't crash, please follow the instructions for a :ref:`front-end 104bug <frontend-crash>`. 105 106If this does crash, then you should be able to debug this with the following 107:doc:`bugpoint <Bugpoint>` command: 108 109.. code-block:: bash 110 111 bugpoint foo.bc -O3 112 113Run this, then file a bug with the instructions and reduced .bc 114files that bugpoint emits. 115 116If bugpoint doesn't reproduce the crash, ``llvm-reduce`` is an alternative 117way to reduce LLVM IR. Create a script that repros the crash and run: 118 119.. code-block:: bash 120 121 llvm-reduce --test=path/to/script foo.bc 122 123which should produce reduced IR that reproduces the crash. Be warned the 124``llvm-reduce`` is still fairly immature and may crash. 125 126If none of the above work, you can get the IR before a crash by running the 127``opt`` command with the ``--print-before-all --print-module-scope`` flags to 128dump the IR before every pass. Be warned that this is very verbose. 129 130.. _backend-crash: 131 132Backend code generator bugs 133--------------------------- 134 135If you find a bug that crashes clang in the code generator, compile your 136source file to a .bc file by passing "``-emit-llvm -c -o foo.bc``" to 137clang (in addition to the options you already pass). Once your have 138foo.bc, one of the following commands should fail: 139 140#. ``llc foo.bc`` 141#. ``llc foo.bc -relocation-model=pic`` 142#. ``llc foo.bc -relocation-model=static`` 143 144If none of these crash, please follow the instructions for a :ref:`front-end 145bug<frontend-crash>`. If one of these do crash, you should be able to reduce 146this with one of the following :doc:`bugpoint <Bugpoint>` command lines (use 147the one corresponding to the command above that failed): 148 149#. ``bugpoint -run-llc foo.bc`` 150#. ``bugpoint -run-llc foo.bc --tool-args -relocation-model=pic`` 151#. ``bugpoint -run-llc foo.bc --tool-args -relocation-model=static`` 152 153Please run this, then file a bug with the instructions and reduced .bc file 154that bugpoint emits. If something goes wrong with bugpoint, please submit 155the "foo.bc" file and the option that llc crashes with. 156 157.. _miscompiling: 158 159Miscompilations 160=============== 161 162If clang successfully produces an executable, but that executable doesn't run 163right, this is either a bug in the code or a bug in the compiler. The first 164thing to check is to make sure it is not using undefined behavior (e.g. 165reading a variable before it is defined). In particular, check to see if the 166program is clean under various `sanitizers 167<https://github.com/google/sanitizers>`_ (e.g. ``clang 168-fsanitize=undefined,address``) and `valgrind <http://valgrind.org/>`_. Many 169"LLVM bugs" that we have chased down ended up being bugs in the program being 170compiled, not LLVM. 171 172Once you determine that the program itself is not buggy, you should choose 173which code generator you wish to compile the program with (e.g. LLC or the JIT) 174and optionally a series of LLVM passes to run. For example: 175 176.. code-block:: bash 177 178 bugpoint -run-llc [... optzn passes ...] file-to-test.bc --args -- [program arguments] 179 180bugpoint will try to narrow down your list of passes to the one pass that 181causes an error, and simplify the bitcode file as much as it can to assist 182you. It will print a message letting you know how to reproduce the 183resulting error. 184 185The :doc:`OptBisect <OptBisect>` page shows an alternative method for finding 186incorrect optimization passes. 187 188Incorrect code generation 189========================= 190 191Similarly to debugging incorrect compilation by mis-behaving passes, you 192can debug incorrect code generation by either LLC or the JIT, using 193``bugpoint``. The process ``bugpoint`` follows in this case is to try to 194narrow the code down to a function that is miscompiled by one or the other 195method, but since for correctness, the entire program must be run, 196``bugpoint`` will compile the code it deems to not be affected with the C 197Backend, and then link in the shared object it generates. 198 199To debug the JIT: 200 201.. code-block:: bash 202 203 bugpoint -run-jit -output=[correct output file] [bitcode file] \ 204 --tool-args -- [arguments to pass to lli] \ 205 --args -- [program arguments] 206 207Similarly, to debug the LLC, one would run: 208 209.. code-block:: bash 210 211 bugpoint -run-llc -output=[correct output file] [bitcode file] \ 212 --tool-args -- [arguments to pass to llc] \ 213 --args -- [program arguments] 214 215**Special note:** if you are debugging MultiSource or SPEC tests that 216already exist in the ``llvm/test`` hierarchy, there is an easier way to 217debug the JIT, LLC, and CBE, using the pre-written Makefile targets, which 218will pass the program options specified in the Makefiles: 219 220.. code-block:: bash 221 222 cd llvm/test/../../program 223 make bugpoint-jit 224 225At the end of a successful ``bugpoint`` run, you will be presented 226with two bitcode files: a *safe* file which can be compiled with the C 227backend and the *test* file which either LLC or the JIT 228mis-codegenerates, and thus causes the error. 229 230To reproduce the error that ``bugpoint`` found, it is sufficient to do 231the following: 232 233#. Regenerate the shared object from the safe bitcode file: 234 235 .. code-block:: bash 236 237 llc -march=c safe.bc -o safe.c 238 gcc -shared safe.c -o safe.so 239 240#. If debugging LLC, compile test bitcode native and link with the shared 241 object: 242 243 .. code-block:: bash 244 245 llc test.bc -o test.s 246 gcc test.s safe.so -o test.llc 247 ./test.llc [program options] 248 249#. If debugging the JIT, load the shared object and supply the test 250 bitcode: 251 252 .. code-block:: bash 253 254 lli -load=safe.so test.bc [program options] 255