1================================
2How to submit an LLVM bug report
3================================
4
5Introduction - Got bugs?
6========================
7
8
9If you're working with LLVM and run into a bug, we definitely want to know
10about it.  This document describes what you can do to increase the odds of
11getting it fixed quickly.
12
13�� If you believe that the bug is security related, please follow :ref:`report-security-issue`. ��
14
15Basically you have to do two things at a minimum. First, decide whether the
16bug `crashes the compiler`_ or if the compiler is `miscompiling`_ the program
17(i.e., the compiler successfully produces an executable, but it doesn't run
18right). Based on what type of bug it is, follow the instructions in the
19linked section to narrow down the bug so that the person who fixes it will be
20able to find the problem more easily.
21
22Once you have a reduced test-case, go to `the LLVM Bug Tracking System
23<https://bugs.llvm.org/enter_bug.cgi>`_ and fill out the form with the
24necessary details (note that you don't need to pick a category, just use
25the "new-bugs" category if you're not sure).  The bug description should
26contain the following information:
27
28* All information necessary to reproduce the problem.
29* The reduced test-case that triggers the bug.
30* The location where you obtained LLVM (if not from our Git
31  repository).
32
33Thanks for helping us make LLVM better!
34
35.. _crashes the compiler:
36
37Crashing Bugs
38=============
39
40More often than not, bugs in the compiler cause it to crash---often due to
41an assertion failure of some sort. The most important piece of the puzzle
42is to figure out if it is crashing in the Clang front-end or if it is one of
43the LLVM libraries (e.g. the optimizer or code generator) that has
44problems.
45
46To figure out which component is crashing (the front-end, middle-end
47optimizer, or backend code generator), run the ``clang`` command line as you
48were when the crash occurred, but with the following extra command line
49options:
50
51* ``-emit-llvm -Xclang -disable-llvm-passes``: If ``clang`` still crashes when
52  passed these options (which disable the optimizer and code generator), then
53  the crash is in the front-end. Jump ahead to :ref:`front-end bugs
54  <frontend-crash>`.
55
56* ``-emit-llvm``: If ``clang`` crashes with this option (which disables
57  the code generator), you found a middle-end optimizer bug. Jump ahead to
58  :ref:`middle-end bugs <middleend-crash>`.
59
60* Otherwise, you have a backend code generator crash. Jump ahead to :ref:`code
61  generator bugs <backend-crash>`.
62
63.. _frontend-crash:
64
65Front-end bugs
66--------------
67
68On a ``clang`` crash, the compiler will dump a preprocessed file and a script
69to replay the ``clang`` command. For example, you should see something like
70
71.. code-block:: text
72
73   PLEASE ATTACH THE FOLLOWING FILES TO THE BUG REPORT:
74   Preprocessed source(s) and associated run script(s) are located at:
75   clang: note: diagnostic msg: /tmp/foo-xxxxxx.c
76   clang: note: diagnostic msg: /tmp/foo-xxxxxx.sh
77
78The `creduce <https://github.com/csmith-project/creduce>`_ tool helps to
79reduce the preprocessed file down to the smallest amount of code that still
80replicates the problem. You're encouraged to use creduce to reduce the code
81to make the developers' lives easier. The
82``clang/utils/creduce-clang-crash.py`` script can be used on the files
83that clang dumps to help with automating creating a test to check for the
84compiler crash.
85
86`cvise <https://github.com/marxin/cvise>`_ is an alternative to ``creduce``.
87
88.. _middleend-crash:
89
90Middle-end optimization bugs
91----------------------------
92
93If you find that a bug crashes in the optimizer, compile your test-case to a
94``.bc`` file by passing "``-emit-llvm -O1 -Xclang -disable-llvm-passes -c -o
95foo.bc``". The ``-O1`` is important because ``-O0`` adds the ``optnone``
96function attribute to all functions and many passes don't run on ``optnone``
97functions. Then run:
98
99.. code-block:: bash
100
101   opt -O3 foo.bc -disable-output
102
103If this doesn't crash, please follow the instructions for a :ref:`front-end
104bug <frontend-crash>`.
105
106If this does crash, then you should be able to debug this with the following
107:doc:`bugpoint <Bugpoint>` command:
108
109.. code-block:: bash
110
111   bugpoint foo.bc -O3
112
113Run this, then file a bug with the instructions and reduced .bc
114files that bugpoint emits.
115
116If bugpoint doesn't reproduce the crash, ``llvm-reduce`` is an alternative
117way to reduce LLVM IR. Create a script that repros the crash and run:
118
119.. code-block:: bash
120
121   llvm-reduce --test=path/to/script foo.bc
122
123which should produce reduced IR that reproduces the crash. Be warned the
124``llvm-reduce`` is still fairly immature and may crash.
125
126If none of the above work, you can get the IR before a crash by running the
127``opt`` command with the ``--print-before-all --print-module-scope`` flags to
128dump the IR before every pass. Be warned that this is very verbose.
129
130.. _backend-crash:
131
132Backend code generator bugs
133---------------------------
134
135If you find a bug that crashes clang in the code generator, compile your
136source file to a .bc file by passing "``-emit-llvm -c -o foo.bc``" to
137clang (in addition to the options you already pass).  Once your have
138foo.bc, one of the following commands should fail:
139
140#. ``llc foo.bc``
141#. ``llc foo.bc -relocation-model=pic``
142#. ``llc foo.bc -relocation-model=static``
143
144If none of these crash, please follow the instructions for a :ref:`front-end
145bug<frontend-crash>`. If one of these do crash, you should be able to reduce
146this with one of the following :doc:`bugpoint <Bugpoint>` command lines (use
147the one corresponding to the command above that failed):
148
149#. ``bugpoint -run-llc foo.bc``
150#. ``bugpoint -run-llc foo.bc --tool-args -relocation-model=pic``
151#. ``bugpoint -run-llc foo.bc --tool-args -relocation-model=static``
152
153Please run this, then file a bug with the instructions and reduced .bc file
154that bugpoint emits.  If something goes wrong with bugpoint, please submit
155the "foo.bc" file and the option that llc crashes with.
156
157.. _miscompiling:
158
159Miscompilations
160===============
161
162If clang successfully produces an executable, but that executable doesn't run
163right, this is either a bug in the code or a bug in the compiler. The first
164thing to check is to make sure it is not using undefined behavior (e.g.
165reading a variable before it is defined). In particular, check to see if the
166program is clean under various `sanitizers
167<https://github.com/google/sanitizers>`_ (e.g. ``clang
168-fsanitize=undefined,address``) and `valgrind <http://valgrind.org/>`_. Many
169"LLVM bugs" that we have chased down ended up being bugs in the program being
170compiled, not LLVM.
171
172Once you determine that the program itself is not buggy, you should choose
173which code generator you wish to compile the program with (e.g. LLC or the JIT)
174and optionally a series of LLVM passes to run.  For example:
175
176.. code-block:: bash
177
178   bugpoint -run-llc [... optzn passes ...] file-to-test.bc --args -- [program arguments]
179
180bugpoint will try to narrow down your list of passes to the one pass that
181causes an error, and simplify the bitcode file as much as it can to assist
182you. It will print a message letting you know how to reproduce the
183resulting error.
184
185The :doc:`OptBisect <OptBisect>` page shows an alternative method for finding
186incorrect optimization passes.
187
188Incorrect code generation
189=========================
190
191Similarly to debugging incorrect compilation by mis-behaving passes, you
192can debug incorrect code generation by either LLC or the JIT, using
193``bugpoint``. The process ``bugpoint`` follows in this case is to try to
194narrow the code down to a function that is miscompiled by one or the other
195method, but since for correctness, the entire program must be run,
196``bugpoint`` will compile the code it deems to not be affected with the C
197Backend, and then link in the shared object it generates.
198
199To debug the JIT:
200
201.. code-block:: bash
202
203   bugpoint -run-jit -output=[correct output file] [bitcode file]  \
204            --tool-args -- [arguments to pass to lli]              \
205            --args -- [program arguments]
206
207Similarly, to debug the LLC, one would run:
208
209.. code-block:: bash
210
211   bugpoint -run-llc -output=[correct output file] [bitcode file]  \
212            --tool-args -- [arguments to pass to llc]              \
213            --args -- [program arguments]
214
215**Special note:** if you are debugging MultiSource or SPEC tests that
216already exist in the ``llvm/test`` hierarchy, there is an easier way to
217debug the JIT, LLC, and CBE, using the pre-written Makefile targets, which
218will pass the program options specified in the Makefiles:
219
220.. code-block:: bash
221
222   cd llvm/test/../../program
223   make bugpoint-jit
224
225At the end of a successful ``bugpoint`` run, you will be presented
226with two bitcode files: a *safe* file which can be compiled with the C
227backend and the *test* file which either LLC or the JIT
228mis-codegenerates, and thus causes the error.
229
230To reproduce the error that ``bugpoint`` found, it is sufficient to do
231the following:
232
233#. Regenerate the shared object from the safe bitcode file:
234
235   .. code-block:: bash
236
237      llc -march=c safe.bc -o safe.c
238      gcc -shared safe.c -o safe.so
239
240#. If debugging LLC, compile test bitcode native and link with the shared
241   object:
242
243   .. code-block:: bash
244
245      llc test.bc -o test.s
246      gcc test.s safe.so -o test.llc
247      ./test.llc [program options]
248
249#. If debugging the JIT, load the shared object and supply the test
250   bitcode:
251
252   .. code-block:: bash
253
254      lli -load=safe.so test.bc [program options]
255