docs/Bugpoint.rst

====================================
LLVM bugpoint tool: design and usage
====================================

.. contents::
   :local:

Description
===========

``bugpoint`` narrows down the source of problems in LLVM tools and passes.  It
can be used to debug three types of failures: optimizer crashes, miscompilations
by optimizers, or bad native code generation (including problems in the static
and JIT compilers).  It aims to reduce large test cases to small, useful ones.
For example, if ``opt`` crashes while optimizing a file, it will identify the
optimization (or combination of optimizations) that causes the crash, and reduce
the file down to a small example which triggers the crash.

For detailed case scenarios, such as debugging ``opt``, or one of the LLVM code
generators, see :doc:`HowToSubmitABug`.

Design Philosophy
=================

``bugpoint`` is designed to be a useful tool without requiring any hooks into
the LLVM infrastructure at all.  It works with any and all LLVM passes and code
generators, and does not need to "know" how they work.  Because of this, it may
appear to do stupid things or miss obvious simplifications.  ``bugpoint`` is
also designed to trade off programmer time for computer time in the
compiler-debugging process; consequently, it may take a long period of
(unattended) time to reduce a test case, but we feel it is still worth it. Note
that ``bugpoint`` is generally very quick unless debugging a miscompilation
where each test of the program (which requires executing it) takes a long time.

Automatic Debugger Selection
----------------------------

``bugpoint`` reads each ``.bc`` or ``.ll`` file specified on the command line
and links them together into a single module, called the test program.  If any
LLVM passes are specified on the command line, it runs these passes on the test
program.  If any of the passes crash, or if they produce malformed output (which
causes the verifier to abort), ``bugpoint`` starts the `crash debugger`_.

Otherwise, if the ``-output`` option was not specified, ``bugpoint`` runs the
test program with the "safe" backend (which is assumed to generate good code) to
generate a reference output.  Once ``bugpoint`` has a reference output for the
test program, it tries executing it with the selected code generator.  If the
selected code generator crashes, ``bugpoint`` starts the `crash debugger`_ on
the code generator.  Otherwise, if the resulting output differs from the
reference output, it assumes the difference resulted from a code generator
failure, and starts the `code generator debugger`_.

Finally, if the output of the selected code generator matches the reference
output, ``bugpoint`` runs the test program after all of the LLVM passes have
been applied to it.  If its output differs from the reference output, it assumes
the difference resulted from a failure in one of the LLVM passes, and enters the
`miscompilation debugger`_.  Otherwise, there is no problem ``bugpoint`` can
debug.

.. _crash debugger:

Crash debugger
--------------

If an optimizer or code generator crashes, ``bugpoint`` will try as hard as it
can to reduce the list of passes (for optimizer crashes) and the size of the
test program.  First, ``bugpoint`` figures out which combination of optimizer
passes triggers the bug. This is useful when debugging a problem exposed by
``opt``, for example, because it runs over 38 passes.

Next, ``bugpoint`` tries removing functions from the test program, to reduce its
size.  Usually it is able to reduce a test program to a single function, when
debugging intraprocedural optimizations.  Once the number of functions has been
reduced, it attempts to delete various edges in the control flow graph, to
reduce the size of the function as much as possible.  Finally, ``bugpoint``
deletes any individual LLVM instructions whose absence does not eliminate the
failure.  At the end, ``bugpoint`` should tell you what passes crash, give you a
bitcode file, and give you instructions on how to reproduce the failure with
``opt`` or ``llc``.

.. _code generator debugger:

Code generator debugger
-----------------------

The code generator debugger attempts to narrow down the amount of code that is
being miscompiled by the selected code generator.  To do this, it takes the test
program and partitions it into two pieces: one piece which it compiles with the
"safe" backend (into a shared object), and one piece which it runs with either
the JIT or the static LLC compiler.  It uses several techniques to reduce the
amount of code pushed through the LLVM code generator, to reduce the potential
scope of the problem.  After it is finished, it emits two bitcode files (called
"test" [to be compiled with the code generator] and "safe" [to be compiled with
the "safe" backend], respectively), and instructions for reproducing the
problem.  The code generator debugger assumes that the "safe" backend produces
good code.

.. _miscompilation debugger:

Miscompilation debugger
-----------------------

The miscompilation debugger works similarly to the code generator debugger.  It
works by splitting the test program into two pieces, running the optimizations
specified on one piece, linking the two pieces back together, and then executing
the result.  It attempts to narrow down the list of passes to the one (or few)
which are causing the miscompilation, then reduce the portion of the test
program which is being miscompiled.  The miscompilation debugger assumes that
the selected code generator is working properly.

Advice for using bugpoint
=========================

``bugpoint`` can be a remarkably useful tool, but it sometimes works in
non-obvious ways.  Here are some hints and tips:

* In the code generator and miscompilation debuggers, ``bugpoint`` only works
  with programs that have deterministic output.  Thus, if the program outputs
  ``argv[0]``, the date, time, or any other "random" data, ``bugpoint`` may
  misinterpret differences in these data, when output, as the result of a
  miscompilation.  Programs should be temporarily modified to disable outputs
  that are likely to vary from run to run.

* In the code generator and miscompilation debuggers, debugging will go faster
  if you manually modify the program or its inputs to reduce the runtime, but
  still exhibit the problem.

* ``bugpoint`` is extremely useful when working on a new optimization: it helps
  track down regressions quickly.  To avoid having to relink ``bugpoint`` every
  time you change your optimization however, have ``bugpoint`` dynamically load
  your optimization with the ``-load`` option.

* ``bugpoint`` can generate a lot of output and run for a long period of time.
  It is often useful to capture the output of the program to file.  For example,
  in the C shell, you can run:

  .. code-block:: console

    $ bugpoint  ... |& tee bugpoint.log

  to get a copy of ``bugpoint``'s output in the file ``bugpoint.log``, as well
  as on your terminal.

* ``bugpoint`` cannot debug problems with the LLVM linker. If ``bugpoint``
  crashes before you see its "All input ok" message, you might try ``llvm-link
  -v`` on the same set of input files. If that also crashes, you may be
  experiencing a linker bug.

* ``bugpoint`` is useful for proactively finding bugs in LLVM.  Invoking
  ``bugpoint`` with the ``-find-bugs`` option will cause the list of specified
  optimizations to be randomized and applied to the program. This process will
  repeat until a bug is found or the user kills ``bugpoint``.

* ``bugpoint`` can produce IR which contains long names. Run ``opt
  -metarenamer`` over the IR to rename everything using easy-to-read,
  metasyntactic names. Alternatively, run ``opt -strip -instnamer`` to rename
  everything with very short (often purely numeric) names.

What to do when bugpoint isn't enough
=====================================
	
Sometimes, ``bugpoint`` is not enough. In particular, InstCombine and
TargetLowering both have visitor structured code with lots of potential
transformations.  If the process of using bugpoint has left you with still too
much code to figure out and the problem seems to be in instcombine, the
following steps may help.  These same techniques are useful with TargetLowering
as well.

Turn on ``-debug-only=instcombine`` and see which transformations within
instcombine are firing by selecting out lines with "``IC``" in them.

At this point, you have a decision to make.  Is the number of transformations
small enough to step through them using a debugger?  If so, then try that.

If there are too many transformations, then a source modification approach may
be helpful.  In this approach, you can modify the source code of instcombine to
disable just those transformations that are being performed on your test input
and perform a binary search over the set of transformations.  One set of places
to modify are the "``visit*``" methods of ``InstCombiner`` (*e.g.*
``visitICmpInst``) by adding a "``return false``" as the first line of the
method.

If that still doesn't remove enough, then change the caller of
``InstCombiner::DoOneIteration``, ``InstCombiner::runOnFunction`` to limit the
number of iterations.

You may also find it useful to use "``-stats``" now to see what parts of
instcombine are firing.  This can guide where to put additional reporting code.

At this point, if the amount of transformations is still too large, then
inserting code to limit whether or not to execute the body of the code in the
visit function can be helpful.  Add a static counter which is incremented on
every invocation of the function.  Then add code which simply returns false on
desired ranges.  For example:

.. code-block:: c++


  static int calledCount = 0;
  calledCount++;
  LLVM_DEBUG(if (calledCount < 212) return false);
  LLVM_DEBUG(if (calledCount > 217) return false);
  LLVM_DEBUG(if (calledCount == 213) return false);
  LLVM_DEBUG(if (calledCount == 214) return false);
  LLVM_DEBUG(if (calledCount == 215) return false);
  LLVM_DEBUG(if (calledCount == 216) return false);
  LLVM_DEBUG(dbgs() << "visitXOR calledCount: " << calledCount << "\n");
  LLVM_DEBUG(dbgs() << "I: "; I->dump());

could be added to ``visitXOR`` to limit ``visitXor`` to being applied only to
calls 212 and 217. This is from an actual test case and raises an important
point---a simple binary search may not be sufficient, as transformations that
interact may require isolating more than one call.  In TargetLowering, use
``return SDNode();`` instead of ``return false;``.

Now that the number of transformations is down to a manageable number, try
examining the output to see if you can figure out which transformations are
being done.  If that can be figured out, then do the usual debugging.  If which
code corresponds to the transformation being performed isn't obvious, set a
breakpoint after the call count based disabling and step through the code.
Alternatively, you can use "``printf``" style debugging to report waypoints.