| Reproducers |
| =========== |
| |
| As unbelievable as it may sound, the debugger has bugs. These bugs might |
| manifest themselves as errors, missing results or even a crash. Quite often |
| these bugs don't reproduce in simple, isolated scenarios. The debugger deals |
| with a lot of moving parts and subtle differences can easily add up. |
| |
| Reproducers in LLDB improve the experience for both the users encountering bugs |
| and the developers working on resolving them. The general idea consists of |
| *capturing* all the information necessary to later *replay* a debug session |
| while debugging the debugger. |
| |
| .. contents:: |
| :local: |
| |
| Usage |
| ----- |
| |
| Reproducers are a generic concept in LLDB and are not inherently coupled with |
| the command line driver. The functionality can be used for anything that uses |
| the SB API and the driver is just one example. However, because it's probably |
| the most common way users interact with lldb, that's the workflow described in |
| this section. |
| |
| Capture |
| ``````` |
| |
| Until reproducer capture is enabled by default, you need to launch LLDB in |
| capture mode. For the command line driver, this means passing ``--capture``. |
| You cannot enable reproducer capture from within LLDB, as this would be too |
| late to capture initialization of the debugger. |
| |
| .. code-block:: bash |
| |
| $ lldb --capture |
| |
| In capture mode, LLDB will keep track of all the information it needs to replay |
| the current debug session. Most data is captured lazily to limit the impact on |
| performance. To create the reproducer, use the ``reproducer generate`` |
| sub-command. It's always possible to check the status of the reproducers with |
| the ``reproducer status`` sub-command. Note that generating the reproducer |
| terminates the debug session. |
| |
| .. code-block:: none |
| |
| (lldb) reproducer status |
| Reproducer is in capture mode. |
| (lldb) reproducer generate |
| Reproducer written to '/path/to/reproducer' |
| Please have a look at the directory to assess if you're willing to share the contained information. |
| |
| |
| The resulting reproducer is a directory. It was a conscious decision to not |
| compress and archive it automatically. The reproducer can contain potentially |
| sensitive information like object and symbol files, their paths on disk, debug |
| information, memory excerpts of the inferior process, etc. |
| |
| Replay |
| `````` |
| |
| It is strongly recommended to replay the reproducer locally to ensure it |
| actually reproduces the expected behavior. If the reproducer doesn't behave |
| correctly locally, it means there's a bug in the reproducer implementation that |
| should be addressed. |
| |
| To replay a reproducer, simply pass its path to LLDB through the ``--replay`` |
| flag. It is unnecessary to pass any other command line flags. The flags that |
| were passed to LLDB during capture are already part of the reproducer. |
| |
| .. code-block:: bash |
| |
| $ lldb --replay /path/to/reproducer |
| |
| |
| During replay LLDB will behave similar to batch mode. The session should be |
| identical to the recorded debug session. The only expected differences are that |
| the binary being debugged doesn't actually run during replay. That means that |
| you won't see any of its side effects, like things being printed to the |
| terminal. Another expected difference is the behavior of the ``reproducer |
| generate`` command, which becomes a NOOP during replay. |
| |
| Augmenting a Bug Report with a Reproducer |
| ````````````````````````````````````````` |
| |
| A reproducer can significantly improve a bug report, but it in itself is not |
| sufficient. Always describe the expected and unexpected behavior. Just like the |
| debugger can have bugs, the reproducer can have bugs too. |
| |
| |
| Design |
| ------ |
| |
| |
| Replay |
| `````` |
| |
| Reproducers support two replay modes. The main and most common mode is active |
| replay. It's called active, because it's LLDB that is driving replay by calling |
| the captured SB API functions one after each other. The second mode is passive |
| replay. In this mode, LLDB sits idle until an SB API function is called, for |
| example from Python, and then replays just this individual call. |
| |
| Active Replay |
| ^^^^^^^^^^^^^ |
| |
| No matter how a reproducer was captured, they can always be replayed with the |
| command line driver. When a reproducer is passed with the ``--replay`` flag, the |
| driver short-circuits and passes off control to the reproducer infrastructure, |
| effectively bypassing its normal operation. This works because the driver is |
| implemented using the SB API and is therefore nothing more than a sequence of |
| SB API calls. |
| |
| Replay is driven by the ``Registry::Replay``. As long as there's data in the |
| buffer holding the API data, the next SB API function call is deserialized. |
| Once the function is known, the registry can retrieve its signature, and use |
| that to deserialize its arguments. The function can then be invoked, most |
| commonly through the synthesized default replayer, or potentially using a |
| custom defined replay function. This process continues, until more data is |
| available or a replay error is encountered. |
| |
| During replay only a function's side effects matter. The result returned by the |
| replayed function is ignored because it cannot be observed beyond the driver. |
| This is sound, because anything that is passed into a subsequent API call will |
| have been serialized as an input argument. This also works for SB API objects |
| because the reproducers know about every object that has crossed the API |
| boundary, which is true by definition for object return values. |
| |
| |
| Passive Replay |
| ^^^^^^^^^^^^^^ |
| |
| Passive replay exists to support running the API test suite against a |
| reproducer. The API test suite is written in Python and tests the debugger by |
| calling into its API from Python. To make this work, the API must transparently |
| replay itself when called. This is what makes passive replay different from |
| driver replay, where it is lldb itself that's driving replay. For passive |
| replay, the driving factor is external. |
| |
| In order to replay API calls, the reproducers need a way to intercept them. |
| Every API call is already instrumented with an ``LLDB_RECORD_*`` macro that |
| captures its input arguments. Furthermore, it also contains the necessary logic |
| to detect which calls cross the API boundary and should be intercepted. We were |
| able to reuse all of this to implement passive replay. |
| |
| During passive replay is enabled, nothing happens until an SB API is called. |
| Inside that API function, the macro detects whether this call should be |
| replayed (i.e. crossed the API boundary). If the answer is yes, the next |
| function is deserialized from the SB API data and compared to the current |
| function. If the signature matches, we deserialize its input arguments and |
| reinvoke the current function with the deserialized arguments. We don't need to |
| do anything special to prevent us from recursively calling the replayed version |
| again, as the API boundary crossing logic knows that we're still behind the API |
| boundary when we re-invoked the current function. |
| |
| Another big difference with driver replay is the return value. While this |
| didn't matter for driver replay, it's key for passive replay, because that's |
| what gets checked by the test suite. Luckily, the ``LLDB_RECORD_*`` macros |
| contained sufficient type information to derive the result type. |
| |
| Testing |
| ------- |
| |
| Reproducers are tested in the following ways: |
| |
| - Unit tests to cover the reproducer infrastructure. There are tests for the |
| provider, loader and for the reproducer instrumentation. |
| - Feature specific end-to-end test cases in the ``test/Shell/Reproducer`` |
| directory. These tests serve as integration and regression tests for the |
| reproducers infrastructure, as well as doing some sanity checking for basic |
| debugger functionality. |
| - The API and shell tests can be run against a replayed reproducer. The |
| ``check-lldb-reproducers`` target will run the API and shell test suite |
| twice: first running the test normally while capturing a reproducer and then |
| a second time using the replayed session as the test input. For the shell |
| tests this use a little shim (``lldb-repro``) that uses the arguments and |
| current working directory to transparently generate or replay a reproducer. |
| For the API tests an extra argument with the reproducer path is passed to |
| ``dotest.py`` which initializes the debugger in the appropriate mode. |
| Certain tests do not fit this paradigm (for example test that check the |
| output of the binary being debugged) and are skipped by marking them as |
| unsupported by adding ``UNSUPPORTED: lldb-repro`` to the top of the shell |
| test or adding the ``skipIfReproducer`` decorator for the API tests. |
| |
| Knows Issues |
| ------------ |
| |
| The reproducers are still a work in progress. Here's a non-exhaustive list of |
| outstanding work, limitations and known issues. |
| |
| - The VFS cannot deal with more than one current working directory. Changing |
| the current working directory during the debug session will break relative |
| paths. |
| - Not all SB APIs are properly instrumented. We need customer serialization |
| for APIs that take buffers and lengths. |
| - We leak memory during replay because the reproducer doesn't capture the end |
| of an object's life time. We need to add instrumentation to the destructor |
| of SB API objects. |
| - The reproducer includes every file opened by LLDB. This is overkill. For |
| example we do not need to capture source files for code listings. There's |
| currently no way to say that some file shouldn't be included in the |
| reproducer. |
| - We do not yet automatically generate a reproducer on a crash. The reason is |
| that generating the reproducer is too expensive to do in a signal handler. |
| We should re-invoke lldb after a crash and do the heavy lifting. |