llvm/docs/HowToSubmitABug.rst

================================
How to submit an LLVM bug report
================================

Introduction - Got bugs?
========================


If you're working with LLVM and run into a bug, we definitely want to know
about it.  This document describes what you can do to increase the odds of
getting it fixed quickly.

🔒 If you believe that the bug is security related, please follow :ref:`report-security-issue`. 🔒

Basically you have to do two things at a minimum. First, decide whether the
bug `crashes the compiler`_ or if the compiler is `miscompiling`_ the program
(i.e., the compiler successfully produces an executable, but it doesn't run
right). Based on what type of bug it is, follow the instructions in the
linked section to narrow down the bug so that the person who fixes it will be
able to find the problem more easily.

Once you have a reduced test-case, go to `the LLVM Bug Tracking System
<https://github.com/llvm/llvm-project/issues>`_ and fill out the form with the
necessary details (note that you don't need to pick a label, just use if you're
not sure).  The bug description should contain the following information:

* All information necessary to reproduce the problem.
* The reduced test-case that triggers the bug.
* The location where you obtained LLVM (if not from our Git
  repository).

Thanks for helping us make LLVM better!

.. _crashes the compiler:

Crashing Bugs
=============

More often than not, bugs in the compiler cause it to crash---often due to
an assertion failure of some sort. The most important piece of the puzzle
is to figure out if it is crashing in the Clang front-end or if it is one of
the LLVM libraries (e.g. the optimizer or code generator) that has
problems.

To figure out which component is crashing (the front-end, middle-end
optimizer, or backend code generator), run the ``clang`` command line as you
were when the crash occurred, but with the following extra command line
options:

* ``-emit-llvm -Xclang -disable-llvm-passes``: If ``clang`` still crashes when
  passed these options (which disable the optimizer and code generator), then
  the crash is in the front-end. Jump ahead to :ref:`front-end bugs
  <frontend-crash>`.

* ``-emit-llvm``: If ``clang`` crashes with this option (which disables
  the code generator), you found a middle-end optimizer bug. Jump ahead to
  :ref:`middle-end bugs <middleend-crash>`.

* Otherwise, you have a backend code generator crash. Jump ahead to :ref:`code
  generator bugs <backend-crash>`.

.. _frontend-crash:

Front-end bugs
--------------

On a ``clang`` crash, the compiler will dump a preprocessed file and a script
to replay the ``clang`` command. For example, you should see something like

.. code-block:: text

   PLEASE ATTACH THE FOLLOWING FILES TO THE BUG REPORT:
   Preprocessed source(s) and associated run script(s) are located at:
   clang: note: diagnostic msg: /tmp/foo-xxxxxx.c
   clang: note: diagnostic msg: /tmp/foo-xxxxxx.sh

The `creduce <https://github.com/csmith-project/creduce>`_ tool helps to
reduce the preprocessed file down to the smallest amount of code that still
replicates the problem. You're encouraged to use creduce to reduce the code
to make the developers' lives easier. The
``clang/utils/creduce-clang-crash.py`` script can be used on the files
that clang dumps to help with automating creating a test to check for the
compiler crash.

`cvise <https://github.com/marxin/cvise>`_ is an alternative to ``creduce``.

.. _middleend-crash:

Middle-end optimization bugs
----------------------------

If you find that a bug crashes in the optimizer, compile your test-case to a
``.bc`` file by passing "``-emit-llvm -O1 -Xclang -disable-llvm-passes -c -o
foo.bc``". The ``-O1`` is important because ``-O0`` adds the ``optnone``
function attribute to all functions and many passes don't run on ``optnone``
functions. Then run:

.. code-block:: bash

   opt -O3 foo.bc -disable-output

If this doesn't crash, please follow the instructions for a :ref:`front-end
bug <frontend-crash>`.

If this does crash, then you should be able to debug this with the following
:doc:`bugpoint <Bugpoint>` command:

.. code-block:: bash

   bugpoint foo.bc -O3

Run this, then file a bug with the instructions and reduced .bc
files that bugpoint emits.

If bugpoint doesn't reproduce the crash,
:doc:`llvm-reduce <CommandGuide/llvm-reduce>` is an alternative way to reduce
LLVM IR. Create a script that repros the crash and run:

.. code-block:: bash

   llvm-reduce --test=path/to/script foo.bc

which should produce reduced IR that reproduces the crash.

.. TIP::
   ``llvm-reduce`` is still fairly immature and may crash. On the other hand,
   unlike ``bugpoint``, ``llvm-reduce -j $NUM_THREADS`` is multi-threaded and
   can therefore potentially be much faster.

If none of the above work, you can get the IR before a crash by running the
``opt`` command with the ``--print-before-all --print-module-scope`` flags to
dump the IR before every pass. Be warned that this is very verbose.

.. _backend-crash:

Backend code generator bugs
---------------------------

If you find a bug that crashes clang in the code generator, compile your
source file to a .bc file by passing "``-emit-llvm -c -o foo.bc``" to
clang (in addition to the options you already pass).  Once your have
foo.bc, one of the following commands should fail:

#. ``llc foo.bc``
#. ``llc foo.bc -relocation-model=pic``
#. ``llc foo.bc -relocation-model=static``

If none of these crash, please follow the instructions for a :ref:`front-end
bug<frontend-crash>`. If one of these do crash, you should be able to reduce
this with one of the following :doc:`bugpoint <Bugpoint>` command lines (use
the one corresponding to the command above that failed):

#. ``bugpoint -run-llc foo.bc``
#. ``bugpoint -run-llc foo.bc --tool-args -relocation-model=pic``
#. ``bugpoint -run-llc foo.bc --tool-args -relocation-model=static``

Please run this, then file a bug with the instructions and reduced .bc file
that bugpoint emits.  If something goes wrong with bugpoint, please submit
the "foo.bc" file and the option that llc crashes with.

LTO bugs
---------------------------

If you encounter a bug that leads to crashes in the LLVM LTO phase when using
the ``-flto`` option, follow these steps to diagnose and report the issue:

Compile your source file to a ``.bc`` (Bitcode) file with the following options,
in addition to your existing compilation options:

.. code-block:: bash

   export CFLAGS="-flto -fuse-ld=lld" CXXFLAGS="-flto -fuse-ld=lld" LDFLAGS="-Wl,-plugin-opt=save-temps"

These options enable LTO and save temporary files generated during compilation
for later analysis.

On Windows, you should be using lld-link as the linker. Adjust your compilation 
flags as follows:
* Add ``/lldsavetemps`` to the linker flags.
* When linking from the compiler driver, add ``/link /lldsavetemps`` in order to forward that flag to the linker.

Using the specified flags will generate four intermediate bytecode files:

#. a.out.0.0.preopt.bc (Before any link-time optimizations (LTO) are applied)
#. a.out.0.2.internalize.bc (After initial optimizations are applied)
#. a.out.0.4.opt.bc (After an extensive set of optimizations)
#. a.out.0.5.precodegen.bc (After LTO but before translating into machine code)

Execute one of the following commands to identify the source of the problem:

#. ``opt "-passes=lto<O3>" a.out.0.2.internalize.bc``
#. ``llc a.out.0.5.precodegen.bc``

If one of these do crash, you should be able to reduce
this with :program:`llvm-reduce`
command line (use the bc file corresponding to the command above that failed):

.. code-block:: bash

   llvm-reduce --test reduce.sh a.out.0.2.internalize.bc

Example of reduce.sh script

.. code-block:: bash

   $ cat reduce.sh
   #!/bin/bash -e

   path/to/not --crash path/to/opt "-passes=lto<O3>" $1 -o temp.bc  2> err.log
   grep -q "It->second == &Insn" err.log

Here we have grepped the failed assert message.

Please run this, then file a bug with the instructions and reduced .bc file
that llvm-reduce emits.

.. _miscompiling:

Miscompilations
===============

If clang successfully produces an executable, but that executable doesn't run
right, this is either a bug in the code or a bug in the compiler. The first
thing to check is to make sure it is not using undefined behavior (e.g.
reading a variable before it is defined). In particular, check to see if the
program is clean under various `sanitizers
<https://github.com/google/sanitizers>`_ (e.g. ``clang
-fsanitize=undefined,address``) and `valgrind <http://valgrind.org/>`_. Many
"LLVM bugs" that we have chased down ended up being bugs in the program being
compiled, not LLVM.

Once you determine that the program itself is not buggy, you should choose
which code generator you wish to compile the program with (e.g. LLC or the JIT)
and optionally a series of LLVM passes to run.  For example:

.. code-block:: bash

   bugpoint -run-llc [... optzn passes ...] file-to-test.bc --args -- [program arguments]

bugpoint will try to narrow down your list of passes to the one pass that
causes an error, and simplify the bitcode file as much as it can to assist
you. It will print a message letting you know how to reproduce the
resulting error.

The :doc:`OptBisect <OptBisect>` page shows an alternative method for finding
incorrect optimization passes.

Incorrect code generation
=========================

Similarly to debugging incorrect compilation by mis-behaving passes, you
can debug incorrect code generation by either LLC or the JIT, using
``bugpoint``. The process ``bugpoint`` follows in this case is to try to
narrow the code down to a function that is miscompiled by one or the other
method, but since for correctness, the entire program must be run,
``bugpoint`` will compile the code it deems to not be affected with the C
Backend, and then link in the shared object it generates.

To debug the JIT:

.. code-block:: bash

   bugpoint -run-jit -output=[correct output file] [bitcode file]  \
            --tool-args -- [arguments to pass to lli]              \
            --args -- [program arguments]

Similarly, to debug the LLC, one would run:

.. code-block:: bash

   bugpoint -run-llc -output=[correct output file] [bitcode file]  \
            --tool-args -- [arguments to pass to llc]              \
            --args -- [program arguments]

**Special note:** if you are debugging MultiSource or SPEC tests that
already exist in the ``llvm/test`` hierarchy, there is an easier way to
debug the JIT, LLC, and CBE, using the pre-written Makefile targets, which
will pass the program options specified in the Makefiles:

.. code-block:: bash

   cd llvm/test/../../program
   make bugpoint-jit

At the end of a successful ``bugpoint`` run, you will be presented
with two bitcode files: a *safe* file which can be compiled with the C
backend and the *test* file which either LLC or the JIT
mis-codegenerates, and thus causes the error.

To reproduce the error that ``bugpoint`` found, it is sufficient to do
the following:

#. Regenerate the shared object from the safe bitcode file:

   .. code-block:: bash

      llc -march=c safe.bc -o safe.c
      gcc -shared safe.c -o safe.so

#. If debugging LLC, compile test bitcode native and link with the shared
   object:

   .. code-block:: bash

      llc test.bc -o test.s
      gcc test.s safe.so -o test.llc
      ./test.llc [program options]

#. If debugging the JIT, load the shared object and supply the test
   bitcode:

   .. code-block:: bash

      lli -load=safe.so test.bc [program options]