1================================
2How to submit an LLVM bug report
3================================
4
5Introduction - Got bugs?
6========================
7
8
9If you're working with LLVM and run into a bug, we definitely want to know
10about it.  This document describes what you can do to increase the odds of
11getting it fixed quickly.
12
13�� If you believe that the bug is security related, please follow :ref:`report-security-issue`. ��
14
15Basically you have to do two things at a minimum. First, decide whether the
16bug `crashes the compiler`_ or if the compiler is `miscompiling`_ the program
17(i.e., the compiler successfully produces an executable, but it doesn't run
18right). Based on what type of bug it is, follow the instructions in the
19linked section to narrow down the bug so that the person who fixes it will be
20able to find the problem more easily.
21
22Once you have a reduced test-case, go to `the LLVM Bug Tracking System
23<https://github.com/llvm/llvm-project/issues>`_ and fill out the form with the
24necessary details (note that you don't need to pick a label, just use if you're
25not sure).  The bug description should contain the following information:
26
27* All information necessary to reproduce the problem.
28* The reduced test-case that triggers the bug.
29* The location where you obtained LLVM (if not from our Git
30  repository).
31
32Thanks for helping us make LLVM better!
33
34.. _crashes the compiler:
35
36Crashing Bugs
37=============
38
39More often than not, bugs in the compiler cause it to crash---often due to
40an assertion failure of some sort. The most important piece of the puzzle
41is to figure out if it is crashing in the Clang front-end or if it is one of
42the LLVM libraries (e.g. the optimizer or code generator) that has
43problems.
44
45To figure out which component is crashing (the front-end, middle-end
46optimizer, or backend code generator), run the ``clang`` command line as you
47were when the crash occurred, but with the following extra command line
48options:
49
50* ``-emit-llvm -Xclang -disable-llvm-passes``: If ``clang`` still crashes when
51  passed these options (which disable the optimizer and code generator), then
52  the crash is in the front-end. Jump ahead to :ref:`front-end bugs
53  <frontend-crash>`.
54
55* ``-emit-llvm``: If ``clang`` crashes with this option (which disables
56  the code generator), you found a middle-end optimizer bug. Jump ahead to
57  :ref:`middle-end bugs <middleend-crash>`.
58
59* Otherwise, you have a backend code generator crash. Jump ahead to :ref:`code
60  generator bugs <backend-crash>`.
61
62.. _frontend-crash:
63
64Front-end bugs
65--------------
66
67On a ``clang`` crash, the compiler will dump a preprocessed file and a script
68to replay the ``clang`` command. For example, you should see something like
69
70.. code-block:: text
71
72   PLEASE ATTACH THE FOLLOWING FILES TO THE BUG REPORT:
73   Preprocessed source(s) and associated run script(s) are located at:
74   clang: note: diagnostic msg: /tmp/foo-xxxxxx.c
75   clang: note: diagnostic msg: /tmp/foo-xxxxxx.sh
76
77The `creduce <https://github.com/csmith-project/creduce>`_ tool helps to
78reduce the preprocessed file down to the smallest amount of code that still
79replicates the problem. You're encouraged to use creduce to reduce the code
80to make the developers' lives easier. The
81``clang/utils/creduce-clang-crash.py`` script can be used on the files
82that clang dumps to help with automating creating a test to check for the
83compiler crash.
84
85`cvise <https://github.com/marxin/cvise>`_ is an alternative to ``creduce``.
86
87.. _middleend-crash:
88
89Middle-end optimization bugs
90----------------------------
91
92If you find that a bug crashes in the optimizer, compile your test-case to a
93``.bc`` file by passing "``-emit-llvm -O1 -Xclang -disable-llvm-passes -c -o
94foo.bc``". The ``-O1`` is important because ``-O0`` adds the ``optnone``
95function attribute to all functions and many passes don't run on ``optnone``
96functions. Then run:
97
98.. code-block:: bash
99
100   opt -O3 foo.bc -disable-output
101
102If this doesn't crash, please follow the instructions for a :ref:`front-end
103bug <frontend-crash>`.
104
105If this does crash, then you should be able to debug this with the following
106:doc:`bugpoint <Bugpoint>` command:
107
108.. code-block:: bash
109
110   bugpoint foo.bc -O3
111
112Run this, then file a bug with the instructions and reduced .bc
113files that bugpoint emits.
114
115If bugpoint doesn't reproduce the crash, ``llvm-reduce`` is an alternative
116way to reduce LLVM IR. Create a script that repros the crash and run:
117
118.. code-block:: bash
119
120   llvm-reduce --test=path/to/script foo.bc
121
122which should produce reduced IR that reproduces the crash. Be warned the
123``llvm-reduce`` is still fairly immature and may crash.
124
125If none of the above work, you can get the IR before a crash by running the
126``opt`` command with the ``--print-before-all --print-module-scope`` flags to
127dump the IR before every pass. Be warned that this is very verbose.
128
129.. _backend-crash:
130
131Backend code generator bugs
132---------------------------
133
134If you find a bug that crashes clang in the code generator, compile your
135source file to a .bc file by passing "``-emit-llvm -c -o foo.bc``" to
136clang (in addition to the options you already pass).  Once your have
137foo.bc, one of the following commands should fail:
138
139#. ``llc foo.bc``
140#. ``llc foo.bc -relocation-model=pic``
141#. ``llc foo.bc -relocation-model=static``
142
143If none of these crash, please follow the instructions for a :ref:`front-end
144bug<frontend-crash>`. If one of these do crash, you should be able to reduce
145this with one of the following :doc:`bugpoint <Bugpoint>` command lines (use
146the one corresponding to the command above that failed):
147
148#. ``bugpoint -run-llc foo.bc``
149#. ``bugpoint -run-llc foo.bc --tool-args -relocation-model=pic``
150#. ``bugpoint -run-llc foo.bc --tool-args -relocation-model=static``
151
152Please run this, then file a bug with the instructions and reduced .bc file
153that bugpoint emits.  If something goes wrong with bugpoint, please submit
154the "foo.bc" file and the option that llc crashes with.
155
156.. _miscompiling:
157
158Miscompilations
159===============
160
161If clang successfully produces an executable, but that executable doesn't run
162right, this is either a bug in the code or a bug in the compiler. The first
163thing to check is to make sure it is not using undefined behavior (e.g.
164reading a variable before it is defined). In particular, check to see if the
165program is clean under various `sanitizers
166<https://github.com/google/sanitizers>`_ (e.g. ``clang
167-fsanitize=undefined,address``) and `valgrind <http://valgrind.org/>`_. Many
168"LLVM bugs" that we have chased down ended up being bugs in the program being
169compiled, not LLVM.
170
171Once you determine that the program itself is not buggy, you should choose
172which code generator you wish to compile the program with (e.g. LLC or the JIT)
173and optionally a series of LLVM passes to run.  For example:
174
175.. code-block:: bash
176
177   bugpoint -run-llc [... optzn passes ...] file-to-test.bc --args -- [program arguments]
178
179bugpoint will try to narrow down your list of passes to the one pass that
180causes an error, and simplify the bitcode file as much as it can to assist
181you. It will print a message letting you know how to reproduce the
182resulting error.
183
184The :doc:`OptBisect <OptBisect>` page shows an alternative method for finding
185incorrect optimization passes.
186
187Incorrect code generation
188=========================
189
190Similarly to debugging incorrect compilation by mis-behaving passes, you
191can debug incorrect code generation by either LLC or the JIT, using
192``bugpoint``. The process ``bugpoint`` follows in this case is to try to
193narrow the code down to a function that is miscompiled by one or the other
194method, but since for correctness, the entire program must be run,
195``bugpoint`` will compile the code it deems to not be affected with the C
196Backend, and then link in the shared object it generates.
197
198To debug the JIT:
199
200.. code-block:: bash
201
202   bugpoint -run-jit -output=[correct output file] [bitcode file]  \
203            --tool-args -- [arguments to pass to lli]              \
204            --args -- [program arguments]
205
206Similarly, to debug the LLC, one would run:
207
208.. code-block:: bash
209
210   bugpoint -run-llc -output=[correct output file] [bitcode file]  \
211            --tool-args -- [arguments to pass to llc]              \
212            --args -- [program arguments]
213
214**Special note:** if you are debugging MultiSource or SPEC tests that
215already exist in the ``llvm/test`` hierarchy, there is an easier way to
216debug the JIT, LLC, and CBE, using the pre-written Makefile targets, which
217will pass the program options specified in the Makefiles:
218
219.. code-block:: bash
220
221   cd llvm/test/../../program
222   make bugpoint-jit
223
224At the end of a successful ``bugpoint`` run, you will be presented
225with two bitcode files: a *safe* file which can be compiled with the C
226backend and the *test* file which either LLC or the JIT
227mis-codegenerates, and thus causes the error.
228
229To reproduce the error that ``bugpoint`` found, it is sufficient to do
230the following:
231
232#. Regenerate the shared object from the safe bitcode file:
233
234   .. code-block:: bash
235
236      llc -march=c safe.bc -o safe.c
237      gcc -shared safe.c -o safe.so
238
239#. If debugging LLC, compile test bitcode native and link with the shared
240   object:
241
242   .. code-block:: bash
243
244      llc test.bc -o test.s
245      gcc test.s safe.so -o test.llc
246      ./test.llc [program options]
247
248#. If debugging the JIT, load the shared object and supply the test
249   bitcode:
250
251   .. code-block:: bash
252
253      lli -load=safe.so test.bc [program options]
254