Source Level Debugging with LLVM

This document is the central repository for all information pertaining to debug information in LLVM. It describes the user interface for the llvm-db tool, which provides a powerful source-level debugger to users of LLVM-based compilers. It then describes the various components that make up the debugger and the libraries which future clients may use. Finally, it describes the actual format that the LLVM debug information takes, which is useful for those interested in creating front-ends or dealing directly with the information.

Philosophy behind LLVM debugging information

The idea of the LLVM debugging information is to capture how the important pieces of the source-language's Abstract Syntax Tree map onto LLVM code. Several design aspects have shaped the solution that appears here. The important ones are:

The approach used by the LLVM implementation is to use a small set of intrinsic functions to define a mapping between LLVM program objects and the source-level objects. The description of the source-level program is maintained in LLVM global variables in an implementation-defined format (the C/C++ front-end currently uses working draft 7 of the Dwarf 3 standard).

When a program is debugged, the debugger interacts with the user and turns the stored debug information into source-language specific information. As such, the debugger must be aware of the source-language, and is thus tied to a specific language of family of languages. The LLVM debugger is designed to be modular in its support for source-languages.

Debugging optimized code

An extremely high priority of LLVM debugging information is to make it interact well with optimizations and analysis. In particular, the LLVM debug information provides the following guarantees:

Basically, the debug information allows you to compile a program with "-O0 -g" and get full debug information, allowing you to arbitrarily modify the program as it executes from the debugger. Compiling a program with "-O3 -g" gives you full debug information that is always available and accurate for reading (e.g., you get accurate stack traces despite tail call elimination and inlining), but you might lose the ability to modify the program and call functions where were optimized out of the program, or inlined away completely.

Future work

There are several important extensions that could be eventually added to the LLVM debugger. The most important extension would be to upgrade the LLVM code generators to support debugging information. This would also allow, for example, the X86 code generator to emit native objects that contain debugging information consumable by traditional source-level debuggers like GDB or DBX.

Additionally, LLVM optimizations can be upgraded to incrementally update the debugging information, new commands can be added to the debugger, and thread support could be added to the debugger.

The "SourceLanguage" modules provided by llvm-db could be substantially improved to provide good support for C++ language features like namespaces and scoping rules.

After working with the debugger for a while, perhaps the nicest improvement would be to add some sort of line editor, such as GNU readline (but one that is compatible with the LLVM license).

For someone so inclined, it should be straight-forward to write different front-ends for the LLVM debugger, as the LLVM debugging engine is cleanly separated from the llvm-db front-end. A new LLVM GUI debugger or IDE would be nice. :)

Using the llvm-db tool

The llvm-db tool provides a GDB-like interface for source-level debugging of programs. This tool provides many standard commands for inspecting and modifying the program as it executes, loading new programs, single stepping, placing breakpoints, etc. This section describes how to use the debugger.

llvm-db has been designed to be as similar to GDB in its user interface as possible. This should make it extremely easy to learn llvm-db if you already know GDB. In general, llvm-db provides the subset of GDB commands that are applicable to LLVM debugging users. If there is a command missing that make a reasonable amount of sense within the limitations of llvm-db, please report it as a bug or, better yet, submit a patch to add it. :)

Limitations of llvm-db

llvm-db is designed to be modular and easy to extend. This extensibility was key to getting the debugger up-and-running quickly, because we can start with simple-but-unsophisicated implementations of various components. Because of this, it is currently missing many features, though they should be easy to add over time (patches welcomed!). The biggest inherent limitations of llvm-db are currently due to extremely simple debugger backend (implemented in "lib/Debugger/UnixLocalInferiorProcess.cpp") which is designed to work without any cooperation from the code generators. Because it is so simple, it suffers from the following inherent limitations:

That said, the debugger is still quite useful, and all of these limitations can be eliminated by integrating support for the debugger into the code generators, and writing a new InferiorProcess subclass to use it. See the future work section for ideas of how to extend the LLVM debugger despite these limitations.

A sample llvm-db session

TODO: this is obviously lame, when more is implemented, this can be much better.

$ llvm-db funccall
llvm-db: The LLVM source-level debugger
Loading program... successfully loaded 'funccall.bc'!
(llvm-db) create
Starting program: funccall.bc
main at funccall.c:9:2
9 ->            q = 0;
(llvm-db) list main
4       void foo() {
5               int t = q;
6               q = t + 1;
7       }
8       int main() {
9 ->            q = 0;
10              foo();
11              q = q - 1;
13              return q;
(llvm-db) list
14      }
(llvm-db) step
10 ->           foo();
(llvm-db) s
foo at funccall.c:5:2
5 ->            int t = q;
(llvm-db) bt
#0 ->   0x85ffba0 in foo at funccall.c:5:2
#1      0x85ffd98 in main at funccall.c:10:2
(llvm-db) finish
main at funccall.c:11:2
11 ->           q = q - 1;
(llvm-db) s
13 ->           return q;
(llvm-db) s
The program stopped with exit code 0
(llvm-db) quit

Starting the debugger

There are three ways to start up the llvm-db debugger:

When run with no options, just llvm-db, the debugger starts up without a program loaded at all. You must use the file command to load a program, and the set args or run commands to specify the arguments for the program.

If you start the debugger with one argument, as llvm-db <program>, the debugger will start up and load in the specified program. You can then optionally specify arguments to the program with the set args or run commands.

The third way to start the program is with the --args option. This option allows you to specify the program to load and the arguments to start out with. Example use: llvm-db --args ls /home

Commands recognized by the debugger

FIXME: this needs work obviously. See the GDB documentation for information about what these do, or try 'help [command]' within llvm-db to get information.

General usage:

Program inspection and interaction:

Call stack inspection:

Debugger inspection and interaction:


Architecture of the LLVM debugger

The LLVM debugger is built out of three distinct layers of software. These layers provide clients with different interface options depending on what pieces of they want to implement themselves, and it also promotes code modularity and good design. The three layers are the Debugger interface, the "info" interfaces, and the llvm-db tool itself.

The Debugger and InferiorProcess classes

The Debugger class (defined in the include/llvm/Debugger/ directory) is a low-level class which is used to maintain information about the loaded program, as well as start and stop the program running as necessary. This class does not provide any high-level analysis or control over the program, only exposing simple interfaces like load/unloadProgram, create/killProgram, step/next/finish/contProgram, and low-level methods for installing breakpoints.

The Debugger class is itself a wrapper around the lowest-level InferiorProcess class. This class is used to represent an instance of the program running under debugger control. The InferiorProcess class can be implemented in different ways for different targets and execution scenarios (e.g., remote debugging). The InferiorProcess class exposes a small and simple collection of interfaces which are useful for inspecting the current state of the program (such as collecting stack trace information, reading the memory image of the process, etc). The interfaces in this class are designed to be as low-level and simple as possible, to make it easy to create new instances of the class.

The Debugger class exposes the currently active instance of InferiorProcess through the Debugger::getRunningProcess method, which returns a const reference to the class. This means that clients of the Debugger class can only inspect the running instance of the program directly. To change the executing process in some way, they must use the interces exposed by the Debugger class.

The RuntimeInfo, ProgramInfo, and SourceLanguage classes

The next-highest level of debugger abstraction is provided through the ProgramInfo, RuntimeInfo, SourceLanguage and related classes (also defined in the include/llvm/Debugger/ directory). These classes efficiently decode the debugging information and low-level interfaces exposed by InferiorProcess into a higher-level representation, suitable for analysis by the debugger.

The ProgramInfo class exposes a variety of different kinds of information about the program objects in the source-level-language. The SourceFileInfo class represents a source-file in the program (e.g. a .cpp or .h file). The SourceFileInfo class captures information such as which SourceLanguage was used to compile the file, where the debugger can get access to the actual file text (which is lazily loaded on demand), etc. The SourceFunctionInfo class represents a... FIXME: finish. The ProgramInfo class provides interfaces to lazily find and decode the information needed to create the Source*Info classes requested by the debugger.

The RuntimeInfo class exposes information about the currently executed program, by decoding information from the InferiorProcess and ProgramInfo classes. It provides a StackFrame class which provides an easy-to-use interface for inspecting the current and suspended stack frames in the program.

The SourceLanguage class is an abstract interface used by the debugger to perform all source-language-specific tasks. For example, this interface is used by the ProgramInfo class to decode language-specific types and functions and by the debugger front-end (such as llvm-db to evaluate source-langauge expressions typed into the debugger. This class uses the RuntimeInfo & ProgramInfo classes to get information about the current execution context and the loaded program, respectively.

The llvm-db tool

The llvm-db is designed to be a debugger providing an interface as similar to GDB as reasonable, but no more so than that. Because the Debugger and info classes implement all of the heavy lifting and analysis, llvm-db (which lives in llvm/tools/llvm-db) consists mainly of of code to interact with the user and parse commands. The CLIDebugger constructor registers all of the builtin commands for the debugger, and each command is implemented as a CLIDebugger::[name]Command method.

Short-term TODO list

FIXME: this section will eventually go away. These are notes to myself of things that should be implemented, but haven't yet.

Breakpoints: Support is already implemented in the 'InferiorProcess' class, though it hasn't been tested yet. To finish breakpoint support, we need to implement breakCommand (which should reuse the linespec parser from the list command), and handle the fact that 'break foo' or 'break file.c:53' may insert multiple breakpoints. Also, if you say 'break file.c:53' and there is no stoppoint on line 53, the breakpoint should go on the next available line. My idea was to have the Debugger class provide a "Breakpoint" class which encapsulated this messiness, giving the debugger front-end a simple interface. The debugger front-end would have to map the really complex semantics of temporary breakpoints and 'conditional' breakpoints onto this intermediate level. Also, breakpoints should survive as much as possible across program reloads.

UnixLocalInferiorProcess.cpp speedup: There is no reason for the debugged process to code gen the globals corresponding to debug information. The IntrinsicLowering object could instead change descriptors into constant expr casts of the constant address of the LLVM objects for the descriptors. This would also allow us to eliminate the mapping back and forth between physical addresses that must be done.

Process deaths: The InferiorProcessDead exception should be extended to know "how" a process died, i.e., it was killed by a signal. This is easy to collect in the UnixLocalInferiorProcess, we just need to represent it.

Debugging information format

LLVM debugging information has been carefully designed to make it possible for the optimizer to optimize the program and debugging information without necessarily having to know anything about debugging information. In particular, the global constant merging pass automatically eliminates duplicated debugging information (often caused by header files), the global dead code elimination pass automatically deletes debugging information for a function if it decides to delete the function, and the linker eliminates debug information when it merges linkonce functions.

To do this, most of the debugging information (descriptors for types, variables, functions, source files, etc) is inserted by the language front-end in the form of LLVM global variables. These LLVM global variables are no different from any other global variables, except that they have a web of LLVM intrinsic functions that point to them. If the last references to a particular piece of debugging information are deleted (for example, by the -globaldce pass), the extraneous debug information will automatically become dead and be removed by the optimizer.

The debugger is designed to be agnostic about the contents of most of the debugging information. It uses a source-language-specific module to decode the information that represents variables, types, functions, namespaces, etc: this allows for arbitrary source-language semantics and type-systems to be used, as long as there is a module written for the debugger to interpret the information.

To provide basic functionality, the LLVM debugger does have to make some assumptions about the source-level language being debugged, though it keeps these to a minimum. The only common features that the LLVM debugger assumes exist are source files, and program objects. These abstract objects are used by the debugger to form stack traces, show information about local variables, etc.

This section of the documentation first describes the representation aspects common to any source-language. The next section describes the data layout conventions used by the C and C++ front-ends.

Anchors for global objects

One important aspect of the LLVM debug representation is that it allows the LLVM debugger to efficiently index all of the global objects without having the scan the program. To do this, all of the global objects use "anchor" globals of type "{}", with designated names. These anchor objects obviously do not contain any content or meaning by themselves, but all of the global objects of a particular type (e.g., source file descriptors) contain a pointer to the anchor. This pointer allows the debugger to use def-use chains to find all global objects of that type.

So far, the following names are recognized as anchors by the LLVM debugger:

  %llvm.dbg.translation_units = linkonce global {} {}
  %llvm.dbg.globals         = linkonce global {} {}

Using anchors in this way (where the source file descriptor points to the anchors, as opposed to having a list of source file descriptors) allows for the standard dead global elimination and merging passes to automatically remove unused debugging information. If the globals were kept track of through lists, there would always be an object pointing to the descriptors, thus would never be deleted.

Representing stopping points in the source program

LLVM debugger "stop points" are a key part of the debugging representation that allows the LLVM to maintain simple semantics for debugging optimized code. The basic idea is that the front-end inserts calls to the %llvm.dbg.stoppoint intrinsic function at every point in the program where the debugger should be able to inspect the program (these correspond to places the debugger stops when you "step" through it). The front-end can choose to place these as fine-grained as it would like (for example, before every subexpression evaluated), but it is recommended to only put them after every source statement that includes executable code.

Using calls to this intrinsic function to demark legal points for the debugger to inspect the program automatically disables any optimizations that could potentially confuse debugging information. To non-debug-information-aware transformations, these calls simply look like calls to an external function, which they must assume to do anything (including reading or writing to any part of reachable memory). On the other hand, it does not impact many optimizations, such as code motion of non-trapping instructions, nor does it impact optimization of subexpressions, code duplication transformations, or basic-block reordering transformations.

An important aspect of the calls to the %llvm.dbg.stoppoint intrinsic is that the function-local debugging information is woven together with use-def chains. This makes it easy for the debugger to, for example, locate the 'next' stop point. For a concrete example of stop points, see the example in the next section.

Object lifetimes and scoping

In many languages, the local variables in functions can have their lifetime or scope limited to a subset of a function. In the C family of languages, for example, variables are only live (readable and writable) within the source block that they are defined in. In functional languages, values are only readable after they have been defined. Though this is a very obvious concept, it is also non-trivial to model in LLVM, because it has no notion of scoping in this sense, and does not want to be tied to a language's scoping rules.

In order to handle this, the LLVM debug format uses the notion of "regions" of a function, delineated by calls to intrinsic functions. These intrinsic functions define new regions of the program and indicate when the region lifetime expires. Consider the following C fragment, for example:

1.  void foo() {
2.    int X = ...;
3.    int Y = ...;
4.    {
5.      int Z = ...;
6.      ...
7.    }
8.    ...
9.  }

Compiled to LLVM, this function would be represented like this (FIXME: CHECK AND UPDATE THIS):

void %foo() {
    %X = alloca int
    %Y = alloca int
    %Z = alloca int
    %D1 = call {}* %llvm.dbg.func.start(*
    %D2 = call {}* %llvm.dbg.stoppoint({}* %D1, uint 2, uint 2, %lldb.compile_unit* %file)

    %D3 = call {}* %llvm.dbg.DEFINEVARIABLE({}* %D2, ...)
    ;; Evaluate expression on line 2, assigning to X.
    %D4 = call {}* %llvm.dbg.stoppoint({}* %D3, uint 3, uint 2, %lldb.compile_unit* %file)

    %D5 = call {}* %llvm.dbg.DEFINEVARIABLE({}* %D4, ...)
    ;; Evaluate expression on line 3, assigning to Y.
    %D6 = call {}* %llvm.dbg.stoppoint({}* %D5, uint 5, uint 4, %lldb.compile_unit* %file)

    %D7 = call {}* %llvm.region.start({}* %D6)
    %D8 = call {}* %llvm.dbg.DEFINEVARIABLE({}* %D7, ...)
    ;; Evaluate expression on line 5, assigning to Z.
    %D9 = call {}* %llvm.dbg.stoppoint({}* %D8, uint 6, uint 4, %lldb.compile_unit* %file)

    ;; Code for line 6.
    %D10 = call {}* %llvm.region.end({}* %D9)
    %D11 = call {}* %llvm.dbg.stoppoint({}* %D10, uint 8, uint 2, %lldb.compile_unit* %file)

    ;; Code for line 8.
    %D12 = call {}* %llvm.region.end({}* %D11)
    ret void

This example illustrates a few important details about the LLVM debugging information. In particular, it shows how the various intrinsics used are woven together with def-use and use-def chains, similar to how anchors are used with globals. This allows the debugger to analyze the relationship between statements, variable definitions, and the code used to implement the function.

In this example, two explicit regions are defined, one with the definition of the %D1 variable and one with the definition of %D7. In the case of %D1, the debug information indicates that the function whose descriptor is specified as an argument to the intrinsic. This defines a new stack frame whose lifetime ends when the region is ended by the %D12 call.

Using regions to represent the boundaries of source-level functions allow LLVM interprocedural optimizations to arbitrarily modify LLVM functions without having to worry about breaking mapping information between the LLVM code and the and source-level program. In particular, the inliner requires no modification to support inlining with debugging information: there is no explicit correlation drawn between LLVM functions and their source-level counterparts (note however, that if the inliner inlines all instances of a non-strong-linkage function into its caller that it will not be possible for the user to manually invoke the inlined function from the debugger).

Once the function has been defined, the stopping point corresponding to line #2 of the function is encountered. At this point in the function, no local variables are live. As lines 2 and 3 of the example are executed, their variable definitions are automatically introduced into the program, without the need to specify a new region. These variables do not require new regions to be introduced because they go out of scope at the same point in the program: line 9.

In contrast, the Z variable goes out of scope at a different time, on line 7. For this reason, it is defined within the %D7 region, which kills the availability of Z before the code for line 8 is executed. In this way, regions can support arbitrary source-language scoping rules, as long as they can only be nested (ie, one scope cannot partially overlap with a part of another scope).

It is worth noting that this scoping mechanism is used to control scoping of all declarations, not just variable declarations. For example, the scope of a C++ using declaration is controlled with this, and the llvm-db C++ support routines could use this to change how name lookup is performed (though this is not implemented yet).

Object descriptor formats

The LLVM debugger expects the descriptors for program objects to start in a canonical format, but the descriptors can include additional information appended at the end that is source-language specific. All LLVM debugging information is versioned, allowing backwards compatibility in the case that the core structures need to change in some way. Also, all debugging information objects start with a tag to indicate what type of object it is. The source-language is allows to define its own objects, by using unreserved tag numbers.

The lowest-level descriptor are those describing the files containing the program source code, as most other descriptors (sometimes indirectly) refer to them.

Representation of source files

Source file descriptors are patterned after the Dwarf "compile_unit" object. The descriptor currently is defined to have at least the following LLVM type entries:

%lldb.compile_unit = type {
       uint,                 ;; Tag: LLVM_COMPILE_UNIT
       ushort,               ;; LLVM debug version number
       ushort,               ;; Dwarf language identifier
       sbyte*,               ;; Filename
       sbyte*,               ;; Working directory when compiled
       sbyte*                ;; Producer of the debug information

These descriptors contain the version number for the debug info, a source language ID for the file (we use the Dwarf 3.0 ID numbers, such as DW_LANG_C89, DW_LANG_C_plus_plus, DW_LANG_Cobol74, etc), three strings describing the filename, working directory of the compiler, and an identifier string for the compiler that produced it. Note that actual compile_unit declarations must also include an anchor to llvm.dbg.translation_units, but it is not specified where the anchor is to be located. Here is an example descriptor:

%arraytest_source_file = internal constant %lldb.compile_unit {
    uint 17,                                                      ; Tag value
    ushort 0,                                                     ; Version #0
    ushort 1,                                                     ; DW_LANG_C89
    sbyte* getelementptr ([12 x sbyte]* %.str_1, long 0, long 0), ; filename
    sbyte* getelementptr ([12 x sbyte]* %.str_2, long 0, long 0), ; working dir
    sbyte* getelementptr ([12 x sbyte]* %.str_3, long 0, long 0), ; producer
    {}* %llvm.dbg.translation_units                               ; Anchor
%.str_1 = internal constant [12 x sbyte] c"arraytest.c\00"
%.str_2 = internal constant [12 x sbyte] c"/home/sabre\00"
%.str_3 = internal constant [12 x sbyte] c"llvmgcc 3.4\00"

Note that the LLVM constant merging pass should eliminate duplicate copies of the strings that get emitted to each translation unit, such as the producer.

Representation of program objects

The LLVM debugger needs to know about some source-language program objects, in order to build stack traces, print information about local variables, and other related activities. The LLVM debugger differentiates between three different types of program objects: subprograms (functions, messages, methods, etc), variables (locals and globals), and others. Because source-languages have widely varying forms of these objects, the LLVM debugger expects only a few fields in the descriptor for each object:

%lldb.object = type {
       uint,                  ;; A tag
       any*,                  ;; The context for the object
       sbyte*                 ;; The object 'name'

The first field contains a tag for the descriptor. The second field contains either a pointer to the descriptor for the containing source file, or it contains a pointer to another program object whose context pointer eventually reaches a source file. Through this context pointer, the LLVM debugger can establish the debug version number of the object.

The third field contains a string that the debugger can use to identify the object if it does not contain explicit support for the source-language in use (ie, the 'unknown' source language handler uses this string). This should be some sort of unmangled string that corresponds to the object, but it is a quality of implementation issue what exactly it contains (it is legal, though not useful, for all of these strings to be null).

Note again that descriptors can be extended to include source-language-specific information in addition to the fields required by the LLVM debugger. See the section on the C/C++ front-end for more information. Also remember that global objects (functions, selectors, global variables, etc) must contain an anchor to the llvm.dbg.globals variable.

Program object contexts

Allow source-language specific contexts, use to identify namespaces etc
Must end up in a source file descriptor.
Debugger core ignores all unknown context objects.

Debugger intrinsic functions

Define each intrinsics, as an extension of the language reference manual.


Values for debugger tags

Happen to be the same value as the similarly named Dwarf-3 tags, this may change in the future.

  LLVM_SUBPROGRAM       : 46
  LLVM_VARIABLE         : 52

C/C++ front-end specific debug information

The C and C++ front-ends represent information about the program in a format that is effectively identical to Dwarf 3.0 in terms of information content. This allows code generators to trivially support native debuggers by generating standard dwarf information, and contains enough information for non-dwarf targets to translate it as needed.

The basic debug information required by the debugger is (intentionally) designed to be as minimal as possible. This basic information is so minimal that it is unlikely that any source-language could be adequately described by it. Because of this, the debugger format was designed for extension to support source-language-specific information. The extended descriptors are read and interpreted by the language-specific modules in the debugger if there is support available, otherwise it is ignored.

This section describes the extensions used to represent C and C++ programs. Other languages could pattern themselves after this (which itself is tuned to representing programs in the same way that Dwarf 3 does), or they could choose to provide completely different extensions if they don't fit into the Dwarf model. As support for debugging information gets added to the various LLVM source-language front-ends, the information used should be documented here.

Program Scope Entries

Compilation unit entries

Translation units do not add any information over the standard source file representation already expected by the debugger. As such, it uses descriptors of the type specified, with a trailing anchor.

Module, namespace, and importing entries

Data objects (program variables)