With ThinLTO, we only support cases where the input bitcode is built with the same LLVM revision

I am pretty sure ThinLTO was designed without this restriction, where is it coming from?

In D143229#4101251, @mehdi_amini wrote:

With ThinLTO, we only support cases where the input bitcode is built with the same LLVM revision

I am pretty sure ThinLTO was designed without this restriction, where is it coming from?

Hmm I thought I remembered this being true, I may be wrong though. Hopefully others can comment.
If my assumption is wrong, I can make this into a flag instead.

A flag seems a bit ad-hoc to me, can we detect from the bitcode itself if this is necessary?

In D143229#4101253, @aeubanks wrote:

In D143229#4101251, @mehdi_amini wrote:

With ThinLTO, we only support cases where the input bitcode is built with the same LLVM revision

I am pretty sure ThinLTO was designed without this restriction, where is it coming from?

Hmm I thought I remembered this being true, I may be wrong though. Hopefully others can comment.
If my assumption is wrong, I can make this into a flag instead.

Yeah, my understanding's with @mehdi_amini too - that ThinLTO should be/is currently compatible with archived bitcode (Apple folks would be the ones most likely to speak to that, perhaps @tejohnson knows who's best to rope in on their side these days), it's just that our (Google) internal use doesn't need this flexibility and is paying a penalty for it. The cost of running the IR verifier for debug info might interest @aprantl and @JDevlieghere in case they've got ideas about other ways to address this or might just be interested in knowing it's hot and might be worth improvements, even if Google still ends up turning it off entirely.

In D143229#4101256, @mehdi_amini wrote:

A flag seems a bit ad-hoc to me, can we detect from the bitcode itself if this is necessary?

Not really that I know of - if it's untrusted bitcode, everything's got to be validated/can't just check a version flag and assume it's good.

Having some generic flag for "this bitcode is trusted" might be a nice general purpose thing to have for users that can ensure that.

In D143229#4101272, @dblaikie wrote:

In D143229#4101253, @aeubanks wrote:

In D143229#4101251, @mehdi_amini wrote:

With ThinLTO, we only support cases where the input bitcode is built with the same LLVM revision

I am pretty sure ThinLTO was designed without this restriction, where is it coming from?

Hmm I thought I remembered this being true, I may be wrong though. Hopefully others can comment.
If my assumption is wrong, I can make this into a flag instead.

Yeah, my understanding's with @mehdi_amini too - that ThinLTO should be/is currently compatible with archived bitcode (Apple folks would be the ones most likely to speak to that, perhaps @tejohnson knows who's best to rope in on their side these days), it's just that our (Google) internal use doesn't need this flexibility and is paying a penalty for it. The cost of running the IR verifier for debug info might interest @aprantl and @JDevlieghere in case they've got ideas about other ways to address this or might just be interested in knowing it's hot and might be worth improvements, even if Google still ends up turning it off entirely.

Right, it is not a general requirement for ThinLTO that the input bitcode must be built with the same revision. Inside our Google builds this does end up being the case, however, because of the way the build system works. So we would need to put it under a flag.

In D143229#4101291, @dblaikie wrote:

In D143229#4101256, @mehdi_amini wrote:

A flag seems a bit ad-hoc to me, can we detect from the bitcode itself if this is necessary?

Not really that I know of - if it's untrusted bitcode, everything's got to be validated/can't just check a version flag and assume it's good.

The description in this revision isn't about "trust" but about "matching revision", can you elaborate what you have in mind as "trust" issue here?

I don't think this restriction works for Apple. Compatibility is important for users that needs external dependencies that they do not control. If the debug info upgrader is expensive for you, we can probably add a fast check to skip that, or just give user a flag to control that behavior.

In D143229#4103332, @aeubanks wrote:

check llvm.ident instead

If my source module is bitcode upgraded, it won't get a new llvm.ident right? Then the upgrade pass will be wrongly skipped. I think we need a LLVM code generator version somewhere in the IR

In D143229#4103364, @steven_wu wrote:

In D143229#4103332, @aeubanks wrote:

check llvm.ident instead

If my source module is bitcode upgraded, it won't get a new llvm.ident right? Then the upgrade pass will be wrongly skipped. I think we need a LLVM code generator version somewhere in the IR

it the bitcode was upgraded, then during the upgrade it should already have had UpgradeDebugInfo called on it (with the expected LLVM revision) right?

I don't think you can / should trust llvm.ident. It shouldn't be given a semantic meaning

In D143229#4103431, @arsenm wrote:

I don't think you can / should trust llvm.ident. It shouldn't be given a semantic meaning

Plus this isn't even a single field, it's a list of many versions (unfortunately it's not deduplicated either)

In D143229#4103367, @aeubanks wrote:

In D143229#4103364, @steven_wu wrote:

In D143229#4103332, @aeubanks wrote:

check llvm.ident instead

If my source module is bitcode upgraded, it won't get a new llvm.ident right? Then the upgrade pass will be wrongly skipped. I think we need a LLVM code generator version somewhere in the IR

it the bitcode was upgraded, then during the upgrade it should already have had UpgradeDebugInfo called on it (with the expected LLVM revision) right?

I am talking about A.bc imports function from B.bc. Both of bitcode files are out of date, so A.bc gets upgraded when loaded, then A tries to import B, they have the same ident so the upgrade from B is skipped.

In D143229#4101609, @mehdi_amini wrote:

In D143229#4101291, @dblaikie wrote:

In D143229#4101256, @mehdi_amini wrote:

A flag seems a bit ad-hoc to me, can we detect from the bitcode itself if this is necessary?

Not really that I know of - if it's untrusted bitcode, everything's got to be validated/can't just check a version flag and assume it's good.

The description in this revision isn't about "trust" but about "matching revision", can you elaborate what you have in mind as "trust" issue here?

In the sense that if I write some handcrafted IR, LLVM should verify it before moving forward because other things interacting with the IR will assume it's valid & may crash if it isn't. So there's a trust boundary, generally - like in memory IR usually isn't verified, it's assumed the producer produced something valid by construction & it's a bug on the producer side if it didn't. But generally once we're reading things off disk we assume it might have come from anywhere & to be somewhat stable/not so crashy, we usually verify it on input (at least that was/is my rough understanding). So if you happen to be willing to sacrifice that extra stability guarantee because because you can guarantee that outside the system outside the program will ensure that only valid IR is passed in - then maybe having a flag to communicate that guarantee would be appropriate.

I guess it depends what the contract is for UpgradeDebugInfo, because from the name it didn't seem to me like a "verifier"?

In D143229#4103432, @arsenm wrote:

In D143229#4103431, @arsenm wrote:

I don't think you can / should trust llvm.ident. It shouldn't be given a semantic meaning

Plus this isn't even a single field, it's a list of many versions (unfortunately it's not deduplicated either)

Oh I misread the verifier code, yes you're right.

In D143229#4103619, @steven_wu wrote:

In D143229#4103367, @aeubanks wrote:

In D143229#4103364, @steven_wu wrote:

In D143229#4103332, @aeubanks wrote:

check llvm.ident instead

If my source module is bitcode upgraded, it won't get a new llvm.ident right? Then the upgrade pass will be wrongly skipped. I think we need a LLVM code generator version somewhere in the IR

it the bitcode was upgraded, then during the upgrade it should already have had UpgradeDebugInfo called on it (with the expected LLVM revision) right?

I am talking about A.bc imports function from B.bc. Both of bitcode files are out of date, so A.bc gets upgraded when loaded, then A tries to import B, they have the same ident so the upgrade from B is skipped.

I see, yes you're right.

In D143229#4107077, @dblaikie wrote:

In the sense that if I write some handcrafted IR, LLVM should verify it before moving forward because other things interacting with the IR will assume it's valid & may crash if it isn't. So there's a trust boundary, generally - like in memory IR usually isn't verified, it's assumed the producer produced something valid by construction & it's a bug on the producer side if it didn't. But generally once we're reading things off disk we assume it might have come from anywhere & to be somewhat stable/not so crashy, we usually verify it on input (at least that was/is my rough understanding). So if you happen to be willing to sacrifice that extra stability guarantee because because you can guarantee that outside the system outside the program will ensure that only valid IR is passed in - then maybe having a flag to communicate that guarantee would be appropriate.

At this point I agree that a flag would be what I'd try for now.

In D143229#4107125, @mehdi_amini wrote:

I guess it depends what the contract is for UpgradeDebugInfo, because from the name it didn't seem to me like a "verifier"?

UpgradeDebugInfo runs the verifier, and the verifier has a mode that doesn't fail if the debug info is invalid, but rather reports it separately. We could separate out the debug info portion of the verifier into a separate DIVerifier and use that instead. But we're still doing unnecessary work verifying debug info that we can assume to be valid in our build environments.

Looking at the implementation:

/// Check the debug info version number, if it is out-dated, drop the debug
/// info. Return true if module is modified.
bool llvm::UpgradeDebugInfo(Module &M) {
  unsigned Version = getDebugMetadataVersionFromModule(M);
  if (Version == DEBUG_METADATA_VERSION) {
    bool BrokenDebugInfo = false;
    if (verifyModule(M, &llvm::errs(), &BrokenDebugInfo))
      report_fatal_error("Broken module found, compilation aborted!");
    if (!BrokenDebugInfo)
      // Everything is ok.
      return false;
    else {
      // Diagnose malformed debug info.
      DiagnosticInfoIgnoringInvalidDebugMetadata Diag(M);
      M.getContext().diagnose(Diag);
    }
  }
...

1. Contrary to the name of the API, this does not seem to "upgrade" anything: it merely drops outdated debug info. (Am I missing something?)
2. This runs the verifier but does not fail verification on debug info related issue, instead it'll drop metadata when something is wrong there.

So are we re-running the IR verifier independently? And if we don't what kind of inconsistency would we be setting up?

In D143229#4107958, @mehdi_amini wrote:

Looking at the implementation:

/// Check the debug info version number, if it is out-dated, drop the debug
/// info. Return true if module is modified.
bool llvm::UpgradeDebugInfo(Module &M) {
  unsigned Version = getDebugMetadataVersionFromModule(M);
  if (Version == DEBUG_METADATA_VERSION) {
    bool BrokenDebugInfo = false;
    if (verifyModule(M, &llvm::errs(), &BrokenDebugInfo))
      report_fatal_error("Broken module found, compilation aborted!");
    if (!BrokenDebugInfo)
      // Everything is ok.
      return false;
    else {
      // Diagnose malformed debug info.
      DiagnosticInfoIgnoringInvalidDebugMetadata Diag(M);
      M.getContext().diagnose(Diag);
    }
  }
...

1. Contrary to the name of the API, this does not seem to "upgrade" anything: it merely drops outdated debug info. (Am I missing something?)
2. This runs the verifier but does not fail verification on debug info related issue, instead it'll drop metadata when something is wrong there.

So are we re-running the IR verifier independently? And if we don't what kind of inconsistency would we be setting up?

We don't typically run the verifier in assert builds because it's expensive. We assume that input bitcode passes the verifier.

In D143229#4107958, @mehdi_amini wrote:

Looking at the implementation:

1. Contrary to the name of the API, this does not seem to "upgrade" anything: it merely drops outdated debug info. (Am I missing something?)
2. This runs the verifier but does not fail verification on debug info related issue, instead it'll drop metadata when something is wrong there.

So are we re-running the IR verifier independently? And if we don't what kind of inconsistency would we be setting up?

The name "upgrade" comes from a time when regularly bumped DEBUG_METADATA_VERSION. Back then it "upgraded" older debug info formats by dropping the outdated metadata. In the more recent past we are trying to make debug info upgradeable in the bit code reader. Unfortunately, because debug info metadata is a cyclic graph we keep finding bugs where the metadata produced by older versions of LLVM and/or 3rd party frontends is malformed in a way that causes problems (crashes, infinite loops, ...) with newer version of LLVM. Whenever we find such a problem we improve the IR Verifier to detect the malformed IR.

Because of this, the upgrade function insists on running the Verifier. If it finds malformed debug info it will perform an "upgrade" by dropping the malformed debug info.

In D143229#4113874, @aprantl wrote:

In D143229#4107958, @mehdi_amini wrote:

Looking at the implementation:

1. Contrary to the name of the API, this does not seem to "upgrade" anything: it merely drops outdated debug info. (Am I missing something?)
2. This runs the verifier but does not fail verification on debug info related issue, instead it'll drop metadata when something is wrong there.

So are we re-running the IR verifier independently? And if we don't what kind of inconsistency would we be setting up?

The name "upgrade" comes from a time when regularly bumped DEBUG_METADATA_VERSION. Back then it "upgraded" older debug info formats by dropping the outdated metadata. In the more recent past we are trying to make debug info upgradeable in the bit code reader. Unfortunately, because debug info metadata is a cyclic graph we keep finding bugs where the metadata produced by older versions of LLVM and/or 3rd party frontends is malformed in a way that causes problems (crashes, infinite loops, ...) with newer version of LLVM. Whenever we find such a problem we improve the IR Verifier to detect the malformed IR.

It seems reasonable to me to provide a way to skip this for situations where the build system guarantees that the bitcode is always generated by the same compiler, e.g. in a distributed ThinLTO build where any change in compiler will force a rebuild anyway, which is the case @aeubanks is looking at.

@aeubanks are we also invoking UpgradeDebugInfo, or the Verifier separately, on the main input bitcode in the distributed ThinLTO backend clang invocation (e.g. the clang -x ir input file)? For the same reason, we should be able to skip that. So I wonder if it makes sense then for the disabling mechanism (e.g. flag or whatever) to be in UpgradeDebugInfo or the Verifier itself?

It seems reasonable to me to provide a way to skip this for situations where the build system guarantees that the bitcode is always generated by the same compiler, e.g. in a distributed ThinLTO build where any change in compiler will force a rebuild anyway, which is the case @aeubanks is looking at.

I'm having a hard time imagining how a build system would be able to guarantee this, especially if multiple compiler frontends are involved. The only scenario where this makes sense if you are only doing clean world builds with only clang as the compiler. Maybe that's what you are doing, but IMHO that is such a niche use-case that I'd rather see such a flag being implemented downstream and not in the main llvm-project. As @mehdi_amini pointed out, it complicates the qualification matrix quite a lot.

In D143229#4126345, @aprantl wrote:

It seems reasonable to me to provide a way to skip this for situations where the build system guarantees that the bitcode is always generated by the same compiler, e.g. in a distributed ThinLTO build where any change in compiler will force a rebuild anyway, which is the case @aeubanks is looking at.

I'm having a hard time imagining how a build system would be able to guarantee this, especially if multiple compiler frontends are involved. The only scenario where this makes sense if you are only doing clean world builds with only clang as the compiler. Maybe that's what you are doing, but IMHO that is such a niche use-case that I'd rather see such a flag being implemented downstream and not in the main llvm-project. As @mehdi_amini pointed out, it complicates the qualification matrix quite a lot.

The compiler version being used is centrally controlled. And we're not always doing clean world builds, but Bazel's build cache is queried by a hash of all action inputs, including the compiler bits, so if anything changes it forces a rebuild. We use stock clang/LLVM, so adding an option downstream is not possible.

Taking a step back, though, the issue here is that we are verifying the same module multiple times - once when it is read to be compiled through its own ThinLTO backend (either via the linker for in-process ThinLTO, or via clang for distributed ThinLTO as we are doing), and then once per every other ThinLTO backend that imports anything from it. If the debug info is possibly out of date or untrusted then this is unavoidable. But in any build system where the inputs are expected to be from the same trusted source compilers it would be nice to have a mode whereby when the bitcode is read for compiling through its own ThinLTO backend we perform the UpgradeDebugInfo and if the verifier there fails, it is a hard error. Then skip the upgrading during the function importing process. This doesn't seem particularly niche to me. You are guaranteed that the build will simply fail if the assumption is wrong. This patch afaict only does the latter part of this, by skipping the upgrade/verification during function importing, so would need a bit more work to tie that to a guarantee that we do the upgrade/verification with a hard error during the read for each module's ThinLTO backend.

So your build system guarantees that all bitcode that is being consumed was generated by compilers linked against the same version of LLVM that is used in the LTO plugin and if that version were to serialize malformed metadata, you wouldn't be any worse off than a non-LTO build, which also doesn't verify between passes.

Based on that assumption, this option does make sense to me.

As others pointed out, it would be nice if the version number could be encoded in the bitcode itself, however, that doesn't fix the aforementioned trust boundary issue, so you're probably no better off than with this flag.

Considering all this, this patch gets an unenthusiastic LGTM from my side :-)

In chrome, we add a clang -D flag containing the toolchain revision for caching/determinism reasons so we can also guarantee that bitcode inputs will always match.

I may be wrong, but I believe rust does inter-crate (Thin)LTO, all bitcode produced from the same rustc frontend, which could also use this.

In D143229#4126191, @tejohnson wrote:

@aeubanks are we also invoking UpgradeDebugInfo, or the Verifier separately, on the main input bitcode in the distributed ThinLTO backend clang invocation (e.g. the clang -x ir input file)? For the same reason, we should be able to skip that. So I wonder if it makes sense then for the disabling mechanism (e.g. flag or whatever) to be in UpgradeDebugInfo or the Verifier itself?

Yeah there is some time spent verifying the main input bitcode (although much less than function importing). Moved the flag to autoupgrade.

I may be wrong, but I believe rust does inter-crate (Thin)LTO, all bitcode produced from the same rustc frontend, which could also use this.

Conceptually yes, we don't need verification for compiler-driven LTO (which is the default). We wouldn't be able to use it as implemented though, because we do need to auto-upgrade intrinsics in the initial IR, while this effectively "breaks" UpgradeCallsToIntrinsic().

In D143229#4168182, @nikic wrote:

I may be wrong, but I believe rust does inter-crate (Thin)LTO, all bitcode produced from the same rustc frontend, which could also use this.

Conceptually yes, we don't need verification for compiler-driven LTO (which is the default). We wouldn't be able to use it as implemented though, because we do need to auto-upgrade intrinsics in the initial IR, while this effectively "breaks" UpgradeCallsToIntrinsic().

Perhaps then it should go back to the original version that just skipped the UpgradeDebugInfo during cross-module importing - would that work for you?

In D143229#4168183, @tejohnson wrote:

In D143229#4168182, @nikic wrote:

I may be wrong, but I believe rust does inter-crate (Thin)LTO, all bitcode produced from the same rustc frontend, which could also use this.

Conceptually yes, we don't need verification for compiler-driven LTO (which is the default). We wouldn't be able to use it as implemented though, because we do need to auto-upgrade intrinsics in the initial IR, while this effectively "breaks" UpgradeCallsToIntrinsic().

Perhaps then it should go back to the original version that just skipped the UpgradeDebugInfo during cross-module importing - would that work for you?

I believe that should work, yes.

In D143229#4168182, @nikic wrote:

I may be wrong, but I believe rust does inter-crate (Thin)LTO, all bitcode produced from the same rustc frontend, which could also use this.

Conceptually yes, we don't need verification for compiler-driven LTO (which is the default). We wouldn't be able to use it as implemented though, because we do need to auto-upgrade intrinsics in the initial IR, while this effectively "breaks" UpgradeCallsToIntrinsic().

Why does rust need to auto upgrade intrinsics during in the post link LTO step?

In D143229#4168667, @aeubanks wrote:

In D143229#4168182, @nikic wrote:

I may be wrong, but I believe rust does inter-crate (Thin)LTO, all bitcode produced from the same rustc frontend, which could also use this.

Conceptually yes, we don't need verification for compiler-driven LTO (which is the default). We wouldn't be able to use it as implemented though, because we do need to auto-upgrade intrinsics in the initial IR, while this effectively "breaks" UpgradeCallsToIntrinsic().

Why does rust need to auto upgrade intrinsics during in the post link LTO step?

Rust upgrades intrinsics after initial IR generation (i.e. before the pre-link pipeline). The pre-link and post-link pipeline are part of the same process, so they can't use different opt options.

In D143229#4169077, @nikic wrote:

In D143229#4168667, @aeubanks wrote:

In D143229#4168182, @nikic wrote:

I may be wrong, but I believe rust does inter-crate (Thin)LTO, all bitcode produced from the same rustc frontend, which could also use this.

Conceptually yes, we don't need verification for compiler-driven LTO (which is the default). We wouldn't be able to use it as implemented though, because we do need to auto-upgrade intrinsics in the initial IR, while this effectively "breaks" UpgradeCallsToIntrinsic().

Why does rust need to auto upgrade intrinsics during in the post link LTO step?

Rust upgrades intrinsics after initial IR generation (i.e. before the pre-link pipeline). The pre-link and post-link pipeline are part of the same process, so they can't use different opt options.

Then the next question is, why does Rust need to upgrade intrinsics after initial IR generation, rather than constructing initially up-to-date intrinsic calls?

In D143229#4172040, @aeubanks wrote:

In D143229#4169077, @nikic wrote:

In D143229#4168667, @aeubanks wrote:

In D143229#4168182, @nikic wrote:

I may be wrong, but I believe rust does inter-crate (Thin)LTO, all bitcode produced from the same rustc frontend, which could also use this.

Conceptually yes, we don't need verification for compiler-driven LTO (which is the default). We wouldn't be able to use it as implemented though, because we do need to auto-upgrade intrinsics in the initial IR, while this effectively "breaks" UpgradeCallsToIntrinsic().

Why does rust need to auto upgrade intrinsics during in the post link LTO step?

Rust upgrades intrinsics after initial IR generation (i.e. before the pre-link pipeline). The pre-link and post-link pipeline are part of the same process, so they can't use different opt options.

Then the next question is, why does Rust need to upgrade intrinsics after initial IR generation, rather than constructing initially up-to-date intrinsic calls?

std::arch defines bindings to LLVM target intrinsics, and these need to work across multiple supported LLVM versions.

I've only skimmed the discussion, but FTR, Sony licensees are also in a single-compiler environment, which is enforced in a couple of ways. In particular we have a downstream patch to insert the compiler version into the bitcode (modeled on similar code for Darwin IIRC) and the linker will complain if it sees a different version, before starting the LTO machinery.

I'm thinking we should have (a downstream patch to make) the linker set this flag when it invokes the LTO machinery? because it has already done a check?