Is clang+llvm deterministic?

Hi, there,

I am working on a project on software control flow checking, which instruments a program to check if the control flow at runtime matches the control flow graph computed at compile-time.

My instrumentation process has to make use of control flow information, including the control flow graph and dominator/post-dominator trees, so it is better to make it part of the compiler. On the other hand, I don’t want any transformation pass to mess up the additional instrumentation code, so my instrumentation process has to be run after other transformation passes are complete. Therefore, I’d like to implement my instrumentation process as the last pass before the machine intermediate representation (MIR) is translated to native assembly code.

My instrumentation process also needs to take basic block execution frequencies into consideration. So I have to compile the same program twice. First, the program is compiled, adding code to collect execution frequencies. Then, when the execution frequencies have been collected, the same program is compiled again to add control flow checking instructions, which takes execution frequencies into consideration. Obviously, the program profiled to collect execution frequencies and the program instrumented with control flow checking instructions have to be consistent. At least, they have to have the same basic blocks and identical control flow graphs. So my question is this: If I compile the same program twice using Clang, with the same command line, is it guaranteed that, at the point right before the MIRs are converted to native assembly code, the MIRs are identical?

Thank you!

Ming Zhang

Hi Ming Zhang,

If you don’t want to rely on Clang reproducibility, you could save the IR into a .bc file. Clang can directly take a .bc file as input.

You then:

  • instrument a copy of that .bc file and run your counting
  • add control flow checking on another copy of the original .bc file and you have your final binary

For the reproducibility, I think we try to preserve that, but sometimes we lose it, you may have to specify -frandom-seed.
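
The workflow suggested in this reply, written out as an added example (not code from any poster in this thread): the front end runs once to produce bitcode, both the profiling build and the final build start from copies of that same .bc, and the backend is then run twice on identical input to check that its output is byte-for-byte reproducible. It assumes clang and llc are on PATH; the sample program is constructed for the example, and the instrumentation passes themselves are left as a comment because they are the project's own work.

```shell
#!/bin/sh
# Added example for this thread, not code from any poster.
# Assumes: clang and llc on PATH; demo.c below is a constructed sample.
set -eu

# same_output CMD...  -> exit 0 if running CMD twice gives identical stdout
# (compared via POSIX cksum), 1 otherwise. Generic, so it can be pointed at
# the compiler or at any other command.
same_output() {
  first=$("$@" | cksum)
  second=$("$@" | cksum)
  [ "$first" = "$second" ]
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Constructed sample with a data-dependent branch, so the CFG is not trivial.
cat > "$workdir/demo.c" <<'EOF'
int hot(int n) {
  int s = 0;
  for (int i = 0; i < n; i++) {
    if (i & 1) s += i; else s -= i;
  }
  return s;
}
int main(int argc, char **argv) { (void)argv; return hot(argc * 1000) & 0xff; }
EOF

if command -v clang >/dev/null 2>&1 && command -v llc >/dev/null 2>&1; then
  # 1. Front end and middle-end run exactly once; everything downstream
  #    starts from this bitcode, so Clang's reproducibility no longer matters.
  clang -O2 -emit-llvm -c "$workdir/demo.c" -o "$workdir/demo.bc"

  # 2. Profiling build and final build each consume a copy of the same .bc,
  #    so the basic blocks and CFG they see are identical by construction.
  #    (The frequency-counting pass and the control-flow-checking pass would
  #    be applied to profile.bc and final.bc respectively before codegen.)
  cp "$workdir/demo.bc" "$workdir/profile.bc"
  cp "$workdir/demo.bc" "$workdir/final.bc"
  llc -O2 "$workdir/profile.bc" -o "$workdir/profile.s"
  llc -O2 "$workdir/final.bc"   -o "$workdir/final.s"

  # 3. Backend reproducibility check: same bitcode, same llc flags, run
  #    twice. Any difference means codegen itself is not deterministic
  #    and the two builds cannot be assumed to share a CFG.
  if same_output llc -O2 "$workdir/demo.bc" -o -; then
    echo "llc output for demo.bc is reproducible"
  else
    echo "WARNING: llc emitted different assembly on two identical runs" >&2
  fi
else
  echo "clang/llc not found on PATH; skipping the compile steps" >&2
fi
```

Passing `-o -` makes llc write the assembly to stdout, which is what `same_output` hashes; to compare object files instead, hash the `-filetype=obj` output the same way. The check only covers the backend: differences introduced earlier (embedded source paths, `__DATE__`/`__TIME__`, or a changed optimisation pipeline) are outside its scope because both runs start from the same .bc.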

Thank you for your quick reply!

“If you don’t want to rely on Clang reproducibility, you could save the IR into a .bc file. Clang can directly take a .bc file as input.”

I’m aware of LLVM bitcode, but I’m not quite sure about what it really is, since I haven’t found any official documentation that clarifies this concept.

LLVM bitcode seems to be just another form of LLVM IR, according to “Bitcode Demystified” (https://lowlevelbits.org/bitcode-demystified/).

If that is true, then bitcode still has to go through all passes in the backend, e.g., instruction selection, register allocation, etc.

I don’t think I can work with LLVM bitcode, because I don’t want those backend passes to interfere with my instrumentation process.

Is it possible to save the intermediate result at the point right before the machine intermediate representation (MIR) is translated into native assembly code, so that a new run of clang/llc can read it and continue to compile correctly?

I have read LLVM’s official documentation about MIR (http://llvm.org/docs/MIRLangRef.html). It seems that MIR is currently only used for test purposes and still misses some important features. I’m afraid that the missing features may lead the compiler to generate incorrect native assembly code.

“For the reproducibility, I think we try to preserve that, but sometime we lose it, you may have to specify -frandom-seed.”

The comments in the source code of clang (in clang/lib/Driver/tools.cpp) indicate that the -frandom-seed option is not supported.

I noticed that llc has a -rng-seed option, but I haven’t found any documentation about it.

Could you please tell me more about the reason why clang/llvm needs to use a random number generator and about the command line options?

Thank you!

I searched the source code of LLVM/Clang 4.0.0 for ‘random_seed’ with grep. It seems the -frandom-seed option is not supported.

The -rng-seed option appears to be defined in ./lib/Support/RandomNumberGenerator.cpp, which is source code for class RandomNumberGenerator. The constructor of class RandomNumberGenerator is private and is only called by Module::createRNG (defined in lib/IR/Module.cpp). But Module::createRNG does not seem to be called anywhere, except by a unit test.

I also tried adding a line to print a message in Module::createRNG. The modified code compiles without any error. However, when I run clang and llc to compile a simple C program, the message is not printed out. This confirms that Module::createRNG is not called by clang or llc.

That RNG is currently not used. There are some old stalled patches
that use it, but they haven't been committed. These patches
specifically use that RNG for intentionally randomizing compiler
output.

I don't know of other major problems for reproducible control flow,
but I'm not an expert. I guess there could always be weird edge cases
like unstable iteration of hash tables of pointers?

- stephen

Thank you for clarifying the status of the RNG feature!

The possible non-determinism in code generation of the latest release of LLVM/Clang is what I worry about.
It seems that I'll have to rely on native assembly output of LLVM to provide a consistent view of the control flow graph.
Also, I may have to dump dominator trees and loop information produced by LLVM so that they can be used by my instrumentation process.

Hi, there,

I am working on a project on software control flow checking, which
instruments a program to check if the control flow at runtime matches the
control flow graph computed at compile-time.

My instrumentation process has to make use of control flow information,
including the control flow graph and dominator/post-dominator trees, so it
is better to make it part of the compiler. On the other hand, I don't want any
transformation pass to mess up the additional instrumentation code,

This isn't totally clear to me: the usual way to design the instrumentation
is to make it robust to IR transformations. What makes the instrumentation
special here that transforming the instrumented IR would break it?

so my instrumentation process has to be run after other transformation
passes are complete. Therefore, I'd like to implement my instrumentation
process as the last pass before the machine intermediate representation
(MIR) is translated to native assembly code.

My instrumentation process also needs to take basic block execution
frequencies into consideration. So I have to compile the same program
twice. First, the program is compiled, adding code to collect execution
frequencies. Then, when the execution frequencies have been collected, the
same program is compiled again to add control flow checking instructions,
which takes execution frequencies into consideration.

This is exactly what PGO is doing, if I understand your description
correctly.

Obviously, the program profiled to collect execution frequencies and the
program instrumented with control flow checking instructions have to be
consistent. At least, they have to have the same basic blocks and identical
control flow graphs. So my question is this: If I compile the same program
twice using Clang, with the same command line, is it guaranteed that, at
the point right before the MIRs are converted to native assembly code, the
MIRs are identical?

I believe any non-determinism here is considered a bug in clang/LLVM, and
should be fixed.