Brainstorming ideas for how to test incremental compilation

andrewrk · July 15, 2024, 7:54pm

It’s finally starting to happen!

github.com/ziglang/zig

make zig compiler processes live across rebuilds

ziglang:master ← ziglang:long-live-zig

opened 02:51AM - 15 Jul 24 UTC

andrewrk

+285 -105

``` $ zig build --watch -fincremental Build Summary: 5/5 steps succeeded inst…all success ├─ install abc success │ └─ zig build-lib abc Debug native success 183ms └─ install abc success └─ zig build-exe abc Debug native success 195ms watching 67 directories, 2 processes ``` Closes #20600 --- This gets the build system fully ready for incremental compilation. The next step is to finish incremental compilation features in the frontend, as you can see from using the results of this PR: ``` andy@bark ~/t/abc [SIGINT]> ~/dev/zig/build-release/stage4/bin/zig build --watch -fincremental Build Summary: 5/5 steps succeeded install success ├─ install abc success │ └─ zig build-lib abc Debug native success 1s └─ install abc success └─ zig build-exe abc Debug native success 1s install └─ install abc └─ zig build-exe abc Debug native failure error: thread 91237 panic: access of union field 'pl_node' while field 'declaration' is active /home/andy/dev/zig/lib/std/zig/Zir.zig:4027:53: 0x653b360 in getAssociatedSrcHash (zig) const pl_node = data[@intFromEnum(inst)].pl_node; ^ /home/andy/dev/zig/src/Zcu/PerThread.zig:379:45: 0x653a1f7 in updateZirRefs (zig) if (old_zir.getAssociatedSrcHash(old_inst)) |old_hash| hash_changed: { ^ /home/andy/dev/zig/src/Zcu/PerThread.zig:324:29: 0x654033e in astGenFile (zig) try pt.updateZirRefs(file, file_index, prev_zir.*); ^ /home/andy/dev/zig/src/Compilation.zig:4309:18: 0x60a5c52 in workerAstGenFile (zig) pt.astGenFile(file, file_index, path_digest, root_decl) catch |err| switch (err) { ^ /home/andy/dev/zig/lib/std/Thread/Pool.zig:178:50: 0x60a64cc in runFn (zig) @call(.auto, func, .{id.?} ++ closure.arguments); ^ /home/andy/dev/zig/lib/std/Thread/Pool.zig:291:32: 0x6064b8d in worker (zig) run_node.data.runFn(&run_node.data, id); ^ /home/andy/dev/zig/lib/std/Thread.zig:409:13: 0x5d837ba in callFn__anon_73354 (zig) @call(.auto, f, args); ^ /home/andy/dev/zig/lib/std/Thread.zig:678:30: 0x5b016e2 in entryFn (zig) return callFn(f, args_ptr.*); ^ ???:?:?: 0x7f318dada271 in ??? (libc.so.6) Unwind information for `libc.so.6:0x7f318dada271` was not available, trace may be incomplete error: the following command terminated unexpectedly: /home/andy/dev/zig/build-release/stage4/bin/zig build-exe -fno-llvm -fno-lld -ODebug -Mroot=/home/andy/tmp/abc/src/main.zig --cache-dir /home/andy/tmp/abc/.zig-cache --global-cache-dir /home/andy/.cache/zig --name abc --zig-lib-dir /home/andy/dev/zig/lib/ -fincremental --listen=- Build Summary: 2/5 steps succeeded; 1 failed install transitive failure └─ install abc transitive failure └─ zig build-exe abc Debug native failure watching 67 directories, 1 processes ``` Here, the build system has kept the compiler running, and asked for an update. The frontend crashed due to a bug/missing feature. Users should not use `-fincremental` yet, in order to avoid triggering these bugs. If you don't pass `-fincremental` then it doesn't keep the compiler alive.

With this change, we can start to actually use the incremental compilation feature. The problem is, it introduces an entire new dimension where bugs can hide. Sequences of edits could potentially affect the state in different ways.

For example, if I do this sequence:

pub fn main() !void {
    std.debug.print("hello\n", .{});
}

pub fn main() !void {
    std.debug.print("hello {s}\n", .{"world"});
}

pub fn main() !void {}

Versus this sequence:

pub fn main() !void {
    std.debug.print("hello {s}\n", .{"world"});
}

pub fn main() !void {
    std.debug.print("hello\n", .{});
}

pub fn main() !void {}

The same 3 source files are used in both cases, and the final result is the same, but the order is different. The compiler must end up with the same final result, but it will require handling different scenarios, and it’s possible that bugs could hide in these differences.

So, we need a new kind of test case to cover this kind of thing. Maybe a new kind of zig reduce to produce test cases. And ideally, we could try to find all the incremental compilation bugs before our users do. Perhaps we can invest in fuzz testing combined with zig reduce in order to generate test cases. Finally, we need a way to easily understand the state of the compiler given a failing test case, in order to fix the bug easily. If we’re spending hours or days troubleshooting any one particular bug, that’s a sign we should have invested that time instead into tooling.

A related topic is testing in the face of the new parallelism being added to the compiler, but perhaps we can save that for another topic to keep things more focused.

So, the point of opening this thread is to ask the community, do you have any testing ideas? Let’s brainstorm together.

mlugg · July 15, 2024, 8:23pm

A simple place to start would be restoring some old testing functionality we had.

In test/cases/ live the compiler “test cases”, which generally consist of a single file which we can expect a certain result from (perhaps a successful compilation with a certain output, or a safety panic, or a compile error). When the legacy implementation of incremental compilation was enabled, we also supported “incremental test cases” here. Using files of the form foo.0.zig, foo.1.zig, etc, you can simulate a series of incremental updates. At some point, we disabled these tests, as the old implementation of incremental compilation was only POC quality and was beginning to bit-rot (we eventually ripped it out entirely). Recently, I had to rip out the logic for runnig those cases too, because it relied on some legacy test logic which hooked into the compiler (rather than running it via std.process.Child, which is the preferred mechanism). Restoring this functionality would be a solid starting point for testing incremental compilation.

The starting point for this change is these lines:

github.com

ziglang/zig/blob/888708ec8af9b60681ef14fb0a5c265f2a30b41f/test/src/Cases.zig#L627-L640


      
          for (self.incremental_cases.items) |incr_case| {
              if (true) {
                  // TODO: incremental tests are disabled for now, as incremental compilation bugs were
                  // getting in the way of practical improvements to the compiler, and incremental
                  // compilation is not currently used. They should be re-enabled once incremental
                  // compilation is in a happier state.
                  continue;
              }
              // TODO: the logic for running these was bad, so I've ripped it out. Rewrite this
              // in a way that actually spawns the compiler, communicating with it over the
              // compiler server protocol.
              _ = incr_case;
              @panic("TODO implement incremental test case executor");
          }

A further enhancement here might be to change this file format to condense the data into a single file, perhaps using diffs. This would reduce the friction of manually writing these test cases. I’m just spitballing, but something like this:

pub fn main() void {
    while (true) break;
}
// run

@ 2
-    while (true) break;
+    break;
// error
//
// :2:5: error: break expression outside loop

I don’t actually think that’s a good syntax (I dislike how it awkwardly merges Zig and diff syntax), but that’s the kind of thing I’m thinking of.

andrewrk · July 15, 2024, 8:52pm

For executing those test cases, perhaps it’s time to finally implement

github.com/ziglang/zig

Implement a server in the compiler that serves information about the compilation

opened 02:43PM - 16 Nov 17 UTC

andrewrk

enhancement proposal accepted frontend zig build system

This will not be [LSP](https://langserver.org), but a custom protocol just for Z…ig. A third party project can act as a proxy between this and LSP for that use case. This issue covers both the compiler process (e.g. `zig build-exe --listen=-`) acting as a server, as well as a meta-protocol exposed by the build system (i.e. `zig build --listen=-`). The latter will act as a multiplexer for the former. Once the initial implementation of both of these is created, follow-up issues can be made for specific features.

Or at least the build runner multiplexer component (i.e. running zig build --watch as a child process). This would test the workflow and features used by a potential IDE.

I do think it would be worth investing in some kind of compact test case format. I think ideally, a single file that describes potentially multiple source files and of course multiple sequences of edits. Here’s a draft:

#update=initial version
#file=main.zig
const other = @import("other.zig");
pub fn main() !void {
    try std.io.getStdOut().writer().print("{s}\n", {other.string});
}
#file=other.zig
pub const string = "hello";
#expect_exit=0
#expect_stdout="hello\n"

#update=delete the other file
#delete=other.zig
#expect_error=file not found: other.zig

#update=fix the reference
#file=main.zig
pub fn main() !void {
    try std.io.getStdOut().writer().print("{s}\n", {"hello2"});
}
#expect_exit=0
#expect_stdout="hello2\n"

One thing that’s interesting to think about here is that it is represented in the test case as a sequence, however, the expected behavior is independent of the order in which the sequence occurs. So maybe, the test harness could try out multiple orderings, depending on a seed, and then if a problem is observed it prints the seed so that you can reproduce the failure.

Looking at the problem this way, it does start to become more clear how zig reduce could fit into this picture. It could try to reduce these test cases.

andrewrk · July 15, 2024, 9:09pm

What if…

There was a tool similar to zig reduce but instead of mutating the code and checking if some property still exists, it mutates the code by taking small steps to transform A into B.

Then we pick two commits in a source tree, and then have this tool generate a series of in-between states of the source trees.

Then we use a fuzzing algorithm to pick arbitrary subsets of these source trees, and test that incremental compilation is able to get from point A to point B, and B to A, using the source tree’s passing test suite at point A and point B to verify correctness.

matklad · July 15, 2024, 9:37pm

Several disjoint thoughts here!

I was there when incremental compilation was retrofitted into rustc and into Kotlin compilers, and in both cases there were some bad bugs shipped, where incremental compilation was enabled in X, critical bug detected in X + m, and incremental getting disabled until X + m + n. That is to say, this is likely harder than it seems, you really need to invest into some ways to prevent this kinds of bugs, and that, even if you are sure you are done (version X), your users might discover something nasty later.

Curiously, I think we had grand total of one incremental compilation bug in rust-analyzer. That is because it was incremental from day one, and it was based on incremental framework which guaranteed correct results by construction. (debugging the framework was easy, because you only needed to debug incremental update algorithm, and the actual computation were fully abstract). The bug we had was due to non-determinism in a user-defined proc macro, which broke the core assumption of the framework.

My understanding though that Zig doesn’t go for a “framework” approach (which probably makes sense, as rust-analyzer is as anti-dod as it gets), so this probably isn’t applicable

A very useful implementation property would be path independence. That, regardless of the path you use to get to a particular source code, the result is byte-for-byte identical (as opposed to being merely equivalent). That indeed opens up path for fuzzing.

Yes, obviously this needs fuzzing / randomized generative testing. After working at TigerBeetle, I am convinced that, if you care about correctness, you should build the bulk of your test-suite around an integrated randomized test. There are so many bugs which are next to impossible to find by just looking at the code or doing manual example-based test.

For fuzzing compilers, the blueprint is wasm-smith:

That is a thing that can generate random, but syntactically and semantically WASM code, which also gives minimization for free, and also for free integrates with coverage-guided fuzzers like AFL.

The idea is very simple: write a function that takes an rng argument, and produces a random valid code fragment. Which is easy — you basically pick a random expression kind, and then generate sub-expressions, pruning them by the known result type. Then, the key trick — make the rng finite, such that it can generate only up to n numbers. That is, an rng is just a pre-filled array of random bytes. And than patch the generating function to short-circuit if the rng runs out of entropy (eg, just generate undefined expression). With this setup, you can shorten the byte array to make the resulting code shorter. And you can use AFL as a source of those random bytes, to plug into coverage-guided aspect.

If you can generate random code, it should be easy to generate random equivalent histories. For example, you can start with A, then apply some operations to go from A to different B, then repeat the same with different seed to go from A to C, an then reply the edits backwards to get from B and C to identical code.

More directly, you can build A incrementally by fixing the sequence of random bytes used as a seed for the generator, and gradually increasing its length.

Alternatively, you can try applying local edits to the seed sequence, which may result in local edits to the generated code.

Fuzzing is tricky to integrate with CI. While normal tests are edge triggerd (you run test on commit, it finishes in finite time), fuzz tests are level triggered (you run it for however long you can, it can discover a failing seed at any point, and there’s a set of currently failing seeds). I think we arrived at a good pattern at TigerBeetle:

we have a machine which in a loop fetches code from the main branch, runs the fuzzer, records failing seeds and pushes (commit hash, seed) pairs to a json file in the repo
there’s a piece of html/js that displayes the table of “hey, these seeds are currently failing on these commits”: TigerBeetle DevHub.

andrewrk · July 15, 2024, 9:47pm

Thank you so much, @matklad! To be honest, I posted this brainstorming topic here specifically hoping that you would notice and have some useful advice to share, and you did not disappoint.

andrewrk · July 15, 2024, 10:00pm

Thank you for this nice introduction. This will make it easier to follow the resources you linked, which perhaps already answer my question below, but I’ll ask it anyway:

This all makes sense and will help find crashes, but how would you test for behavior correctness? I suppose we can provide a few “fixed points” along the way where we know the code example is supposed to run with exit code 0, print a specific string to stdout, or fail with certain compile errors, and then the fuzz-generated test cases would check that inserting arbitrary in-between points between those known fixed points did not cause any crashes, and also did not cause the behavior of the fixed points to change.

Or perhaps this is where your determinism comment comes in:

I think I’m starting to understand this, because you could check that two different fuzz-generated paths resulted in identical binaries and thus generate test failures from seeds alone, without even needing any “fixed points” to start with.

I’m not sure I want to require this property for debug builds, however, because it’s quite handy to allocate and free machine code buffers in the output file similar to how alloc and free work, and the orderings there could affect the positions within the machine code.

However, perhaps we can still achieve the goal, by having a post-processing “makeDeterministic()” function that takes a nondeterministic binary, and produces a deterministic one. For example, by sorting the symbols and removing padding. When comparing binaries for the purposes of path independence, this post-processed output could be checked, rather than the direct output.

matklad · July 15, 2024, 10:14pm

Yeah, that’s exactly why I think that path independence is useful.

Another question here is what’s the output here. Naively, it seems that testing all the way up to machine code might not be necessary. Like, obviously you’ll have some live patching infrastructure and what not, but that seems relatively easier to get right than various sema bits.

So perhaps it makes sense to focus the bulk of testing slightly higher than machine code. Eg, using wasm as the target backend might make sense, as it has better textual representation, and also is a bit higher level.

Or maybe just ask sema to hash all reachable functions, or something like that

Sze · July 15, 2024, 10:23pm

I think that would be an interesting approach, that could enable other/later benefits.

Since I watched “Performance Matters by Emery Berger” https://www.youtube.com/watch?v=r-TLSBdHe1A I was thinking that the incremental compilation support, could later be extended with a feature, where the compiler is able to produce many different address space layouts, while the program is running (re-shuffling the binary while the program is running), the talk explains that this can help with getting better performance metrics, because the results of specific address space layouts are averaged out and thus it helps with getting metrics and knowing whether the code changes have actually improved performance (and it wasn’t just that the compiler got lucky with picking a specific layout). It also may later be useful in developing optimizations around finding good layouts that increase performance.

But I will stop here, because this comment is a bit of a side-note.

matklad · July 16, 2024, 9:28am

I guess another option here is then just to fuzz the resulting program for equivalence? You don’t necessary fix a desired output, and instead allow the program to print whatever it wants to stdout, based on input args. Then you run two versions of the program, with random inputs, and compare the output.

One obstacle here is that a program might contain a while(true), but it’s actually easy to make sure that a program always terminates. Add the following device to each generated program:

var fuel: u32 = 1_000_000;
fn consume_fuel() {
    fuel -= 1;
    if (fuel = 0) @panic("out of fuel");
}

and then, whenever generating a looping construct or a function, also generate a call to consume_fuel

matklad · July 16, 2024, 9:40am

I guess a more principled issue with running programs is that its just slow: effectiveness of fuzzing is directly proportional to how fast can you get it going, and if you have “spawn a process” in your inner loop, that’s going to be a sizable fixed cost.

That’s actually another bit of unsolicited feedback re testing compilers: the path of the least resistance is to say that a single compiler’s test is a self-contained program, which you just compiler and run, but that actually can be quiet slow, as you need to burn two process to make this happen (compiler process, and then the program under test). A faster way is usually to say that a single compiler test is a

test "compiler test №16492" {
   // code here
}

and then create just a handful of CUs by concatenating a bunch of such individual tests into one giant file which is compiled and run only once.

mnemnion · July 16, 2024, 12:18pm

It would be pretty great if there were an API hook for this kind of AST transform. Someone recently started a thread about writing a fuzzer for Zig and hooking at the AST level is the best way to do something like that.

Now that the build system is starting to flesh out, it might be a good time to add something like that as an experimental feature accessible through a build step.

That might exist already, for all I know.

chung-leong · July 16, 2024, 1:52pm

I wonder if we can make use of the Collatz conjecture here. Have a script that performs certain transforms on a piece of code based on an integer number. Starting out from a random seed, each iteration would involve the next number in the sequence until 1 is reached.

andrewrk · July 16, 2024, 9:23pm

it does: zig/lib/std/zig/render.zig at 20563d84577203891637477b2e475a9b279152ac · ziglang/zig · GitHub

it’s used by zig reduce

andrewrk · July 17, 2024, 7:24pm

Properly Testing Concurrent Data Structures seems relevant as well for expanding this strategy into also testing multi-threading.

matklad · July 17, 2024, 9:03pm

I’ve thought about that as well, but there’s a catch: that approach requires you to manually annotate all concurrency-relevant section. Which is easy in Rust, because only few types are thread safe, and the compiler would protect you from accidentally sharing non-thread-safe stuff.

In Zig, I think the biggest concurrent problem we are going to face would be of the shape “we are accidentally sharing this int between threads, so it must be atomic”, and it’s not something you can instrument up-front.

In other words, the approach from the post works for logical race conditions, but not for physical data races.

Though: half of the Rust checking relies on essentially deeply checking types passed to thread.spawn to make sure they don’t contain non-thread safe stuff. This could also work in Zig: in spawn, we can comptime reflect on the shape of the args tuple and error, if, for example, it contains a pointer to non-atomic int or some such. Though, the other part is that Rust also tracks aliasing, it can also check that no one else points at the args array.n

andrewrk · July 17, 2024, 10:13pm

Hmmm, well, tools like Thread Sanitizer work fairly well for catching physical data races. I think the logical race conditions is the main challenge leftover.

andrewrk · July 21, 2024, 1:53am

github.com/ziglang/zig

integrated fuzz testing

opened 01:47AM - 21 Jul 24 UTC

andrewrk

enhancement standard library zig build system

Make it so that unit tests can ask for fuzz input: ```zig test "foo" { …const input_bytes = try std.testing.fuzzInput(); try std.testing.expect(!std.mem.eql(u8, "canyoufindme", input_bytes)); } ``` Introduce flags to the compiler: `-ffuzz`, `-fno-fuzz`. These end up passing `-fsanitize=fuzzer-no-link` to Clang for C/C++ files. Introduce build system equivalent API. However, neither the CLI interface nor the build system interface is needed in order to enable fuzzing. The only thing that is needed is to ask for fuzz input in unit tests, as in the above example. When the build runner interacts with the test runner, it learns which tests, if any, are fuzz tests. Then when unit tests pass, it moves on to fuzz testing, by providing our own implementation of the genetic algorithms that drive the input bytes (similar to [libFuzzer](https://llvm.org/docs/LibFuzzer.html) or [AFL](https://lcamtuf.coredump.cx/afl/)), and re-compiling the unit test binary with `-ffuzz` enabled. Fuzz testing is level-driven so we will need some CLI to operate those options. For example, `zig build --fuzz` might start fuzzing indefinitely, while `zig build --fuzz=300s` declares success after fuzzing for five minutes. When fuzz testing is not requested, it defaults to a small number of iterations just to smoke test that it's all working. Some sort of UI would be nice. For starters this could just be `std.Progress`. In the future perhaps there could be a live-updating HTML page to visualize progress and code coverage in realtime. How cool would it be to watch source code turn from red to green *live* as the fuzzer finds new branches? I think there's value in being able to fuzz test a mix of Zig and C/C++ source code, so let's start with evaluating LLVM's instrumentation and perhaps being compatible with it, or at least supporting it. First step is to implement the support library in Zig. Comments are welcome. Note this is an enhancement not a proposal. The question is not "whether?" but "how?". Related: * #352 * #5484 * #17609 * #15953

prokoprandacek · July 21, 2024, 7:30am

Reminds me of go’s txtar. It seems to solve a very similar problem.

mnemnion · July 21, 2024, 3:26pm

Worth considering something like Russ Cox’s bisect tool for Go. Which is already similar to zig reduce, in a few ways.

In fact, I needed to read the zig reduce source to be sure it wasn’t doing everything that gets covered in the article.

The part I wanted to draw attention to is taking two versions of a function, and distributing them through every place in the code where that function is called. This can work with every function which changed from A to B, and isolate a stack trace with the specific new function which triggers the bug, and the context in which that happens.

Or to take a pull quote from the article:

That is, we can run binary search on a different axis: over the program’s code, not its version history. We’ve implemented this search in a new tool unimaginatively named bisect. When applied to library function behavior like the timer change, bisect can search over all stack traces leading to the new code, enabling the new code for some stacks and disabling it for others. By repeated execution, it can narrow the failure down to enabling the code only for one specific stack

So very similiar to what zig reduce does already. The difference is that the input to zig reduce is a program and an ‘interestingness’ checker, and the input into this kind of bisection is two editions of a program, which differ in some particulars, and the output is a specific stack trace, which makes use of some combination of the old and new code, where that stack trace is where the interesting error happens.

So to use this with incremental compilation, the old and new editions of the program are a whole-program compilation which is not interesting, and the new one is an incrementally-compiled version of the same source code, which is interesting.

This can then be further narrowed and permuted to identify what subset of available incremental combinations will produce interestingness. As in, if you have A->B->C, that can be reduced to AB->C and A->BC.

This could be pretty powerful when diagnosing why and how the difference between whole-program compilation, and incremental compilation which should arrive at the same state, actually fails.

This is tricky to do after the fact, but instrumentation can collect this data fairly straightforwardly, by making deltas from every version of a project which parses and then compiles, to the next version.

It would be possible to brute-force a large diff into a series of small ones, but there the difference is that the temporal information is lost, and can’t be retrieved, so you’ll end up with paths from A to B which were never taken by the program. Since the invariant is “incremental compilation applied in any order results in a program with the same behavior”, that might be either ok or good, but it’s also a case where it’s plausible to identify a bug, then find a different one, and need to hold onto it somewhere while the program finishes searching for the original one.

Done naively this can be a very large search space as well. For example, it might need to find a transition in which fifteen examples of a token all change at once, in order to have a minimal delta which compiles. Memorization and structure-aware optimizations can help with that, at the cost of more complexity.

There’s room for both I suspect.