Quuxplusone / LLVMBugzillaTest


HWAsan crashes with SIGBUS/SIGSEGV when reading any pointer #47137

Open Quuxplusone opened 3 years ago

Quuxplusone commented 3 years ago
Bugzilla Link PR48168
Status NEW
Importance P normal
Reported by Andrew Anderson (aanderso@tcd.ie)
Reported on 2020-11-13 03:05:00 -0800
Last modified on 2021-01-12 01:53:19 -0800
Version 11.0
Hardware PC Linux
CC aanderso@tcd.ie, llvm-bugs@lists.llvm.org
Fixed by commit(s)
Attachments malloc_target.c (253 bytes, text/plain)
Blocks
Blocked by
See also
When compiling the SPEC CPU2017 benchmarks on Linux x86_64, I tried using
hwasan with -fsanitize=hwaddress -Wl,--no-relax.

I see an assert triggered in ld -- details are below. I am not entirely sure if
hwasan on x86 is supposed to be working at the moment, but I can volunteer to
test any changes. The assert being triggered is this one:
http://sourceware.org/git/?p=binutils-gdb.git;a=blob;f=bfd/elflink.c;h=998b72f2281c5b9b5482795b9b55dfffe284ee23;hb=2cb5c79dad39dd438fb0f7372ac04cf5aa2a7db7#l14788

To be honest, I'm not sure if I should file this as a bug against gdb, but if
someone familiar with the workings of hwasan can test it with binutils 2.35.1
on x86, perhaps that testing will generate a bug report naturally with much
more context than I could provide.

<pre>
<code>
clang -std=c99 -m64 -fsanitize=hwaddress -mno-relax -Wl,--no-relax -g -O3
-ffast-math -march=native -DSPEC_LINUX_X64 -fopenmp -DSPEC_OPENMP
-fno-strict-aliasing -fgnu89-inline av.o caretx.o deb.o doio.o doop.o dump.o
globals.o gv.o hv.o keywords.o locale.o mg.o numeric.o op.o pad.o perl.o
perlapi.o perlio.o perlmain.o perly.o pp.o pp_ctl.o pp_hot.o pp_pack.o
pp_sort.o pp_sys.o regcomp.o regexec.o run.o scope.o sv.o taint.o toke.o
universal.o utf8.o util.o reentr.o mro_core.o mathoms.o specrand/specrand.o
dist/PathTools/Cwd.o dist/Data-Dumper/Dumper.o ext/Devel-Peek/Peek.o
cpan/Digest-MD5/MD5.o cpan/Digest-SHA/SHA.o DynaLoader.o dist/IO/IO.o
dist/IO/poll.o cpan/MIME-Base64/Base64.o Opcode.o dist/Storable/Storable.o
ext/Sys-Hostname/Hostname.o cpan/Time-HiRes/HiRes.o ext/XS-Typemap/stdio.o
ext/attributes/attributes.o cpan/HTML-Parser/Parser.o ext/mro/mro.o ext/re/re.o
ext/re/re_comp.o ext/re/re_exec.o ext/arybase/arybase.o
ext/PerlIO-scalar/scalar.o ext/PerlIO-via/via.o ext/File-Glob/bsd_glob.o
ext/File-Glob/Glob.o ext/Hash-Util/Util.o ext/Hash-Util-FieldHash/FieldHash.o
ext/Tie-Hash-NamedCapture/NamedCapture.o cpan/Scalar-List-Utils/ListUtil.o
-lm -o perlbench_s
av.o: in function `S_adjust_index':
/data/andrew/SPEC_2017/cpu2017/benchspec/CPU/600.perlbench_s/build/build_base_mytest-m64.0000/av.c:224:(.text+0x3017): relocation truncated to fit: R_X86_64_PC32 against `.rodata'
av.o: in function `Perl_av_extend':
/data/andrew/SPEC_2017/cpu2017/benchspec/CPU/600.perlbench_s/build/build_base_mytest-m64.0000/av.c:76:(.text+0x478f): relocation truncated to fit: R_X86_64_PC32 against `.rodata'
av.o: in function `Perl_av_push':
/data/andrew/SPEC_2017/cpu2017/benchspec/CPU/600.perlbench_s/build/build_base_mytest-m64.0000/av.c:586:(.text+0x49dd): relocation truncated to fit: R_X86_64_PC32 against `.rodata'
av.o: in function `Perl_av_unshift':
/data/andrew/SPEC_2017/cpu2017/benchspec/CPU/600.perlbench_s/build/build_base_mytest-m64.0000/av.c:678:(.text+0x4cb9): relocation truncated to fit: R_X86_64_PC32 against `.rodata'
av.o: in function `Perl_av_fill':
/data/andrew/SPEC_2017/cpu2017/benchspec/CPU/600.perlbench_s/build/build_base_mytest-m64.0000/av.c:814:(.text+0x6557): relocation truncated to fit: R_X86_64_PC32 against `.rodata'
av.o: in function `Perl_av_pop':
/data/andrew/SPEC_2017/cpu2017/benchspec/CPU/600.perlbench_s/build/build_base_mytest-m64.0000/av.c:617:(.text+0x8cd2): relocation truncated to fit: R_X86_64_PC32 against `.rodata'
av.o: in function `Perl_av_shift':
/data/andrew/SPEC_2017/cpu2017/benchspec/CPU/600.perlbench_s/build/build_base_mytest-m64.0000/av.c:741:(.text+0x937e): relocation truncated to fit: R_X86_64_PC32 against `.rodata'
caretx.o: in function `Perl_set_caret_X':
/data/andrew/SPEC_2017/cpu2017/benchspec/CPU/600.perlbench_s/build/build_base_mytest-m64.0000/caretx.c:57:(.text+0x19): relocation truncated to fit: R_X86_64_PC32 against `.rodata'
deb.o: in function `Perl_debstack':
/data/andrew/SPEC_2017/cpu2017/benchspec/CPU/600.perlbench_s/build/build_base_mytest-m64.0000/deb.c:169:(.text+0x12b): relocation truncated to fit: R_X86_64_PC32 against `.rodata'
doio.o: in function `Perl_do_open_raw':
/data/andrew/SPEC_2017/cpu2017/benchspec/CPU/600.perlbench_s/build/build_base_mytest-m64.0000/doio.c:195:(.text+0x26f): relocation truncated to fit: R_X86_64_PC32 against `.rodata'
doio.o: in function `S_openn_setup':
/data/andrew/SPEC_2017/cpu2017/benchspec/CPU/600.perlbench_s/build/build_base_mytest-m64.0000/doio.c:112:(.text+0xe53): additional relocation overflows omitted from the output
/usr/bin/ld: BFD (GNU Binutils) 2.35.1 assertion fail /build/binutils/src/binutils-gdb/bfd/elflink.c:14788
clang-11: error: linker command failed with exit code 1 (use -v to see invocation)
</code>
</pre>
Quuxplusone commented 3 years ago

I got rid of those truncations with -fpic -mcmodel=large, but the assert is still triggered.

Quuxplusone commented 3 years ago

Attached malloc_target.c (253 bytes, text/plain): minimized test case

Quuxplusone commented 3 years ago
I have added a minimized test case for this bug. The testcase calls malloc,
attempts to print the value of the resulting pointer, then calls free.

compile with clang -mcmodel=medium -fsanitize=hwaddress malloc_target.c

When I execute a.out I see:

$ ./a.out
HWAddressSanitizer:DEADLYSIGNAL
==3910==ERROR: HWAddressSanitizer: SEGV on unknown address (pc 0x7f98868886cc bp 0x7f98868e9520 sp 0x7ffc5821c9d8 T3910)
==3910==The signal is caused by a READ memory access.
==3910==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
    #0 0x7f98868886cc in __strchrnul_avx2 (/usr/lib/libc.so.6+0x1626cc)
    #1 0x7f9886791cb9 in __vfprintf_internal (/usr/lib/libc.so.6+0x6bcb9)
    #2 0x7f988677ebbe in printf (/usr/lib/libc.so.6+0x58bbe)
    #3 0x562afa7d7883 in main (/home/andrew/Workspaces/asan-workspace/llvm-sanitizer-tutorial/target_programs/a.out+0x33883)
    #4 0x7f988674e151 in __libc_start_main (/usr/lib/libc.so.6+0x28151)
    #5 0x562afa7ab3ad in _start (/home/andrew/Workspaces/asan-workspace/llvm-sanitizer-tutorial/target_programs/a.out+0x73ad)

HWAddressSanitizer can not provide additional info.
SUMMARY: HWAddressSanitizer: SEGV (/usr/lib/libc.so.6+0x1626cc) in __strchrnul_avx2
==3910==ABORTING
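An added illustration of the mechanism behind the fault above. This is editor-written model code, not the attached malloc_target.c and not LLVM's HWASan runtime. HWASan keeps an 8-bit tag in the top byte of every pointer and a matching tag byte in shadow memory for each 16-byte granule; instrumented loads and stores compare the two. AArch64 ignores the top byte (TBI), so a tagged pointer can be handed to uninstrumented code such as libc and dereferenced as-is. x86-64 without LAM requires canonical addresses (with 4-level paging, bits 63..47 all equal), so the first load through a tagged pointer inside libc raises a fault, which is what the "dereference of a high value address" hint describes. That the pointer reaching __strchrnul_avx2 in the minimized case is a tagged global (the format string; -mcmodel=medium is what makes the tagged relocation fit) is a reading of the report, not something it states. All names below (hw_malloc, hw_free, hw_check, hw_strlen, x86_64_canonical), the arena size and the sequential tag choice are this example's own.

```c
/* Software model of HWASan pointer tagging. Added example; not the attached
 * testcase and not LLVM's runtime. All names and sizes are this example's own.
 * Build: clang -std=c11 -o hwasan_model hwasan_model.c */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_SHIFT  56
#define TAG_MASK   ((uintptr_t)0xffu << TAG_SHIFT)
#define GRANULE    16            /* HWASan tags memory in 16-byte granules */
#define ARENA_SIZE 4096          /* toy heap; size chosen for the example  */
#define VA_BITS    48            /* x86-64 with 4-level paging             */

/* The tag lives in the top byte, which is where HWASan puts it. */
static inline void *tag_ptr(const void *p, uint8_t tag)
{
    return (void *)(((uintptr_t)p & ~TAG_MASK) | ((uintptr_t)tag << TAG_SHIFT));
}
static inline void *untag_ptr(const void *p) { return (void *)((uintptr_t)p & ~TAG_MASK); }
static inline uint8_t ptr_tag(const void *p)  { return (uint8_t)((uintptr_t)p >> TAG_SHIFT); }

/* x86-64 canonical form: bits 63..47 must all be equal. AArch64 TBI ignores the
 * top byte, so tagged pointers dereference fine there; x86-64 without LAM
 * raises #GP on a non-canonical load and the kernel delivers SIGSEGV/SIGBUS. */
bool x86_64_canonical(uintptr_t a)
{
    uintptr_t top = a >> (VA_BITS - 1);                   /* 17 bits: 63..47 */
    return top == 0 || top == (((uintptr_t)1 << (64 - VA_BITS + 1)) - 1);
}

/* Toy heap: one shadow tag byte per granule. Tags are sequential here; the
 * real allocator picks them randomly. Tag 0 means "untagged" memory. */
static _Alignas(GRANULE) unsigned char arena[ARENA_SIZE];
static uint8_t shadow[ARENA_SIZE / GRANULE];
static size_t  arena_top;
static uint8_t next_tag = 1;

static uint8_t fresh_tag(void)
{
    uint8_t t = next_tag++;
    if (next_tag == 0) next_tag = 1;
    return t;
}

void *hw_malloc(size_t n)
{
    size_t granules = (n + GRANULE - 1) / GRANULE;
    if (granules == 0) granules = 1;
    if (arena_top + granules * GRANULE > ARENA_SIZE) return NULL;
    uint8_t tag = fresh_tag();
    size_t first = arena_top / GRANULE;
    for (size_t i = 0; i < granules; i++) shadow[first + i] = tag;
    void *raw = arena + arena_top;
    arena_top += granules * GRANULE;
    return tag_ptr(raw, tag);          /* callers only ever see the tagged form */
}

/* Freeing retags the granules, so a dangling pointer's tag stops matching. */
void hw_free(void *p)
{
    uint8_t old = ptr_tag(p), nu = fresh_tag();
    size_t idx = ((uintptr_t)untag_ptr(p) - (uintptr_t)arena) / GRANULE;
    while (idx < ARENA_SIZE / GRANULE && shadow[idx] == old) shadow[idx++] = nu;
}

typedef enum { ACCESS_OK, ACCESS_TAG_MISMATCH, ACCESS_OUTSIDE_ARENA } access_result;

/* The check the compiler inserts before an instrumented load or store: the
 * pointer's tag must equal the shadow tag of every granule the access touches. */
access_result hw_check(const void *p, size_t n)
{
    uintptr_t a = (uintptr_t)untag_ptr(p), base = (uintptr_t)arena;
    if (n == 0 || a < base || a + n > base + ARENA_SIZE) return ACCESS_OUTSIDE_ARENA;
    uint8_t tag = ptr_tag(p);
    for (size_t g = (a - base) / GRANULE; g <= (a + n - 1 - base) / GRANULE; g++)
        if (shadow[g] != tag) return ACCESS_TAG_MISMATCH;
    return ACCESS_OK;
}

/* Crossing into uninstrumented code (libc's strchrnul, strlen, ...): check each
 * byte against the shadow, then read through the UNTAGGED pointer. Handing the
 * tagged pointer straight to libc is exactly what faults on x86-64. */
size_t hw_strlen(const char *s, access_result *res)
{
    const char *raw = untag_ptr(s);
    uint8_t tag = ptr_tag(s);
    for (size_t len = 0;; len++) {
        access_result r = hw_check(tag_ptr(raw + len, tag), 1);
        if (r != ACCESS_OK) { *res = r; return len; }      /* stops at the overrun */
        if (raw[len] == '\0') { *res = ACCESS_OK; return len; }
    }
}

int main(void)
{
    char *p = hw_malloc(20);                  /* rounded up to 2 granules (32 bytes) */
    strcpy(untag_ptr(p), "hello");
    printf("tagged   %p canonical=%d\n", p, x86_64_canonical((uintptr_t)p));
    printf("untagged %p canonical=%d\n", untag_ptr(p), x86_64_canonical((uintptr_t)untag_ptr(p)));
    access_result r;
    size_t len = hw_strlen(p, &r);
    printf("strlen=%zu result=%d\n", len, r);
    hw_free(p);
    printf("after free: check=%d\n", hw_check(p, 1));   /* ACCESS_TAG_MISMATCH */
    return 0;
}
```

The point to take from running it: the tagged pointer is non-canonical on x86-64 while its untagged form is not, so any code that dereferences a tagged pointer without masking the top byte (an uninstrumented libc, or an interceptor that forgot to untag) dies with the same SEGV the report shows, whereas on an AArch64 kernel with TBI enabled the identical load succeeds. hw_strlen is the shape of the boundary that has to exist between instrumented and uninstrumented code on x86-64.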