llvm / llvm-project

HWAsan crashes with SIGBUS/SIGSEGV when reading any pointer #47512

Open 11bbe755-aa08-4e00-b402-e7d2e126f291 opened 3 years ago

11bbe755-aa08-4e00-b402-e7d2e126f291 commented 3 years ago
Bugzilla Link: 48168
Version: 11.0
OS: Linux
CC: @andrew-wja

Extended Description

When compiling the SPEC CPU2017 benchmarks on Linux x86_64, I tried using hwasan with -fsanitize=hwaddress -Wl,--no-relax.

I see an assert triggered in ld -- details are below. I am not entirely sure if hwasan on x86 is supposed to be working at the moment, but I can volunteer to test any changes. The assert being triggered is this one: http://sourceware.org/git/?p=binutils-gdb.git;a=blob;f=bfd/elflink.c;h=998b72f2281c5b9b5482795b9b55dfffe284ee23;hb=2cb5c79dad39dd438fb0f7372ac04cf5aa2a7db7#l14788

To be honest, I'm not sure if I should file this as a bug against gdb, but if someone familiar with the workings of hwasan can test it with binutils 2.35.1 on x86, perhaps that testing will generate a bug report naturally with much more context than I could provide.


clang     -std=c99   -m64 -fsanitize=hwaddress -mno-relax   -Wl,--no-relax    -g -O3 -ffast-math -march=native    -DSPEC_LINUX_X64   -fopenmp -DSPEC_OPENMP -fno-strict-aliasing -fgnu89-inline av.o caretx.o deb.o doio.o doop.o dump.o globals.o gv.o hv.o keywords.o locale.o mg.o numeric.o op.o pad.o perl.o perlapi.o perlio.o perlmain.o perly.o pp.o pp_ctl.o pp_hot.o pp_pack.o pp_sort.o pp_sys.o regcomp.o regexec.o run.o scope.o sv.o taint.o toke.o universal.o utf8.o util.o reentr.o mro_core.o mathoms.o specrand/specrand.o dist/PathTools/Cwd.o dist/Data-Dumper/Dumper.o ext/Devel-Peek/Peek.o cpan/Digest-MD5/MD5.o cpan/Digest-SHA/SHA.o DynaLoader.o dist/IO/IO.o dist/IO/poll.o cpan/MIME-Base64/Base64.o Opcode.o dist/Storable/Storable.o ext/Sys-Hostname/Hostname.o cpan/Time-HiRes/HiRes.o ext/XS-Typemap/stdio.o ext/attributes/attributes.o cpan/HTML-Parser/Parser.o ext/mro/mro.o ext/re/re.o ext/re/re_comp.o ext/re/re_exec.o ext/arybase/arybase.o ext/PerlIO-scalar/scalar.o ext/PerlIO-via/via.o ext/File-Glob/bsd_glob.o ext/File-Glob/Glob.o ext/Hash-Util/Util.o ext/Hash-Util-FieldHash/FieldHash.o ext/Tie-Hash-NamedCapture/NamedCapture.o cpan/Scalar-List-Utils/ListUtil.o             -lm         -o perlbench_s  
av.o: in function `S_adjust_index':
/data/andrew/SPEC_2017/cpu2017/benchspec/CPU/600.perlbench_s/build/build_base_mytest-m64.0000/av.c:224:(.text+0x3017): relocation truncated to fit: R_X86_64_PC32 against `.rodata'
av.o: in function `Perl_av_extend':
/data/andrew/SPEC_2017/cpu2017/benchspec/CPU/600.perlbench_s/build/build_base_mytest-m64.0000/av.c:76:(.text+0x478f): relocation truncated to fit: R_X86_64_PC32 against `.rodata'
av.o: in function `Perl_av_push':
/data/andrew/SPEC_2017/cpu2017/benchspec/CPU/600.perlbench_s/build/build_base_mytest-m64.0000/av.c:586:(.text+0x49dd): relocation truncated to fit: R_X86_64_PC32 against `.rodata'
av.o: in function `Perl_av_unshift':
/data/andrew/SPEC_2017/cpu2017/benchspec/CPU/600.perlbench_s/build/build_base_mytest-m64.0000/av.c:678:(.text+0x4cb9): relocation truncated to fit: R_X86_64_PC32 against `.rodata'
av.o: in function `Perl_av_fill':
/data/andrew/SPEC_2017/cpu2017/benchspec/CPU/600.perlbench_s/build/build_base_mytest-m64.0000/av.c:814:(.text+0x6557): relocation truncated to fit: R_X86_64_PC32 against `.rodata'
av.o: in function `Perl_av_pop':
/data/andrew/SPEC_2017/cpu2017/benchspec/CPU/600.perlbench_s/build/build_base_mytest-m64.0000/av.c:617:(.text+0x8cd2): relocation truncated to fit: R_X86_64_PC32 against `.rodata'
av.o: in function `Perl_av_shift':
/data/andrew/SPEC_2017/cpu2017/benchspec/CPU/600.perlbench_s/build/build_base_mytest-m64.0000/av.c:741:(.text+0x937e): relocation truncated to fit: R_X86_64_PC32 against `.rodata'
caretx.o: in function `Perl_set_caret_X':
/data/andrew/SPEC_2017/cpu2017/benchspec/CPU/600.perlbench_s/build/build_base_mytest-m64.0000/caretx.c:57:(.text+0x19): relocation truncated to fit: R_X86_64_PC32 against `.rodata'
deb.o: in function `Perl_debstack':
/data/andrew/SPEC_2017/cpu2017/benchspec/CPU/600.perlbench_s/build/build_base_mytest-m64.0000/deb.c:169:(.text+0x12b): relocation truncated to fit: R_X86_64_PC32 against `.rodata'
doio.o: in function `Perl_do_open_raw':
/data/andrew/SPEC_2017/cpu2017/benchspec/CPU/600.perlbench_s/build/build_base_mytest-m64.0000/doio.c:195:(.text+0x26f): relocation truncated to fit: R_X86_64_PC32 against `.rodata'
doio.o: in function `S_openn_setup':
/data/andrew/SPEC_2017/cpu2017/benchspec/CPU/600.perlbench_s/build/build_base_mytest-m64.0000/doio.c:112:(.text+0xe53): additional relocation overflows omitted from the output
/usr/bin/ld: BFD (GNU Binutils) 2.35.1 assertion fail /build/binutils/src/binutils-gdb/bfd/elflink.c:14788
clang-11: error: linker command failed with exit code 1 (use -v to see invocation)

11bbe755-aa08-4e00-b402-e7d2e126f291 commented 3 years ago

I have added a minimized test case for this bug. The testcase calls malloc, attempts to print the value of the resulting pointer, then calls free.

Compile with: clang -mcmodel=medium -fsanitize=hwaddress malloc_target.c

When I execute a.out I see:

$ ./a.out
HWAddressSanitizer:DEADLYSIGNAL
==3910==ERROR: HWAddressSanitizer: SEGV on unknown address (pc 0x7f98868886cc bp 0x7f98868e9520 sp 0x7ffc5821c9d8 T3910)
==3910==The signal is caused by a READ memory access.
==3910==Hint: this fault was caused by a dereference of a high value address (see register values below). Disassemble the provided pc to learn which register was used.
    #0 0x7f98868886cc in __strchrnul_avx2 (/usr/lib/libc.so.6+0x1626cc)
    #1 0x7f9886791cb9 in __vfprintf_internal (/usr/lib/libc.so.6+0x6bcb9)
    #2 0x7f988677ebbe in printf (/usr/lib/libc.so.6+0x58bbe)
    #3 0x562afa7d7883 in main (/home/andrew/Workspaces/asan-workspace/llvm-sanitizer-tutorial/target_programs/a.out+0x33883)
    #4 0x7f988674e151 in __libc_start_main (/usr/lib/libc.so.6+0x28151)
    #5 0x562afa7ab3ad in _start (/home/andrew/Workspaces/asan-workspace/llvm-sanitizer-tutorial/target_programs/a.out+0x73ad)

HWAddressSanitizer can not provide additional info.
SUMMARY: HWAddressSanitizer: SEGV (/usr/lib/libc.so.6+0x1626cc) in __strchrnul_avx2
==3910==ABORTING

11bbe755-aa08-4e00-b402-e7d2e126f291 commented 3 years ago

minimized test case

11bbe755-aa08-4e00-b402-e7d2e126f291 commented 3 years ago

I got rid of those truncations with -fpic -mcmodel=large, but the assert is still triggered.