AddressSanitizer on SPECCPU2006

Hi

I am using SanitizerCoverage feature supported by clang to get the basicblock coverage.

my tested binaries are spec cpu2006. I compiled the binary with the option
COPTIMIZE = -O0 -fsanitize=address -fsanitize-coverage=bb -flto -fno-strict-aliasing -std=gnu89 -gdwarf-3

After the compiling process is end. I run the 400.perlbench. with the command
ASAN_OPTIONS=coverage=1 ./perlbench. However, the AddressSanitizer detect the global buffer overflow and I could not run the perlbench properly.

Is there anything wrong or I missed some configurations? I just want to compile the binaries with instrumented coverage information so that I can calculate the bb coverage. Many Thanks

==17619==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000b46465 at pc 0x00000049ffcd bp 0x7fff4f265ec0 sp 0x7fff4f265670

READ of size 6 at 0x000000b46465 thread T0

#0 0x49ffcc in __interceptor_memcmp.part.75 /home/jmh/Downloads/llvm-4/llvm/projects/compiler-rt/lib/asan/…/sanitizer_common/sanitizer_common_interceptors.inc:690

#1 0x6843a0 in PerlIO_find_layer /home/jmh/Downloads/spec2006_v1.2/benchspec/CPU2006/400.perlbench/build/build_base_elf-64bit.0000/perlio.c:751:6

#2 0x6869fc in PerlIO_default_buffer /home/jmh/Downloads/spec2006_v1.2/benchspec/CPU2006/400.perlbench/build/build_base_elf-64bit.0000/perlio.c:1015:32

#3 0x683f13 in PerlIO_default_layers /home/jmh/Downloads/spec2006_v1.2/benchspec/CPU2006/400.perlbench/build/build_base_elf-64bit.0000/perlio.c:1113:6

#4 0x691cff in PerlIO_resolve_layers /home/jmh/Downloads/spec2006_v1.2/benchspec/CPU2006/400.perlbench/build/build_base_elf-64bit.0000/perlio.c:1433:26

#5 0x690ef3 in PerlIO_openn /home/jmh/Downloads/spec2006_v1.2/benchspec/CPU2006/400.perlbench/build/build_base_elf-64bit.0000/perlio.c:1519:15

#6 0x6907a1 in PerlIO_fdopen /home/jmh/Downloads/spec2006_v1.2/benchspec/CPU2006/400.perlbench/build/build_base_elf-64bit.0000/perlio.c:4745:12

#7 0x6906e8 in PerlIO_stdstreams /home/jmh/Downloads/spec2006_v1.2/benchspec/CPU2006/400.perlbench/build/build_base_elf-64bit.0000/perlio.c:1150:2

#8 0x6946ef in Perl_PerlIO_stdin /home/jmh/Downloads/spec2006_v1.2/benchspec/CPU2006/400.perlbench/build/build_base_elf-64bit.0000/perlio.c:4686:2

#9 0x66a465 in S_open_script /home/jmh/Downloads/spec2006_v1.2/benchspec/CPU2006/400.perlbench/build/build_base_elf-64bit.0000/perl.c:3348:12

#10 0x65f01d in S_parse_body /home/jmh/Downloads/spec2006_v1.2/benchspec/CPU2006/400.perlbench/build/build_base_elf-64bit.0000/perl.c:1718:5

#11 0x65b5b9 in perl_parse /home/jmh/Downloads/spec2006_v1.2/benchspec/CPU2006/400.perlbench/build/build_base_elf-64bit.0000/perl.c:1312:2

#12 0x696dd2 in main /home/jmh/Downloads/spec2006_v1.2/benchspec/CPU2006/400.perlbench/build/build_base_elf-64bit.0000/perlmain.c:96:18

#13 0x7f169601082f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/…/csu/libc-start.c:291

#14 0x41bc58 in _start (/home/jmh/Downloads/spec2006_v1.2/benchspec/CPU2006/400.perlbench/build/build_base_elf-64bit.0000/perlbench+0x41bc58)

0x000000b46465 is located 0 bytes to the right of global variable ‘’ defined in ‘perlio.c:2566:5’ (0xb46460) of size 5

‘’ is ascii string ‘unix’

SUMMARY: AddressSanitizer: global-buffer-overflow /home/jmh/Downloads/llvm-4/llvm/projects/compiler-rt/lib/asan/…/sanitizer_common/sanitizer_common_interceptors.inc:690 in __interceptor_memcmp.part.75

Shadow bytes around the buggy address:

0x000080160c30: 00 00 00 00 05 f9 f9 f9 f9 f9 f9 f9 00 00 00 00

0x000080160c40: 06 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 04 f9 f9 f9

0x000080160c50: f9 f9 f9 f9 00 00 00 00 02 f9 f9 f9 f9 f9 f9 f9

0x000080160c60: 00 00 00 00 00 00 00 00 06 f9 f9 f9 f9 f9 f9 f9

0x000080160c70: 00 00 00 00 00 00 01 f9 f9 f9 f9 f9 00 00 00 00

=>0x000080160c80: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00[05]f9 f9 f9

0x000080160c90: f9 f9 f9 f9 00 00 00 00 03 f9 f9 f9 f9 f9 f9 f9

0x000080160ca0: 00 00 00 00 02 f9 f9 f9 f9 f9 f9 f9 00 00 00 00

0x000080160cb0: 06 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 07 f9 f9 f9

0x000080160cc0: f9 f9 f9 f9 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9

0x000080160cd0: 00 00 00 00 05 f9 f9 f9 f9 f9 f9 f9 00 00 00 00

Shadow byte legend (one shadow byte represents 8 application bytes):

Addressable: 00

Partially addressable: 01 02 03 04 05 06 07

Heap left redzone: fa

Freed heap region: fd

Stack left redzone: f1

Stack mid redzone: f2

Stack right redzone: f3

Stack after return: f5

Stack use after scope: f8

Global redzone: f9

Global init order: f6

Poisoned by user: f7

Container overflow: fc

Array cookie: ac

Intra object redzone: bb

ASan internal: fe

Left alloca redzone: ca

Right alloca redzone: cb

==17619==ABORTING

Regards

Muhui

This is a known problem in SPECCPU2006, see
https://github.com/google/sanitizers/wiki/AddressSanitizerFoundBugs

Hi

If so, is it able to disable this check. All I need is just to get the BB coverage information

Regards
Muhui

Alexander Potapenko <glider@google.com>于2018年9月5日 周三下午6:57写道:

Hi Muhui,

If you want just the coverage information you can remove the
-fsanitize=address flag from the command line.

HTH,
Alex

Hi Alex

Thanks for your email. But it seems not work. I removed the -fsanitize=address flag.

The global buffer overflow message doesn’t show. However, no *.sancov file is created after I run perlbench. Thus, I could not get the BB coverage. Do you have any ideas? Many Thanks

Regards
Muhui

Alexander Potapenko <glider@google.com> 于2018年9月5日周三 下午7:14写道:

Hi Alex

Thanks for your email. But it seems not work. I removed the -fsanitize=address flag.

The global buffer overflow message doesn't show. However, no *.sancov file is created after I run perlbench. Thus, I could not get the BB coverage. Do you have any ideas? Many Thanks

This has disappeared from the docs
(http://clang.llvm.org/docs/SanitizerCoverage.html), but in the
absence of ASan runtime you should use UBSAN_OPTIONS=coverage=1
At least a small example works for me:

$ clang t.c -fsanitize-coverage=bb -o t
clang-8: warning: argument '-fsanitize-coverage=[func|bb|edge]' is
deprecated, use
'-fsanitize-coverage=[func|bb|edge],[trace-pc-guard|trace-pc]' instead
[-Wdeprecated]
$ UBSAN_OPTIONS=coverage=1 ./t
SanitizerCoverage: ./t.168004.sancov: 1 PCs written

Hi Alex

UBSAN_OPTIONS is the right answer. It works for me! Thank you very much

Regards
Muhui

Alexander Potapenko <glider@google.com> 于2018年9月5日周三 下午10:11写道: