Segmentation fault when using address sanitizer

[hheinzer]

Since quite some time now (~3 months), I have been encountering a segmentation fault / illegal hardware instruction, possibly in MPI_Init() when running with -fsanitize=address. I switched to using valgrind instead, where this does not happen. However, I would like to return to using sanitizers because they are faster. The issue occurs with both clang / gcc.

Background information

• openmpi 5.0.6
• clang 19.1.7
• gcc 14.2.1

I installed all of these with the package manager of my linux distribution (pacman, arch).

My OS is Arch Linux, my host is a ThinkPad X1 Carbon Gen 11. This happens on my local machine, so no network.

Details of the problem

Code that produces segmentation fault:

#include <mpi.h>

int main(int argc, char **argv)
{
    MPI_Init(&argc, &argv);
    MPI_Finalize();
}

Compiling and running with clang consistently produces:

$ OMPI_MPICC=clang mpicc -fsanitize=address test.c -o test && ./test
[x1carbon:317427:0:317427] Caught signal 11 (Segmentation fault: address not mapped to object at address 0x1000)
zsh: segmentation fault  ./test

Compiling and running with gcc produces sometimes:

[x1carbon:317515:0:317515] Caught signal 4 (Illegal instruction: illegal operand)
AddressSanitizer:DEADLYSIGNAL
=================================================================
==317515==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x72aa6e4526af bp 0x72aa6d243dc0 sp 0x72aa6d243db8 T0)
==317515==The signal is caused by a READ memory access.
==317515==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
AddressSanitizer:DEADLYSIGNAL
AddressSanitizer: nested bug in the same thread, aborting.

and sometimes this:

[x1carbon:317530:0:317530] Caught signal 4 (Illegal instruction: illegal operand)
zsh: illegal hardware instruction (core dumped)  ./test

I would expect this code to run at most with warnings about leaks, but not with segmentation faults.

I could not find anybody else with my system configuration having the same issue, so it might be totally my fault.

[bosilca]

According to the output you should have a core file. Please extract the associated backtrace to help us point to the cause of this illegal instruction.

[hheinzer]

I adjusted the compile command to:

OMPI_MPICC={gcc,clang} mpicc -g3 -fsanitize=address tmp.c -o tmp

With gdb and clang I get:

(gdb) bt
#0  0x000055555559d6bf in getprotoent ()
#1  0x00007ffff78e2239 in mca_base_patcher_patch_apply_binary () from /usr/lib/libopen-pal.so.80
#2  0x00007fff008e2330 in ?? ()
#3  0x0000504000049dd0 in ?? ()
#4  0x00007ffff791a448 in ?? () from /usr/lib/libopen-pal.so.80
#5  0x00007ffff7919600 in opal_memory_base_framework () from /usr/lib/libopen-pal.so.80
#6  0x00000000ffffffff in ?? ()
#7  0x00007fffffffd1c0 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)

With gdb and gcc I get:

(gdb) 
#0  0x00007ffff78526b7 in mprotect () from /usr/lib/libasan.so.8
#1  0x00007ffff6dc2239 in mca_base_patcher_patch_apply_binary () from /usr/lib/libopen-pal.so.80
#2  0x00007ffff6dc2330 in ?? () from /usr/lib/libopen-pal.so.80
#3  0x00007ffff6dbcc39 in ?? () from /usr/lib/libopen-pal.so.80
#4  0x00007ffff6d59ef3 in mca_base_framework_components_open () from /usr/lib/libopen-pal.so.80
#5  0x00007ffff6dbc6cf in ?? () from /usr/lib/libopen-pal.so.80
#6  0x00007ffff6d5b190 in mca_base_framework_open () from /usr/lib/libopen-pal.so.80
#7  0x00007ffff6d95d72 in opal_common_ucx_mca_register () from /usr/lib/libopen-pal.so.80
#8  0x00007ffff763939e in ?? () from /usr/lib/libmpi.so.40
#9  0x00007ffff6d59ef3 in mca_base_framework_components_open () from /usr/lib/libopen-pal.so.80
#10 0x00007ffff7632331 in ?? () from /usr/lib/libmpi.so.40
#11 0x00007ffff6d5b190 in mca_base_framework_open () from /usr/lib/libopen-pal.so.80
#12 0x00007ffff748bf8c in ?? () from /usr/lib/libmpi.so.40
#13 0x00007ffff748d5bd in ompi_mpi_instance_init () from /usr/lib/libmpi.so.40
#14 0x00007ffff747f053 in ompi_mpi_init () from /usr/lib/libmpi.so.40
#15 0x00007ffff74be96d in PMPI_Init () from /usr/lib/libmpi.so.40
#16 0x000055555555516c in main () at tmp.c:4

With lldb and clang I get:

(lldb) run
Process 424532 launched: '/home/hhh/Projects/teal-next/tmp' (x86_64)
Process 424532 stopped
* thread #1, name = 'tmp', stop reason = signal SIGSEGV: address not mapped to object (fault address: 0x1000)
    frame #0: 0x000055555559d6bf tmp`__interceptor_trampoline_getprotoent + 1
tmp`__interceptor_trampoline_getprotoent:
->  0x55555559d6bf <+1>: lodsl  (%rsi), %eax
    0x55555559d6c0 <+2>: outsb  (%rsi), %dx
    0x55555559d6c1 <+3>: orl    (%rax), %eax

tmp`__interceptor_trampoline_getprotobyname:
    0x55555559d6c3 <+0>: jmp    0x5555556545c0 ; ___interceptor_getprotobyname
(lldb) bt
* thread #1, name = 'tmp', stop reason = signal SIGSEGV: address not mapped to object (fault address: 0x1000)
  * frame #0: 0x000055555559d6bf tmp`__interceptor_trampoline_getprotoent + 1
    frame #1: 0x00007ffff78e2239 libopen-pal.so.80`mca_base_patcher_patch_apply_binary [inlined] ModifyMemoryProtection(addr=<unavailable>, length=<unavailable>, prot=5) at patcher_base_patch.c:143:9
    frame #2: 0x00007ffff78e2210 libopen-pal.so.80`mca_base_patcher_patch_apply_binary [inlined] apply_patch(patch_data="I\xbb\xa0Ǎ\xf7\xff\U0000007f", address=<unavailable>, data_size=13) at patcher_base_patch.c:174:5
    frame #3: 0x00007ffff78e2210 libopen-pal.so.80`mca_base_patcher_patch_apply_binary(patch=0x000050d000001a40) at patcher_base_patch.c:185:5

With lldb and gcc I get:

(lldb) bt
* thread #1, name = 'tmp', stop reason = signal SIGILL: illegal operand
  * frame #0: 0x00007ffff78526b7 libasan.so.8`__interceptor_trampoline_mprotect + 3
    frame #1: 0x00007ffff6dc2239 libopen-pal.so.80`mca_base_patcher_patch_apply_binary [inlined] ModifyMemoryProtection(addr=<unavailable>, length=<unavailable>, prot=5) at patcher_base_patch.c:143:9
    frame #2: 0x00007ffff6dc2210 libopen-pal.so.80`mca_base_patcher_patch_apply_binary [inlined] apply_patch(patch_data="I\xbb\xa0\xc7\xdb\xf6\xff\U0000007f", address=<unavailable>, data_size=13) at patcher_base_patch.c:174:5
    frame #3: 0x00007ffff6dc2210 libopen-pal.so.80`mca_base_patcher_patch_apply_binary(patch=0x000050d000001970) at patcher_base_patch.c:185:5
    frame #4: 0x00007ffff6dc2330 libopen-pal.so.80`mca_patcher_overwrite_patch_address [inlined] mca_patcher_overwrite_apply_patch(patch=0x000050d000001970) at patcher_overwrite_module.c:58:5
    frame #5: 0x00007ffff6dc22ff libopen-pal.so.80`mca_patcher_overwrite_patch_address(sys_addr=140737346086570, hook_addr=<unavailable>) at patcher_overwrite_module.c:307:14
    frame #6: 0x00007ffff6dbcc39 libopen-pal.so.80`patcher_open at memory_patcher_component.c:607:10
    frame #7: 0x00007ffff6d59ef3 libopen-pal.so.80`mca_base_framework_components_open [inlined] open_components(framework=0x00007ffff6df95a0) at mca_base_components_open.c:349:19
    frame #8: 0x00007ffff6d59ea8 libopen-pal.so.80`mca_base_framework_components_open(framework=0x00007ffff6df95a0, flags=MCA_BASE_OPEN_DEFAULT) at mca_base_components_open.c:296:12
    frame #9: 0x00007ffff6dbc6cf libopen-pal.so.80`opal_memory_base_open(flags=MCA_BASE_OPEN_DEFAULT) at memory_base_open.c:110:11
    frame #10: 0x00007ffff6d5b190 libopen-pal.so.80`mca_base_framework_open [inlined] mca_base_framework_open(framework=0x0000504000049dd0, flags=0xf6df9600) at mca_base_framework.c:194:15
    frame #11: 0x00007ffff6d5b155 libopen-pal.so.80`mca_base_framework_open(framework=0x0000504000049dd0, flags=<unavailable>) at mca_base_framework.c:161:5
    frame #12: 0x00007ffff6d95d72 libopen-pal.so.80`opal_common_ucx_mca_register [inlined] opal_common_ucx_mca_register at common_ucx.c:170:15
    frame #13: 0x00007ffff6d95d63 libopen-pal.so.80`opal_common_ucx_mca_register at common_ucx.c:155:20
    frame #14: 0x00007ffff763939e libmpi.so.40`mca_pml_ucx_component_open at pml_ucx_component.c:106:5
    frame #15: 0x00007ffff6d59ef3 libopen-pal.so.80`mca_base_framework_components_open [inlined] open_components(framework=0x00007ffff6df95a0) at mca_base_components_open.c:349:19
    frame #16: 0x00007ffff6d59ea8 libopen-pal.so.80`mca_base_framework_components_open(framework=0x00007ffff6df95a0, flags=0xf6dfa448) at mca_base_components_open.c:296:12
    frame #17: 0x00007ffff7632331 libmpi.so.40`mca_pml_base_open(flags=0xf6dfa448) at pml_base_frame.c:231:9
    frame #18: 0x00007ffff6d5b190 libopen-pal.so.80`mca_base_framework_open [inlined] mca_base_framework_open(framework=0x00007ffff76ee640, flags=MCA_BASE_OPEN_DEFAULT) at mca_base_framework.c:194:15
    frame #19: 0x00007ffff6d5b155 libopen-pal.so.80`mca_base_framework_open(framework=0x00007ffff76ee640, flags=<unavailable>) at mca_base_framework.c:161:5
    frame #20: 0x00007ffff748bf8c libmpi.so.40`ompi_mpi_instance_init_common(argc=<unavailable>, argv=<unavailable>) at instance.c:409:15
    frame #21: 0x00007ffff748d5bd libmpi.so.40`ompi_mpi_instance_init(ts_level=<unavailable>, info=0x00007ffff7716760, errhandler=0x00007ffff7714020, instance=0x00007ffff7714008, argc=0, argv=0x0000000000000000) at instance.c:826:15
    frame #22: 0x00007ffff747f053 libmpi.so.40`ompi_mpi_init(argc=0, argv=0x0000000000000000, requested=0, provided=0x00007fffffffdeb4, reinit_ok=false) at ompi_mpi_init.c:359:11
    frame #23: 0x00007ffff74be96d libmpi.so.40`PMPI_Init(argc=0x0000000000000000, argv=0x0000000000000000) at init.c:69:15
    frame #24: 0x000055555555516c tmp`main at tmp.c:4:5
    frame #25: 0x00007ffff7234e08 libc.so.6`__libc_start_call_main(main=(tmp`main at tmp.c:3:1), argc=1, argv=0x00007fffffffe028) at libc_start_call_main.h:58:16
    frame #26: 0x00007ffff7234ecc libc.so.6`__libc_start_main_impl(main=(tmp`main at tmp.c:3:1), argc=1, argv=0x00007fffffffe028, init=<unavailable>, fini=<unavailable>, rtld_fini=<unavailable>, stack_end=0x00007fffffffe018) at libc-start.c:360:3
    frame #27: 0x0000555555555085 tmp`_start + 37

[bosilca]

I won't claim I understand what ASAN is complaining about, but the code it is complaining about has been in use for the last decade on all possible architectures, so I'm pretty darn sure it is sane and safe.

Based on the info attached above it seems that ASAN is complaining about changing the memory protections on the GOT table (we need to trap the memory management support). The funny part is ASAN does not complain on the call that changes the default protection (READ|EXEC) to (READ|WRITE|EXEC), but complains on the second call where we change the memory protection back to (READ|EXEC) after we made the change.

1. Could it be that we are changing the access rights on a smaller granularity than the page ?
2. Could it be that the granularity is incorrect ? According to the trace the data_size is 13 bytes, definitively weird, as it should be either 8 or 20 (from the PatchLoadImm) function.

As you have access to the process with a debugger can you print the content of the patch argument of the mca_base_patcher_patch_apply_binary function ?

[hheinzer]

Sure, this is what I get:

(lldb) p *patch
(mca_patcher_base_patch_t) {
  super = {
    super = {
      obj_class = 0x00007ffff7916be0
      obj_reference_count = 1
    }
    opal_list_next = NULL
    opal_list_prev = NULL
    item_free = 1
  }
  patch_symbol = 0x0000000000000000
  patch_value = 140737346652064
  patch_orig = 93824992532138
  patch_data = "I\xbb\xa0Ǎ\xf7\xff\U0000007f\0\0A\xff\xe3"
  patch_orig_data = "\xe9ai\v\0\xe9<j\v\0\xe9Wm"
  patch_data_size = 13
  patch_restore = 0x0000000000000000
}

[hheinzer]

Could it be that this segmentation fault is not something that asan detects in ompi, but rather an actual segmentation fault in asan itself? The reason I ask is that usually if asan detects a segmentation fault, you get some sort of an asan output, instead of an actual segmentation fault.

[hheinzer]

My issue seems to be the as this one: #12819

The OMPI_MCA_memory=^patcher workaround also worked for me.

[bosilca]

Clearly these memory sanitizer tools don't like us messing around with the GOT table. Use OMPI_MCA_memory=^patcher for cleaning purposes but make sure you are not setting it for performance runs.

[hheinzer]

Got it, thanks for looking at my issue!