From 1ec0946834b56d44fe69256ad6bbbe72f551b991 Mon Sep 17 00:00:00 2001 From: Evgenii Stepanov Date: Tue, 16 Nov 2021 17:34:39 -0800 Subject: Regression test for scudo crash in resizeTaggedChunk. This is a copy of the upstream scudo test for CTS: https://reviews.llvm.org/rG913d78c40c37c9c3428285d868ce454b058e40f3 Bug: 206701345 Test: CtsBionicTestCases Merged-In: I76b6b33c0665d7ad3bdd8c07d39a39d0d24d94df Change-Id: I76b6b33c0665d7ad3bdd8c07d39a39d0d24d94df (cherry picked from commit f0d7a34e257494c7a0248e399849bb714bb9fcc4)
---
 tests/malloc_test.cpp | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) (limited to 'tests/malloc_test.cpp')
diff --git a/tests/malloc_test.cpp b/tests/malloc_test.cpp
index d73f2436d..f4a1c0d30 100644
--- a/tests/malloc_test.cpp
+++ b/tests/malloc_test.cpp
@@ -1371,3 +1371,25 @@ TEST(malloc, allocation_slack) {
 GTEST_SKIP() << "bionic extension";
 #endif
 }
+
+// Regression test for b/206701345 -- scudo bug, MTE only.
+// Fix: https://reviews.llvm.org/D105261
+// Fix: https://android-review.googlesource.com/c/platform/external/scudo/+/1763655
+TEST(malloc, realloc_mte_crash_b206701345) {
+ // We want to hit in-place realloc at the very end of an mmap-ed region. Not
+ // all size classes allow such placement - mmap size has to be divisible by
+ // the block size. At the time of writing this could only be reproduced with
+ // 64 byte size class (i.e. 48 byte allocations), but that may change in the
+ // future. Try several different classes at the lower end.
+ std::vector ptrs(10000);
+ for (int i = 1; i < 32; ++i) {
+ size_t sz = 16 * i - 1;
+ for (void*& p : ptrs) {
+ p = realloc(malloc(sz), sz + 1);
+ }
+
+ for (void* p : ptrs) {
+ free(p);
+ }
+ }
+}
-- cgit v1.2.3
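Review bot: The result of `realloc(malloc(sz), sz + 1)` in the inner loop is never checked, so if either call returns null the test keeps passing without exercising the in-place grow path it exists to cover, and a failed realloc would also leak the malloc'd block. Adding `ASSERT_NE(nullptr, p);` directly after the assignment would make such an iteration visible instead of silent. The header comment says the bug is MTE only, so a pass on hardware without MTE presumably says nothing about the fix (inferred from that comment, not from code in this hunk). A line such as `// Without MTE this loop still runs but does not reach the tagged-resize path.` would keep a green result from being read as coverage.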