authorAndroid Build Coastguard Worker <android-build-coastguard-worker@google.com>2021-11-19 00:00:40 +0000
committerAndroid Build Coastguard Worker <android-build-coastguard-worker@google.com>2021-11-19 00:00:40 +0000
commit54eea1c83c6678b6e8a96d1fd682012c86d13f6c (patch)
tree9d0fa3e8914b318787dc8e2f87a09fe56c2489f0
parent0cae8bfd6946d400ffe7f278bb23154b829a4e07 (diff)
parent1ec0946834b56d44fe69256ad6bbbe72f551b991 (diff)
downloadbionic-android12L-d2-s1-release.tar.gz
Change-Id: Ie6b332afb6ba18eddebd155973b6d83d892acc6c
-rw-r--r--tests/malloc_test.cpp22
1 files changed, 22 insertions, 0 deletions
diff --git a/tests/malloc_test.cpp b/tests/malloc_test.cpp
index d73f2436d..f4a1c0d30 100644
--- a/tests/malloc_test.cpp
+++ b/tests/malloc_test.cpp
@@ -1371,3 +1371,25 @@ TEST(malloc, allocation_slack) {
GTEST_SKIP() << "bionic extension";
#endif
}
+
+// Regression test for b/206701345 -- scudo bug, MTE only.
+// Fix: https://reviews.llvm.org/D105261
+// Fix: https://android-review.googlesource.com/c/platform/external/scudo/+/1763655
+TEST(malloc, realloc_mte_crash_b206701345) {
+ // We want to hit in-place realloc at the very end of an mmap-ed region. Not
+ // all size classes allow such placement - mmap size has to be divisible by
+ // the block size. At the time of writing this could only be reproduced with
+ // 64 byte size class (i.e. 48 byte allocations), but that may change in the
+ // future. Try several different classes at the lower end.
+ std::vector<void*> ptrs(10000);
+ for (int i = 1; i < 32; ++i) {
+ size_t sz = 16 * i - 1;
+ for (void*& p : ptrs) {
+ p = realloc(malloc(sz), sz + 1);
+ }
+
+ for (void* p : ptrs) {
+ free(p);
+ }
+ }
+}
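Review bot: Neither allocation in `p = realloc(malloc(sz), sz + 1);` is checked, so if `malloc` returns null the call degrades to a plain allocation and the in-place realloc path this regression test targets is never exercised, while the test still passes. Splitting the statement makes that failure visible: `void* m = malloc(sz); ASSERT_TRUE(m != nullptr);` followed by `p = realloc(m, sz + 1); ASSERT_TRUE(p != nullptr);`. The test also has no assertion of its own and, judging by its name and header comment, detects the bug only by crashing on MTE-enabled hardware; a short comment such as `// No assertions: the test passes if realloc() does not crash under MTE.` would stop a green run on a non-MTE device from being read as coverage.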