tests/xzone_corruption.c libmalloc-521.100.59 libmalloc-792.80.2
--- libmalloc/libmalloc-521.100.59/tests/xzone_corruption.c
+++ libmalloc/libmalloc-792.80.2/tests/xzone_corruption.c
@@ -5,14 +5,14 @@
 
 #if CONFIG_XZONE_MALLOC
 
-T_GLOBAL_META(T_META_RUN_CONCURRENTLY(true));
+T_GLOBAL_META(T_META_RUN_CONCURRENTLY(true), T_META_TAG_VM_NOT_PREFERRED);
 
 // Ensure that all allocations get the same bucketing
 MALLOC_NOINLINE
 static void *
 malloc_wrapper(size_t n)
 {
-	return malloc(n);
+	return malloc_type_malloc(n, (malloc_type_id_t)42);
 }
 
 static bool
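Review bot: The literal `(malloc_type_id_t)42` in `malloc_wrapper` is unexplained. The existing comment says the wrapper keeps all allocations in the same bucket, but it does not say that the fixed type id is (presumably) what now achieves that. A short comment such as `// Arbitrary fixed type id so every test allocation shares one type bucket` or a named constant would stop a later reader from treating 42 as meaningful or changing it at only one call site.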
@@ -25,11 +25,8 @@
 	return chunk_a == chunk_b;
 }
 
-T_DECL(tiny_freelist_corruption, "Crash on corruption of tiny freelist",
-		T_META_ENVVAR("MallocXzoneSlotConfig=0"),
-		T_META_IGNORECRASHES("xzone_corruption"),
-		T_META_TAG_XZONE_ONLY,
-		T_META_ENABLED(__has_feature(ptrauth_calls)))
+static void
+test_freelist_corruption(bool linkage)
 {
 	pid_t child_pid = fork();
 	T_ASSERT_NE(child_pid, -1, "fork()");
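Review bot: The new `bool linkage` parameter of `test_freelist_corruption` is undocumented, so the call sites `test_freelist_corruption(false)` and `test_freelist_corruption(true)` do not say which field gets corrupted. A comment above the function would do, for example `// linkage: true flips a bit in xzb_linkage.xzbl_next_value, false flips a bit in xzb_cookie`. The function body continues outside this hunk.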
@@ -65,7 +62,11 @@
 					free(p2);
 
 					xzm_block_t block = p2;
-					block->xzb_linkage.xzbl_next_value ^= (1ull << bit_to_flip);
+					if (linkage) {
+						block->xzb_linkage.xzbl_next_value ^= (1ull << bit_to_flip);
+					} else {
+						block->xzb_cookie ^= (1ull << bit_to_flip);
+					}
 
 					p2 = malloc_wrapper(1024);
 				}
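Review bot: The new `else` branch reuses `bit_to_flip` from an enclosing loop whose bounds are outside this hunk and were presumably chosen for `xzbl_next_value`. If `xzb_cookie` is narrower than that range, or has bits the allocator does not verify, the XOR on those iterations would change nothing that is checked and the expected crash would not happen. It is worth confirming the range against the cookie's definition and recording it next to the branch, e.g. `// every bit in the bit_to_flip range must be a checked bit of both fields`.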
@@ -87,10 +88,30 @@
 	}
 }
 
+T_DECL(tiny_freelist_cookie_corruption,
+		"Crash on corruption of tiny freelist cookie",
+		T_META_ENVVAR("MallocXzoneSlotConfig=0"),
+		T_META_IGNORECRASHES("xzone_corruption"),
+		T_META_TAG_XZONE_ONLY)
+{
+	test_freelist_corruption(false);
+}
+
+T_DECL(tiny_freelist_linkage_corruption,
+		"Crash on corruption of tiny freelist linkage",
+		T_META_ENVVAR("MallocXzoneSlotConfig=0"),
+		T_META_IGNORECRASHES("xzone_corruption"),
+		T_META_TAG_XZONE_ONLY,
+		T_META_ENABLED(__has_feature(ptrauth_calls)))
+{
+	test_freelist_corruption(true);
+}
+
 #else // CONFIG_XZONE_MALLOC
 
 T_DECL(tiny_freelist_corruption, "Crash on corruption of tiny freelist",
-		T_META_ENABLED(false))
+		T_META_ENABLED(false), T_META_TAG_VM_PREFERRED,
+		T_META_TAG_NO_ALLOCATOR_OVERRIDE)
 {
 	T_SKIP("Nothing to test for !CONFIG_XZONE_MALLOC");
 }
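Review bot: The `#else` stub still declares `tiny_freelist_corruption`, a name the `CONFIG_XZONE_MALLOC` branch no longer has now that the test is split into `tiny_freelist_cookie_corruption` and `tiny_freelist_linkage_corruption`. If results are tracked by test name, the two configurations will report disjoint names, so consider declaring the skipped stubs under the two new names instead. Separately, the cookie test drops `T_META_ENABLED(__has_feature(ptrauth_calls))` while the linkage test keeps it. A one-line comment such as `// cookie check does not depend on ptrauth, so run everywhere` (if that is the intent) would show the difference in gating is deliberate.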