[PartitionAlloc] Fix crash when nullptr is passed to allocator shim on macOS

0xZOne · copybara-github · commit 659d300ab723 · 2025-08-05T00:36:45.000-07:00
This change fixes an unexpected crash that occurred when nullptr was passed to the `TryFreeDefaultFallbackToFindZoneAndFree` function. Instead of a simple `PA_CHECK(false)` that would crash even for nullptr, we now properly handle nullptr by checking if the pointer is null and only trigger the assertion for non-null pointers, logging a more descriptive error message with the pointer address. Bug: 435051700 Change-Id: I689818ede88b84d0cb07d2bb41cf7656ad002232 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6802119 Reviewed-by: Kentaro Hara <haraken@chromium.org> Commit-Queue: Yuki Shiino <yukishiino@chromium.org> Reviewed-by: Yuki Shiino <yukishiino@chromium.org> Cr-Commit-Position: refs/heads/main@{#1496755} NOKEYCHECK=True GitOrigin-RevId: 9230a68bca474d1d62901026f2c9895326187047
diff --git a/src/partition_alloc/shim/allocator_shim_apple.cc b/src/partition_alloc/shim/allocator_shim_apple.cc
@@ -32,6 +32,10 @@
 namespace allocator_shim {
 
 void TryFreeDefaultFallbackToFindZoneAndFree(void* ptr) {
+  if (!ptr) [[unlikely]] {
+    return;
+  }
+
   unsigned int zone_count = 0;
   vm_address_t* zones = nullptr;
   kern_return_t result =
@@ -57,7 +61,8 @@ void TryFreeDefaultFallbackToFindZoneAndFree(void* ptr) {
   }
 
   // There must be an owner zone.
-  PA_CHECK(false);
+  PA_CHECK(false) << "Oops! No zone found for "
+                  << reinterpret_cast<uintptr_t>(ptr);
 }
 
 }  // namespace allocator_shim
diff --git a/src/partition_alloc/shim/allocator_shim_default_dispatch_to_partition_alloc_unittest.cc b/src/partition_alloc/shim/allocator_shim_default_dispatch_to_partition_alloc_unittest.cc
@@ -209,6 +209,12 @@ TEST(PartitionAllocAsMalloc, GoodSize) {
 }
 #endif  // PA_BUILDFLAG(IS_APPLE) && PA_BUILDFLAG(USE_PARTITION_ALLOC_AS_MALLOC)
 
+#if PA_BUILDFLAG(IS_APPLE)
+TEST(PartitionAllocAsMalloc, TryFreeDefaultFallbackToFindZoneAndFree_Nullptr) {
+  TryFreeDefaultFallbackToFindZoneAndFree(nullptr);
+}
+#endif  // PA_BUILDFLAG(IS_APPLE)
+
 }  // namespace allocator_shim::internal
 #endif  // !defined(MEMORY_TOOL_REPLACES_ALLOCATOR) &&
         // PA_BUILDFLAG(USE_PARTITION_ALLOC)
