Fix PartitionAlloc cookies for large in-place reallocs

BUG=709271

Review-Url: https://codereview.chromium.org/2799323003
Cr-Commit-Position: refs/heads/master@{#463047}

base/allocator/partition_allocator/partition_alloc.cc

@@ -1051,8 +1051,13 @@ void* PartitionReallocGeneric(PartitionRootGeneric* root,
   // determine it is a win.
   if (actual_new_size == actual_old_size) {
     // Trying to allocate a block of size new_size would give us a block of
-    // the same size as the one we've already got, so no point in doing
-    // anything here.
+    // the same size as the one we've already got, so re-use the allocation
+    // after updating statistics (and cookies, if present).
+    PartitionPageSetRawSize(page, PartitionCookieSizeAdjustAdd(new_size));
+#if DCHECK_IS_ON()
+    // Write a new trailing cookie.
+    PartitionCookieWriteValue(static_cast<char*>(ptr) + new_size);
+#endif
     return ptr;
   }
 

base/allocator/partition_allocator/partition_alloc_unittest.cc

@@ -2088,6 +2088,27 @@ TEST(PartitionAllocTest, PurgeDiscardable) {
   }
 }
 
+TEST(PartitionAllocTest, ReallocMovesCookies) {
+  TestSetup();
+
+  // Resize so as to be sure to hit a "resize in place" case, and ensure that
+  // use of the entire result is compatible with the debug mode's cookies, even
+  // when the bucket size is large enough to span more than one partition page
+  // and we can track the "raw" size. See https://crbug.com/709271
+  const size_t kSize = base::kMaxSystemPagesPerSlotSpan * base::kSystemPageSize;
+  void* ptr =
+      PartitionAllocGeneric(generic_allocator.root(), kSize + 1, type_name);
+  EXPECT_TRUE(ptr);
+
+  memset(ptr, 0xbd, kSize + 1);
+  ptr = PartitionReallocGeneric(generic_allocator.root(), ptr, kSize + 2,
+                                type_name);
+  EXPECT_TRUE(ptr);
+
+  memset(ptr, 0xbd, kSize + 2);
+  PartitionFreeGeneric(generic_allocator.root(), ptr);
+}
+
 }  // namespace base
 
 #endif  // !defined(MEMORY_TOOL_REPLACES_ALLOCATOR)