From ba8e26eadf1a6f3534f5ef902e4045ad8b924809 Mon Sep 17 00:00:00 2001
From: Anton Lapounov
Date: Wed, 8 Jan 2020 02:12:25 -0800
Subject: [PATCH] Fix GC heap corruption on ARM. (#1389)

The allocate_in_free code path in allocate_in_expanded_heap incorrectly calculated the large (double) alignment padding size when limiting the plug size (SHORT_PLUGS) if set_padding_on_saved_p was true:
set_padding_in_expand (old_loc, set_padding_on_saved_p, pinned_plug_entry); // Sets the padding flag on the saved plug
...
pad += switch_alignment_size (is_plug_padded (old_loc)); // Reads the padding flag from the old (different!) plug
That caused access violation during a later heap walk since the g_gc_pFreeObjectMethodTable pointer marking the gap was not placed at the right address.

Change-Id: I10a5fa443b3f5a614909983cd3c06d5420d22858
---
 src/gc/gc.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/gc/gc.cpp b/src/gc/gc.cpp
index f493664..f13cf17 100644
--- a/src/gc/gc.cpp
+++ b/src/gc/gc.cpp
@@ -14961,7 +14961,7 @@ allocate_in_free:
 #else // FEATURE_STRUCTALIGN
             if (!((old_loc == 0) || same_large_alignment_p (old_loc, result+pad)))
             {
-                pad += switch_alignment_size (is_plug_padded (old_loc));
+                pad += switch_alignment_size (pad != 0);
                 set_node_realigned (old_loc);
                 dprintf (3, ("Allocation realignment old_loc: %Ix, new_loc:%Ix",
                              (size_t)old_loc, (size_t)(result+pad)));
-- 
2.7.4
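Review bot: The new condition `pad != 0` stands in for "this plug was padded by set_padding_in_expand", but nothing at the call site says so, and the reason the old `is_plug_padded (old_loc)` read was wrong (it queries the old plug rather than the saved one) lives only in the commit message, so a later maintainer could plausibly "fix" it back. A one-line comment on the changed line would pin it: `// pad is non-zero exactly when set_padding_in_expand padded this plug; is_plug_padded (old_loc) describes the old plug, not this one.` The new test also assumes nothing earlier on the allocate_in_free path contributes to pad, which the hunk does not show, so that wording should be confirmed against the code above the hunk before it goes in. The `#else // FEATURE_STRUCTALIGN` context line indicates a parallel FEATURE_STRUCTALIGN branch just above the hunk; it is worth checking whether that branch derives its padding from `is_plug_padded (old_loc)` in the same way. The enclosing function allocate_in_expanded_heap starts and ends outside the hunk.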