<table border="1" cellspacing="0" cellpadding="8">
    <tr>
        <th>Issue</th>
        <td>
            <a href=https://github.com/llvm/llvm-project/issues/75761>75761</a>
        </td>
    </tr>

    <tr>
        <th>Summary</th>
        <td>
            scudo/CHECK_GE failed
        </td>
    </tr>

    <tr>
      <th>Labels</th>
      <td>
            new issue
      </td>
    </tr>

    <tr>
      <th>Assignees</th>
      <td>
      </td>
    </tr>

    <tr>
      <th>Reporter</th>
      <td>
          chericc
      </td>
    </tr>
</table>

<pre>
# scudo/CHECK_GE failed

## Crash outputs

```bash
...((Sci->Stats.PoppedBlocks)) >= ((Sci->Stats.PushedBlocks)) (252, 4294966864)...
```

## Location

**file**: primary32.h

**lines**:

```c++
  NOINLINE uptr releaseToOSMaybe(SizeClassInfo *Sci, uptr ClassId,
                                 bool Force = false) {
    const uptr BlockSize = getSizeByClassId(ClassId);
    const uptr PageSize = getPageSizeCached();

    CHECK_GE(Sci->Stats.PoppedBlocks, Sci->Stats.PushedBlocks);
    const uptr BytesInFreeList =
        Sci->AllocatedUser -
        (Sci->Stats.PoppedBlocks - Sci->Stats.PushedBlocks) * BlockSize;
```

Line `CHECK_GE(Sci->Stats.PoppedBlocks, Sci->Stats.PushedBlocks);` may **FAIL** when `PoppedBlocks` crosses `UINT32_MAX` while `PushedBlocks` does not.

## Problem reproduction

```c++
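#include <cstdlib>
#include <list>

std::list<void*> g_list;

int main()
{
        // Allocate and free 10000 blocks of 1600 bytes per pass, forever.
        while (true)
        {
                g_list.clear();
                for (int i = 0; i < 10000; ++i)
                {
                        void *p = malloc(1600);
                        g_list.push_back(p);
                }
                for (auto i : g_list)
                {
                        free(i);
                }
        }
}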
```

If `malloc` executes about `UINT32_MAX` times, then `CHECK_GE` will fail.

## Version

This problem occurs with a scudo version from 2019 (the specific version number is not known).
The newest version (2023.12.18) has changed `CHECK_GE` to `DCHECK_GE`, but this problem still exists.

</pre>
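<pre>
The counter wraparound described in the report, as an added example that is not part of the original issue or of scudo's code. It assumes both counters are 32-bit unsigned (as on a 32-bit target); the `Stats` struct and the function names are hypothetical, the values 252 and 4294966864 come from the crash output, and the balanced start state is constructed.

```cpp
#include <cstdint>
#include <cstdio>

// Constructed model of the two per-size-class counters named in the report.
// Assumption: both are 32-bit unsigned, as on a 32-bit target.
struct Stats {
  uint32_t PoppedBlocks;  // blocks handed out
  uint32_t PushedBlocks;  // blocks returned
};

// Same comparison as the quoted CHECK_GE: raw counter values.
bool orderingHolds(const Stats &S) {
  return S.PoppedBlocks >= S.PushedBlocks;
}

// Outstanding blocks computed modulo 2^32, as in the quoted subtraction.
uint32_t blocksInUse(const Stats &S) {
  return static_cast<uint32_t>(S.PoppedBlocks - S.PushedBlocks);
}

// Hand out blocks one at a time; return how many were handed out when the
// ordering comparison first fails, or 0 if it never fails within Limit.
uint32_t firstFailure(Stats S, uint32_t Limit) {
  for (uint32_t N = 1; N <= Limit; ++N) {
    ++S.PoppedBlocks;  // wraps to 0 after UINT32_MAX
    if (!orderingHolds(S))
      return N;
  }
  return 0;
}

int main() {
  // Values taken from the crash output in the report.
  const Stats Reported = {252u, 4294966864u};
  std::printf("ordering holds: %d, blocks in use: %u\n",
              orderingHolds(Reported), blocksInUse(Reported));
  // Constructed start state: every block returned, counters equal.
  const Stats Balanced = {4294966864u, 4294966864u};
  std::printf("first failure after %u allocations\n",
              firstFailure(Balanced, 1000));
  return 0;
}
```

With the reported values the ordering comparison is false, while the modular difference still gives a small, plausible count of outstanding blocks.
</pre>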