hakmem/FALSE_POSITIVE_REPORT.md

# False Positive Analysis Report: LIBC Pointer Misidentification

## Executive Summary

The `free(): invalid pointer` error is caused by **SS guessing logic** (lines 58-61 in `core/box/hak_free_api.inc.h`) which incorrectly identifies LIBC pointers as HAKMEM SuperSlab pointers, leading to wrong free path execution.

## Root Cause: SS Guessing Logic

### The Problematic Code
```c
// Lines 58-61 in core/box/hak_free_api.inc.h
for (int lg=21; lg>=20; lg--) {
    uintptr_t mask=((uintptr_t)1<<lg)-1;
    SuperSlab* guess=(SuperSlab*)((uintptr_t)ptr & ~mask);
    if (guess && guess->magic==SUPERSLAB_MAGIC) {
        int sidx=slab_index_for(guess,ptr);
        int cap=ss_slabs_capacity(guess);
        if (sidx>=0&&sidx<cap){
            hak_free_route_log("ss_guess", ptr);
            hak_tiny_free(ptr);  // <-- WRONG! ptr might be from LIBC!
            goto done;
        }
    }
}
```

### Why This Is Dangerous

1. **Reads Arbitrary Memory**: The code aligns any pointer to 2MB/1MB boundary and reads from that address
2. **No Ownership Validation**: Even if magic matches, there's no proof the pointer belongs to that SuperSlab
3. **False Positive Risk**: If aligned address happens to contain `SUPERSLAB_MAGIC`, LIBC pointers get misrouted

## False Positive Scenarios

### Scenario 1: Memory Reuse
- HAKMEM previously allocated a SuperSlab at address X
- SuperSlab was freed but memory wasn't cleared
- LIBC malloc reuses memory near X
- SS guessing finds old SUPERSLAB_MAGIC at aligned address
- LIBC pointer wrongly sent to `hak_tiny_free()`

### Scenario 2: Random Collision
- LIBC allocates memory
- 2MB-aligned base happens to contain the magic value
- Bounds check accidentally passes
- LIBC pointer wrongly freed through HAKMEM

### Scenario 3: Race Condition
- Thread A: Checks magic, it matches
- Thread B: Frees the SuperSlab
- Thread A: Proceeds to use freed SuperSlab -> CRASH

## Test Results

Our test program demonstrates:
```
LIBC pointer:     0x65329b0e42b0
2MB-aligned base: 0x65329b000000 (reading from here is UNSAFE!)
```

The SS guessing reads from `0x65329b000000` which is:
- 2,093,072 bytes away from the actual pointer
- Arbitrary memory that might contain anything
- Not validated as belonging to HAKMEM

## Other Lookup Functions

### ✅ `hak_super_lookup()` - SAFE
- Uses proper registry with O(1) lookup
- Validates magic BEFORE returning pointer
- Thread-safe with acquire/release semantics
- Returns NULL for LIBC pointers

### ✅ `hak_pool_mid_lookup()` - SAFE
- Uses page descriptor hash table
- Only returns true for registered Mid pages
- Returns 0 for LIBC pointers

### ✅ `hak_l25_lookup()` - SAFE
- Uses page descriptor lookup
- Only returns true for registered L2.5 pages
- Returns 0 for LIBC pointers

### ❌ SS Guessing (lines 58-61) - UNSAFE
- Reads from arbitrary aligned addresses
- No proper validation
- High false positive risk

## Recommended Fix

### Option 1: Remove SS Guessing (RECOMMENDED)
```c
// DELETE lines 58-61 entirely
// The registered lookup already handles valid SuperSlabs
```

### Option 2: Add Proper Validation
```c
// Only use registered SuperSlabs, no guessing
SuperSlab* ss = hak_super_lookup(ptr);
if (ss && ss->magic == SUPERSLAB_MAGIC) {
    int sidx = slab_index_for(ss, ptr);
    int cap = ss_slabs_capacity(ss);
    if (sidx >= 0 && sidx < cap) {
        hak_tiny_free(ptr);
        goto done;
    }
}
// No guessing loop!
```

### Option 3: Check Header First
```c
// Check header magic BEFORE any SS operations
AllocHeader* hdr = (AllocHeader*)((char*)ptr - HEADER_SIZE);
if (hdr->magic == HAKMEM_MAGIC) {
    // Only then try SS operations
} else {
    // Definitely LIBC, use __libc_free()
    __libc_free(ptr);
    goto done;
}
```

## Recommended Routing Order

The safest routing order for `hak_free_at()`:

1. **NULL check** - Return immediately if ptr is NULL
2. **Header check** - Check HAKMEM_MAGIC first (most reliable)
3. **Registered lookups only** - Use hak_super_lookup(), never guess
4. **Mid/L25 lookups** - These are safe with proper registry
5. **Fallback to LIBC** - If no match, assume LIBC and use __libc_free()

## Impact

- **Current**: LIBC pointers can be misidentified → crash
- **After fix**: Clean separation between HAKMEM and LIBC pointers
- **Performance**: Removing guessing loop actually improves performance

## Action Items

1. **IMMEDIATE**: Remove lines 58-61 (SS guessing loop)
2. **TEST**: Verify LIBC allocations work correctly
3. **AUDIT**: Check for similar guessing logic elsewhere
4. **DOCUMENT**: Add warnings about reading arbitrary aligned memory
Phase 6-2.4: Fix SuperSlab free SEGV: remove guess loop and add memory readability check; add registry atomic consistency (base as _Atomic uintptr_t with acq/rel); add debug toggles (SUPER_REG_DEBUG/REQTRACE); update CURRENT_TASK with results and next steps; capture suite results. 2025-11-07 18:07:48 +09:00			`# False Positive Analysis Report: LIBC Pointer Misidentification`

			`## Executive Summary`

			The `free(): invalid pointer` error is caused by SS guessing logic (lines 58-61 in `core/box/hak_free_api.inc.h`) which incorrectly identifies LIBC pointers as HAKMEM SuperSlab pointers, leading to wrong free path execution.

			`## Root Cause: SS Guessing Logic`

			`### The Problematic Code`
			```c
			`// Lines 58-61 in core/box/hak_free_api.inc.h`
			`for (int lg=21; lg>=20; lg--) {`
			`uintptr_t mask=((uintptr_t)1<<lg)-1;`
			`SuperSlab* guess=(SuperSlab*)((uintptr_t)ptr & ~mask);`
			`if (guess && guess->magic==SUPERSLAB_MAGIC) {`
			`int sidx=slab_index_for(guess,ptr);`
			`int cap=ss_slabs_capacity(guess);`
			`if (sidx>=0&&sidx<cap){`
			`hak_free_route_log("ss_guess", ptr);`
			`hak_tiny_free(ptr); // <-- WRONG! ptr might be from LIBC!`
			`goto done;`
			`}`
			`}`
			`}`
			```

			`### Why This Is Dangerous`

			`1. Reads Arbitrary Memory: The code aligns any pointer to 2MB/1MB boundary and reads from that address`
			`2. No Ownership Validation: Even if magic matches, there's no proof the pointer belongs to that SuperSlab`
			3. False Positive Risk: If aligned address happens to contain `SUPERSLAB_MAGIC`, LIBC pointers get misrouted

			`## False Positive Scenarios`

			`### Scenario 1: Memory Reuse`
			`- HAKMEM previously allocated a SuperSlab at address X`
			`- SuperSlab was freed but memory wasn't cleared`
			`- LIBC malloc reuses memory near X`
			`- SS guessing finds old SUPERSLAB_MAGIC at aligned address`
			- LIBC pointer wrongly sent to `hak_tiny_free()`

			`### Scenario 2: Random Collision`
			`- LIBC allocates memory`
			`- 2MB-aligned base happens to contain the magic value`
			`- Bounds check accidentally passes`
			`- LIBC pointer wrongly freed through HAKMEM`

			`### Scenario 3: Race Condition`
			`- Thread A: Checks magic, it matches`
			`- Thread B: Frees the SuperSlab`
			`- Thread A: Proceeds to use freed SuperSlab -> CRASH`

			`## Test Results`

			`Our test program demonstrates:`
			```
			`LIBC pointer: 0x65329b0e42b0`
			`2MB-aligned base: 0x65329b000000 (reading from here is UNSAFE!)`
			```

			The SS guessing reads from `0x65329b000000` which is:
			`- 2,093,072 bytes away from the actual pointer`
			`- Arbitrary memory that might contain anything`
			`- Not validated as belonging to HAKMEM`

			`## Other Lookup Functions`

			### ✅ `hak_super_lookup()` - SAFE
			`- Uses proper registry with O(1) lookup`
			`- Validates magic BEFORE returning pointer`
			`- Thread-safe with acquire/release semantics`
			`- Returns NULL for LIBC pointers`

			### ✅ `hak_pool_mid_lookup()` - SAFE
			`- Uses page descriptor hash table`
			`- Only returns true for registered Mid pages`
			`- Returns 0 for LIBC pointers`

			### ✅ `hak_l25_lookup()` - SAFE
			`- Uses page descriptor lookup`
			`- Only returns true for registered L2.5 pages`
			`- Returns 0 for LIBC pointers`

			`### ❌ SS Guessing (lines 58-61) - UNSAFE`
			`- Reads from arbitrary aligned addresses`
			`- No proper validation`
			`- High false positive risk`

			`## Recommended Fix`

			`### Option 1: Remove SS Guessing (RECOMMENDED)`
			```c
			`// DELETE lines 58-61 entirely`
			`// The registered lookup already handles valid SuperSlabs`
			```

			`### Option 2: Add Proper Validation`
			```c
			`// Only use registered SuperSlabs, no guessing`
			`SuperSlab* ss = hak_super_lookup(ptr);`
			`if (ss && ss->magic == SUPERSLAB_MAGIC) {`
			`int sidx = slab_index_for(ss, ptr);`
			`int cap = ss_slabs_capacity(ss);`
			`if (sidx >= 0 && sidx < cap) {`
			`hak_tiny_free(ptr);`
			`goto done;`
			`}`
			`}`
			`// No guessing loop!`
			```

			`### Option 3: Check Header First`
			```c
			`// Check header magic BEFORE any SS operations`
			`AllocHeader* hdr = (AllocHeader)((char)ptr - HEADER_SIZE);`
			`if (hdr->magic == HAKMEM_MAGIC) {`
			`// Only then try SS operations`
			`} else {`
			`// Definitely LIBC, use __libc_free()`
			`__libc_free(ptr);`
			`goto done;`
			`}`
			```

			`## Recommended Routing Order`

			The safest routing order for `hak_free_at()`:

			`1. NULL check - Return immediately if ptr is NULL`
			`2. Header check - Check HAKMEM_MAGIC first (most reliable)`
			`3. Registered lookups only - Use hak_super_lookup(), never guess`
			`4. Mid/L25 lookups - These are safe with proper registry`
			`5. Fallback to LIBC - If no match, assume LIBC and use __libc_free()`

			`## Impact`

			`- Current: LIBC pointers can be misidentified → crash`
			`- After fix: Clean separation between HAKMEM and LIBC pointers`
			`- Performance: Removing guessing loop actually improves performance`

			`## Action Items`

			`1. IMMEDIATE: Remove lines 58-61 (SS guessing loop)`
			`2. TEST: Verify LIBC allocations work correctly`
			`3. AUDIT: Check for similar guessing logic elsewhere`
			`4. DOCUMENT: Add warnings about reading arbitrary aligned memory`