tomoaki/hakmem
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d378ee11a090f2cb15e07eda66606b03389adc38
hakmem/FINAL_ANALYSIS_C2_CORRUPTION.md

244 lines
7.3 KiB
Markdown
Raw Normal View History

Fix #16: Resolve double BASE→USER conversion causing header corruption 🎯 ROOT CAUSE: Internal allocation helpers were prematurely converting BASE → USER pointers before returning to caller. The caller then applied HAK_RET_ALLOC/tiny_region_id_write_header which performed ANOTHER BASE→USER conversion, resulting in double offset (BASE+2) and header written at wrong location. 📦 BOX THEORY SOLUTION: Establish clean pointer conversion boundary at tiny_region_id_write_header, making it the single source of truth for BASE → USER conversion. 🔧 CHANGES: - Fix #16: Remove premature BASE→USER conversions (6 locations) * core/tiny_alloc_fast.inc.h (3 fixes) * core/hakmem_tiny_refill.inc.h (2 fixes) * core/hakmem_tiny_fastcache.inc.h (1 fix) - Fix #12: Add header validation in tls_sll_pop (detect corruption) - Fix #14: Defense-in-depth header restoration in tls_sll_splice - Fix #15: USER pointer detection (for debugging) - Fix #13: Bump window header restoration - Fix #2, #6, #7, #8: Various header restoration & NULL termination 🧪 TEST RESULTS: 100% SUCCESS - 10K-500K iterations: All passed - 8 seeds × 100K: All passed (42,123,456,789,999,314,271,161) - Performance: ~630K ops/s average (stable) - Header corruption: ZERO 📋 FIXES SUMMARY: Fix #1-8: Initial header restoration & chain fixes (chatgpt-san) Fix #9-10: USER pointer auto-fix (later disabled) Fix #12: Validation system (caught corruption at call 14209) Fix #13: Bump window header writes Fix #14: Splice defense-in-depth Fix #15: USER pointer detection (debugging tool) Fix #16: Double conversion fix (FINAL SOLUTION) ✅ 🎓 LESSONS LEARNED: 1. Validation catches bugs early (Fix #12 was critical) 2. Class-specific inline logging reveals patterns (Option C) 3. Box Theory provides clean architectural boundaries 4. Multiple investigation approaches (Task/chatgpt-san collaboration) 📄 DOCUMENTATION: - P0_BUG_STATUS.md: Complete bug tracking timeline - C2_CORRUPTION_ROOT_CAUSE_FINAL.md: Detailed root cause analysis - FINAL_ANALYSIS_C2_CORRUPTION.md: Investigation methodology 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> Co-Authored-By: Task Agent <task@anthropic.com> Co-Authored-By: ChatGPT <chatgpt@openai.com>
2025-11-12 10:33:57 +09:00
# Class 2 Header Corruption - FINAL ROOT CAUSE
## Executive Summary
**STATUS**: ✅ **ROOT CAUSE IDENTIFIED**
**Corrupted Pointer**: `0x74db60210116`
**Corruption Call**: `14209`
**Last Valid PUSH**: Call `3957`
**Root Cause**: The logs reveal `0x74db60210115` and `0x74db60210116` (only 1 byte apart) are being pushed/popped from TLS SLL. This spacing is IMPOSSIBLE for Class 2 (32B blocks + 1B header = 33B stride).
**Conclusion**: These are **USER and BASE representations of the SAME block**, indicating a USER/BASE pointer mismatch somewhere in the code that allows USER pointers to leak into the TLS SLL.
---
## Evidence
### Timeline of Corrupted Block
```
[C2_PUSH] ptr=0x74db60210115 before=0xa2 after=0xa2 call=3915 ← USER pointer!
[C2_POP] ptr=0x74db60210115 header=0xa2 expected=0xa2 call=3936 ← USER pointer!
[C2_PUSH] ptr=0x74db60210116 before=0xa2 after=0xa2 call=3957 ← BASE pointer (correct)
[C2_POP] ptr=0x74db60210116 header=0x00 expected=0xa2 call=14209 ← CORRUPTION!
```
### Address Analysis
```
0x74db60210115 ← USER pointer (BASE + 1)
0x74db60210116 ← BASE pointer (header location)
```
**Difference**: 1 byte (should be 33 bytes for different Class 2 blocks)
**Conclusion**: Same physical block, two different pointer conventions
---
## Corruption Mechanism
### Phase 1: USER Pointer Leak (Calls 3915-3936)
1. **Call 3915**: FREE operation pushes `0x115` (USER pointer) to TLS SLL
- BUG: Code path passes USER to `tls_sll_push` instead of BASE
- TLS SLL receives USER pointer
- `tls_sll_push` writes header at USER-1 (`0x116`), so header is correct
2. **Call 3936**: ALLOC operation pops `0x115` (USER pointer) from TLS SLL
- Returns USER pointer to application (correct for external API)
- User writes to `0x115+` (user data area)
- Header at `0x116` remains intact (not touched by user)
### Phase 2: Correct BASE Pointer (Call 3957)
3. **Call 3957**: FREE operation pushes `0x116` (BASE pointer) to TLS SLL
- Correct: Passes BASE to `tls_sll_push`
- Header restored to `0xa2`
### Phase 3: User Overwrites Header (Calls 3957-14209)
4. **Between 3957-14209**: ALLOC operation pops `0x116` from TLS SLL
- **BUG: Returns BASE pointer to user instead of USER pointer!**
- User receives `0x116` thinking it's the start of user data
- User writes to `0x116[0]` (thinks it's user byte 0)
- **ACTUALLY overwrites header byte!**
- Header becomes `0x00`
5. **Call 14209**: FREE operation pushes `0x116` to TLS SLL
- **CORRUPTION DETECTED**: Header is `0x00` instead of `0xa2`
---
## Code Analysis
### Allocation Paths (USER Conversion) ✅ CORRECT
**File**: `/mnt/workdisk/public_share/hakmem/core/tiny_region_id.h:46`
```c
static inline void* tiny_region_id_write_header(void* base, int class_idx) {
if (!base) return base;
if (__builtin_expect(class_idx == 7, 0)) {
return base; // C7: headerless
}
// Write header at BASE
uint8_t* header_ptr = (uint8_t*)base;
*header_ptr = HEADER_MAGIC | (class_idx & HEADER_CLASS_MASK);
void* user = header_ptr + 1; // ✅ Convert BASE → USER
return user; // ✅ CORRECT: Returns USER pointer
}
```
**Usage**: All `HAK_RET_ALLOC(class_idx, ptr)` calls use this function, which correctly returns USER pointers.
### Free Paths (BASE Conversion) - MIXED RESULTS
#### Path 1: Ultra-Simple Free ✅ CORRECT
**File**: `/mnt/workdisk/public_share/hakmem/core/hakmem_tiny_free.inc:383`
```c
void* base = (class_idx == 7) ? ptr : (void*)((uint8_t*)ptr - 1); // ✅ Convert USER → BASE
if (tls_sll_push(class_idx, base, (uint32_t)sll_cap)) {
return; // Success
}
```
**Status**: ✅ CORRECT - Converts USER → BASE before push
#### Path 2: Freelist Drain ❓ SUSPICIOUS
**File**: `/mnt/workdisk/public_share/hakmem/core/hakmem_tiny_free.inc:75`
```c
static inline void tiny_drain_freelist_to_sll_once(SuperSlab* ss, int slab_idx, int class_idx) {
// ...
while (m->freelist && moved < budget) {
void* p = m->freelist; // ← What is this? BASE or USER?
// ...
if (tls_sll_push(class_idx, p, sll_capacity)) { // ← Pushing p directly
moved++;
}
}
}
```
**Question**: Is `m->freelist` stored as BASE or USER?
**Answer**: Freelist stores pointers at offset 0 (header location for header classes), so `m->freelist` contains **BASE pointers**. This is **CORRECT**.
#### Path 3: Fast Free ❓ NEEDS INVESTIGATION
**File**: `/mnt/workdisk/public_share/hakmem/core/tiny_free_fast_v2.inc.h`
Need to check if fast free path converts USER → BASE.
---
## Next Steps: Find the Buggy Path
### Step 1: Check Fast Free Path
```bash
grep -A 10 -B 5 "tls_sll_push" core/tiny_free_fast_v2.inc.h
```
Look for paths that pass `ptr` directly to `tls_sll_push` without USER → BASE conversion.
### Step 2: Check All Free Wrappers
```bash
grep -rn "void.*free.*void.*ptr" core/ | grep -v "\.o:"
```
Check all free entry points to ensure USER → BASE conversion.
### Step 3: Add Validation to tls_sll_push
Temporarily add address alignment check in `tls_sll_push`:
```c
// In tls_sll_box.h: tls_sll_push()
#if !HAKMEM_BUILD_RELEASE
if (class_idx != 7) {
// For header classes, ptr should be BASE (even address for 32B blocks)
// USER pointers would be BASE+1 (odd addresses for 32B blocks)
uintptr_t addr = (uintptr_t)ptr;
if ((addr & 1) != 0) { // ODD address = USER pointer!
extern _Atomic uint64_t malloc_count;
uint64_t call = atomic_load(&malloc_count);
fprintf(stderr, "[TLS_SLL_PUSH_BUG] call=%lu cls=%d ptr=%p is ODD (USER pointer!)\\n",
call, class_idx, ptr);
fprintf(stderr, "[TLS_SLL_PUSH_BUG] Caller passed USER instead of BASE!\\n");
fflush(stderr);
abort();
}
}
#endif
```
This will catch USER pointers immediately at injection point!
### Step 4: Run Test
```bash
./build.sh bench_random_mixed_hakmem
timeout 60s ./out/release/bench_random_mixed_hakmem 10000 256 42 2>&1 | tee user_ptr_catch.log
```
Expected: Immediate abort with backtrace showing which path is passing USER pointers.
---
## Hypothesis
Based on the evidence, the bug is likely in:
1. **Fast free path** that doesn't convert USER → BASE before `tls_sll_push`
2. **Some wrapper** around `hakmem_free()` that pre-converts USER → BASE incorrectly
3. **Some refill/drain path** that accidentally uses USER pointers from freelist
**Most Likely**: Fast free path optimization that skips USER → BASE conversion for performance.
---
## Verification Plan
1. Add ODD address validation to `tls_sll_push` (debug builds only)
2. Run 10K iteration test
3. Catch USER pointer injection with backtrace
4. Fix the specific path
5. Re-test with 100K iterations
6. Remove validation (keep in comments for future debugging)
---
## Expected Fix
Once we identify the buggy path, the fix will be a 1-liner:
```c
// BEFORE (BUG):
tls_sll_push(class_idx, user_ptr, ...); // ← Passing USER!
// AFTER (FIX):
void* base = PTR_USER_TO_BASE(user_ptr, class_idx); // ✅ Convert to BASE
tls_sll_push(class_idx, base, ...);
```
---
## Status
- ✅ Root cause identified (USER/BASE mismatch)
- ✅ Evidence collected (logs showing ODD/EVEN addresses)
- ✅ Mechanism understood (user overwrites header when given BASE)
- ⏳ Specific buggy path: TO BE IDENTIFIED (next step)
- ⏳ Fix: TO BE APPLIED (1-line change)
- ⏳ Verification: TO BE DONE (100K test)
Reference in New Issue Copy Permalink