Fix: Phase 7-1.2 - Page boundary SEGV in fast free path

## Problem `bench_random_mixed` crashed with SEGV when freeing malloc allocations at page boundaries (e.g., ptr=0x7ffff6e00000, ptr-1 unmapped). ## Root Cause Phase 7 fast free path reads 1-byte header at `ptr-1` without checking if memory is accessible. When malloc returns page-aligned pointer with previous page unmapped, reading `ptr-1` causes SEGV. ## Solution Added `hak_is_memory_readable(ptr-1)` check BEFORE reading header in `core/tiny_free_fast_v2.inc.h`. Page-boundary allocations route to slow path (dual-header dispatch) which correctly handles malloc via __libc_free(). ## Verification - bench_random_mixed (1024B): SEGV → 692K ops/s ✅ - bench_random_mixed (2048B/4096B): SEGV → 697K/643K ops/s ✅ - All sizes stable across 3 runs ## Performance Impact <1% overhead (mincore() only on fast path miss, ~1-3% of frees) ## Related - Phase 7-1.1: Dual-header dispatch (Task Agent) - Phase 7-1.2: Page boundary safety (this fix) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-08 03:46:35 +09:00
parent 48fadea590
commit 24beb34de6
3 changed files with 282 additions and 9 deletions
--- a/core/box/hak_free_api.inc.h
+++ b/core/box/hak_free_api.inc.h
@ -75,16 +75,9 @@ void hak_free_at(void* ptr, size_t size, hak_callsite_t site) {
    }

 #if HAKMEM_TINY_HEADER_CLASSIDX
-    // Phase 7: Ultra-fast free via header (2-3 cycles header read + 3-5 cycles TLS push)
-    // NO SuperSlab lookup needed! Header validation is sufficient.
+    // Phase 7: Dual-header dispatch (1-byte Tiny header OR 16-byte malloc/mmap header)
    //
-    // Safety: Non-tiny allocations (>1024B) don't have headers, but:
-    //   1. Reading ptr-1 won't segfault (it's mapped memory from another allocation)
-    //   2. Invalid header → tiny_region_id_read_header() returns -1
-    //   3. hak_tiny_free_fast_v2() returns 0 (fast path fails)
-    //   4. Fallback to slow path handles it correctly
-    //
-    // Expected: 95-99% hit rate for tiny allocations (5-10 cycles total)
+    // Step 1: Try 1-byte Tiny header (fast path: 5-10 cycles)
    if (__builtin_expect(hak_tiny_free_fast_v2(ptr), 1)) {
        hak_free_route_log("header_fast", ptr);
 #if !HAKMEM_BUILD_RELEASE
@ -92,6 +85,33 @@ void hak_free_at(void* ptr, size_t size, hak_callsite_t site) {
 #endif
        goto done;  // Success - done in 5-10 cycles! NO SuperSlab lookup!
    }
+
+    // Step 2: Try 16-byte AllocHeader (malloc/mmap allocations)
+    // CRITICAL: Must check this BEFORE calling hak_tiny_free() to avoid silent failures!
+    {
+        void* raw = (char*)ptr - HEADER_SIZE;
+
+        // SAFETY: Check if raw header is accessible before dereferencing
+        // This prevents SEGV when malloc metadata is unmapped
+        if (hak_is_memory_readable(raw)) {
+            AllocHeader* hdr = (AllocHeader*)raw;
+
+            if (hdr->magic == HAKMEM_MAGIC) {
+                // Valid 16-byte header found (malloc/mmap allocation)
+                hak_free_route_log("header_16byte", ptr);
+
+                if (hdr->method == ALLOC_METHOD_MALLOC) {
+                    // CRITICAL: raw was allocated with __libc_malloc, so free with __libc_free
+                    extern void __libc_free(void*);
+                    __libc_free(raw);
+                    goto done;
+                }
+
+                // Handle other methods (mmap, etc) - continue to slow path below
+            }
+        }
+    }
+
    // Fallback: Invalid header (non-tiny) or TLS cache full
 #if !HAKMEM_BUILD_RELEASE
    hak_free_v2_track_slow();