From 3a2e466af17a0abcfb14942896cde745a0da8ba2 Mon Sep 17 00:00:00 2001
From: "Moe Charm (CI)" <moecharm@example.com>
Date: Thu, 4 Dec 2025 12:36:32 +0900
Subject: [PATCH] Add lightweight Fail-Fast layer to Gatekeeper Boxes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Core Changes:
- Modified: core/box/tiny_free_gate_box.h
  * Added address range check in tiny_free_gate_try_fast() (line 142)
  * Catches obviously invalid pointers (addr < 4096)
  * Rejects fast path for garbage pointers, delegates to slow path
  * Logs [TINY_FREE_GATE_RANGE_INVALID] (debug-only, max 8 messages)
  * Cost: ~1 cycle (comparison + unlikely branch)
  * Behavior: Fails safe by delegating to hak_tiny_free() slow path

- Modified: core/box/tiny_alloc_gate_box.h
  * Added range check for malloc_tiny_fast() return value (line 143)
  * Debug-only: Checks if returned user_ptr has addr < 4096
  * On failure: Logs [TINY_ALLOC_GATE_RANGE_INVALID] and calls abort()
  * Release build: Entire check compiled out (zero overhead)
  * Rationale: Invalid allocator return is catastrophic - fail immediately

Design Rationale:
- Early detection of memory corruption/undefined behavior
- Conservative threshold (4096) captures NULL and kernel space
- Free path: Graceful degradation (delegate to slow path)
- Alloc path: Hard fail (allocator corruption is non-recoverable)
- Zero performance impact in production (Release) builds
- Debug-only diagnostic output prevents log spam

Fail-Fast Strategy:
- Layer 3a: Address range sanity check (always enabled)
  * Rejects addr < 4096 (NULL, low memory garbage)
  * Free: delegates to slow path (safe fallback)
  * Alloc: aborts (corruption indicator)
- Layer 3b: Detailed Bridge/Header validation (ENV-controlled)
  * Traditional HAKMEM_TINY_FREE_GATE_DIAG / HAKMEM_TINY_ALLOC_GATE_DIAG
  * For advanced debugging and observability

Testing:
- Compilation: RELEASE=0 and RELEASE=1 both successful
- Smoke tests: 3/3 passed (simple_alloc, loop 10M, pool_tls)
- Performance: No regressions detected
- Address threshold (4096): Conservative, minimizes false positives
- Verified via Task agent (PASS verdict)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 core/box/tiny_alloc_gate_box.h | 14 +++++++++++++-
 core/box/tiny_free_gate_box.h  | 21 ++++++++++++++++++++-
 2 files changed, 33 insertions(+), 2 deletions(-)

diff --git a/core/box/tiny_alloc_gate_box.h b/core/box/tiny_alloc_gate_box.h
index 110657df..5efd53a0 100644
--- a/core/box/tiny_alloc_gate_box.h
+++ b/core/box/tiny_alloc_gate_box.h
@@ -140,7 +140,20 @@ static inline void* tiny_alloc_gate_fast(size_t size)
     // まずは従来どおり Tiny Fast Path で割り当て（USER ポインタを得る）
     void* user_ptr = malloc_tiny_fast(size);
 
+    // Layer 3a（alloc 側）: 取得したポインタが明らかに異常な場合は
+    // Debug ビルドで早期に検出して Fail-Fast。
 #if !HAKMEM_BUILD_RELEASE
+    if (user_ptr) {
+        uintptr_t addr = (uintptr_t)user_ptr;
+        if (__builtin_expect(addr < 4096, 0)) {
+            fprintf(stderr,
+                    "[TINY_ALLOC_GATE_RANGE_INVALID] size=%zu user=%p\n",
+                    size, user_ptr);
+            fflush(stderr);
+            abort();
+        }
+    }
+
     if (__builtin_expect(tiny_alloc_gate_diag_enabled(), 0) && user_ptr) {
         TinyAllocGateContext ctx;
         ctx.size = size;
@@ -160,4 +173,3 @@ static inline void* tiny_alloc_gate_fast(size_t size)
 }
 
 #endif // HAKMEM_TINY_ALLOC_GATE_BOX_H
-
diff --git a/core/box/tiny_free_gate_box.h b/core/box/tiny_free_gate_box.h
index ea909b1a..27886c82 100644
--- a/core/box/tiny_free_gate_box.h
+++ b/core/box/tiny_free_gate_box.h
@@ -139,6 +139,26 @@ static inline int tiny_free_gate_try_fast(void* user_ptr)
         return 0;
     }
 
+    // Layer 3a: 軽量 Fail-Fast（常時ON）
+    // 明らかに不正なアドレス（極端に小さい値）は Fast Path では扱わない。
+    // Slow Path 側（hak_free_at + registry/header）に任せる。
+    {
+        uintptr_t addr = (uintptr_t)user_ptr;
+        if (__builtin_expect(addr < 4096, 0)) {
+#if !HAKMEM_BUILD_RELEASE
+            static _Atomic uint32_t g_free_gate_range_invalid = 0;
+            uint32_t n = atomic_fetch_add_explicit(&g_free_gate_range_invalid, 1, memory_order_relaxed);
+            if (n < 8) {
+                fprintf(stderr,
+                        "[TINY_FREE_GATE_RANGE_INVALID] ptr=%p\n",
+                        user_ptr);
+                fflush(stderr);
+            }
+#endif
+            return 0;
+        }
+    }
+
     // 将来の拡張ポイント:
     //   - DIAG ON のときだけ Bridge + Guard を実行し、
     //     Tiny 管理外と判定された場合は Fast Path をスキップする。
@@ -159,4 +179,3 @@ static inline int tiny_free_gate_try_fast(void* user_ptr)
 }
 
 #endif // HAKMEM_TINY_FREE_GATE_BOX_H
-