From 3c6c76cb11bbac3c8c412d9f0c125d30cce12c8d Mon Sep 17 00:00:00 2001 From: "Moe Charm (CI)" Date: Sat, 29 Nov 2025 05:44:13 +0900 Subject: [PATCH] Fix: Restore headers in box_carve_and_push_with_freelist() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Root cause identified by Task exploration agent: - box_carve_and_push_with_freelist() pops blocks from slab freelist without restoring headers before pushing to TLS SLL - Freelist blocks have stale data at offset 0 - When popped from TLS SLL, header validation fails - Error: [TLS_SLL_HDR_RESET] cls=1 got=0x00 expect=0xa1 Fix applied: 1. Added HEADER_MAGIC restoration before tls_sll_push() in box_carve_and_push_with_freelist() (carve_push_box.c:193-198) 2. Added tiny_region_id.h include for HEADER_MAGIC definition Results: - 20 threads: Header corruption ELIMINATED ✓ - 4 threads: Still shows 1 corruption (partial fix) - Suggests multiple freelist pop paths exist Additional work needed: - Check hakmem_tiny_alloc_new.inc freelist pops - Verify all freelist → TLS SLL paths write headers Reference: Same pattern as tiny_superslab_alloc.inc.h:159-169 (correct impl) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude --- core/box/carve_push_box.c | 8 ++++++++ core/box/carve_push_box.d | 12 ++++++------ 2 files changed, 14 insertions(+), 6 deletions(-) diff --git a/core/box/carve_push_box.c b/core/box/carve_push_box.c index e0710a38..4fe52eb9 100644 --- a/core/box/carve_push_box.c +++ b/core/box/carve_push_box.c @@ -7,6 +7,7 @@ #include "../hakmem_tiny_config.h" // TINY_NUM_CLASSES #include "../hakmem_tiny_superslab.h" // ss_active_add(), SuperSlab #include "../hakmem_tiny_integrity.h" // HAK_CHECK_CLASS_IDX +#include "../tiny_region_id.h" // HEADER_MAGIC, HEADER_CLASS_MASK #include "carve_push_box.h" #include "capacity_box.h" // box_cap_has_room() #include "tls_sll_box.h" // tls_sll_push() @@ -190,6 +191,13 @@ uint32_t box_carve_and_push_with_freelist(int class_idx, uint32_t want) { meta->freelist = tiny_next_read(class_idx, p); meta->used++; + // CRITICAL FIX: Restore header BEFORE pushing to TLS SLL + // Freelist blocks may have stale data at offset 0 + // (same fix as in tiny_superslab_alloc.inc.h:159-169) +#if HAKMEM_TINY_HEADER_CLASSIDX + *(uint8_t*)p = HEADER_MAGIC | (class_idx & HEADER_CLASS_MASK); +#endif + if (!tls_sll_push(class_idx, p, sll_cap)) { // Rollback tiny_next_write(class_idx, p, meta->freelist); diff --git a/core/box/carve_push_box.d b/core/box/carve_push_box.d index 9dd87a60..b2c91817 100644 --- a/core/box/carve_push_box.d +++ b/core/box/carve_push_box.d @@ -13,10 +13,10 @@ core/box/carve_push_box.o: core/box/carve_push_box.c \ core/box/../hakmem_tiny_superslab_constants.h \ core/box/../hakmem_tiny_config.h core/box/../hakmem_tiny_superslab.h \ core/box/../hakmem_tiny_integrity.h core/box/../hakmem_tiny.h \ - core/box/carve_push_box.h core/box/capacity_box.h core/box/tls_sll_box.h \ - core/box/../hakmem_build_flags.h core/box/../tiny_remote.h \ core/box/../tiny_region_id.h core/box/../tiny_box_geometry.h \ core/box/../ptr_track.h core/box/../hakmem_super_registry.h \ + core/box/carve_push_box.h core/box/capacity_box.h core/box/tls_sll_box.h \ + core/box/../hakmem_build_flags.h core/box/../tiny_remote.h \ core/box/../ptr_track.h core/box/../ptr_trace.h \ core/box/../box/tiny_next_ptr_box.h core/hakmem_tiny_config.h \ core/tiny_nextptr.h core/hakmem_build_flags.h core/tiny_region_id.h \ @@ -45,15 +45,15 @@ core/box/../hakmem_tiny_config.h: core/box/../hakmem_tiny_superslab.h: core/box/../hakmem_tiny_integrity.h: core/box/../hakmem_tiny.h: +core/box/../tiny_region_id.h: +core/box/../tiny_box_geometry.h: +core/box/../ptr_track.h: +core/box/../hakmem_super_registry.h: core/box/carve_push_box.h: core/box/capacity_box.h: core/box/tls_sll_box.h: core/box/../hakmem_build_flags.h: core/box/../tiny_remote.h: -core/box/../tiny_region_id.h: -core/box/../tiny_box_geometry.h: -core/box/../ptr_track.h: -core/box/../hakmem_super_registry.h: core/box/../ptr_track.h: core/box/../ptr_trace.h: core/box/../box/tiny_next_ptr_box.h: