From 8355214135476a520713d0f851f5bf513c4136a7 Mon Sep 17 00:00:00 2001
From: "Moe Charm (CI)"
Date: Thu, 27 Nov 2025 13:31:46 +0900
Subject: [PATCH] Fix NULL pointer crash in unified_cache_refill ss_active_add
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When superslab_refill() fails in the inner loop, tls->ss can remain NULL even when produced > 0 (from earlier successful allocations). This caused a segfault at high iteration counts (>500K) in the random_mixed benchmark.

Root cause: Line 353 calls ss_active_add(tls->ss, ...) without checking if tls->ss is NULL after a failed refill breaks the loop.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude
---
 core/front/tiny_unified_cache.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/core/front/tiny_unified_cache.c b/core/front/tiny_unified_cache.c
index dbf55293..6aedf0e9 100644
--- a/core/front/tiny_unified_cache.c
+++ b/core/front/tiny_unified_cache.c
@@ -350,7 +350,10 @@ void* unified_cache_refill(int class_idx) {
 if (produced == 0) return NULL;
 
 // Step 4: Update active counter
- ss_active_add(tls->ss, (uint32_t)produced);
+ // Guard: tls->ss can be NULL if all SuperSlab refills failed
+ if (tls->ss) {
+ ss_active_add(tls->ss, (uint32_t)produced);
+ }
 
 // Step 5: Store blocks into unified cache (skip first, return it)
 void* first = out[0];
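Review bot: The guard at the added `if (tls->ss)` line stops the NULL dereference but leaves the `produced` blocks unaccounted for when tls->ss is NULL: by the commit message they were carved from a SuperSlab that the failed refill no longer references, so that slab's active counter is never incremented even though the blocks are about to be handed out. If the active counter is what decides when a SuperSlab may be reclaimed (not visible in this hunk), an undercount is a latent use-after-free rather than a benign skip, and the same attribution problem exists in the non-NULL case, where all `produced` blocks are charged to whichever slab is current after the loop. The more robust fix is to call ss_active_add inside the allocation loop on the slab that actually produced each batch, before superslab_refill() can replace tls->ss. At minimum the skipped case should not be silent, e.g. `} else { /* TODO: produced > 0 with no current SuperSlab; these blocks are not counted on any slab */ }`. unified_cache_refill starts before and continues after the hunk.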