Cleanup: Fix 2 additional Class 0/7 header bugs (correctness fix)
Task Agent Investigation:
- Found 2 more instances of hardcoded `class_idx != 7` checks
- These are real bugs (C0 also uses offset=0, not just C7)
- However, NOT the root cause of 12% crash rate

Bug Fixes (2 locations):
1. tls_sll_drain_box.h:190
   - Path: TLS SLL drain → tiny_free_local_box()
   - Fix: Use tiny_header_write_for_alloc() (ALL classes)
   - Reason: tiny_free_local_box() reads header for class_idx
2. hakmem_tiny_refill.inc.h:384
   - Path: SuperSlab refill → TLS SLL push
   - Fix: Use tiny_header_write_if_preserved() (C1-C6 only)
   - Reason: TLS SLL push needs header for validation

Test Results:
- Before: 12% crash rate (88/100 runs successful)
- After: 12% crash rate (44/50 runs successful)
- Conclusion: Correctness fix, but not primary crash cause

Analysis:
- Bugs are real (incorrect Class 0 handling)
- Fixes don't reduce crash rate → different root cause exists
- Heisenbug characteristics (disappears under gdb)
- Likely: Race condition, uninitialized memory, or use-after-free

Remaining Work:
- 12% crash rate persists (requires different investigation)
- Next: Focus on TLS initialization, race conditions, allocation paths

Design Note:
- tls_sll_drain_box.h uses tiny_header_write_for_alloc() because tiny_free_local_box() needs header to read class_idx
- hakmem_tiny_refill.inc.h uses tiny_header_write_if_preserved() because TLS SLL push validates header (C1-C6 only)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@ -18,6 +18,7 @@
|
||||
#include "tiny_box_geometry.h"
|
||||
#include "superslab/superslab_inline.h"
|
||||
#include "box/tls_sll_box.h"
|
||||
#include "box/tiny_header_box.h" // Header Box: Single Source of Truth for header operations
|
||||
#include "hakmem_tiny_integrity.h"
|
||||
#include "box/tiny_next_ptr_box.h"
|
||||
#include "tiny_region_id.h" // For HEADER_MAGIC/HEADER_CLASS_MASK (prepare header before SLL push)
|
||||
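Review bot: the comment on the `tiny_region_id.h` include in this block is now stale: it still reads "For HEADER_MAGIC/HEADER_CLASS_MASK (prepare header before SLL push)", but with `box/tiny_header_box.h` included the refill path in this commit no longer uses those macros directly. If nothing else in the file needs them, drop the include; otherwise reword the comment so it does not describe code that has been removed.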
@ -379,12 +380,9 @@ int sll_refill_small_from_ss(int class_idx, int max_take)
|
||||
tiny_debug_validate_node_base(class_idx, p, "sll_refill_small_from_ss");
|
||||
|
||||
// Prepare header for header-classes so that safeheader mode accepts the push
|
||||
// C0-C6: Restore header (offset=1 layout). C7: skip (offset=0 - header overwritten by next).
|
||||
#if HAKMEM_TINY_HEADER_CLASSIDX
|
||||
if (class_idx != 7) {
|
||||
*(uint8_t*)p = HEADER_MAGIC | (class_idx & HEADER_CLASS_MASK);
|
||||
}
|
||||
#endif
|
||||
// Uses Header Box API (C1-C6 only; C0/C7 skip - offset=0 overwrites header)
|
||||
tiny_header_write_if_preserved(p, class_idx);
|
||||
|
||||
// SLL push 失敗時はそれ以上積まない(p はTLS slab管理下なので破棄でOK)
|
||||
if (!tls_sll_push(class_idx, p, cap)) {
|
||||
break;
|
||||
|
||||
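Review bot: the `#if HAKMEM_TINY_HEADER_CLASSIDX` guard around the old header write in sll_refill_small_from_ss() is gone and `tiny_header_write_if_preserved(p, class_idx);` is now called unconditionally, so the helper must compile to a no-op when that macro is 0. Its definition is not visible in this diff; please confirm that, or keep the guard at the call site. Separately, C0 changes here from header-written (`class_idx != 7`) to header-skipped, while the retained comment still says "Prepare header for header-classes so that safeheader mode accepts the push". Please state next to the call that tls_sll_push() does not validate a header for C0; if it does, the push fails for every C0 block and the loop exits at the `break` without refilling.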