Fix #16: Resolve double BASE→USER conversion causing header corruption

🎯 ROOT CAUSE: Internal allocation helpers were prematurely converting BASE → USER pointers before returning to caller. The caller then applied HAK_RET_ALLOC/tiny_region_id_write_header which performed ANOTHER BASE→USER conversion, resulting in double offset (BASE+2) and header written at wrong location. 📦 BOX THEORY SOLUTION: Establish clean pointer conversion boundary at tiny_region_id_write_header, making it the single source of truth for BASE → USER conversion. 🔧 CHANGES: - Fix #16: Remove premature BASE→USER conversions (6 locations) * core/tiny_alloc_fast.inc.h (3 fixes) * core/hakmem_tiny_refill.inc.h (2 fixes) * core/hakmem_tiny_fastcache.inc.h (1 fix) - Fix #12: Add header validation in tls_sll_pop (detect corruption) - Fix #14: Defense-in-depth header restoration in tls_sll_splice - Fix #15: USER pointer detection (for debugging) - Fix #13: Bump window header restoration - Fix #2, #6, #7, #8: Various header restoration & NULL termination 🧪 TEST RESULTS: 100% SUCCESS - 10K-500K iterations: All passed - 8 seeds × 100K: All passed (42,123,456,789,999,314,271,161) - Performance: ~630K ops/s average (stable) - Header corruption: ZERO 📋 FIXES SUMMARY: Fix #1-8: Initial header restoration & chain fixes (chatgpt-san) Fix #9-10: USER pointer auto-fix (later disabled) Fix #12: Validation system (caught corruption at call 14209) Fix #13: Bump window header writes Fix #14: Splice defense-in-depth Fix #15: USER pointer detection (debugging tool) Fix #16: Double conversion fix (FINAL SOLUTION) ✅ 🎓 LESSONS LEARNED: 1. Validation catches bugs early (Fix #12 was critical) 2. Class-specific inline logging reveals patterns (Option C) 3. Box Theory provides clean architectural boundaries 4. Multiple investigation approaches (Task/chatgpt-san collaboration) 📄 DOCUMENTATION: - P0_BUG_STATUS.md: Complete bug tracking timeline - C2_CORRUPTION_ROOT_CAUSE_FINAL.md: Detailed root cause analysis - FINAL_ANALYSIS_C2_CORRUPTION.md: Investigation methodology 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> Co-Authored-By: Task Agent <task@anthropic.com> Co-Authored-By: ChatGPT <chatgpt@openai.com>
2025-11-12 10:33:57 +09:00
parent af589c7169
commit 84dbd97fe9
13 changed files with 1270 additions and 72 deletions
--- a/core/hakmem_tiny_fastcache.inc.h
+++ b/core/hakmem_tiny_fastcache.inc.h
@ -148,12 +148,10 @@ static inline void* fastcache_pop(int class_idx) {
    TinyFastCache* fc = &g_fast_cache[class_idx];
    if (__builtin_expect(fc->top > 0, 1)) {
        void* base = fc->items[--fc->top];
-        // CRITICAL FIX: Convert base -> user pointer for classes 0-6
-        // FastCache stores base pointers, user needs base+1
-        if (class_idx == 7) {
-            return base;  // C7: headerless, return base
-        }
-        return (void*)((uint8_t*)base + 1);  // C0-C6: return user pointer
+        // ✅ FIX #16: Return BASE pointer (not USER)
+        // FastCache stores base pointers. Caller will apply HAK_RET_ALLOC
+        // which does BASE → USER conversion via tiny_region_id_write_header
+        return base;
    }
    return NULL;
 }