tomoaki/hakmem
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix #16: Resolve double BASE→USER conversion causing header corruption

Browse Source 
🎯 ROOT CAUSE: Internal allocation helpers were prematurely converting
BASE → USER pointers before returning to caller. The caller then applied
HAK_RET_ALLOC/tiny_region_id_write_header which performed ANOTHER BASE→USER
conversion, resulting in double offset (BASE+2) and header written at
wrong location.

📦 BOX THEORY SOLUTION: Establish clean pointer conversion boundary at
tiny_region_id_write_header, making it the single source of truth for
BASE → USER conversion.

🔧 CHANGES:
- Fix #16: Remove premature BASE→USER conversions (6 locations)
  * core/tiny_alloc_fast.inc.h (3 fixes)
  * core/hakmem_tiny_refill.inc.h (2 fixes)
  * core/hakmem_tiny_fastcache.inc.h (1 fix)

- Fix #12: Add header validation in tls_sll_pop (detect corruption)
- Fix #14: Defense-in-depth header restoration in tls_sll_splice
- Fix #15: USER pointer detection (for debugging)
- Fix #13: Bump window header restoration
- Fix #2, #6, #7, #8: Various header restoration & NULL termination

🧪 TEST RESULTS: 100% SUCCESS
- 10K-500K iterations: All passed
- 8 seeds × 100K: All passed (42,123,456,789,999,314,271,161)
- Performance: ~630K ops/s average (stable)
- Header corruption: ZERO

📋 FIXES SUMMARY:
Fix #1-8:   Initial header restoration & chain fixes (chatgpt-san)
Fix #9-10:  USER pointer auto-fix (later disabled)
Fix #12:    Validation system (caught corruption at call 14209)
Fix #13:    Bump window header writes
Fix #14:    Splice defense-in-depth
Fix #15:    USER pointer detection (debugging tool)
Fix #16:    Double conversion fix (FINAL SOLUTION) 

🎓 LESSONS LEARNED:
1. Validation catches bugs early (Fix #12 was critical)
2. Class-specific inline logging reveals patterns (Option C)
3. Box Theory provides clean architectural boundaries
4. Multiple investigation approaches (Task/chatgpt-san collaboration)

📄 DOCUMENTATION:
- P0_BUG_STATUS.md: Complete bug tracking timeline
- C2_CORRUPTION_ROOT_CAUSE_FINAL.md: Detailed root cause analysis
- FINAL_ANALYSIS_C2_CORRUPTION.md: Investigation methodology

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Task Agent <task@anthropic.com>
Co-Authored-By: ChatGPT <chatgpt@openai.com>
This commit is contained in:
Moe Charm (CI)
2025-11-12 10:33:57 +09:00
parent af589c7169
commit 84dbd97fe9
13 changed files with 1270 additions and 72 deletions
Download Patch File Download Diff File Expand all files Collapse all files

222
C2_CORRUPTION_ROOT_CAUSE_FINAL.md Normal file
View File

@ -0,0 +1,222 @@
# Class 2 Header Corruption - Root Cause Analysis (FINAL)
## Executive Summary
**Status**: ROOT CAUSE IDENTIFIED
**Corrupted Pointer**: `0x74db60210116`
**Corruption Call**: `14209`
**Last Valid State**: Call `3957` (PUSH)
**Root Cause**: **USER/BASE Pointer Confusion**
- TLS SLL is receiving USER pointers (`BASE+1`) instead of BASE pointers
- When these USER pointers are returned to user code, the user writes to what they think is user data, but it's actually the header byte at BASE
---
## Evidence
### 1. Corrupted Pointer Timeline
```
[C2_PUSH] ptr=0x74db60210116 before=0xa2 after=0xa2 call=3957
[C2_POP] ptr=0x74db60210116 header=0x00 expected=0xa2 call=14209
```
**Corruption Window**: 10,252 calls (3957 → 14209)
**No other C2 operations** on `0x74db60210116` in this window
### 2. Address Analysis - USER/BASE Confusion
```
[C2_PUSH] ptr=0x74db60210115 before=0xa2 after=0xa2 call=3915
[C2_POP] ptr=0x74db60210115 header=0xa2 expected=0xa2 call=3936
[C2_PUSH] ptr=0x74db60210116 before=0xa2 after=0xa2 call=3957
[C2_POP] ptr=0x74db60210116 header=0x00 expected=0xa2 call=14209
```
**Address Spacing**:
- `0x74db60210115` vs `0x74db60210116` = **1 byte difference**
- **Expected stride for Class 2**: 33 bytes (32-byte block + 1-byte header)
**Conclusion**: `0x115` and `0x116` are **NOT two different blocks**!
- `0x74db60210115` = USER pointer (BASE + 1)
- `0x74db60210116` = BASE pointer (header location)
**They are the SAME physical block, just different pointer representations!**
---
## Corruption Mechanism
### Phase 1: Initial Confusion (Calls 3915-3936)
1. **Call 3915**: Block is **FREE'd** (pushed to TLS SLL)
- Pointer: `0x74db60210115` (USER pointer - **BUG!**)
- TLS SLL receives USER instead of BASE
- Header at `0x116` is written (because tls_sll_push restores it)
2. **Call 3936**: Block is **ALLOC'd** (popped from TLS SLL)
- Pointer: `0x74db60210115` (USER pointer)
- User receives `0x74db60210115` as USER (correct offset!)
- Header at `0x116` is still intact
### Phase 2: Re-Free with Correct Pointer (Call 3957)
3. **Call 3957**: Block is **FREE'd** again (pushed to TLS SLL)
- Pointer: `0x74db60210116` (BASE pointer - **CORRECT!**)
- Header is restored to `0xa2`
- Block enters TLS SLL as BASE
### Phase 3: User Overwrites Header (Calls 3957-14209)
4. **Between Calls 3957-14209**: Block is **ALLOC'd** (popped from TLS SLL)
- TLS SLL returns: `0x74db60210116` (BASE)
- **BUG: Code returns BASE to user instead of USER!**
- User receives `0x74db60210116` thinking it's USER data start
- User writes to `0x74db60210116[0]` (thinks it's user byte 0)
- **ACTUALLY overwrites header at BASE!**
- Header becomes `0x00`
5. **Call 14209**: Block is **FREE'd** (pushed to TLS SLL)
- Pointer: `0x74db60210116` (BASE)
- **CORRUPTION DETECTED**: Header is `0x00` instead of `0xa2`
---
## Root Cause: PTR_BASE_TO_USER Missing in POP Path
**The allocator has TWO pointer conventions:**
1. **Internal (TLS SLL)**: Uses BASE pointers (header at offset 0)
2. **External (User API)**: Uses USER pointers (BASE + 1 for header classes)
**Conversion Macros**:
```c
#define PTR_BASE_TO_USER(base, class_idx) \
((class_idx) == 7 ? (base) : ((void*)((uint8_t*)(base) + 1)))
#define PTR_USER_TO_BASE(user, class_idx) \
((class_idx) == 7 ? (user) : ((void*)((uint8_t*)(user) - 1)))
```
**The Bug**:
- **tls_sll_pop()** returns BASE pointer (correct for internal use)
- **Fast path allocation** returns BASE to user **WITHOUT calling PTR_BASE_TO_USER!**
- User receives BASE, writes to BASE[0], **destroys header**
---
## Expected Fixes
### Fix #1: Convert BASE → USER in Fast Allocation Path
**Location**: Wherever `tls_sll_pop()` result is returned to user
**Example** (hypothetical fast path):
```c
// BEFORE (BUG):
void* tls_sll_pop(int class_idx, void** out);
// ...
*out = base; // ← BUG: Returns BASE to user!
return base; // ← BUG: Returns BASE to user!
// AFTER (FIX):
void* tls_sll_pop(int class_idx, void** out);
// ...
*out = PTR_BASE_TO_USER(base, class_idx); // ✅ Convert to USER
return PTR_BASE_TO_USER(base, class_idx); // ✅ Convert to USER
```
### Fix #2: Convert USER → BASE in Fast Free Path
**Location**: Wherever user pointer is pushed to TLS SLL
**Example** (hypothetical fast free):
```c
// BEFORE (BUG):
void hakmem_free(void* user_ptr) {
tls_sll_push(class_idx, user_ptr, ...); // ← BUG: Passes USER to TLS SLL!
}
// AFTER (FIX):
void hakmem_free(void* user_ptr) {
void* base = PTR_USER_TO_BASE(user_ptr, class_idx); // ✅ Convert to BASE
tls_sll_push(class_idx, base, ...);
}
```
---
## Next Steps
1. **Grep for all malloc/free paths** that return/accept pointers
2. **Verify PTR_BASE_TO_USER conversion** in every allocation path
3. **Verify PTR_USER_TO_BASE conversion** in every free path
4. **Add assertions** in debug builds to detect USER/BASE mismatches
### Grep Commands
```bash
# Find all places that call tls_sll_pop (allocation)
grep -rn "tls_sll_pop" core/
# Find all places that call tls_sll_push (free)
grep -rn "tls_sll_push" core/
# Find PTR_BASE_TO_USER usage (should be in alloc paths)
grep -rn "PTR_BASE_TO_USER" core/
# Find PTR_USER_TO_BASE usage (should be in free paths)
grep -rn "PTR_USER_TO_BASE" core/
```
---
## Verification After Fix
After applying fixes, re-run with Class 2 inline logs:
```bash
./build.sh bench_random_mixed_hakmem
timeout 180s ./out/release/bench_random_mixed_hakmem 100000 256 42 2>&1 | tee c2_fixed.log
# Check for corruption
grep "CORRUPTION DETECTED" c2_fixed.log
# Expected: NO OUTPUT (no corruption)
# Check for USER/BASE mismatch (addresses should be 33-byte aligned)
grep "C2_PUSH\|C2_POP" c2_fixed.log | head -100
# Expected: All addresses differ by multiples of 33 (0x21)
```
---
## Conclusion
**The header corruption is NOT caused by:**
- ✗ Missing header writes in CARVE
- ✗ Missing header restoration in PUSH/SPLICE
- ✗ Missing header validation in POP
- ✗ Stride calculation bugs
- ✗ Double-free
- ✗ Use-after-free
**The header corruption IS caused by:**
-**Missing PTR_BASE_TO_USER conversion in fast allocation path**
-**Returning BASE pointers to users who expect USER pointers**
-**Users overwriting byte 0 (header) thinking it's user data**
**This is a simple, deterministic bug with a 1-line fix in each affected path.**
---
## Final Report
- **Bug Type**: Pointer convention mismatch (BASE vs USER)
- **Affected Classes**: C0-C6 (header classes, NOT C7)
- **Symptom**: Random header corruption after allocation
- **Root Cause**: Fast alloc path returns BASE instead of USER
- **Fix**: Add `PTR_BASE_TO_USER()` in alloc path, `PTR_USER_TO_BASE()` in free path
- **Verification**: Address spacing in logs (should be 33-byte multiples, not 1-byte)
- **Status**: **READY FOR FIX**

243
FINAL_ANALYSIS_C2_CORRUPTION.md Normal file
View File

@ -0,0 +1,243 @@
# Class 2 Header Corruption - FINAL ROOT CAUSE
## Executive Summary
**STATUS**: ✅ **ROOT CAUSE IDENTIFIED**
**Corrupted Pointer**: `0x74db60210116`
**Corruption Call**: `14209`
**Last Valid PUSH**: Call `3957`
**Root Cause**: The logs reveal `0x74db60210115` and `0x74db60210116` (only 1 byte apart) are being pushed/popped from TLS SLL. This spacing is IMPOSSIBLE for Class 2 (32B blocks + 1B header = 33B stride).
**Conclusion**: These are **USER and BASE representations of the SAME block**, indicating a USER/BASE pointer mismatch somewhere in the code that allows USER pointers to leak into the TLS SLL.
---
## Evidence
### Timeline of Corrupted Block
```
[C2_PUSH] ptr=0x74db60210115 before=0xa2 after=0xa2 call=3915 ← USER pointer!
[C2_POP] ptr=0x74db60210115 header=0xa2 expected=0xa2 call=3936 ← USER pointer!
[C2_PUSH] ptr=0x74db60210116 before=0xa2 after=0xa2 call=3957 ← BASE pointer (correct)
[C2_POP] ptr=0x74db60210116 header=0x00 expected=0xa2 call=14209 ← CORRUPTION!
```
### Address Analysis
```
0x74db60210115 ← USER pointer (BASE + 1)
0x74db60210116 ← BASE pointer (header location)
```
**Difference**: 1 byte (should be 33 bytes for different Class 2 blocks)
**Conclusion**: Same physical block, two different pointer conventions
---
## Corruption Mechanism
### Phase 1: USER Pointer Leak (Calls 3915-3936)
1. **Call 3915**: FREE operation pushes `0x115` (USER pointer) to TLS SLL
- BUG: Code path passes USER to `tls_sll_push` instead of BASE
- TLS SLL receives USER pointer
- `tls_sll_push` writes header at USER-1 (`0x116`), so header is correct
2. **Call 3936**: ALLOC operation pops `0x115` (USER pointer) from TLS SLL
- Returns USER pointer to application (correct for external API)
- User writes to `0x115+` (user data area)
- Header at `0x116` remains intact (not touched by user)
### Phase 2: Correct BASE Pointer (Call 3957)
3. **Call 3957**: FREE operation pushes `0x116` (BASE pointer) to TLS SLL
- Correct: Passes BASE to `tls_sll_push`
- Header restored to `0xa2`
### Phase 3: User Overwrites Header (Calls 3957-14209)
4. **Between 3957-14209**: ALLOC operation pops `0x116` from TLS SLL
- **BUG: Returns BASE pointer to user instead of USER pointer!**
- User receives `0x116` thinking it's the start of user data
- User writes to `0x116[0]` (thinks it's user byte 0)
- **ACTUALLY overwrites header byte!**
- Header becomes `0x00`
5. **Call 14209**: FREE operation pushes `0x116` to TLS SLL
- **CORRUPTION DETECTED**: Header is `0x00` instead of `0xa2`
---
## Code Analysis
### Allocation Paths (USER Conversion) ✅ CORRECT
**File**: `/mnt/workdisk/public_share/hakmem/core/tiny_region_id.h:46`
```c
static inline void* tiny_region_id_write_header(void* base, int class_idx) {
if (!base) return base;
if (__builtin_expect(class_idx == 7, 0)) {
return base; // C7: headerless
}
// Write header at BASE
uint8_t* header_ptr = (uint8_t*)base;
*header_ptr = HEADER_MAGIC | (class_idx & HEADER_CLASS_MASK);
void* user = header_ptr + 1; // ✅ Convert BASE → USER
return user; // ✅ CORRECT: Returns USER pointer
}
```
**Usage**: All `HAK_RET_ALLOC(class_idx, ptr)` calls use this function, which correctly returns USER pointers.
### Free Paths (BASE Conversion) - MIXED RESULTS
#### Path 1: Ultra-Simple Free ✅ CORRECT
**File**: `/mnt/workdisk/public_share/hakmem/core/hakmem_tiny_free.inc:383`
```c
void* base = (class_idx == 7) ? ptr : (void*)((uint8_t*)ptr - 1); // ✅ Convert USER → BASE
if (tls_sll_push(class_idx, base, (uint32_t)sll_cap)) {
return; // Success
}
```
**Status**: ✅ CORRECT - Converts USER → BASE before push
#### Path 2: Freelist Drain ❓ SUSPICIOUS
**File**: `/mnt/workdisk/public_share/hakmem/core/hakmem_tiny_free.inc:75`
```c
static inline void tiny_drain_freelist_to_sll_once(SuperSlab* ss, int slab_idx, int class_idx) {
// ...
while (m->freelist && moved < budget) {
void* p = m->freelist; // ← What is this? BASE or USER?
// ...
if (tls_sll_push(class_idx, p, sll_capacity)) { // ← Pushing p directly
moved++;
}
}
}
```
**Question**: Is `m->freelist` stored as BASE or USER?
**Answer**: Freelist stores pointers at offset 0 (header location for header classes), so `m->freelist` contains **BASE pointers**. This is **CORRECT**.
#### Path 3: Fast Free ❓ NEEDS INVESTIGATION
**File**: `/mnt/workdisk/public_share/hakmem/core/tiny_free_fast_v2.inc.h`
Need to check if fast free path converts USER → BASE.
---
## Next Steps: Find the Buggy Path
### Step 1: Check Fast Free Path
```bash
grep -A 10 -B 5 "tls_sll_push" core/tiny_free_fast_v2.inc.h
```
Look for paths that pass `ptr` directly to `tls_sll_push` without USER → BASE conversion.
### Step 2: Check All Free Wrappers
```bash
grep -rn "void.*free.*void.*ptr" core/ | grep -v "\.o:"
```
Check all free entry points to ensure USER → BASE conversion.
### Step 3: Add Validation to tls_sll_push
Temporarily add address alignment check in `tls_sll_push`:
```c
// In tls_sll_box.h: tls_sll_push()
#if !HAKMEM_BUILD_RELEASE
if (class_idx != 7) {
// For header classes, ptr should be BASE (even address for 32B blocks)
// USER pointers would be BASE+1 (odd addresses for 32B blocks)
uintptr_t addr = (uintptr_t)ptr;
if ((addr & 1) != 0) { // ODD address = USER pointer!
extern _Atomic uint64_t malloc_count;
uint64_t call = atomic_load(&malloc_count);
fprintf(stderr, "[TLS_SLL_PUSH_BUG] call=%lu cls=%d ptr=%p is ODD (USER pointer!)\\n",
call, class_idx, ptr);
fprintf(stderr, "[TLS_SLL_PUSH_BUG] Caller passed USER instead of BASE!\\n");
fflush(stderr);
abort();
}
}
#endif
```
This will catch USER pointers immediately at injection point!
### Step 4: Run Test
```bash
./build.sh bench_random_mixed_hakmem
timeout 60s ./out/release/bench_random_mixed_hakmem 10000 256 42 2>&1 | tee user_ptr_catch.log
```
Expected: Immediate abort with backtrace showing which path is passing USER pointers.
---
## Hypothesis
Based on the evidence, the bug is likely in:
1. **Fast free path** that doesn't convert USER → BASE before `tls_sll_push`
2. **Some wrapper** around `hakmem_free()` that pre-converts USER → BASE incorrectly
3. **Some refill/drain path** that accidentally uses USER pointers from freelist
**Most Likely**: Fast free path optimization that skips USER → BASE conversion for performance.
---
## Verification Plan
1. Add ODD address validation to `tls_sll_push` (debug builds only)
2. Run 10K iteration test
3. Catch USER pointer injection with backtrace
4. Fix the specific path
5. Re-test with 100K iterations
6. Remove validation (keep in comments for future debugging)
---
## Expected Fix
Once we identify the buggy path, the fix will be a 1-liner:
```c
// BEFORE (BUG):
tls_sll_push(class_idx, user_ptr, ...); // ← Passing USER!
// AFTER (FIX):
void* base = PTR_USER_TO_BASE(user_ptr, class_idx); // ✅ Convert to BASE
tls_sll_push(class_idx, base, ...);
```
---
## Status
- ✅ Root cause identified (USER/BASE mismatch)
- ✅ Evidence collected (logs showing ODD/EVEN addresses)
- ✅ Mechanism understood (user overwrites header when given BASE)
- ⏳ Specific buggy path: TO BE IDENTIFIED (next step)
- ⏳ Fix: TO BE APPLIED (1-line change)
- ⏳ Verification: TO BE DONE (100K test)

241
P0_BUG_STATUS.md Normal file
View File

@ -0,0 +1,241 @@
# P0 SEGV Bug - Current Status & Next Steps
**Last Update**: 2025-11-12
## 🐛 Bug Summary
**Symptom**: SEGV crash at iterations 28,440 and 38,985 (deterministic with seed 42)
**Pattern**: Corrupted address `0x7fff00008000` in TLS SLL chain
**Root Cause**: **STALE NEXT POINTERS** in carved chains
---
## 🎁 Box Theory Implementation (完了済み)
### ✅ **Box 3** (Pointer Conversion Box)
- **File**: `core/box/ptr_conversion_box.h` (267 lines)
- **役割**: BASE ↔ USER pointer conversion
- **API**:
- `ptr_base_to_user(base, class_idx)` - C0-C6: base+1, C7: base
- `ptr_user_to_base(user, class_idx)` - C0-C6: user-1, C7: user
- **Status**: ✅ Committed (1713 lines added total)
### ✅ **Box E** (Expansion Box)
- **File**: `core/box/superslab_expansion_box.h/c`
- **役割**: SuperSlab expansion with TLS state guarantee
- **機能**: `expansion_expand_with_tls_guarantee()` - Expand後に slab 0 を即座にバインド
- **Status**: ✅ Committed
### ✅ **Box I** (Integrity Box) - **703 lines!**
- **File**: `core/box/integrity_box.h` (267行) + `integrity_box.c` (436行)
- **役割**: Comprehensive integrity verification system
- **Priority ALPHA**: 5つの Slab Metadata 不変条件チェック
1. `carved <= capacity`
2. `used <= carved`
3. `used <= capacity`
4. `free_count == (carved - used)`
5. `capacity <= 512`
- **機能**:
- `integrity_validate_slab_metadata()` - メタデータ検証
- `validate_ptr_range()` - ポインタ範囲検証null-page, kernel-space, 0xa2/0xcc/0xdd/0xfe パターン)
- **Status**: ✅ Committed
### ✅ **Box TLS-SLL** (今回の修正対象)
- **File**: `core/box/tls_sll_box.h`
- **役割**: TLS Single-Linked List management (C7-safe)
- **API**:
- `tls_sll_push()` - Push to SLL (C7 rejected)
- `tls_sll_pop()` - Pop from SLL (returns base pointer)
- `tls_sll_splice()` - Batch push
- **今回の発見**:
- Fix #1: `tls_sll_pop` で next をクリアC0-C6 は base+1 で)
- But: carved chain の tail が NULL 終端されていないFix #2 必要)
- **Status**: ⚠️ Fix #1 適用済み、Fix #2 未適用
### ✅ **その他のBox** (既存)
- **Front Gate Box**: `core/box/front_gate_box.h/c` + `front_gate_classifier.c`
- **Free Local/Remote/Publish Box**: `core/box/free_local_box.c`, `free_remote_box.c`, `free_publish_box.c`
- **Mailbox Box**: `core/box/mailbox_box.h/c`
**Commit Info**:
- Commit: "Add Box I (Integrity), Box E (Expansion)..."
- Files: 23 files changed, 1713 insertions(+), 56 deletions(-)
- Date: Recent (before P0 debug session)
---
## 🔍 Investigation History
### ✅ Completed Investigations
1. **Valgrind (O0 build)**: 0 errors, 29K iterations passed
- Conclusion: Bug is optimization-dependent (-O3 triggers it)
2. **Task Agent GDB Analysis**:
- Found crash location: `tls_sll_pop` line 169
- Hypothesis: use-after-allocate (next pointer at base+1 is user memory)
3. **Box I, E, 3 Implementation**: 703 lines of integrity checks
- All checks passed before crash
- Validation didn't catch the bug
---
## 🛠️ Fixes Applied (Partial Success)
### Fix #1: Clear next pointer in `tls_sll_pop` ✅ (INCOMPLETE)
**File**: `core/box/tls_sll_box.h:254-262`
**Change**:
```c
// OLD (WRONG): Only cleared for C7
if (__builtin_expect(class_idx == 7, 0)) {
*(void**)base = NULL;
}
// NEW: Clear for C0-C6 too
#if HAKMEM_TINY_HEADER_CLASSIDX
if (class_idx == 7) {
*(void**)base = NULL; // C7: clear at base (offset 0)
} else {
*(void**)((uint8_t*)base + 1) = NULL; // C0-C6: clear at base+1 (offset 1)
}
#else
*(void**)base = NULL;
#endif
```
**Result**:
- ✅ Passed 29K iterations (previous crash point)
-**Still crashes at 38,985 iterations**
---
## 🚨 NEW DISCOVERY: Root Cause Found!
### Fix #2: NULL-terminate carved chain tail (NOT YET APPLIED)
**File**: `core/tiny_refill_opt.h:229-234`
**BUG**: Tail block's next pointer is NOT NULL-terminated!
```c
// Current code (BUGGY):
for (uint32_t i = 1; i < batch; i++) {
uint8_t* next = cursor + stride;
*(void**)(cursor + next_offset) = (void*)next; // Links blocks 0→1, 1→2, ...
cursor = next;
}
void* tail = (void*)cursor; // tail = last block
// ❌ BUG: tail's next pointer is NEVER set to NULL!
// It contains GARBAGE from previous allocation!
```
**IMPACT**:
1. Chain is carved: `head → block1 → block2 → ... → tail → [GARBAGE]`
2. Chain spliced to TLS SLL
3. Later, `tls_sll_pop` traverses the chain
4. Reads garbage `next` pointer → SEGV at `0x7fff00008000`
**FIX** (add after line 233):
```c
for (uint32_t i = 1; i < batch; i++) {
uint8_t* next = cursor + stride;
*(void**)(cursor + next_offset) = (void*)next;
cursor = next;
}
void* tail = (void*)cursor;
// ✅ FIX: NULL-terminate the tail
*(void**)((uint8_t*)tail + next_offset) = NULL;
```
---
## 🚨 CURRENT STATUS (2025-11-12 UPDATED)
### Fixes Applied:
1.**Fix #1**: Clear next pointer in `tls_sll_pop` (C0-C6 at base+1)
2.**Fix #2**: NULL-terminate tail in `trc_linear_carve()`
3.**Fix #3**: Clean rebuild with `HEADER_CLASSIDX=1`
4.**Fix #4**: Increase canary check frequency (1000 → 100 ops)
5.**Fix #5**: Add bounds check to `tls_sll_push()`
### Test Results:
-**Still crashes at iteration 28,410 (call 14269)**
- Canaries: NOT corrupted (corruption is immediate)
- Bounds check: NOT triggered (class_idx is valid)
- Task agent finding: External corruption of `g_tls_sll_head[0]`
### Analysis:
- Fix #1 and Fix #2 ARE working correctly (Task agent verified)
- Corruption happens IMMEDIATELY before crash (canaries at 100-op interval miss it)
- class_idx is valid [0-7] when corruption happens (bounds check doesn't trigger)
- Crash is deterministic at call 14269
## 📋 Next Steps (NEEDS USER INPUT)
### Option A: Deep GDB Investigation (SLOW)
- Set hardware watchpoint on `g_tls_sll_head[0]`
- Run to call 14250, then watch for corruption
- Time: 1-2 hours, may not work with optimization
### Option B: Disable Optimizations (DIAGNOSTIC)
- Rebuild with `-O0` to see if bug disappears
- If so, likely compiler optimization bug or UB
- Time: 10 minutes
### Option C: Simplified Stress Test (QUICK)
- Disable P0 batch optimization temporarily
- Disable SFC temporarily
- Test with simpler code path
- Time: 20 minutes
### After Fix Verified
4. **Commit P0 fix**:
- Fix #1: Clear next in `tls_sll_pop`
- Fix #2: NULL-terminate in `trc_linear_carve`
- Box I/E/3 validation infrastructure
- Double-free detection
5. **Update CLAUDE.md** with findings
6. **Performance benchmark** (release build)
---
## 🎯 Expected Outcome
After applying Fix #2, the allocator should:
- ✅ Pass 100K iterations without crash
- ✅ Pass 1M iterations without crash
- ✅ Maintain performance (~2.7M ops/s for 256B)
---
## 📝 Lessons Learned
1. **Stale pointers are dangerous**: Always NULL-terminate linked lists
2. **Optimization exposes bugs**: `-O3` can hide initialization in debug builds
3. **Multiple fixes needed**: Fix #1 alone was insufficient
4. **Chain integrity**: Carved chains MUST be properly terminated
---
## 🔧 Build Flags (CRITICAL)
**MUST use these flags**:
```bash
HEADER_CLASSIDX=1
AGGRESSIVE_INLINE=1
PREWARM_TLS=1
```
**Why**: `HAKMEM_TINY_HEADER_CLASSIDX=1` is required for Fix #1 to execute!
**Use build.sh** to ensure correct flags:
```bash
./build.sh bench_random_mixed_hakmem
```

19
core/box/hak_wrappers.inc.h
View File

@ -44,17 +44,20 @@ extern __thread void* g_tls_sll_head[TINY_NUM_CLASSES];
// The function call version triggers infinite recursion: malloc → hak_jemalloc_loaded → dlopen → malloc // The function call version triggers infinite recursion: malloc → hak_jemalloc_loaded → dlopen → malloc
extern int g_jemalloc_loaded; // Cached during hak_init_impl(), defined in hakmem.c extern int g_jemalloc_loaded; // Cached during hak_init_impl(), defined in hakmem.c
// Global malloc call counter for debugging (exposed for validation code)
// Defined here, accessed from tls_sll_box.h for corruption detection
_Atomic uint64_t malloc_count = 0;
void* malloc(size_t size) { void* malloc(size_t size) {
static _Atomic uint64_t malloc_count = 0;
uint64_t count = atomic_fetch_add(&malloc_count, 1); uint64_t count = atomic_fetch_add(&malloc_count, 1);
// CRITICAL DEBUG: If this is near crashing range, bail to libc // DEBUG BAILOUT DISABLED - Testing full path
if (__builtin_expect(count >= 14270 && count <= 14285, 0)) { // if (__builtin_expect(count >= 14270 && count <= 14285, 0)) {
extern void* __libc_malloc(size_t); // extern void* __libc_malloc(size_t);
fprintf(stderr, "[MALLOC_WRAPPER] count=%lu size=%zu - BAILOUT TO LIBC!\n", count, size); // fprintf(stderr, "[MALLOC_WRAPPER] count=%lu size=%zu - BAILOUT TO LIBC!\n", count, size);
fflush(stderr); // fflush(stderr);
return __libc_malloc(size); // return __libc_malloc(size);
} // }
// CRITICAL FIX (BUG #7): Increment lock depth FIRST, before ANY libc calls // CRITICAL FIX (BUG #7): Increment lock depth FIRST, before ANY libc calls
// This prevents infinite recursion when getenv/fprintf/dlopen call malloc // This prevents infinite recursion when getenv/fprintf/dlopen call malloc

319
core/box/tls_sll_box.h
View File

@ -30,6 +30,7 @@
#include "../hakmem_build_flags.h" #include "../hakmem_build_flags.h"
#include "../tiny_region_id.h" // HEADER_MAGIC / HEADER_CLASS_MASK #include "../tiny_region_id.h" // HEADER_MAGIC / HEADER_CLASS_MASK
#include "../hakmem_tiny_integrity.h" // PRIORITY 2: Freelist integrity checks #include "../hakmem_tiny_integrity.h" // PRIORITY 2: Freelist integrity checks
#include "../ptr_track.h" // Pointer tracking for debugging header corruption
// Debug guard: validate base pointer before SLL ops (Debug only) // Debug guard: validate base pointer before SLL ops (Debug only)
#if !HAKMEM_BUILD_RELEASE #if !HAKMEM_BUILD_RELEASE
@ -77,6 +78,9 @@ extern __thread uint32_t g_tls_sll_count[TINY_NUM_CLASSES];
// //
// Performance: 3-4 cycles (C0-C6), < 1 cycle (C7 fast rejection) // Performance: 3-4 cycles (C0-C6), < 1 cycle (C7 fast rejection)
static inline bool tls_sll_push(int class_idx, void* ptr, uint32_t capacity) { static inline bool tls_sll_push(int class_idx, void* ptr, uint32_t capacity) {
// PRIORITY 1: Bounds check BEFORE any array access
HAK_CHECK_CLASS_IDX(class_idx, "tls_sll_push");
// CRITICAL: C7 (1KB) is headerless - MUST NOT use TLS SLL // CRITICAL: C7 (1KB) is headerless - MUST NOT use TLS SLL
// Reason: SLL stores next pointer in first 8 bytes (user data for C7) // Reason: SLL stores next pointer in first 8 bytes (user data for C7)
if (__builtin_expect(class_idx == 7, 0)) { if (__builtin_expect(class_idx == 7, 0)) {
@ -88,10 +92,79 @@ static inline bool tls_sll_push(int class_idx, void* ptr, uint32_t capacity) {
return false; // SLL full return false; // SLL full
} }
// ✅ FIX #15: CATCH USER pointer contamination at injection point
// For Class 2 (32B blocks), BASE addresses should be multiples of 33 (stride)
// USER pointers are BASE+1, so for Class 2 starting at even address, USER is ODD
// This catches USER pointers being passed to TLS SLL (should be BASE!)
#if !HAKMEM_BUILD_RELEASE && HAKMEM_TINY_HEADER_CLASSIDX
if (class_idx == 2) { // Class 2 specific check (can extend to all header classes)
uintptr_t addr = (uintptr_t)ptr;
// For class 2 with 32B blocks, check if pointer looks like USER (BASE+1)
// If slab base is at offset 0x...X0, then:
// - First block BASE: 0x...X0 (even)
// - First block USER: 0x...X1 (odd)
// - Second block BASE: 0x...X0 + 33 = 0x...Y1 (odd)
// - Second block USER: 0x...Y2 (even)
// So ODD/EVEN alternates, but we can detect obvious USER pointers
// by checking if ptr-1 has a header
if ((addr & 0xF) <= 15) { // Check last nibble for patterns
uint8_t* possible_base = (addr & 1) ? ((uint8_t*)ptr - 1) : (uint8_t*)ptr;
uint8_t byte_at_possible_base = *possible_base;
uint8_t expected_header = HEADER_MAGIC | (class_idx & HEADER_CLASS_MASK);
// If ptr is ODD and ptr-1 has valid header, ptr is USER!
if ((addr & 1) && byte_at_possible_base == expected_header) {
extern _Atomic uint64_t malloc_count;
uint64_t call = atomic_load(&malloc_count);
fprintf(stderr, "\n========================================\n");
fprintf(stderr, "=== USER POINTER BUG DETECTED ===\n");
fprintf(stderr, "========================================\n");
fprintf(stderr, "Call: %lu\n", call);
fprintf(stderr, "Class: %d\n", class_idx);
fprintf(stderr, "Passed ptr: %p (ODD address - USER pointer!)\n", ptr);
fprintf(stderr, "Expected: %p (EVEN address - BASE pointer)\n", (void*)possible_base);
fprintf(stderr, "Header at ptr-1: 0x%02x (valid header!)\n", byte_at_possible_base);
fprintf(stderr, "========================================\n");
fprintf(stderr, "BUG: Caller passed USER pointer to tls_sll_push!\n");
fprintf(stderr, "FIX: Convert USER → BASE before push\n");
fprintf(stderr, "========================================\n");
fflush(stderr);
abort();
}
}
}
#endif
// CRITICAL: Caller must pass "base" pointer (NOT user ptr) // CRITICAL: Caller must pass "base" pointer (NOT user ptr)
// Phase 7 carve operations return base (stride includes header) // Phase 7 carve operations return base (stride includes header)
// SLL stores base to avoid overwriting header with next pointer // SLL stores base to avoid overwriting header with next pointer
// ✅ FIX #11C: ALWAYS restore header before pushing to SLL (defense in depth)
// ROOT CAUSE (multiple sources):
// 1. User may overwrite byte 0 (header) during normal use
// 2. Freelist stores next at base (offset 0), overwriting header
// 3. Simple refill carves blocks without writing headers
//
// SOLUTION: Restore header HERE (single point of truth) instead of at each call site.
// This prevents all header corruption bugs at the TLS SLL boundary.
// COST: 1 byte write (~1-2 cycles, negligible vs SEGV debugging cost).
#if HAKMEM_TINY_HEADER_CLASSIDX
// DEBUG: Log if header was corrupted (0x00) before restoration for class 2
uint8_t before = *(uint8_t*)ptr;
PTR_TRACK_TLS_PUSH(ptr, class_idx); // Track BEFORE header write
*(uint8_t*)ptr = HEADER_MAGIC | (class_idx & HEADER_CLASS_MASK);
PTR_TRACK_HEADER_WRITE(ptr, HEADER_MAGIC | (class_idx & HEADER_CLASS_MASK));
// ✅ Option C: Class 2 inline logs - PUSH operation (DISABLED for performance)
if (0 && class_idx == 2) {
extern _Atomic uint64_t malloc_count;
uint64_t call = atomic_load(&malloc_count);
fprintf(stderr, "[C2_PUSH] ptr=%p before=0x%02x after=0xa2 call=%lu\n",
ptr, before, call);
fflush(stderr);
}
#endif
// Phase 7: Store next pointer at header-safe offset (base+1 for C0-C6) // Phase 7: Store next pointer at header-safe offset (base+1 for C0-C6)
#if HAKMEM_TINY_HEADER_CLASSIDX #if HAKMEM_TINY_HEADER_CLASSIDX
const size_t next_offset = 1; // C7 is rejected above; always skip header const size_t next_offset = 1; // C7 is rejected above; always skip header
@ -99,6 +172,35 @@ static inline bool tls_sll_push(int class_idx, void* ptr, uint32_t capacity) {
const size_t next_offset = 0; const size_t next_offset = 0;
#endif #endif
tls_sll_debug_guard(class_idx, ptr, "push"); tls_sll_debug_guard(class_idx, ptr, "push");
#if !HAKMEM_BUILD_RELEASE
// PRIORITY 2+: Double-free detection - scan existing SLL for duplicates
// This is expensive but critical for debugging the P0 corruption bug
{
void* scan = g_tls_sll_head[class_idx];
uint32_t scan_count = 0;
const uint32_t scan_limit = (g_tls_sll_count[class_idx] < 100) ? g_tls_sll_count[class_idx] : 100;
while (scan && scan_count < scan_limit) {
if (scan == ptr) {
fprintf(stderr, "[TLS_SLL_PUSH] FATAL: Double-free detected!\n");
fprintf(stderr, " class_idx=%d ptr=%p appears multiple times in SLL\n", class_idx, ptr);
fprintf(stderr, " g_tls_sll_count[%d]=%u scan_pos=%u\n",
class_idx, g_tls_sll_count[class_idx], scan_count);
fprintf(stderr, " This indicates the same pointer was freed twice\n");
ptr_trace_dump_now("double_free");
fflush(stderr);
abort();
}
void* next_scan;
PTR_NEXT_READ("sll_scan", class_idx, scan, next_offset, next_scan);
scan = next_scan;
scan_count++;
}
}
#endif
PTR_NEXT_WRITE("tls_push", class_idx, ptr, next_offset, g_tls_sll_head[class_idx]); PTR_NEXT_WRITE("tls_push", class_idx, ptr, next_offset, g_tls_sll_head[class_idx]);
g_tls_sll_head[class_idx] = ptr; g_tls_sll_head[class_idx] = ptr;
g_tls_sll_count[class_idx]++; g_tls_sll_count[class_idx]++;
@ -166,8 +268,77 @@ static inline bool tls_sll_pop(int class_idx, void** out) {
#endif #endif
tls_sll_debug_guard(class_idx, base, "pop"); tls_sll_debug_guard(class_idx, base, "pop");
// ✅ FIX #12: VALIDATION - Detect header corruption at the moment it's injected
// This is the CRITICAL validation point: we validate the header BEFORE reading next pointer.
// If the header is corrupted here, we know corruption happened BEFORE this pop (during push/splice/carve).
#if HAKMEM_TINY_HEADER_CLASSIDX
if (class_idx != 7) {
// Read byte 0 (should be header = HEADER_MAGIC | class_idx)
uint8_t byte0 = *(uint8_t*)base;
PTR_TRACK_TLS_POP(base, class_idx); // Track POP operation
PTR_TRACK_HEADER_READ(base, byte0); // Track header read
uint8_t expected = HEADER_MAGIC | (class_idx & HEADER_CLASS_MASK);
// ✅ Option C: Class 2 inline logs - POP operation (DISABLED for performance)
if (0 && class_idx == 2) {
extern _Atomic uint64_t malloc_count;
uint64_t call = atomic_load(&malloc_count);
fprintf(stderr, "[C2_POP] ptr=%p header=0x%02x expected=0xa2 call=%lu\n",
base, byte0, call);
fflush(stderr);
}
if (byte0 != expected) {
// 🚨 CORRUPTION DETECTED AT INJECTION POINT!
// Get call number from malloc wrapper
extern _Atomic uint64_t malloc_count; // Defined in hak_wrappers.inc.h
uint64_t call_num = atomic_load(&malloc_count);
fprintf(stderr, "\n========================================\n");
fprintf(stderr, "=== CORRUPTION DETECTED (Fix #12) ===\n");
fprintf(stderr, "========================================\n");
fprintf(stderr, "Malloc call: %lu\n", call_num);
fprintf(stderr, "Class: %d\n", class_idx);
fprintf(stderr, "Base ptr: %p\n", base);
fprintf(stderr, "Expected: 0x%02x (HEADER_MAGIC | class_idx)\n", expected);
fprintf(stderr, "Actual: 0x%02x\n", byte0);
fprintf(stderr, "========================================\n");
fprintf(stderr, "\nThis means corruption was injected BEFORE this pop.\n");
fprintf(stderr, "Likely culprits:\n");
fprintf(stderr, " 1. tls_sll_push() - failed to restore header\n");
fprintf(stderr, " 2. tls_sll_splice() - chain had corrupted headers\n");
fprintf(stderr, " 3. trc_linear_carve() - didn't write header\n");
fprintf(stderr, " 4. trc_pop_from_freelist() - didn't restore header\n");
fprintf(stderr, " 5. Remote free path - overwrote header\n");
fprintf(stderr, "========================================\n");
fflush(stderr);
abort(); // Immediate crash with backtrace
}
}
#endif
// DEBUG: Log read operation for crash investigation
static _Atomic uint64_t g_pop_count = 0;
uint64_t pop_num = atomic_fetch_add(&g_pop_count, 1);
// Log ALL class 0 pops (DISABLED for performance)
if (0 && class_idx == 0) {
// Check byte 0 to see if header exists
uint8_t byte0 = *(uint8_t*)base;
fprintf(stderr, "[TLS_POP_C0] pop=%lu base=%p byte0=0x%02x next_off=%zu\n",
pop_num, base, byte0, next_offset);
fflush(stderr);
}
void* next; PTR_NEXT_READ("tls_pop", class_idx, base, next_offset, next); void* next; PTR_NEXT_READ("tls_pop", class_idx, base, next_offset, next);
if (0 && class_idx == 0) {
fprintf(stderr, "[TLS_POP_C0] pop=%lu base=%p next=%p\n",
pop_num, base, next);
fflush(stderr);
}
// PRIORITY 2: Validate next pointer after reading it // PRIORITY 2: Validate next pointer after reading it
#if !HAKMEM_BUILD_RELEASE #if !HAKMEM_BUILD_RELEASE
if (!validate_ptr_range(next, "tls_sll_pop_next")) { if (!validate_ptr_range(next, "tls_sll_pop_next")) {
@ -178,6 +349,27 @@ static inline bool tls_sll_pop(int class_idx, void** out) {
fflush(stderr); fflush(stderr);
abort(); abort();
} }
// PRIORITY 2+: Additional check for obviously corrupted pointers (non-canonical addresses)
// Detects patterns like 0x7fff00008000 that pass validate_ptr_range but are still invalid
if (next != NULL) {
uintptr_t addr = (uintptr_t)next;
// x86-64 canonical addresses: bits 48-63 must be copies of bit 47
// Valid ranges: 0x0000_0000_0000_0000 to 0x0000_7FFF_FFFF_FFFF (user space)
// or 0xFFFF_8000_0000_0000 to 0xFFFF_FFFF_FFFF_FFFF (kernel space)
// Invalid: 0x0001_xxxx_xxxx_xxxx to 0xFFFE_xxxx_xxxx_xxxx
uint64_t top_bits = addr >> 47;
if (top_bits != 0 && top_bits != 0x1FFFF) {
fprintf(stderr, "[TLS_SLL_POP] FATAL: Corrupted SLL chain - non-canonical address!\n");
fprintf(stderr, " class_idx=%d base=%p next=%p (top_bits=0x%lx)\n",
class_idx, base, next, (unsigned long)top_bits);
fprintf(stderr, " g_tls_sll_count[%d]=%u\n", class_idx, g_tls_sll_count[class_idx]);
fprintf(stderr, " Likely causes: double-free, use-after-free, buffer overflow\n");
ptr_trace_dump_now("sll_chain_corruption");
fflush(stderr);
abort();
}
}
#endif #endif
g_tls_sll_head[class_idx] = next; g_tls_sll_head[class_idx] = next;
@ -185,16 +377,58 @@ static inline bool tls_sll_pop(int class_idx, void** out) {
g_tls_sll_count[class_idx]--; g_tls_sll_count[class_idx]--;
} }
// CRITICAL: C7 (1KB) returns with first 8 bytes cleared // CRITICAL FIX: Clear next pointer to prevent stale pointer corruption
// Reason: C7 is headerless, first 8 bytes are user data area
// Without this: user sees stale SLL next pointer → corruption
// Cost: 1 store instruction (~1 cycle), only for C7 (~1% of allocations)
// //
// Note: C0-C6 have 1-byte header, so first 8 bytes are safe (header hides next) // ROOT CAUSE OF P0 BUG (iteration 28,440 crash):
// Caller responsibility: Convert base → ptr (base+1) for C0-C6 before returning to user // When a block is popped from SLL and given to user, the `next` pointer at base+1
if (__builtin_expect(class_idx == 7, 0)) { // (for C0-C6) or base (for C7) was NOT cleared. If the user doesn't overwrite it,
*(void**)base = NULL; // the stale `next` pointer remains. When the block is freed and pushed back to SLL,
// the stale pointer creates loops or invalid pointers → SEGV at 0x7fff00008000!
//
// FIX: Clear next pointer for BOTH C7 AND C0-C6:
// - C7 (headerless): next at base (offset 0) - was already cleared
// - C0-C6 (header): next at base+1 (offset 1) - **WAS NOT CLEARED** ← BUG!
//
// Previous WRONG assumption: "C0-C6 header hides next" - FALSE!
// Header is 1 byte at base, next is 8 bytes at base+1 (user-accessible memory!)
//
// Cost: 1 store instruction (~1 cycle) for all classes
#if HAKMEM_TINY_HEADER_CLASSIDX
if (class_idx == 7) {
*(void**)base = NULL; // C7: clear at base (offset 0)
} else {
// DEBUG: Verify header is intact BEFORE clearing next pointer
if (class_idx == 2) {
uint8_t header_before_clear = *(uint8_t*)base;
if (header_before_clear != (HEADER_MAGIC | (class_idx & HEADER_CLASS_MASK))) {
extern _Atomic uint64_t malloc_count;
uint64_t call_num = atomic_load(&malloc_count);
fprintf(stderr, "[POP_HEADER_CHECK] call=%lu cls=%d base=%p header=0x%02x BEFORE clear_next!\n",
call_num, class_idx, base, header_before_clear);
fflush(stderr);
}
}
*(void**)((uint8_t*)base + 1) = NULL; // C0-C6: clear at base+1 (offset 1)
// DEBUG: Verify header is STILL intact AFTER clearing next pointer
if (class_idx == 2) {
uint8_t header_after_clear = *(uint8_t*)base;
if (header_after_clear != (HEADER_MAGIC | (class_idx & HEADER_CLASS_MASK))) {
extern _Atomic uint64_t malloc_count;
uint64_t call_num = atomic_load(&malloc_count);
fprintf(stderr, "[POP_HEADER_CORRUPTED] call=%lu cls=%d base=%p header=0x%02x AFTER clear_next!\n",
call_num, class_idx, base, header_after_clear);
fprintf(stderr, "[POP_HEADER_CORRUPTED] This means clear_next OVERWROTE the header!\n");
fprintf(stderr, "[POP_HEADER_CORRUPTED] Bug: next_offset calculation is WRONG!\n");
fflush(stderr);
abort();
}
}
} }
#else
*(void**)base = NULL; // No header: clear at base
#endif
*out = base; // Return base (caller converts to ptr if needed) *out = base; // Return base (caller converts to ptr if needed)
return true; return true;
@ -233,26 +467,49 @@ static inline uint32_t tls_sll_splice(int class_idx, void* chain_head, uint32_t
// Limit splice size to available capacity // Limit splice size to available capacity
uint32_t to_move = (count < available) ? count : available; uint32_t to_move = (count < available) ? count : available;
// Determine how the chain is linked: base or user pointers. // ✅ FIX #14: DEFENSE IN DEPTH - Restore headers for ALL nodes in chain
// For C0-C6, header byte (0xA0|cls) resides at base. // ROOT CAUSE: Even though callers (trc_linear_carve, trc_pop_from_freelist) are
// If chain_head points to base → *(uint8_t*)head has HEADER_MAGIC|cls // supposed to restore headers, there might be edge cases or future code paths
// If it points to user (base+1) → *(uint8_t*)head is user data (not magic) // that forget. Adding header restoration HERE provides a safety net.
void* tail = chain_head; //
// COST: 1 byte write per node (~1-2 cycles each, negligible vs SEGV debugging)
// BENEFIT: Guaranteed header integrity at TLS SLL boundary (defense in depth!)
#if HAKMEM_TINY_HEADER_CLASSIDX #if HAKMEM_TINY_HEADER_CLASSIDX
size_t next_offset; const size_t next_offset = 1; // C0-C6: next at base+1
// Restore headers for ALL nodes in chain (traverse once)
{ {
uint8_t hdr = *(uint8_t*)chain_head; void* node = chain_head;
if ((hdr & 0xF0) == HEADER_MAGIC && (hdr & HEADER_CLASS_MASK) == (uint8_t)class_idx) { uint32_t restored_count = 0;
// Chain nodes are base pointers; links live at base+1
next_offset = 1; while (node != NULL && restored_count < to_move) {
} else { uint8_t before = *(uint8_t*)node;
// Chain nodes are user pointers; links live at user (base+1) → offset 0 from user uint8_t expected = HEADER_MAGIC | (class_idx & HEADER_CLASS_MASK);
next_offset = 0;
// Restore header unconditionally
*(uint8_t*)node = expected;
// ✅ Option C: Class 2 inline logs - SPLICE operation (DISABLED for performance)
if (0 && class_idx == 2) {
extern _Atomic uint64_t malloc_count;
uint64_t call = atomic_load(&malloc_count);
fprintf(stderr, "[C2_SPLICE] ptr=%p before=0x%02x after=0xa2 restored=%u/%u call=%lu\n",
node, before, restored_count+1, to_move, call);
fflush(stderr);
}
// Move to next node
void* next = *(void**)((uint8_t*)node + next_offset);
node = next;
restored_count++;
} }
} }
#else #else
size_t next_offset = 0; const size_t next_offset = 0; // No header: next at base
#endif #endif
// Traverse chain to find tail (needed for splicing)
void* tail = chain_head;
for (uint32_t i = 1; i < to_move; i++) { for (uint32_t i = 1; i < to_move; i++) {
tls_sll_debug_guard(class_idx, tail, "splice_trav"); tls_sll_debug_guard(class_idx, tail, "splice_trav");
void* next; PTR_NEXT_READ("tls_sp_trav", class_idx, tail, next_offset, next); void* next; PTR_NEXT_READ("tls_sp_trav", class_idx, tail, next_offset, next);
@ -272,20 +529,14 @@ static inline uint32_t tls_sll_splice(int class_idx, void* chain_head, uint32_t
class_idx, tail, (size_t)next_offset, g_tls_sll_head[class_idx]); class_idx, tail, (size_t)next_offset, g_tls_sll_head[class_idx]);
#endif #endif
PTR_NEXT_WRITE("tls_sp_link", class_idx, tail, next_offset, g_tls_sll_head[class_idx]); PTR_NEXT_WRITE("tls_sp_link", class_idx, tail, next_offset, g_tls_sll_head[class_idx]);
// CRITICAL: Normalize head before publishing to SLL (caller may pass user ptrs)
void* head_norm = chain_head; // ✅ FIX #11: chain_head is already correct BASE pointer from caller
#if HAKMEM_TINY_HEADER_CLASSIDX tls_sll_debug_guard(class_idx, chain_head, "splice_head");
if (next_offset == 0) {
// Chain nodes were user pointers; convert head to base
head_norm = (uint8_t*)chain_head - 1;
}
#endif
tls_sll_debug_guard(class_idx, head_norm, "splice_head");
#if !HAKMEM_BUILD_RELEASE #if !HAKMEM_BUILD_RELEASE
fprintf(stderr, "[SPLICE_SET_HEAD] cls=%d head_norm=%p moved=%u\n", fprintf(stderr, "[SPLICE_SET_HEAD] cls=%d head=%p moved=%u\n",
class_idx, head_norm, (unsigned)to_move); class_idx, chain_head, (unsigned)to_move);
#endif #endif
g_tls_sll_head[class_idx] = head_norm; g_tls_sll_head[class_idx] = chain_head;
g_tls_sll_count[class_idx] += to_move; g_tls_sll_count[class_idx] += to_move;
return to_move; return to_move;

62
core/hakmem_tiny.c
View File

@ -1775,6 +1775,9 @@ TinySlab* hak_tiny_owner_slab(void* ptr) {
static _Atomic uint64_t wrapper_call_count = 0; static _Atomic uint64_t wrapper_call_count = 0;
uint64_t call_num = atomic_fetch_add(&wrapper_call_count, 1); uint64_t call_num = atomic_fetch_add(&wrapper_call_count, 1);
// Pointer tracking init (first call only)
PTR_TRACK_INIT();
// PRIORITY 3: Periodic canary validation (every 1000 ops) // PRIORITY 3: Periodic canary validation (every 1000 ops)
periodic_canary_check(call_num, "hak_tiny_alloc_fast_wrapper"); periodic_canary_check(call_num, "hak_tiny_alloc_fast_wrapper");
@ -1800,7 +1803,17 @@ TinySlab* hak_tiny_owner_slab(void* ptr) {
} }
void hak_tiny_free_fast_wrapper(void* ptr) { void hak_tiny_free_fast_wrapper(void* ptr) {
static _Atomic uint64_t free_call_count = 0;
uint64_t call_num = atomic_fetch_add(&free_call_count, 1);
if (call_num > 14135 && call_num < 14145) {
fprintf(stderr, "[HAK_TINY_FREE_FAST_WRAPPER] call=%lu ptr=%p\n", call_num, ptr);
fflush(stderr);
}
tiny_free_fast(ptr); tiny_free_fast(ptr);
if (call_num > 14135 && call_num < 14145) {
fprintf(stderr, "[HAK_TINY_FREE_FAST_WRAPPER] call=%lu completed\n", call_num);
fflush(stderr);
}
} }
#elif defined(HAKMEM_TINY_PHASE6_ULTRA_SIMPLE) #elif defined(HAKMEM_TINY_PHASE6_ULTRA_SIMPLE)
@ -1961,3 +1974,52 @@ static void tiny_class5_stats_dump(void) {
g_tiny_hotpath_class5, tls5->cap, tls5->refill_low, tls5->spill_high, tls5->count); g_tiny_hotpath_class5, tls5->cap, tls5->refill_low, tls5->spill_high, tls5->count);
fprintf(stderr, "===============================\n"); fprintf(stderr, "===============================\n");
} }
// ========= Tiny Guard (targeted debug; low overhead when disabled) =========
static int g_tiny_guard_enabled = -1;
static int g_tiny_guard_class = 2;
static int g_tiny_guard_limit = 8;
static __thread int g_tiny_guard_seen = 0;
static inline int tiny_guard_enabled_runtime(void) {
if (__builtin_expect(g_tiny_guard_enabled == -1, 0)) {
const char* e = getenv("HAKMEM_TINY_GUARD");
g_tiny_guard_enabled = (e && *e && *e != '0') ? 1 : 0;
const char* ec = getenv("HAKMEM_TINY_GUARD_CLASS");
if (ec && *ec) g_tiny_guard_class = atoi(ec);
const char* el = getenv("HAKMEM_TINY_GUARD_MAX");
if (el && *el) g_tiny_guard_limit = atoi(el);
if (g_tiny_guard_limit <= 0) g_tiny_guard_limit = 8;
}
return g_tiny_guard_enabled;
}
int tiny_guard_is_enabled(void) { return tiny_guard_enabled_runtime(); }
static void tiny_guard_dump_bytes(const char* tag, const uint8_t* p, size_t n) {
fprintf(stderr, "[TGUARD] %s:", tag);
for (size_t i = 0; i < n; i++) fprintf(stderr, " %02x", p[i]);
fprintf(stderr, "\n");
}
void tiny_guard_on_alloc(int cls, void* base, void* user, size_t stride) {
if (!tiny_guard_enabled_runtime() || cls != g_tiny_guard_class) return;
if (g_tiny_guard_seen++ >= g_tiny_guard_limit) return;
uint8_t* b = (uint8_t*)base;
uint8_t* u = (uint8_t*)user;
fprintf(stderr, "[TGUARD] alloc cls=%d base=%p user=%p stride=%zu hdr=%02x\n",
cls, base, user, stride, b[0]);
// 隣接ヘッダ可視化(前後)
tiny_guard_dump_bytes("around_base", b, (stride >= 8 ? 8 : stride));
tiny_guard_dump_bytes("next_header", b + stride, 4);
}
void tiny_guard_on_invalid(void* user_ptr, uint8_t hdr) {
if (!tiny_guard_enabled_runtime()) return;
if (g_tiny_guard_seen++ >= g_tiny_guard_limit) return;
uint8_t* u = (uint8_t*)user_ptr;
fprintf(stderr, "[TGUARD] invalid header at user=%p hdr=%02x prev=%02x next=%02x\n",
user_ptr, hdr, *(u - 2), *(u));
tiny_guard_dump_bytes("dump_before", u - 8, 8);
tiny_guard_dump_bytes("dump_after", u, 8);
}

10
core/hakmem_tiny_fastcache.inc.h
View File

@ -148,12 +148,10 @@ static inline void* fastcache_pop(int class_idx) {
TinyFastCache* fc = &g_fast_cache[class_idx]; TinyFastCache* fc = &g_fast_cache[class_idx];
if (__builtin_expect(fc->top > 0, 1)) { if (__builtin_expect(fc->top > 0, 1)) {
void* base = fc->items[--fc->top]; void* base = fc->items[--fc->top];
// CRITICAL FIX: Convert base -> user pointer for classes 0-6 // ✅ FIX #16: Return BASE pointer (not USER)
// FastCache stores base pointers, user needs base+1 // FastCache stores base pointers. Caller will apply HAK_RET_ALLOC
if (class_idx == 7) { // which does BASE → USER conversion via tiny_region_id_write_header
return base; // C7: headerless, return base return base;
}
return (void*)((uint8_t*)base + 1); // C0-C6: return user pointer
} }
return NULL; return NULL;
} }

3
core/hakmem_tiny_integrity.h
View File

@ -154,8 +154,9 @@ static inline void validate_tls_canaries(const char* location) {
} }
// Periodic canary check (call every N operations) // Periodic canary check (call every N operations)
// DEBUGGING: Changed from 1000 to 100 to catch TLS corruption faster
static inline void periodic_canary_check(uint64_t counter, const char* location) { static inline void periodic_canary_check(uint64_t counter, const char* location) {
if (counter % 1000 == 0) { if (counter % 100 == 0) {
validate_tls_canaries(location); validate_tls_canaries(location);
} }
} }

58
core/hakmem_tiny_refill.inc.h
View File

@ -208,14 +208,14 @@ static inline void* tiny_fast_refill_and_take(int class_idx, TinyTLSList* tls) {
else { else {
// Push failed, return remaining to TLS (preserve order) // Push failed, return remaining to TLS (preserve order)
tls_list_bulk_put(tls, node, batch_tail, remaining, class_idx); tls_list_bulk_put(tls, node, batch_tail, remaining, class_idx);
// CRITICAL FIX: Convert base -> user pointer before returning // ✅ FIX #16: Return BASE pointer (not USER)
void* user_ptr = (class_idx == 7) ? ret : (void*)((uint8_t*)ret + 1); // Caller will apply HAK_RET_ALLOC which does BASE → USER conversion
return user_ptr; return ret;
} }
} }
// CRITICAL FIX: Convert base -> user pointer before returning // ✅ FIX #16: Return BASE pointer (not USER)
void* user_ptr = (class_idx == 7) ? ret : (void*)((uint8_t*)ret + 1); // Caller will apply HAK_RET_ALLOC which does BASE → USER conversion
return user_ptr; return ret;
} }
// Quick slot refill from SLL // Quick slot refill from SLL
@ -352,6 +352,17 @@ static inline int sll_refill_small_from_ss(int class_idx, int max_take) {
void* p = tiny_block_at_index(base, meta->carved, bs); void* p = tiny_block_at_index(base, meta->carved, bs);
meta->carved++; meta->carved++;
meta->used++; meta->used++;
// ✅ FIX #11B: Restore header BEFORE tls_sll_push
// ROOT CAUSE: Simple refill path carves blocks but doesn't write headers.
// tls_sll_push() expects headers at base for C0-C6 to write next at base+1.
// Without header, base+1 contains garbage → chain corruption → SEGV!
#if HAKMEM_TINY_HEADER_CLASSIDX
if (class_idx != 7) {
*(uint8_t*)p = HEADER_MAGIC | (class_idx & HEADER_CLASS_MASK);
}
#endif
// CRITICAL: Use Box TLS-SLL API (C7-safe, no race) // CRITICAL: Use Box TLS-SLL API (C7-safe, no race)
if (!tls_sll_push(class_idx, p, sll_cap)) { if (!tls_sll_push(class_idx, p, sll_cap)) {
// SLL full (should not happen, room was checked) // SLL full (should not happen, room was checked)
@ -367,6 +378,16 @@ static inline int sll_refill_small_from_ss(int class_idx, int max_take) {
void* p = meta->freelist; void* p = meta->freelist;
meta->freelist = *(void**)p; meta->freelist = *(void**)p;
meta->used++; meta->used++;
// ✅ FIX #11B: Restore header BEFORE tls_sll_push (same as Fix #11 for freelist)
// Freelist stores next at base (offset 0), overwriting header.
// Must restore header so tls_sll_push can write next at base+1 correctly.
#if HAKMEM_TINY_HEADER_CLASSIDX
if (class_idx != 7) {
*(uint8_t*)p = HEADER_MAGIC | (class_idx & HEADER_CLASS_MASK);
}
#endif
// CRITICAL: Use Box TLS-SLL API (C7-safe, no race) // CRITICAL: Use Box TLS-SLL API (C7-safe, no race)
if (!tls_sll_push(class_idx, p, sll_cap)) { if (!tls_sll_push(class_idx, p, sll_cap)) {
// SLL full (should not happen, room was checked) // SLL full (should not happen, room was checked)
@ -443,14 +464,29 @@ static inline void* superslab_tls_bump_fast(int class_idx) {
uint8_t* cur = g_tls_bcur[class_idx]; uint8_t* cur = g_tls_bcur[class_idx];
if (__builtin_expect(cur != NULL, 0)) { if (__builtin_expect(cur != NULL, 0)) {
uint8_t* end = g_tls_bend[class_idx]; uint8_t* end = g_tls_bend[class_idx];
// ✅ FIX #13B: Use stride (not user size) to match window arming (line 516)
// ROOT CAUSE: Window is carved with stride spacing, but fast path advanced by user size,
// causing misalignment and missing headers on blocks after the first one.
size_t bs = g_tiny_class_sizes[class_idx]; size_t bs = g_tiny_class_sizes[class_idx];
#if HAKMEM_TINY_HEADER_CLASSIDX
if (class_idx != 7) bs += 1; // stride = user_size + header
#endif
if (__builtin_expect(cur <= end - bs, 1)) { if (__builtin_expect(cur <= end - bs, 1)) {
g_tls_bcur[class_idx] = cur + bs; g_tls_bcur[class_idx] = cur + bs;
#if HAKMEM_DEBUG_COUNTERS #if HAKMEM_DEBUG_COUNTERS
g_bump_hits[class_idx]++; g_bump_hits[class_idx]++;
#endif #endif
HAK_TP1(bump_hit, class_idx); HAK_TP1(bump_hit, class_idx);
return (void*)cur; // ✅ FIX #13: Write header and return BASE pointer
// ROOT CAUSE: Bump allocations didn't write headers, causing corruption when freed.
// SOLUTION: Write header to carved block before returning BASE.
// IMPORTANT: Return BASE (not USER) - caller will convert via HAK_RET_ALLOC.
#if HAKMEM_TINY_HEADER_CLASSIDX
if (class_idx != 7) {
*cur = HEADER_MAGIC | (class_idx & HEADER_CLASS_MASK);
}
#endif
return (void*)cur; // Return BASE (caller converts to USER via HAK_RET_ALLOC)
} }
// Window exhausted // Window exhausted
g_tls_bcur[class_idx] = NULL; g_tls_bcur[class_idx] = NULL;
@ -484,7 +520,13 @@ static inline void* superslab_tls_bump_fast(int class_idx) {
#endif #endif
g_tls_bcur[class_idx] = start + bs; g_tls_bcur[class_idx] = start + bs;
g_tls_bend[class_idx] = start + (size_t)chunk * bs; g_tls_bend[class_idx] = start + (size_t)chunk * bs;
return (void*)start; // ✅ FIX #13: Write header and return BASE pointer
#if HAKMEM_TINY_HEADER_CLASSIDX
if (class_idx != 7) {
*start = HEADER_MAGIC | (class_idx & HEADER_CLASS_MASK);
}
#endif
return (void*)start; // Return BASE (caller converts to USER via HAK_RET_ALLOC)
} }
// Frontend: refill FastCache directly from TLS active slab (owner-only) or adopt a slab // Frontend: refill FastCache directly from TLS active slab (owner-only) or adopt a slab

40
core/tiny_alloc_fast.inc.h
View File

@ -91,8 +91,9 @@ static inline void* tiny_class5_minirefill_take(void) {
// Fast pop if available // Fast pop if available
void* base = tls_list_pop_fast(tls5, 5); void* base = tls_list_pop_fast(tls5, 5);
if (base) { if (base) {
// CRITICAL FIX: Convert base -> user pointer for class 5 // ✅ FIX #16: Return BASE pointer (not USER)
return (void*)((uint8_t*)base + 1); // Caller will apply HAK_RET_ALLOC which does BASE → USER conversion
return base;
} }
// Robust refill via generic helperheader対応・境界検証済み // Robust refill via generic helperheader対応・境界検証済み
return tiny_fast_refill_and_take(5, tls5); return tiny_fast_refill_and_take(5, tls5);
@ -189,6 +190,15 @@ static inline void* tiny_alloc_fast_pop(int class_idx) {
HAK_CHECK_CLASS_IDX(class_idx, "tiny_alloc_fast_pop"); HAK_CHECK_CLASS_IDX(class_idx, "tiny_alloc_fast_pop");
atomic_fetch_add(&g_integrity_check_class_bounds, 1); atomic_fetch_add(&g_integrity_check_class_bounds, 1);
// DEBUG: Log class 2 pops (DISABLED for performance)
static _Atomic uint64_t g_fast_pop_count = 0;
uint64_t pop_call = atomic_fetch_add(&g_fast_pop_count, 1);
if (0 && class_idx == 2 && pop_call > 5840 && pop_call < 5900) {
fprintf(stderr, "[FAST_POP_C2] call=%lu cls=%d head=%p count=%u\n",
pop_call, class_idx, g_tls_sll_head[class_idx], g_tls_sll_count[class_idx]);
fflush(stderr);
}
// CRITICAL: C7 (1KB) is headerless - delegate to slow path completely // CRITICAL: C7 (1KB) is headerless - delegate to slow path completely
// Reason: Fast path uses SLL which stores next pointer in user data area // Reason: Fast path uses SLL which stores next pointer in user data area
// C7's headerless design is incompatible with fast path assumptions // C7's headerless design is incompatible with fast path assumptions
@ -246,9 +256,10 @@ static inline void* tiny_alloc_fast_pop(int class_idx) {
g_tiny_alloc_hits++; g_tiny_alloc_hits++;
} }
#endif #endif
// CRITICAL FIX: Convert base -> user pointer for classes 0-6 // ✅ FIX #16: Return BASE pointer (not USER)
void* user_ptr = (class_idx == 7) ? base : (void*)((uint8_t*)base + 1); // Caller (tiny_alloc_fast) will call HAK_RET_ALLOC → tiny_region_id_write_header
return user_ptr; // which does the BASE → USER conversion. Double conversion was causing corruption!
return base;
} }
// SFC miss → try SLL (Layer 1) // SFC miss → try SLL (Layer 1)
} }
@ -277,9 +288,10 @@ static inline void* tiny_alloc_fast_pop(int class_idx) {
g_tiny_alloc_hits++; g_tiny_alloc_hits++;
} }
#endif #endif
// CRITICAL FIX: Convert base -> user pointer for classes 0-6 // ✅ FIX #16: Return BASE pointer (not USER)
void* user_ptr = (class_idx == 7) ? base : (void*)((uint8_t*)base + 1); // Caller (tiny_alloc_fast) will call HAK_RET_ALLOC → tiny_region_id_write_header
return user_ptr; // which does the BASE → USER conversion. Double conversion was causing corruption!
return base;
} }
} }
@ -535,9 +547,11 @@ static inline void* tiny_alloc_fast(size_t size) {
abort(); abort();
} }
// Debug logging near crash point // Debug logging (DISABLED for performance)
if (call_num > 14250 && call_num < 14280) { if (0 && call_num > 14250 && call_num < 14280) {
fprintf(stderr, "[TINY_ALLOC] call=%lu size=%zu class=%d\n", call_num, size, class_idx); fprintf(stderr, "[TINY_ALLOC] call=%lu size=%zu class=%d sll_head[%d]=%p count=%u\n",
call_num, size, class_idx, class_idx,
g_tls_sll_head[class_idx], g_tls_sll_count[class_idx]);
fflush(stderr); fflush(stderr);
} }
@ -563,12 +577,12 @@ static inline void* tiny_alloc_fast(size_t size) {
} }
// Generic front (FastCache/SFC/SLL) // Generic front (FastCache/SFC/SLL)
if (call_num > 14250 && call_num < 14280) { if (0 && call_num > 14250 && call_num < 14280) {
fprintf(stderr, "[TINY_ALLOC] call=%lu before fast_pop\n", call_num); fprintf(stderr, "[TINY_ALLOC] call=%lu before fast_pop\n", call_num);
fflush(stderr); fflush(stderr);
} }
ptr = tiny_alloc_fast_pop(class_idx); ptr = tiny_alloc_fast_pop(class_idx);
if (call_num > 14250 && call_num < 14280) { if (0 && call_num > 14250 && call_num < 14280) {
fprintf(stderr, "[TINY_ALLOC] call=%lu after fast_pop ptr=%p\n", call_num, ptr); fprintf(stderr, "[TINY_ALLOC] call=%lu after fast_pop ptr=%p\n", call_num, ptr);
fflush(stderr); fflush(stderr);
} }

17
core/tiny_alloc_fast_inline.h
View File

@ -11,6 +11,7 @@
#include "hakmem_build_flags.h" #include "hakmem_build_flags.h"
#include "tiny_remote.h" // for TINY_REMOTE_SENTINEL (defense-in-depth) #include "tiny_remote.h" // for TINY_REMOTE_SENTINEL (defense-in-depth)
#include "tiny_nextptr.h" #include "tiny_nextptr.h"
#include "tiny_region_id.h" // For HEADER_MAGIC, HEADER_CLASS_MASK (Fix #7)
// External TLS variables (defined in hakmem_tiny.c) // External TLS variables (defined in hakmem_tiny.c)
extern __thread void* g_tls_sll_head[TINY_NUM_CLASSES]; extern __thread void* g_tls_sll_head[TINY_NUM_CLASSES];
@ -83,12 +84,26 @@ extern __thread uint32_t g_tls_sll_count[TINY_NUM_CLASSES];
// mov %rax, (%rsi) // mov %rax, (%rsi)
// mov %rsi, g_tls_sll_head(%rdi) // mov %rsi, g_tls_sll_head(%rdi)
// //
#if HAKMEM_TINY_HEADER_CLASSIDX
// ✅ FIX #7: Restore header on FREE (header-mode enabled)
// ROOT CAUSE: User may have overwritten byte 0 (header). tls_sll_splice() checks
// byte 0 for HEADER_MAGIC. Without restoration, it finds 0x00 → uses wrong offset → SEGV.
// COST: 1 byte write (~1-2 cycles per free, negligible).
#define TINY_ALLOC_FAST_PUSH_INLINE(class_idx, ptr) do { \ #define TINY_ALLOC_FAST_PUSH_INLINE(class_idx, ptr) do { \
/* Safe store of header-aware next (avoid UB on unaligned) */ \ if ((class_idx) != 7) { \
*(uint8_t*)(ptr) = HEADER_MAGIC | ((class_idx) & HEADER_CLASS_MASK); \
} \
tiny_next_store((ptr), (class_idx), g_tls_sll_head[(class_idx)]); \ tiny_next_store((ptr), (class_idx), g_tls_sll_head[(class_idx)]); \
g_tls_sll_head[(class_idx)] = (ptr); \ g_tls_sll_head[(class_idx)] = (ptr); \
g_tls_sll_count[(class_idx)]++; \ g_tls_sll_count[(class_idx)]++; \
} while(0) } while(0)
#else
#define TINY_ALLOC_FAST_PUSH_INLINE(class_idx, ptr) do { \
tiny_next_store((ptr), (class_idx), g_tls_sll_head[(class_idx)]); \
g_tls_sll_head[(class_idx)] = (ptr); \
g_tls_sll_count[(class_idx)]++; \
} while(0)
#endif
// ========== Performance Notes ========== // ========== Performance Notes ==========
// //

91
core/tiny_refill_opt.h
View File

@ -6,6 +6,8 @@
#include <stdio.h> #include <stdio.h>
#include <stdatomic.h> #include <stdatomic.h>
#include <stdlib.h> #include <stdlib.h>
#include "tiny_region_id.h" // For HEADER_MAGIC, HEADER_CLASS_MASK (Fix #6)
#include "ptr_track.h" // Pointer tracking for debugging header corruption
#ifndef HAKMEM_TINY_REFILL_OPT #ifndef HAKMEM_TINY_REFILL_OPT
#define HAKMEM_TINY_REFILL_OPT 1 #define HAKMEM_TINY_REFILL_OPT 1
@ -74,6 +76,30 @@ static inline void trc_splice_to_sll(int class_idx, TinyRefillChain* c,
class_idx, c->head, c->tail, c->count); class_idx, c->head, c->tail, c->count);
} }
// DEBUG: Validate chain is properly NULL-terminated BEFORE splicing
static _Atomic uint64_t g_splice_count = 0;
uint64_t splice_num = atomic_fetch_add(&g_splice_count, 1);
if (splice_num > 40 && splice_num < 80 && class_idx == 0) {
fprintf(stderr, "[SPLICE_DEBUG] splice=%lu cls=%d head=%p tail=%p count=%u\n",
splice_num, class_idx, c->head, c->tail, c->count);
// Walk chain to verify NULL termination
void* cursor = c->head;
uint32_t walked = 0;
while (cursor && walked < c->count + 5) {
void* next = *(void**)((uint8_t*)cursor + 1); // offset 1 for C0
fprintf(stderr, "[SPLICE_WALK] node=%p next=%p walked=%u/%u\n",
cursor, next, walked, c->count);
if (walked == c->count - 1 && next != NULL) {
fprintf(stderr, "[SPLICE_ERROR] Tail not NULL-terminated! tail=%p next=%p\n",
cursor, next);
abort();
}
cursor = next;
walked++;
}
fflush(stderr);
}
// CRITICAL: Use Box TLS-SLL API for splice (C7-safe, no race) // CRITICAL: Use Box TLS-SLL API for splice (C7-safe, no race)
// Note: tls_sll_splice() requires capacity parameter (use large value for refill) // Note: tls_sll_splice() requires capacity parameter (use large value for refill)
uint32_t moved = tls_sll_splice(class_idx, c->head, c->count, 4096); uint32_t moved = tls_sll_splice(class_idx, c->head, c->count, 4096);
@ -175,6 +201,35 @@ static inline uint32_t trc_pop_from_freelist(struct TinySlabMeta* meta,
trc_failfast_abort("freelist_next", class_idx, ss_base, ss_limit, next); trc_failfast_abort("freelist_next", class_idx, ss_base, ss_limit, next);
} }
meta->freelist = next; meta->freelist = next;
// ✅ FIX #11: Restore header BEFORE trc_push_front
// ROOT CAUSE: Freelist stores next at base (offset 0), overwriting header.
// trc_push_front() uses offset=1 for C0-C6, expecting header at base.
// Without restoration, offset=1 contains garbage → chain corruption → SEGV!
//
// SOLUTION: Restore header AFTER reading freelist next, BEFORE chain push.
// Cost: 1 byte write per freelist block (~1-2 cycles, negligible).
#if HAKMEM_TINY_HEADER_CLASSIDX
if (class_idx != 7) {
// DEBUG: Log header restoration for class 2
uint8_t before = *(uint8_t*)p;
PTR_TRACK_FREELIST_POP(p, class_idx);
*(uint8_t*)p = HEADER_MAGIC | (class_idx & HEADER_CLASS_MASK);
PTR_TRACK_HEADER_WRITE(p, HEADER_MAGIC | (class_idx & HEADER_CLASS_MASK));
static _Atomic uint64_t g_freelist_count_c2 = 0;
if (class_idx == 2) {
uint64_t fl_num = atomic_fetch_add(&g_freelist_count_c2, 1);
if (fl_num < 100) { // Log first 100 freelist pops
extern _Atomic uint64_t malloc_count;
uint64_t call_num = atomic_load(&malloc_count);
fprintf(stderr, "[FREELIST_HEADER_RESTORE] fl#%lu call=%lu cls=%d ptr=%p before=0x%02x after=0x%02x\n",
fl_num, call_num, class_idx, p, before, HEADER_MAGIC | (class_idx & HEADER_CLASS_MASK));
fflush(stderr);
}
}
}
#endif
trc_push_front(out, p, class_idx); trc_push_front(out, p, class_idx);
taken++; taken++;
} }
@ -217,6 +272,34 @@ static inline uint32_t trc_linear_carve(uint8_t* base, size_t bs,
(void*)base, meta->carved, batch, (void*)cursor); (void*)base, meta->carved, batch, (void*)cursor);
} }
// ✅ FIX #6: Write headers to carved blocks BEFORE linking
// ROOT CAUSE: tls_sll_splice() checks byte 0 for header magic to determine
// next_offset. Without headers, it finds 0x00 and uses next_offset=0 (WRONG!),
// reading garbage pointers from wrong offset, causing SEGV.
// SOLUTION: Write headers to all carved blocks so splice detection works correctly.
#if HAKMEM_TINY_HEADER_CLASSIDX
if (class_idx != 7) {
// Write headers to all batch blocks (C0-C6 only, C7 is headerless)
static _Atomic uint64_t g_carve_count = 0;
for (uint32_t i = 0; i < batch; i++) {
uint8_t* block = cursor + (i * stride);
PTR_TRACK_CARVE((void*)block, class_idx);
*block = HEADER_MAGIC | (class_idx & HEADER_CLASS_MASK);
PTR_TRACK_HEADER_WRITE((void*)block, HEADER_MAGIC | (class_idx & HEADER_CLASS_MASK));
// ✅ Option C: Class 2 inline logs - CARVE operation
if (class_idx == 2) {
uint64_t carve_id = atomic_fetch_add(&g_carve_count, 1);
extern _Atomic uint64_t malloc_count;
uint64_t call = atomic_load(&malloc_count);
fprintf(stderr, "[C2_CARVE] ptr=%p header=0xa2 batch_idx=%u/%u carve_id=%lu call=%lu\n",
(void*)block, i+1, batch, carve_id, call);
fflush(stderr);
}
}
}
#endif
// CRITICAL FIX (Phase 7): header-aware next pointer placement // CRITICAL FIX (Phase 7): header-aware next pointer placement
// For header classes (C0-C6), the first byte at base is the 1-byte header. // For header classes (C0-C6), the first byte at base is the 1-byte header.
// Store the SLL next pointer at base+1 to avoid clobbering the header. // Store the SLL next pointer at base+1 to avoid clobbering the header.
@ -232,6 +315,14 @@ static inline uint32_t trc_linear_carve(uint8_t* base, size_t bs,
cursor = next; cursor = next;
} }
void* tail = (void*)cursor; void* tail = (void*)cursor;
// ✅ FIX #2: NULL-terminate the tail to prevent garbage pointer traversal
// ROOT CAUSE: Without this, tail's next pointer contains GARBAGE from previous
// allocation, causing SEGV when TLS SLL is traversed (crash at iteration 38,985).
// The loop above only links blocks 0→1, 1→2, ..., (batch-2)→(batch-1).
// It does NOT write to tail's next pointer, leaving stale data!
*(void**)((uint8_t*)tail + next_offset) = NULL;
// Debug: validate first link // Debug: validate first link
#if !HAKMEM_BUILD_RELEASE #if !HAKMEM_BUILD_RELEASE
if (batch >= 2) { if (batch >= 2) {

17
core/tiny_region_id.h
View File

@ -11,6 +11,8 @@
#include <stdint.h> #include <stdint.h>
#include <stddef.h> #include <stddef.h>
#include "hakmem_build_flags.h" #include "hakmem_build_flags.h"
#include "tiny_box_geometry.h"
#include "ptr_track.h"
// Feature flag: Enable header-based class_idx lookup // Feature flag: Enable header-based class_idx lookup
#ifndef HAKMEM_TINY_HEADER_CLASSIDX #ifndef HAKMEM_TINY_HEADER_CLASSIDX
@ -55,7 +57,17 @@ static inline void* tiny_region_id_write_header(void* base, int class_idx) {
// Write header at block start // Write header at block start
uint8_t* header_ptr = (uint8_t*)base; uint8_t* header_ptr = (uint8_t*)base;
*header_ptr = HEADER_MAGIC | (class_idx & HEADER_CLASS_MASK); *header_ptr = HEADER_MAGIC | (class_idx & HEADER_CLASS_MASK);
return header_ptr + 1; // skip header for user pointer PTR_TRACK_HEADER_WRITE(base, HEADER_MAGIC | (class_idx & HEADER_CLASS_MASK));
void* user = header_ptr + 1; // skip header for user pointer
PTR_TRACK_MALLOC(base, 0, class_idx); // Track at BASE (where header is)
// Optional guard: log stride/base/user for targeted class
extern int tiny_guard_is_enabled(void);
extern void tiny_guard_on_alloc(int cls, void* base, void* user, size_t stride);
if (tiny_guard_is_enabled()) {
size_t stride = tiny_stride_for_class(class_idx);
tiny_guard_on_alloc(class_idx, base, user, stride);
}
return user;
} }
// ========== Read Header (Free) ========== // ========== Read Header (Free) ==========
@ -100,6 +112,9 @@ static inline int tiny_region_id_read_header(void* ptr) {
invalid_count++; invalid_count++;
} }
#endif #endif
// Optional guard hook for invalid header
extern void tiny_guard_on_invalid(void* user_ptr, uint8_t hdr);
if (tiny_guard_is_enabled()) tiny_guard_on_invalid(ptr, header);
return -1; return -1;
} }
#else #else