diff --git a/core/box/front_gate_box.d b/core/box/front_gate_box.d index f7719d8e..81ccb980 100644 --- a/core/box/front_gate_box.d +++ b/core/box/front_gate_box.d @@ -2,7 +2,8 @@ core/box/front_gate_box.o: core/box/front_gate_box.c \ core/box/front_gate_box.h core/hakmem_tiny.h core/hakmem_build_flags.h \ core/hakmem_trace.h core/hakmem_tiny_mini_mag.h \ core/tiny_alloc_fast_sfc.inc.h core/hakmem_tiny.h core/box/tls_sll_box.h \ - core/box/../hakmem_tiny_config.h + core/box/../ptr_trace.h core/box/../hakmem_tiny_config.h \ + core/box/../hakmem_build_flags.h core/box/front_gate_box.h: core/hakmem_tiny.h: core/hakmem_build_flags.h: @@ -11,4 +12,6 @@ core/hakmem_tiny_mini_mag.h: core/tiny_alloc_fast_sfc.inc.h: core/hakmem_tiny.h: core/box/tls_sll_box.h: +core/box/../ptr_trace.h: core/box/../hakmem_tiny_config.h: +core/box/../hakmem_build_flags.h: diff --git a/core/box/hak_free_api.inc.h b/core/box/hak_free_api.inc.h index 25c85a5d..3c298e3d 100644 --- a/core/box/hak_free_api.inc.h +++ b/core/box/hak_free_api.inc.h @@ -4,6 +4,7 @@ #include "hakmem_tiny_superslab.h" // For SUPERSLAB_MAGIC, SuperSlab #include "../tiny_free_fast_v2.inc.h" // Phase 7: Header-based ultra-fast free +#include "../ptr_trace.h" // Debug: pointer trace immediate dump on libc fallback #include "front_gate_classifier.h" // Box FG: Centralized pointer classification #ifdef HAKMEM_POOL_TLS_PHASE1 @@ -178,6 +179,7 @@ void hak_free_at(void* ptr, size_t size, hak_callsite_t site) { // LD_PRELOAD mode: route to libc (might be libc allocation) extern void __libc_free(void*); + ptr_trace_dump_now("free_api_libc_invalid_hdr"); __libc_free(ptr); goto done; } @@ -217,6 +219,7 @@ void hak_free_at(void* ptr, size_t size, hak_callsite_t site) { } else { // Fallback mode: route to libc extern void __libc_free(void*); + ptr_trace_dump_now("free_api_libc_invalid_magic_fallback"); __libc_free(ptr); // Use ptr, not raw! goto done; } 
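Review bot: The `ptr_trace_dump_now(...)` calls placed before each `__libc_free` in this hunk and in the `@@ -217`, `@@ -238` and `@@ -247` hunks are not gated on the build flavor, unlike the `#if !HAKMEM_BUILD_RELEASE` guard this same commit uses in hak_wrappers.inc.h, and the debug logs committed alongside show `[PTR_TRACE_NOW] reason=wrap_libc_lockdepth` under `Flavor=RELEASE`, so the dump appears to fire in release builds on every libc-fallback free. If `ptr_trace_dump_now` writes to stderr, that is a per-call cost on a path that real workloads hit and it prints heap addresses into production logs. Unless `ptr_trace.h` already compiles it to a no-op in release, wrap each call in `#if !HAKMEM_BUILD_RELEASE` / `#endif` or have the header supply a release no-op so the intent in the include comment ("Debug: ...") matches the code. `hak_free_at` starts and ends outside these hunks.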
@@ -238,6 +241,7 @@ void hak_free_at(void* ptr, size_t size, hak_callsite_t site) { // Using free(raw) would go through wrapper → infinite recursion hak_free_route_log("malloc_hdr", ptr); extern void __libc_free(void*); + ptr_trace_dump_now("free_api_libc_malloc_hdr"); __libc_free(raw); break; case ALLOC_METHOD_MMAP: @@ -247,6 +251,7 @@ void hak_free_at(void* ptr, size_t size, hak_callsite_t site) { #else // CRITICAL FIX: Same as ALLOC_METHOD_MALLOC extern void __libc_free(void*); + ptr_trace_dump_now("free_api_libc_mmap_other"); __libc_free(raw); #endif break; diff --git a/core/box/hak_wrappers.inc.h b/core/box/hak_wrappers.inc.h index 9b07bdb7..e7ef5477 100644 --- a/core/box/hak_wrappers.inc.h +++ b/core/box/hak_wrappers.inc.h @@ -28,6 +28,9 @@ void* realloc(void* ptr, size_t size) { #else +#include "../ptr_trace.h" // Debug: pointer trace immediate dump on libc fallback +#include "front_gate_classifier.h" // Box FG: pointer classification (header/reg) + // malloc wrapper - intercepts system malloc() calls __thread uint64_t g_malloc_total_calls = 0; __thread uint64_t g_malloc_tiny_size_match = 0; 
@@ -105,13 +108,65 @@ void* malloc(size_t size) { void free(void* ptr) { atomic_fetch_add_explicit(&g_free_wrapper_calls, 1, memory_order_relaxed); if (!ptr) return; - if (g_hakmem_lock_depth > 0) { extern void __libc_free(void*); __libc_free(ptr); return; } - if (__builtin_expect(g_initializing != 0, 0)) { extern void __libc_free(void*); __libc_free(ptr); return; } - if (__builtin_expect(hak_force_libc_alloc(), 0)) { extern void __libc_free(void*); __libc_free(ptr); return; } + do { static int on=-1; if (on==-1){ const char* e=getenv("HAKMEM_FREE_WRAP_TRACE"); on=(e&&*e&&*e!='0')?1:0;} if(on){ fprintf(stderr,"[WRAP_FREE_ENTER] ptr=%p depth=%d init=%d\n", ptr, g_hakmem_lock_depth, g_initializing); } } while(0); +#if !HAKMEM_BUILD_RELEASE + // Debug safety: guard obviously invalid tiny integers to avoid libc crash and collect trace + if ((uintptr_t)ptr < 4096) { + ptr_trace_dump_now("wrap_small_ptr"); + fprintf(stderr, "[FREE_SMALL_PTR] ignore ptr=%p (likely header-corruption sentinel)\n", ptr); + return; + } +#endif + + // Classify pointer BEFORE early libc fallbacks to avoid misrouting Tiny pointers + // This is safe: classifier uses header probe and registry; does not allocate. 
+ int is_hakmem_owned = 0; + { + ptr_classification_t c = classify_ptr(ptr); + switch (c.kind) { + case PTR_KIND_TINY_HEADER: + case PTR_KIND_TINY_HEADERLESS: + case PTR_KIND_POOL_TLS: + is_hakmem_owned = 1; break; + default: break; + } + } + + if (is_hakmem_owned) { + // Route to hak_free_at even if lock_depth>0(ログ抑制のためptr_traceのみ使用) + g_hakmem_lock_depth++; + hak_free_at(ptr, 0, HAK_CALLSITE()); + g_hakmem_lock_depth--; + return; + } + // Front Gate libc bypass detection + static _Atomic uint64_t fg_libc_bypass_count = 0; + + if (g_hakmem_lock_depth > 0) { + uint64_t count = atomic_fetch_add_explicit(&fg_libc_bypass_count, 1, memory_order_relaxed); + if (count < 10) { // Log first 10 occurrences + fprintf(stderr, "[FG_LIBC_BYPASS] lockdepth=%d count=%llu ptr=%p\n", g_hakmem_lock_depth, (unsigned long long)count, ptr); + } + extern void __libc_free(void*); + ptr_trace_dump_now("wrap_libc_lockdepth"); + __libc_free(ptr); + return; + } + if (__builtin_expect(g_initializing != 0, 0)) { + uint64_t count = atomic_fetch_add_explicit(&fg_libc_bypass_count, 1, memory_order_relaxed); + if (count < 10) { // Log first 10 occurrences + fprintf(stderr, "[FG_LIBC_BYPASS] init=%d count=%llu ptr=%p\n", g_initializing, (unsigned long long)count, ptr); + } + extern void __libc_free(void*); + ptr_trace_dump_now("wrap_libc_init"); + __libc_free(ptr); + return; + } + if (__builtin_expect(hak_force_libc_alloc(), 0)) { extern void __libc_free(void*); ptr_trace_dump_now("wrap_libc_force"); __libc_free(ptr); return; } if (hak_ld_env_mode()) { - if (hak_ld_block_jemalloc() && g_jemalloc_loaded) { extern void __libc_free(void*); __libc_free(ptr); return; } + if (hak_ld_block_jemalloc() && g_jemalloc_loaded) { extern void __libc_free(void*); ptr_trace_dump_now("wrap_libc_ld_jemalloc"); __libc_free(ptr); return; } if (!g_initialized) { hak_init(); } - if (g_initializing) { extern void __libc_free(void*); __libc_free(ptr); return; } + if (g_initializing) { extern void __libc_free(void*); 
ptr_trace_dump_now("wrap_libc_ld_init"); __libc_free(ptr); return; } } g_hakmem_lock_depth++; hak_free_at(ptr, 0, HAK_CALLSITE()); @@ -205,4 +260,3 @@ void* realloc(void* ptr, size_t size) { #endif // HAKMEM_FORCE_LIBC_ALLOC_BUILD #endif // HAK_WRAPPERS_INC_H - diff --git a/core/hakmem_tiny.c b/core/hakmem_tiny.c index e71fd010..6aab617f 100644 --- a/core/hakmem_tiny.c +++ b/core/hakmem_tiny.c @@ -376,12 +376,12 @@ static __thread void* g_fast_head[TINY_NUM_CLASSES]; static __thread uint16_t g_fast_count[TINY_NUM_CLASSES]; static inline void tls_list_spill_excess(int class_idx, TinyTLSList* tls); -static uint64_t g_tls_hit_count[TINY_NUM_CLASSES]; -static uint64_t g_tls_miss_count[TINY_NUM_CLASSES]; -static uint64_t g_tls_spill_ss_count[TINY_NUM_CLASSES]; -static uint64_t g_tls_spill_owner_count[TINY_NUM_CLASSES]; -static uint64_t g_tls_spill_mag_count[TINY_NUM_CLASSES]; -static uint64_t g_tls_spill_requeue_count[TINY_NUM_CLASSES]; +uint64_t g_tls_hit_count[TINY_NUM_CLASSES]; +uint64_t g_tls_miss_count[TINY_NUM_CLASSES]; +uint64_t g_tls_spill_ss_count[TINY_NUM_CLASSES]; +uint64_t g_tls_spill_owner_count[TINY_NUM_CLASSES]; +uint64_t g_tls_spill_mag_count[TINY_NUM_CLASSES]; +uint64_t g_tls_spill_requeue_count[TINY_NUM_CLASSES]; // Legacy magazine definitions have been moved to hakmem_tiny_magazine.h // NEW: Per-thread active slabs (up to 2 per class) diff --git a/core/hakmem_tiny.d b/core/hakmem_tiny.d index d2b261e2..8ca4e670 100644 --- a/core/hakmem_tiny.d +++ b/core/hakmem_tiny.d 
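Review bot: `classify_ptr(ptr)` and the `is_hakmem_owned` route into `hak_free_at()` now run ahead of the `g_hakmem_lock_depth > 0` and `g_initializing` checks, so a free() that re-enters while the allocator is already on the stack, or arrives before `hak_init()` has completed, is dispatched into the allocator anyway — exactly the case those guards existed to stop. If `hak_free_at` or the classifier's registry lookup touches state the outer frame is mid-update this can corrupt or deadlock, so the owned route should at least stay behind the `g_initializing` check, and if the header probe reads the byte before `ptr` a page-aligned foreign pointer can fault, which is worth confirming against `classify_ptr`. The `HAKMEM_FREE_WRAP_TRACE` block lazily initialises a plain `static int on` from any thread that enters first (a data race by the C11 memory model; `static _Atomic int on = -1;` or resolving it once at init fixes that) and, unlike the small-pointer guard just below it, is compiled into release builds. The comment on the owned path should be English like the rest of the file: `// Route to hak_free_at even when lock_depth>0 (ptr_trace only, to keep logs quiet)`. `free()` begins on the hunk's first line and its body continues past the hunk.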
@@ -23,7 +23,8 @@ core/hakmem_tiny.o: core/hakmem_tiny.c core/hakmem_tiny.h \ core/tiny_tls_guard.h core/hakmem_tiny_tls_list.h \ core/hakmem_tiny_bg_spill.h core/tiny_adaptive_sizing.h \ core/tiny_system.h core/hakmem_prof.h core/tiny_publish.h \ - core/box/tls_sll_box.h core/box/../hakmem_tiny_config.h \ + core/box/tls_sll_box.h core/box/../ptr_trace.h \ + core/box/../hakmem_tiny_config.h core/box/../hakmem_build_flags.h \ core/hakmem_tiny_hotmag.inc.h core/hakmem_tiny_hot_pop.inc.h \ core/hakmem_tiny_fastcache.inc.h core/hakmem_tiny_refill.inc.h \ core/tiny_box_geometry.h core/hakmem_tiny_refill_p0.inc.h \ @@ -99,7 +100,9 @@ core/tiny_system.h: core/hakmem_prof.h: core/tiny_publish.h: core/box/tls_sll_box.h: +core/box/../ptr_trace.h: core/box/../hakmem_tiny_config.h: +core/box/../hakmem_build_flags.h: core/hakmem_tiny_hotmag.inc.h: core/hakmem_tiny_hot_pop.inc.h: core/hakmem_tiny_fastcache.inc.h: diff --git a/core/hakmem_tiny_stats.h b/core/hakmem_tiny_stats.h index 9c9db499..c8331dd9 100644 --- a/core/hakmem_tiny_stats.h +++ b/core/hakmem_tiny_stats.h @@ -11,6 +11,16 @@ // Assumed to be available when this header is included extern TinyPool g_tiny_pool; +// Debug-only TLS/front counters (defined in hakmem_tiny.c) +#if HAKMEM_BUILD_DEBUG +extern uint64_t g_tls_hit_count[TINY_NUM_CLASSES]; +extern uint64_t g_tls_miss_count[TINY_NUM_CLASSES]; +extern uint64_t g_tls_spill_ss_count[TINY_NUM_CLASSES]; +extern uint64_t g_tls_spill_owner_count[TINY_NUM_CLASSES]; +extern uint64_t g_tls_spill_mag_count[TINY_NUM_CLASSES]; +extern uint64_t g_tls_spill_requeue_count[TINY_NUM_CLASSES]; +#endif + // ============================================================================ // Quick Win #2: Compile-Time Statistics Toggle // ============================================================================ diff --git a/core/tiny_alloc_fast_inline.h b/core/tiny_alloc_fast_inline.h index 53932a8a..8db14b1f 100644 --- a/core/tiny_alloc_fast_inline.h +++ b/core/tiny_alloc_fast_inline.h 
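Review bot: The new `extern` declarations are gated on `#if HAKMEM_BUILD_DEBUG`, while the matching definitions in the hakmem_tiny.c hunk are unconditional and the rest of this commit gates debug code on `#if !HAKMEM_BUILD_RELEASE`; if `HAKMEM_BUILD_DEBUG` is not visible in a translation unit that includes this header before `hakmem_build_flags.h`, the `#if` silently evaluates to 0 and the counters disappear without any diagnostic. Either include the flags header at the top of this file or use the same guard as the other files, and extend the comment to say whether release builds increment the arrays, since their definitions are always compiled: `// Debug-only TLS/front counters (defined unconditionally in hakmem_tiny.c; see HAKMEM_BUILD_DEBUG for which builds update them)`.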
@@ -50,10 +50,7 @@ extern __thread uint32_t g_tls_sll_count[TINY_NUM_CLASSES]; (ptr_out) = NULL; \ } else { \ /* Phase 7: header-aware next (C0-C6: base+1, C7: base) */ \ - size_t _off = 0; \ -#if HAKMEM_TINY_HEADER_CLASSIDX \ - _off = ((class_idx) == 7) ? 0 : 1; \ -#endif \ + size_t _off = (HAKMEM_TINY_HEADER_CLASSIDX ? (((class_idx) == 7) ? 0 : 1) : 0); \ void* _next = *(void**)((uint8_t*)_head + _off); \ g_tls_sll_head[(class_idx)] = _next; \ if (g_tls_sll_count[(class_idx)] > 0) { \ @@ -87,10 +84,7 @@ extern __thread uint32_t g_tls_sll_count[TINY_NUM_CLASSES]; // #define TINY_ALLOC_FAST_PUSH_INLINE(class_idx, ptr) do { \ /* Phase 7: header-aware next (C0-C6: base+1, C7: base) */ \ - size_t _off = 0; \ -#if HAKMEM_TINY_HEADER_CLASSIDX \ - _off = ((class_idx) == 7) ? 0 : 1; \ -#endif \ + size_t _off = (HAKMEM_TINY_HEADER_CLASSIDX ? (((class_idx) == 7) ? 0 : 1) : 0); \ *(void**)((uint8_t*)(ptr) + _off) = g_tls_sll_head[(class_idx)]; \ g_tls_sll_head[(class_idx)] = (ptr); \ g_tls_sll_count[(class_idx)]++; \ diff --git a/core/tiny_free_fast_v2.inc.h b/core/tiny_free_fast_v2.inc.h index bc5fde14..13acf4f2 100644 --- a/core/tiny_free_fast_v2.inc.h +++ b/core/tiny_free_fast_v2.inc.h @@ -29,7 +29,6 @@ extern __thread uint32_t g_tls_sll_count[TINY_NUM_CLASSES]; // External functions extern void hak_tiny_free(void* ptr); // Fallback for non-header allocations -extern uint32_t sll_cap_for_class(int class_idx, uint32_t mag_cap); // ========== Ultra-Fast Free (Header-based) ========== 
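Review bot: The `void* _next = *(void**)((uint8_t*)_head + _off);` read that follows the new `_off` line, and the mirror store `*(void**)((uint8_t*)(ptr) + _off) = ...` in the `@@ -87` hunk, dereference a `void**` at an odd address whenever `_off` is 1, which is undefined behaviour for a misaligned access in C even though x86 tolerates it (an alignment sanitizer will report exactly this). Replacing the load with `memcpy(&_next, (uint8_t*)_head + _off, sizeof _next);` and the store with the equivalent `memcpy` keeps the same block layout without the misaligned-pointer deref. The rewrite itself is right: in a function-like macro `#` must be followed by a parameter name, so the old `#if` inside the replacement list was ill-formed — but note the ternary now requires `HAKMEM_TINY_HEADER_CLASSIDX` to be defined at every expansion site, since an undefined identifier was silently 0 under `#if` and is a compile error here, so the flags header must be included first. Both macro bodies continue past their hunks.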
@@ -109,10 +108,10 @@ static inline int hak_tiny_free_fast_v2(void* ptr) { // 2. Check TLS freelist capacity (optional, for bounded cache) // Note: Can be disabled in release for maximum speed #if !HAKMEM_BUILD_RELEASE - uint32_t cap = sll_cap_for_class(class_idx, (uint32_t)TINY_TLS_MAG_CAP); + // Debug-only: simple capacity guard to avoid unbounded TLS growth + uint32_t cap = (uint32_t)TINY_TLS_MAG_CAP; if (__builtin_expect(g_tls_sll_count[class_idx] >= cap, 0)) { - // TLS cache full - route to slow path for spill - return 0; + return 0; // Route to slow path for spill } #endif diff --git a/core/tiny_remote.c b/core/tiny_remote.c index 0cc7e519..53b227d5 100644 --- a/core/tiny_remote.c +++ b/core/tiny_remote.c @@ -32,7 +32,7 @@ static inline uint32_t hmix(uintptr_t v); static inline uint32_t tiny_remote_stage_hash(const char* stage); static void tiny_remote_dump_backtrace(void); -#if !defined(HAKMEM_BUILD_RELEASE) +#if !HAKMEM_BUILD_RELEASE #define REM_TRACK_TABLE_LOG2 20 #define REM_TRACK_TABLE_SIZE (1u << REM_TRACK_TABLE_LOG2) diff --git a/core/tiny_superslab_alloc.inc.h b/core/tiny_superslab_alloc.inc.h index 6450ca19..0ced0ef9 100644 --- a/core/tiny_superslab_alloc.inc.h +++ b/core/tiny_superslab_alloc.inc.h @@ -743,6 +743,20 @@ static inline void* hak_tiny_alloc_superslab(int class_idx) { // } meta->used++; + // Debug: Log first C7 alloc for path verification + if (class_idx == 7) { + static _Atomic int c7_alloc_count = 0; + int count = atomic_fetch_add_explicit(&c7_alloc_count, 1, memory_order_relaxed); + if (count == 0) { + void* next = NULL; + // C7 has no header, next pointer is at base + if (block && ss->size_class == 7) { + next = *(void**)block; + } + fprintf(stderr, "[C7_FIRST_ALLOC] ptr=%p next=%p slab_idx=%d\n", block, next, slab_idx); + } + } + // Track active blocks in SuperSlab for conservative reclamation ss_active_inc(ss); HAK_RET_ALLOC(class_idx, block); // Phase 8.4: Zero hot-path overhead 
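Review bot: With `sll_cap_for_class` removed, the guard uses a flat `TINY_TLS_MAG_CAP` for every class, and because the whole block sits under `#if !HAKMEM_BUILD_RELEASE`, nothing in this function bounds `g_tls_sll_count` in release builds; the new comment `// Debug-only: simple capacity guard to avoid unbounded TLS growth` reads as if growth is bounded when it is only bounded in debug. Either say where release bounds the list or narrow the comment, e.g. `// Debug-only capacity guard; release bounds the TLS list in <spill path — confirm>`. `hak_tiny_free_fast_v2` starts before the hunk and continues after it.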
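Review bot: Switching from `!defined(HAKMEM_BUILD_RELEASE)` to `!HAKMEM_BUILD_RELEASE` changes what happens when the flag macro is not visible: the old form was true only when the flags header had not been included, whereas `!X` on an undefined identifier evaluates to `!0` and silently compiles the `REM_TRACK_TABLE_*` tracking definitions into any translation unit that sees this file before `hakmem_build_flags.h`. If tiny_remote.c does not already include that header near the top, add it, and make the dependency explicit so a missing flag fails loudly: `#ifndef HAKMEM_BUILD_RELEASE` / `#error "hakmem_build_flags.h must be included first"` / `#endif` just above this `#if`.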
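Review bot: The `[C7_FIRST_ALLOC]` block is not wrapped in `#if !HAKMEM_BUILD_RELEASE`, unlike the other debug code this commit adds, so release builds carry the atomic counter and an `fprintf` inside `hak_tiny_alloc_superslab` and print a heap address to stderr; the `[C7_FIRST_FREE]` block in the tiny_superslab_free.inc.h hunk has the same problem. `fprintf` from inside the allocator may also re-enter `malloc` through stdio in an LD_PRELOAD build, and the `ss->size_class == 7` test is redundant with the enclosing `class_idx == 7` unless the two can disagree, which would itself deserve a comment. Wrap both blocks in `#if !HAKMEM_BUILD_RELEASE` / `#endif` and state the one-shot intent: `// Debug-only, fires once per process: verify the headerless C7 path`. `hak_tiny_alloc_superslab` starts before the hunk and continues after it.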
diff --git a/core/tiny_superslab_free.inc.h b/core/tiny_superslab_free.inc.h index 3c168b39..c5feb3d9 100644 --- a/core/tiny_superslab_free.inc.h +++ b/core/tiny_superslab_free.inc.h @@ -26,6 +26,15 @@ static inline void hak_tiny_free_superslab(void* ptr, SuperSlab* ss) { TinySlabMeta* meta = &ss->slabs[slab_idx]; // Normalize to block base for header classes (C0-C6) void* base = (ss->size_class == 7) ? ptr : (void*)((uint8_t*)ptr - 1); + + // Debug: Log first C7 alloc/free for path verification + if (ss->size_class == 7) { + static _Atomic int c7_free_count = 0; + int count = atomic_fetch_add_explicit(&c7_free_count, 1, memory_order_relaxed); + if (count == 0) { + fprintf(stderr, "[C7_FIRST_FREE] ptr=%p base=%p slab_idx=%d\n", ptr, base, slab_idx); + } + } if (__builtin_expect(tiny_remote_watch_is(ptr), 0)) { tiny_remote_watch_note("free_enter", ss, slab_idx, ptr, 0xA240u, tiny_self_u32(), 0); extern __thread TinyTLSSlab g_tls_slabs[]; diff --git a/debug_analysis_final_$(date +%Y%m%d_%H%M%S).md b/debug_analysis_final_$(date +%Y%m%d_%H%M%S).md new file mode 100644 index 00000000..0f4c6cec --- /dev/null +++ b/debug_analysis_final_$(date +%Y%m%d_%H%M%S).md 
@@ -0,0 +1,100 @@ +# Debug Analysis Final - TLS-SLL Guard Investigation +**Date**: 2025-11-10 +**Binary**: out/debug/bench_fixed_size_hakmem (verbose debug build) +**Command**: 200000 1024 128 + +## 1. Maximum Tracing Results + +### Key Findings: +``` +[TLS_SLL_GUARD] splice_trav: misaligned base=0x7244b7e10009 cls=0 blk=8 off=1 +[HAKMEM][EARLY SIGSEGV] backtrace (1 frames) +./out/debug/bench_fixed_size_hakmem(+0x6a5e)[0x5b4a8b13ea5e] +``` + +### Critical Discovery: +- **TLS-SLL GUARDが検出!** `misaligned base=0x7244b7e10009` +- SPLICE_TO_SLL直後の`splice_trav`操作でアライメント違反 +- これがSIGSEGVの直接原因! + +### Analysis of misaligned address: +- `base=0x7244b7e10009` - 最後の9進数(0x9)が問題 +- `cls=0 blk=8 off=1` - class 0, block 8, offset 1 +- 正しいはず: `0x7244b7e10000` + (8 * 256) + 1 = `0x7244b7e10081` +- 実際: `0x7244b7e10009` - 計算が間違っている! + +## 2. No Cache Results (Frontend Disabled) + +### Same Pattern: +``` +[TLS_SLL_GUARD] splice_trav: misaligned base=0x7d9100410009 cls=0 blk=8 off=1 +[HAKMEM][EARLY SIGSEGV] backtrace (1 frames) +./out/debug/bench_fixed_size_hakmem(+0x6a5e)[0x622ace44fa5e] +``` + +### Confirmed: +- Frontend cacheを無効にしても問題は再現 +- TLS-SLL境界の問題であることが確定 + +## 3. Root Cause Analysis + +### Problem Location: +- **SPLICE_TO_SLL直後のTLS-SLL操作** +- `splice_trav`(traverse splice)でポインタ計算が破壊されている + +### Calculation Error: +``` +Expected: base + (blk * size) + off +Actual: base + ??? = 0x7244b7e10009 (9 bytes from base) +``` + +### Header Offset Confusion: +- Class 0 (128B): header offset should be 1 byte +- Block 8: should be at 8 * 128 = 1024 bytes from base +- Correct address: `0x7244b7e10000 + 1024 + 1 = 0x7244b7e10401` +- Actual: `0x7244b7e10009` - **完全に間違った計算!** + +## 4. PTR_TRACE Analysis + +### Missing TLS Operations: +- PTR_TRACEに`tls_push/tls_pop/tls_sp_trav/tls_sp_link`が記録されていない +- TLS-SLL GUARDが発火する段階で既にPTR_TRACEが動いていない +- **PTR_TRACEマクロ自体が問題のコードパスを通っていない!** + +## 5. Recommendations + +### Immediate Fix: +1. 
**TLS-SLL splice_travのポインタ計算を修正** + - base + (blk * size) + off の計算を確認 + - class 0 (128B) × block 8 = 1024 bytes offset + +### Debug Strategy: +1. **PTR_TRACEマクロをTLS-SLL GUARDの前後に配置** +2. **splice_trav関数のアセンブリ出力を確認** +3. **TLS-SLL GUARDの条件判定を緩和して詳細ログ取得** + +### Code Location to Fix: +- `core/box/tls_sll_box.h` - splice_trav implementation +- SPLICE_TO_SLL直後のTLS-SLL操作フロー + +## 6. Verification Steps + +### After Fix: +1. Same test should show proper alignment +2. TLS-SLL GUARD should not fire +3. PTR_TRACE should show tls_push/tls_pop operations +4. SIGSEGV should be resolved + +### Test Commands: +```bash +HAKMEM_DEBUG_SEGV=1 HAKMEM_PTR_TRACE_DUMP=1 HAKMEM_FREE_WRAP_TRACE=1 ./out/debug/bench_fixed_size_hakmem 200000 1024 128 +``` + +## 7. Summary + +**Root Cause**: TLS-SLL splice_trav operation has critical pointer calculation error +**Location**: SPLICE_TO_SLL immediate aftermath +**Impact**: Misaligned memory access causes SIGSEGV +**Fix Priority**: CRITICAL - core memory corruption issue + +The TLS-SLL GUARD successfully identified the exact location of the problem! diff --git a/debug_logs_$(date +%Y%m%d_%H%M%S).md b/debug_logs_$(date +%Y%m%d_%H%M%S).md new file mode 100644 index 00000000..f7a5be91 --- /dev/null +++ b/debug_logs_$(date +%Y%m%d_%H%M%S).md 
@@ -0,0 +1,294 @@ +# Debug Logs - bench_fixed_size_hakmem SEGV Investigation +**Date**: 2025-11-10 +**Binary**: out/debug/bench_fixed_size_hakmem +**Command**: 200000 1024 128 + +## 1. PTR_TRACE Dump (HAKMEM_PTR_TRACE_DUMP=1) + +``` +Command terminated by signal: SIGBUS + +[PTR_TRACE_NOW] reason=wrap_libc_lockdepth last=0 (cap=256) +[hakmem] [Whale] Initialized (capacity=8, threshold=2 MB) +[hakmem] EVO sampling disabled (HAKMEM_EVO_SAMPLE not set or 0) + +[PTR_TRACE_NOW] reason=wrap_libc_lockdepth last=0 (cap=256) + +[PTR_TRACE_NOW] reason=wrap_libc_lockdepth last=0 (cap=256) + +[PTR_TRACE_NOW] reason=wrap_libc_lockdepth last=0 (cap=256) + +[PTR_TRACE_NOW] reason=wrap_libc_lockdepth last=0 (cap=256) +[hakmem] Baseline: soft_pf=295, hard_pf=0, rss=2432 KB +[hakmem] Initialized (PoC version) +[hakmem] Sampling rate: 1/1 +[hakmem] Max sites: 256 +[hakmem] [Build] Flavor=RELEASE Flags: HEADER_CLASSIDX=1, AGGRESSIVE_INLINE=1, POOL_TLS_PHASE1=1, POOL_TLS_PREWARM=1 +[hakmem] Invalid free mode: skip check (default) +[Pool] hak_pool_init() called for the first time +[Pool] hak_pool_init_impl() EXECUTING - Bridge class fix applied +[Pool] Initialized (L2 Hybrid Pool) - Bridge classes SHOULD be enabled +[Pool] Class 5 (40KB): 40960 +[Pool] Class 6 (52KB): 53248 +[hakmem] [Pool] Initialized (L2 Hybrid Pool) +[hakmem] [Pool] Class configuration: +[hakmem] Class 0: 2 KB (ENABLED) +[hakmem] Class 1: 4 KB (ENABLED) +[hakmem] Class 2: 8 KB (ENABLED) +[hakmem] Class 3: 16 KB (ENABLED) +[hakmem] Class 4: 32 KB (ENABLED) +[hakmem] Class 5: 40 KB (ENABLED) +[hakmem] Class 6: 52 KB (ENABLED) +[hakmem] [Pool] Page size: 64 KB +[hakmem] [Pool] Shards: 64 (site-based) +[Pool] Pre-allocated 4 pages for Bridge class 5 (40 KB) - Critical for 33KB allocs +[Pool] Pre-allocated 4 pages for Bridge class 6 (52KB) +[hakmem] [L2.5] Initialized (LargePool) +[hakmem] [L2.5] Classes: 64KB, 128KB, 256KB, 512KB, 1MB +[hakmem] [L2.5] Page size: 64 KB +[hakmem] [L2.5] Shards: 64 (site-based) +[hakmem] 
[BigCache] Initialized (Phase 2c: Dynamic hash table) +[hakmem] [BigCache] Initial capacity: 256 buckets, max: 65536 buckets +[hakmem] [BigCache] Load factor: 0.75, min size: 512 KB +[ELO] Initialized 12 strategies (thresholds: 512KB-32MB) +[Batch] Initialized (threshold=8 MB, min_size=64 KB, bg=on) +[ACE] ACE disabled (HAKMEM_ACE_ENABLED=0) +[SUPERSLAB_MMAP] #1: class=0 size=2097152 (total SuperSlab mmaps so far) +[HAKMEM] Expanded SuperSlabHead for class 0: 1 chunks now (bitmap=0x00000001) +[HAKMEM] Initialized SuperSlabHead for class 0: 1 initial chunks +[BATCH_CARVE] cls=0 slab=1 used=0 cap=7281 batch=16 base=0x7b447fa10000 bs=9 +[TRC_GUARD] failfast=1 env=(null) mode=debug +[LINEAR_CARVE] base=0x7b447fa10000 carved=0 batch=16 cursor=0x7b447fa10000 +[SPLICE_TO_SLL] cls=0 head=0x7b447fa10000 tail=0x7b447fa10087 count=16 +[SUPERSLAB_MMAP] #2: class=1 size=2097152 (total SuperSlab mmaps so far) +[HAKMEM] Expanded SuperSlabHead for class 1: 1 chunks now (bitmap=0x00000001) +[HAKMEM] Initialized SuperSlabHead for class 1: 1 initial chunks +[LINEAR_CARVE] base=0x7b447f610000 carved=0 batch=16 cursor=0x7b447f610000 +[SPLICE_TO_SLL] cls=1 head=0x7b447f610000 tail=0x7b447f6100ff count=16 +[SUPERSLAB_MMAP] #3: class=2 size=2097152 (total SuperSlab mmaps so far) +[HAKMEM] Expanded SuperSlabHead for class 2: 1 chunks now (bitmap=0x00000001) +[HAKMEM] Initialized SuperSlabHead for class 2: 1 initial chunks +[LINEAR_CARVE] base=0x7b447f210000 carved=0 batch=16 cursor=0x7b447f210000 +[SPLICE_TO_SLL] cls=2 head=0x7b447f210000 tail=0x7b447f2101ef count=16 +[SUPERSLAB_MMAP] #4: class=3 size=2097152 (total SuperSlab mmaps so far) +[HAKMEM] Expanded SuperSlabHead for class 3: 1 chunks now (bitmap=0x00000001) +[HAKMEM] Initialized SuperSlabHead for class 3: 1 initial chunks +[LINEAR_CARVE] base=0x7b447ee10000 carved=0 batch=16 cursor=0x7b447ee10000 +[SPLICE_TO_SLL] cls=3 head=0x7b447ee10000 tail=0x7b447ee103cf count=16 +[SUPERSLAB_MMAP] #5: class=4 size=2097152 (total SuperSlab 
mmaps so far) +[HAKMEM] Expanded SuperSlabHead for class 4: 1 chunks now (bitmap=0x00000001) +[HAKMEM] Initialized SuperSlabHead for class 4: 1 initial chunks +[LINEAR_CARVE] base=0x7b447ea10000 carved=0 batch=16 cursor=0x7b447ea10000 +[SPLICE_TO_SLL] cls=4 head=0x7b447ea10000 tail=0x7b447ea1078f count=16 +[SUPERSLAB_MMAP] #6: class=5 size=2097152 (total SuperSlab mmaps so far) +[HAKMEM] Expanded SuperSlabHead for class 5: 1 chunks now (bitmap=0x00000001) +[HAKMEM] Initialized SuperSlabHead for class 5: 1 initial chunks +[SUPERSLAB_MMAP] #7: class=6 size=2097152 (total SuperSlab mmaps so far) +[HAKMEM] Expanded SuperSlabHead for class 6: 1 chunks now (bitmap=0x00000001) +[HAKMEM] Initialized SuperSlabHead for class 6: 1 initial chunks +[LINEAR_CARVE] base=0x7b447e210000 carved=0 batch=16 cursor=0x7b447e210000 +[SPLICE_TO_SLL] cls=6 head=0x7b447e210000 tail=0x7b447e211e0f count=16 +[SUPERSLAB_MMAP] #8: class=7 size=2097152 (total SuperSlab mmaps so far) +[SUPERSLAB_INIT] class 7 slab 0: usable_size=63488 stride=1024 capacity=62 +[SUPERSLAB_INIT] Expected: 63488 / 1024 = 62 blocks +[HAKMEM] Expanded SuperSlabHead for class 7: 1 chunks now (bitmap=0x00000001) +[HAKMEM] Initialized SuperSlabHead for class 7: 1 initial chunks +[hakmem] TLS cache pre-warmed for 8 classes +[LINEAR_CARVE] base=0x7b447fa10000 carved=16 batch=16 cursor=0x7b447fa10090 +[SPLICE_TO_SLL] cls=0 head=0x7b447fa10090 tail=0x7b447fa10117 count=16 +[LINEAR_CARVE] base=0x7b447fa10000 carved=32 batch=16 cursor=0x7b447fa10120 +[SPLICE_TO_SLL] cls=0 head=0x7b447fa10120 tail=0x7b447fa101a7 count=16 +[LINEAR_CARVE] base=0x7b447fa10000 carved=48 batch=16 cursor=0x7b447fa101b0 +[SPLICE_TO_SLL] cls=0 head=0x7b447fa101b0 tail=0x7b447fa10237 count=16 +``` + +## 2. 
Signal Handler Dump (HAKMEM_DEBUG_SEGV=1) + +``` +Command terminated by signal: SIGABRT +[HAKMEM][EARLY] installing SIGSEGV handler + +[PTR_TRACE_NOW] reason=wrap_libc_lockdepth last=0 (cap=256) +[hakmem] [Whale] Initialized (capacity=8, threshold=2 MB) +[hakmem] EVO sampling disabled (HAKMEM_EVO_SAMPLE not set or 0) + +[PTR_TRACE_NOW] reason=wrap_libc_lockdepth last=0 (cap=256) + +[PTR_TRACE_NOW] reason=wrap_libc_lockdepth last=0 (cap=256) + +[PTR_TRACE_NOW] reason=wrap_libc_lockdepth last=0 (cap=256) + +[PTR_TRACE_NOW] reason=wrap_libc_lockdepth last=0 (cap=256) +[hakmem] Baseline: soft_pf=297, hard_pf=0, rss=2432 KB +[hakmem] Initialized (PoC version) +[hakmem] Sampling rate: 1/1 +[hakmem] Max sites: 256 +[hakmem] [Build] Flavor=RELEASE Flags: HEADER_CLASSIDX=1, AGGRESSIVE_INLINE=1, POOL_TLS_PHASE1=1, POOL_TLS_PREWARM=1 +[hakmem] Invalid free mode: skip check (default) +[Pool] hak_pool_init() called for the first time +[Pool] hak_pool_init_impl() EXECUTING - Bridge class fix applied +[Pool] Initialized (L2 Hybrid Pool) - Bridge classes SHOULD be enabled +[Pool] Class 5 (40KB): 40960 +[Pool] Class 6 (52KB): 53248 +[hakmem] [Pool] Initialized (L2 Hybrid Pool) +[hakmem] [Pool] Class configuration: +[hakmem] Class 0: 2 KB (ENABLED) +[hakmem] Class 1: 4 KB (ENABLED) +[hakmem] Class 2: 8 KB (ENABLED) +[hakmem] Class 3: 16 KB (ENABLED) +[hakmem] Class 4: 32 KB (ENABLED) +[hakmem] Class 5: 40 KB (ENABLED) +[hakmem] Class 6: 52 KB (ENABLED) +[hakmem] [Pool] Page size: 64 KB +[hakmem] [Pool] Shards: 64 (site-based) +[Pool] Pre-allocated 4 pages for Bridge class 5 (40 KB) - Critical for 33KB allocs +[Pool] Pre-allocated 4 pages for Bridge class 6 (52KB) +[hakmem] [L2.5] Initialized (LargePool) +[hakmem] [L2.5] Classes: 64KB, 128KB, 256KB, 512KB, 1MB +[hakmem] [L2.5] Page size: 64 KB +[hakmem] [L2.5] Shards: 64 (site-based) +[hakmem] [BigCache] Initialized (Phase 2c: Dynamic hash table) +[hakmem] [BigCache] Initial capacity: 256 buckets, max: 65536 buckets +[hakmem] 
[BigCache] Load factor: 0.75, min size: 512 KB +[ELO] Initialized 12 strategies (thresholds: 512KB-32MB) +[Batch] Initialized (threshold=8 MB, min_size=64 KB, bg=on) +[ACE] ACE disabled (HAKMEM_ACE_ENABLED=0) +[SUPERSLAB_MMAP] #1: class=0 size=2097152 (total SuperSlab mmaps so far) +[HAKMEM] Expanded SuperSlabHead for class 0: 1 chunks now (bitmap=0x00000001) +[HAKMEM] Initialized SuperSlabHead for class 0: 1 initial chunks +[BATCH_CARVE] cls=0 slab=1 used=0 cap=7281 batch=16 base=0x7dc128c10000 bs=9 +[TRC_GUARD] failfast=1 env=(null) mode=debug +[LINEAR_CARVE] base=0x7dc128c10000 carved=0 batch=16 cursor=0x7dc128c10000 +[SPLICE_TO_SLL] cls=0 head=0x7dc128c10000 tail=0x7dc128c10087 count=16 +[SUPERSLAB_MMAP] #2: class=1 size=2097152 (total SuperSlab mmaps so far) +[HAKMEM] Expanded SuperSlabHead for class 1: 1 chunks now (bitmap=0x00000001) +[HAKMEM] Initialized SuperSlabHead for class 1: 1 initial chunks +[LINEAR_CARVE] base=0x7dc128810000 carved=0 batch=16 cursor=0x7dc128810000 +[SPLICE_TO_SLL] cls=1 head=0x7dc128810000 tail=0x7dc1288100ff count=16 +[SUPERSLAB_MMAP] #3: class=2 size=2097152 (total SuperSlab mmaps so far) +[HAKMEM] Expanded SuperSlabHead for class 2: 1 chunks now (bitmap=0x00000001) +[HAKMEM] Initialized SuperSlabHead for class 2: 1 initial chunks +[LINEAR_CARVE] base=0x7dc128410000 carved=0 batch=16 cursor=0x7dc128410000 +[SPLICE_TO_SLL] cls=2 head=0x7dc128410000 tail=0x7dc1284101ef count=16 +[SUPERSLAB_MMAP] #4: class=3 size=2097152 (total SuperSlab mmaps so far) +[HAKMEM] Expanded SuperSlabHead for class 3: 1 chunks now (bitmap=0x00000001) +[HAKMEM] Initialized SuperSlabHead for class 3: 1 initial chunks +[LINEAR_CARVE] base=0x7dc128010000 carved=0 batch=16 cursor=0x7dc128010000 +[SPLICE_TO_SLL] cls=3 head=0x7dc128010000 tail=0x7dc1280103cf count=16 +[SUPERSLAB_MMAP] #5: class=4 size=2097152 (total SuperSlab mmaps so far) +[HAKMEM] Expanded SuperSlabHead for class 4: 1 chunks now (bitmap=0x00000001) +[HAKMEM] Initialized SuperSlabHead for class 
4: 1 initial chunks +[LINEAR_CARVE] base=0x7dc127c10000 carved=0 batch=16 cursor=0x7dc127c10000 +[SPLICE_TO_SLL] cls=4 head=0x7dc127c10000 tail=0x7dc127c1078f count=16 +[SUPERSLAB_MMAP] #6: class=5 size=2097152 (total SuperSlab mmaps so far) +[HAKMEM] Expanded SuperSlabHead for class 5: 1 chunks now (bitmap=0x00000001) +[HAKMEM] Initialized SuperSlabHead for class 5: 1 initial chunks +[SUPERSLAB_MMAP] #7: class=6 size=2097152 (total SuperSlab mmaps so far) +[HAKMEM] Expanded SuperSlabHead for class 6: 1 chunks now (bitmap=0x00000001) +[HAKMEM] Initialized SuperSlabHead for class 6: 1 initial chunks +[LINEAR_CARVE] base=0x7dc127410000 carved=0 batch=16 cursor=0x7dc127410000 +[SPLICE_TO_SLL] cls=6 head=0x7dc127410000 tail=0x7dc127411e0f count=16 +[SUPERSLAB_MMAP] #8: class=7 size=2097152 (total SuperSlab mmaps so far) +[SUPERSLAB_INIT] class 7 slab 0: usable_size=63488 stride=1024 capacity=62 +[SUPERSLAB_INIT] Expected: 63488 / 1024 = 62 blocks +[HAKMEM] Expanded SuperSlabHead for class 7: 1 chunks now (bitmap=0x00000001) +[HAKMEM] Initialized SuperSlabHead for class 7: 1 initial chunks +[hakmem] TLS cache pre-warmed for 8 classes +[LINEAR_CARVE] base=0x7dc128c10000 carved=16 batch=16 cursor=0x7dc128c10090 +[SPLICE_TO_SLL] cls=0 head=0x7dc128c10090 tail=0x7dc128c10117 count=16 +[LINEAR_CARVE] base=0x7dc128c10000 carved=32 batch=16 cursor=0x7dc128c10120 +[SPLICE_TO_SLL] cls=0 head=0x7dc128c10120 tail=0x7dc128c101a7 count=16 +[LINEAR_CARVE] base=0x7dc128c10000 carved=48 batch=16 cursor=0x7dc128c101b0 +[SPLICE_TO_SLL] cls=0 head=0x7dc128c101b0 tail=0x7dc128c10237 count=16 + +[PTR_TRACE_NOW] reason=wrap_libc_lockdepth last=0 (cap=256) +free(): invalid pointer + +[HAKMEM][EARLY SIGSEGV] backtrace (1 frames) +./out/debug/bench_fixed_size_hakmem(+0x663e)[0x589124a4963e] + +[PTR_TRACE_NOW] reason=signal last=0 (cap=256) +``` + +## 3. 
Free Wrapper Trace (HAKMEM_FREE_WRAP_TRACE=1) + +``` +[WRAP_FREE_ENTER] ptr=0x5a807fa902a0 depth=1 init=1 + +[PTR_TRACE_NOW] reason=wrap_libc_lockdepth last=0 (cap=256) +[hakmem] [Whale] Initialized (capacity=8, threshold=2 MB) +[hakmem] EVO sampling disabled (HAKMEM_EVO_SAMPLE not set or 0) +[WRAP_FREE_ENTER] ptr=0x5a807fa91970 depth=1 init=1 + +[PTR_TRACE_NOW] reason=wrap_libc_lockdepth last=0 (cap=256) +[WRAP_FREE_ENTER] ptr=0x5a807fa91790 depth=1 init=1 + +[PTR_TRACE_NOW] reason=wrap_libc_lockdepth last=0 (cap=256) +[WRAP_FREE_ENTER] ptr=0x5a807fa91970 depth=1 init=1 + +[PTR_TRACE_NOW] reason=wrap_libc_lockdepth last=0 (cap=256) +[WRAP_FREE_ENTER] ptr=0x5a807fa91790 depth=1 init=1 + +[PTR_TRACE_NOW] reason=wrap_libc_lockdepth last=0 (cap=256) +[hakmem] Baseline: soft_pf=213, hard_pf=0, rss=2432 KB +[hakmem] Initialized (PoC version) +[hakmem] Sampling rate: 1/1 +[hakmem] Max sites: 256 +[hakmem] [Build] Flavor=RELEASE Flags: HEADER_CLASSIDX=1, AGGRESSIVE_INLINE=1, POOL_TLS_PHASE1=1, POOL_TLS_PREWARM=1 +[hakmem] Invalid free mode: skip check (default) +[Pool] hak_pool_init() called for the first time +[Pool] hak_pool_init_impl() EXECUTING - Bridge class fix applied +[Pool] Initialized (L2 Hybrid Pool) - Bridge classes SHOULD be enabled +[Pool] Class 5 (40KB): 40960 +[Pool] Class 6 (52KB): 53248 +[hakmem] [Pool] Initialized (L2 Hybrid Pool) +[hakmem] [Pool] Class configuration: +[hakmem] Class 0: 2 KB (ENABLED) +[hakmem] Class 1: 4 KB (ENABLED) +[hakmem] Class 2: 8 KB (ENABLED) +[hakmem] Class 3: 16 KB (ENABLED) +[hakmem] Class 4: 32 KB (ENABLED) +[hakmem] Class 5: 40 KB (ENABLED) +[hakmem] Class 6: 52 KB (ENABLED) +[hakmem] [Pool] Page size: 64 KB +[hakmem] [Pool] Shards: 64 (site-based) +[Pool] Pre-allocated 4 pages for Bridge class 5 (40 KB) - Critical for 33KB allocs +[Pool] Pre-allocated 4 pages for Bridge class 6 (52KB) +[hakmem] [L2.5] Initialized (LargePool) +[hakmem] [L2.5] Classes: 64KB, 128KB, 256KB, 512KB, 1MB +[hakmem] [L2.5] Page size: 64 KB 
+[hakmem] [L2.5] Shards: 64 (site-based) +[hakmem] [BigCache] Initialized (Phase 2c: Dynamic hash table) +[hakmem] [BigCache] Initial capacity: 256 buckets, max: 65536 buckets +[hakmem] [BigCache] Load factor: 0.75, min size: 512 KB +[ELO] Initialized 12 strategies (thresholds: 512KB-32MB) +[Batch] Initialized (threshold=8 MB, min_size=64 KB, bg=on) +``` + +## 分析結果 + +### 重要な観察 + +1. **SIGBUS/SIGABRTクラッシュ**: 実行中にメモリアクセス違反 +2. **PTR_TRACEダンプ**: + - `wrap_libc_lockdepth` - libcフォールバック + - `signal` - シグナルハンドラ実行 + - **TLS-SLL操作が記録されていない!** +3. **Free Wrapper**: + - 同じポインタが複数回解放されている(`0x5a807fa91970`, `0x5a807fa91790`) + - `init=1` だが初期化前に解放されている可能性 + +### 問題の特定 + +**根本原因**: SPLICE_TO_SLL でリンクされた後、Box境界のTLS-SLL操作を経由せず、直接libc free()が呼ばれている + +- TLS-SLLの `tls_push/tls_pop/tls_sp_trav/tls_sp_link` がPTR_TRACEに記録されていない +- `wrap_libc_lockdepth` だけが記録され、直接libc経由になっている + +### 推奨対策 + +1. **SPLICE_TO_SLL後のTLS-SLL操作を追跡** +2. **free()呼び出し前のポインタ検証強化** +3. **Box境界のTLS-SLL操作がスキップされている原因を特定** + +これにより侵入経路(libc直行 vs Box境界)を確定できる! diff --git a/debug_logs_round2_$(date +%Y%m%d_%H%M%S).md b/debug_logs_round2_$(date +%Y%m%d_%H%M%S).md new file mode 100644 index 00000000..e10d5b6f --- /dev/null +++ b/debug_logs_round2_$(date +%Y%m%d_%H%M%S).md 
@@ -0,0 +1,343 @@
+# Debug Logs Round 2 - bench_fixed_size_hakmem SEGV Investigation
+**Date**: 2025-11-10
+**Binary**: out/debug/bench_fixed_size_hakmem ( rebuilt)
+**Command**: 200000 1024 128
+
+## 1. Signal Handler Dump (HAKMEM_DEBUG_SEGV=1)
+
+```
+Command terminated by signal: SIGSEGV
+[HAKMEM][EARLY] installing SIGSEGV handler
+
+[PTR_TRACE_NOW] reason=wrap_libc_lockdepth last=0 (cap=256)
+[hakmem] [Whale] Initialized (capacity=8, threshold=2 MB)
+[hakmem] EVO sampling disabled (HAKMEM_EVO_SAMPLE not set or 0)
+
+[PTR_TRACE_NOW] reason=wrap_libc_lockdepth last=0 (cap=256)
+
+[PTR_TRACE_NOW] reason=wrap_libc_lockdepth last=0 (cap=256)
+
+[PTR_TRACE_NOW] reason=wrap_libc_lockdepth last=0 (cap=256)
+
+[PTR_TRACE_NOW] reason=wrap_libc_lockdepth last=0 (cap=256)
+[hakmem] Baseline: soft_pf=297, hard_pf=0, rss=2304 KB
+[hakmem] Initialized (PoC version)
+[hakmem] Sampling rate: 1/1
+[hakmem] Max sites: 256
+[hakmem] [Build] Flavor=RELEASE Flags: HEADER_CLASSIDX=1, AGGRESSIVE_INLINE=1, POOL_TLS_PHASE1=1, POOL_TLS_PREWARM=1
+[hakmem] Invalid free mode: skip check (default)
+[Pool] hak_pool_init() called for the first time
+[Pool] hak_pool_init_impl() EXECUTING - Bridge class fix applied
+[Pool] Initialized (L2 Hybrid Pool) - Bridge classes SHOULD be enabled
+[Pool] Class 5 (40KB): 40960
+[Pool] Class 6 (52KB): 53248
+[hakmem] [Pool] Initialized (L2 Hybrid Pool)
+[hakmem] [Pool] Class configuration:
+[hakmem] Class 0: 2 KB (ENABLED)
+[hakmem] Class 1: 4 KB (ENABLED)
+[hakmem] Class 2: 8 KB (ENABLED)
+[hakmem] Class 3: 16 KB (ENABLED)
+[hakmem] Class 4: 32 KB (ENABLED)
+[hakmem] Class 5: 40 KB (ENABLED)
+[hakmem] Class 6: 52 KB (ENABLED)
+[hakmem] [Pool] Page size: 64 KB
+[hakmem] [Pool] Shards: 64 (site-based)
+[Pool] Pre-allocated 4 pages for Bridge class 5 (40 KB) - Critical for 33KB allocs
+[Pool] Pre-allocated 4 pages for Bridge class 6 (52KB)
+[hakmem] [L2.5] Initialized (LargePool)
+[hakmem] [L2.5] Classes: 64KB, 128KB, 256KB, 512KB, 1MB
+[hakmem] [L2.5] Page size: 64 KB
+[hakmem] [L2.5] Shards: 64 (site-based)
+[hakmem] [BigCache] Initialized (Phase 2c: Dynamic hash table)
+[hakmem] [BigCache] Initial capacity: 256 buckets, max: 65536 buckets
+[hakmem] [BigCache] Load factor: 0.75, min size: 512 KB
+[ELO] Initialized 12 strategies (thresholds: 512KB-32MB)
+[Batch] Initialized (threshold=8 MB, min_size=64 KB, bg=on)
+[ACE] ACE disabled (HAKMEM_ACE_ENABLED=0)
+[SUPERSLAB_MMAP] #1: class=0 size=2097152 (total SuperSlab mmaps so far)
+[HAKMEM] Expanded SuperSlabHead for class 0: 1 chunks now (bitmap=0x00000001)
+[HAKMEM] Initialized SuperSlabHead for class 0: 1 initial chunks
+[BATCH_CARVE] cls=0 slab=1 used=0 cap=7281 batch=16 base=0x74734b410000 bs=9
+[TRC_GUARD] failfast=1 env=(null) mode=debug
+[LINEAR_CARVE] base=0x74734b410000 carved=0 batch=16 cursor=0x74734b410000
+[SPLICE_TO_SLL] cls=0 head=0x74734b410000 tail=0x74734b410087 count=16
+[SUPERSLAB_MMAP] #2: class=1 size=2097152 (total SuperSlab mmaps so far)
+[HAKMEM] Expanded SuperSlabHead for class 1: 1 chunks now (bitmap=0x00000001)
+[HAKMEM] Initialized SuperSlabHead for class 1: 1 initial chunks
+[LINEAR_CARVE] base=0x74734b010000 carved=0 batch=16 cursor=0x74734b010000
+[SPLICE_TO_SLL] cls=1 head=0x74734b010000 tail=0x74734b0100ff count=16
+[SUPERSLAB_MMAP] #3: class=2 size=2097152 (total SuperSlab mmaps so far)
+[HAKMEM] Expanded SuperSlabHead for class 2: 1 chunks now (bitmap=0x00000001)
+[HAKMEM] Initialized SuperSlabHead for class 2: 1 initial chunks
+[LINEAR_CARVE] base=0x74734ac10000 carved=0 batch=16 cursor=0x74734ac10000
+[SPLICE_TO_SLL] cls=2 head=0x74734ac10000 tail=0x74734ac101ef count=16
+[SUPERSLAB_MMAP] #4: class=3 size=2097152 (total SuperSlab mmaps so far)
+[HAKMEM] Expanded SuperSlabHead for class 3: 1 chunks now (bitmap=0x00000001)
+[HAKMEM] Initialized SuperSlabHead for class 3: 1 initial chunks
+[LINEAR_CARVE] base=0x74734a810000 carved=0 batch=16 cursor=0x74734a810000
+[SPLICE_TO_SLL] cls=3 head=0x74734a810000 tail=0x74734a8103cf count=16
+[SUPERSLAB_MMAP] #5: class=4 size=2097152 (total SuperSlab mmaps so far)
+[HAKMEM] Expanded SuperSlabHead for class 4: 1 chunks now (bitmap=0x00000001)
+[HAKMEM] Initialized SuperSlabHead for class 4: 1 initial chunks
+[LINEAR_CARVE] base=0x74734a410000 carved=0 batch=16 cursor=0x74734a410000
+[SPLICE_TO_SLL] cls=4 head=0x74734a410000 tail=0x74734a41078f count=16
+[SUPERSLAB_MMAP] #6: class=5 size=2097152 (total SuperSlab mmaps so far)
+[HAKMEM] Expanded SuperSlabHead for class 5: 1 chunks now (bitmap=0x00000001)
+[HAKMEM] Initialized SuperSlabHead for class 5: 1 initial chunks
+[SUPERSLAB_MMAP] #7: class=6 size=2097152 (total SuperSlab mmaps so far)
+[HAKMEM] Expanded SuperSlabHead for class 6: 1 chunks now (bitmap=0x00000001)
+[HAKMEM] Initialized SuperSlabHead for class 6: 1 initial chunks
+[LINEAR_CARVE] base=0x747349c10000 carved=0 batch=16 cursor=0x747349c10000
+[SPLICE_TO_SLL] cls=6 head=0x747349c10000 tail=0x747349c11e0f count=16
+[SUPERSLAB_MMAP] #8: class=7 size=2097152 (total SuperSlab mmaps so far)
+[SUPERSLAB_INIT] class 7 slab 0: usable_size=63488 stride=1024 capacity=62
+[SUPERSLAB_INIT] Expected: 63488 / 1024 = 62 blocks
+[HAKMEM] Expanded SuperSlabHead for class 7: 1 chunks now (bitmap=0x00000001)
+[HAKMEM] Initialized SuperSlabHead for class 7: 1 initial chunks
+[hakmem] TLS cache pre-warmed for 8 classes
+[LINEAR_CARVE] base=0x74734b410000 carved=16 batch=16 cursor=0x74734b410090
+[SPLICE_TO_SLL] cls=0 head=0x74734b410090 tail=0x74734b410117 count=16
+[LINEAR_CARVE] base=0x74734b410000 carved=32 batch=16 cursor=0x74734b410120
+[SPLICE_TO_SLL] cls=0 head=0x74734b410120 tail=0x74734b4101a7 count=16
+[LINEAR_CARVE] base=0x74734b410000 carved=48 batch=16 cursor=0x74734b4101b0
+[SPLICE_TO_SLL] cls=0 head=0x74734b4101b0 tail=0x74734b410237 count=16
+
+[HAKMEM][SIGSEGV] dumping backtrace (1 frames)
+./out/debug/bench_fixed_size_hakmem(+0x67c3)[0x5bf895ed37c3]
+```
+
+## 2. PTR_TRACE Dump (HAKMEM_PTR_TRACE_DUMP=1)
+
+```
+Command terminated by signal: SIGSEGV
+
+[PTR_TRACE_NOW] reason=wrap_libc_lockdepth last=0 (cap=256)
+[hakmem] [Whale] Initialized (capacity=8, threshold=2 MB)
+[hakmem] EVO sampling disabled (HAKMEM_EVO_SAMPLE not set or 0)
+
+[PTR_TRACE_NOW] reason=wrap_libc_lockdepth last=0 (cap=256)
+
+[PTR_TRACE_NOW] reason=wrap_libc_lockdepth last=0 (cap=256)
+
+[PTR_TRACE_NOW] reason=wrap_libc_lockdepth last=0 (cap=256)
+
+[PTR_TRACE_NOW] reason=wrap_libc_lockdepth last=0 (cap=256)
+[hakmem] Baseline: soft_pf=298, hard_pf=0, rss=2432 KB
+[hakmem] Initialized (PoC version)
+[hakmem] Sampling rate: 1/1
+[hakmem] Max sites: 256
+[hakmem] [Build] Flavor=RELEASE Flags: HEADER_CLASSIDX=1, AGGRESSIVE_INLINE=1, POOL_TLS_PHASE1=1, POOL_TLS_PREWARM=1
+[hakmem] Invalid free mode: skip check (default)
+[Pool] hak_pool_init() called for the first time
+[Pool] hak_pool_init_impl() EXECUTING - Bridge class fix applied
+[Pool] Initialized (L2 Hybrid Pool) - Bridge classes SHOULD be enabled
+[Pool] Class 5 (40KB): 40960
+[Pool] Class 6 (52KB): 53248
+[hakmem] [Pool] Initialized (L2 Hybrid Pool)
+[hakmem] [Pool] Class configuration:
+[hakmem] Class 0: 2 KB (ENABLED)
+[hakmem] Class 1: 4 KB (ENABLED)
+[hakmem] Class 2: 8 KB (ENABLED)
+[hakmem] Class 3: 16 KB (ENABLED)
+[hakmem] Class 4: 32 KB (ENABLED)
+[hakmem] Class 5: 40 KB (ENABLED)
+[hakmem] Class 6: 52 KB (ENABLED)
+[hakmem] [Pool] Page size: 64 KB
+[hakmem] [Pool] Shards: 64 (site-based)
+[Pool] Pre-allocated 4 pages for Bridge class 5 (40 KB) - Critical for 33KB allocs
+[Pool] Pre-allocated 4 pages for Bridge class 6 (52KB)
+[hakmem] [L2.5] Initialized (LargePool)
+[hakmem] [L2.5] Classes: 64KB, 128KB, 256KB, 512KB, 1MB
+[hakmem] [L2.5] Page size: 64 KB
+[hakmem] [L2.5] Shards: 64 (site-based)
+[hakmem] [BigCache] Initialized (Phase 2c: Dynamic hash table)
+[hakmem] [BigCache] Initial capacity: 256 buckets, max: 65536 buckets
+[hakmem] [BigCache] Load factor: 0.75, min size: 512 KB
+[ELO] Initialized 12 strategies (thresholds: 512KB-32MB)
+[Batch] Initialized (threshold=8 MB, min_size=64 KB, bg=on)
+[ACE] ACE disabled (HAKMEM_ACE_ENABLED=0)
+[SUPERSLAB_MMAP] #1: class=0 size=2097152 (total SuperSlab mmaps so far)
+[HAKMEM] Expanded SuperSlabHead for class 0: 1 chunks now (bitmap=0x00000001)
+[HAKMEM] Initialized SuperSlabHead for class 0: 1 initial chunks
+[BATCH_CARVE] cls=0 slab=1 used=0 cap=7281 batch=16 base=0x7e8c47c10000 bs=9
+[TRC_GUARD] failfast=1 env=(null) mode=debug
+[LINEAR_CARVE] base=0x7e8c47c10000 carved=0 batch=16 cursor=0x7e8c47c10000
+[SPLICE_TO_SLL] cls=0 head=0x7e8c47c10000 tail=0x7e8c47c10087 count=16
+[SUPERSLAB_MMAP] #2: class=1 size=2097152 (total SuperSlab mmaps so far)
+[HAKMEM] Expanded SuperSlabHead for class 1: 1 chunks now (bitmap=0x00000001)
+[HAKMEM] Initialized SuperSlabHead for class 1: 1 initial chunks
+[LINEAR_CARVE] base=0x7e8c47810000 carved=0 batch=16 cursor=0x7e8c47810000
+[SPLICE_TO_SLL] cls=1 head=0x7e8c47810000 tail=0x7e8c478100ff count=16
+[SUPERSLAB_MMAP] #3: class=2 size=2097152 (total SuperSlab mmaps so far)
+[HAKMEM] Expanded SuperSlabHead for class 2: 1 chunks now (bitmap=0x00000001)
+[HAKMEM] Initialized SuperSlabHead for class 2: 1 initial chunks
+[LINEAR_CARVE] base=0x7e8c47410000 carved=0 batch=16 cursor=0x7e8c47410000
+[SPLICE_TO_SLL] cls=2 head=0x7e8c47410000 tail=0x7e8c474101ef count=16
+[SUPERSLAB_MMAP] #4: class=3 size=2097152 (total SuperSlab mmaps so far)
+[HAKMEM] Expanded SuperSlabHead for class 3: 1 chunks now (bitmap=0x00000001)
+[HAKMEM] Initialized SuperSlabHead for class 3: 1 initial chunks
+[LINEAR_CARVE] base=0x7e8c47010000 carved=0 batch=16 cursor=0x7e8c47010000
+[SPLICE_TO_SLL] cls=3 head=0x7e8c47010000 tail=0x7e8c470103cf count=16
+[SUPERSLAB_MMAP] #5: class=4 size=2097152 (total SuperSlab mmaps so far)
+[HAKMEM] Expanded SuperSlabHead for class 4: 1 chunks now (bitmap=0x00000001)
+[HAKMEM] Initialized SuperSlabHead for class 4: 1 initial chunks
+[LINEAR_CARVE] base=0x7e8c46c10000 carved=0 batch=16 cursor=0x7e8c46c10000
+[SPLICE_TO_SLL] cls=4 head=0x7e8c46c10000 tail=0x7e8c46c1078f count=16
+[SUPERSLAB_MMAP] #6: class=5 size=2097152 (total SuperSlab mmaps so far)
+[HAKMEM] Expanded SuperSlabHead for class 5: 1 chunks now (bitmap=0x00000001)
+[HAKMEM] Initialized SuperSlabHead for class 5: 1 initial chunks
+[SUPERSLAB_MMAP] #7: class=6 size=2097152 (total SuperSlab mmaps so far)
+[HAKMEM] Expanded SuperSlabHead for class 6: 1 chunks now (bitmap=0x00000001)
+[HAKMEM] Initialized SuperSlabHead for class 6: 1 initial chunks
+[LINEAR_CARVE] base=0x7e8c46410000 carved=0 batch=16 cursor=0x7e8c46410000
+[SPLICE_TO_SLL] cls=6 head=0x7e8c46410000 tail=0x7e8c46411e0f count=16
+[SUPERSLAB_MMAP] #8: class=7 size=2097152 (total SuperSlab mmaps so far)
+[SUPERSLAB_INIT] class 7 slab 0: usable_size=63488 stride=1024 capacity=62
+[SUPERSLAB_INIT] Expected: 63488 / 1024 = 62 blocks
+[HAKMEM] Expanded SuperSlabHead for class 7: 1 chunks now (bitmap=0x00000001)
+[HAKMEM] Initialized SuperSlabHead for class 7: 1 initial chunks
+[hakmem] TLS cache pre-warmed for 8 classes
+[LINEAR_CARVE] base=0x7e8c47c10000 carved=16 batch=16 cursor=0x7e8c47c10090
+[SPLICE_TO_SLL] cls=0 head=0x7e8c47c10090 tail=0x7e8c47c10117 count=16
+[LINEAR_CARVE] base=0x7e8c47c10000 carved=32 batch=16 cursor=0x7e8c47c10120
+[SPLICE_TO_SLL] cls=0 head=0x7e8c47c10120 tail=0x7e8c47c101a7 count=16
+[LINEAR_CARVE] base=0x7e8c47c10000 carved=48 batch=16 cursor=0x7e8c47c101b0
+[SPLICE_TO_SLL] cls=0 head=0x7e8c47c101b0 tail=0x7e8c47c10237 count=16
+```
+
+## 3. Free Wrapper Trace (HAKMEM_FREE_WRAP_TRACE=1)
+
+```
+[WRAP_FREE_ENTER] ptr=0x64a1a8d752a0 depth=1 init=1
+
+[PTR_TRACE_NOW] reason=wrap_libc_lockdepth last=0 (cap=256)
+[hakmem] [Whale] Initialized (capacity=8, threshold=2 MB)
+[hakmem] EVO sampling disabled (HAKMEM_EVO_SAMPLE not set or 0)
+[WRAP_FREE_ENTER] ptr=0x64a1a8d76970 depth=1 init=1
+
+[PTR_TRACE_NOW] reason=wrap_libc_lockdepth last=0 (cap=256)
+[WRAP_FREE_ENTER] ptr=0x64a1a8d76790 depth=1 init=1
+
+[PTR_TRACE_NOW] reason=wrap_libc_lockdepth last=0 (cap=256)
+[WRAP_FREE_ENTER] ptr=0x64a1a8d76970 depth=1 init=1
+
+[PTR_TRACE_NOW] reason=wrap_libc_lockdepth last=0 (cap=256)
+[WRAP_FREE_ENTER] ptr=0x64a1a8d76790 depth=1 init=1
+
+[PTR_TRACE_NOW] reason=wrap_libc_lockdepth last=0 (cap=256)
+[hakmem] Baseline: soft_pf=216, hard_pf=0, rss=2432 KB
+[hakmem] Initialized (PoC version)
+[hakmem] Sampling rate: 1/1
+[hakmem] Max sites: 256
+[hakmem] [Build] Flavor=RELEASE Flags: HEADER_CLASSIDX=1, AGGRESSIVE_INLINE=1, POOL_TLS_PHASE1=1, POOL_TLS_PREWARM=1
+[hakmem] Invalid free mode: skip check (default)
+[Pool] hak_pool_init() called for the first time
+[Pool] hak_pool_init_impl() EXECUTING - Bridge class fix applied
+[Pool] Initialized (L2 Hybrid Pool) - Bridge classes SHOULD be enabled
+[Pool] Class 5 (40KB): 40960
+[Pool] Class 6 (52KB): 53248
+[hakmem] [Pool] Initialized (L2 Hybrid Pool)
+[hakmem] [Pool] Class configuration:
+[hakmem] Class 0: 2 KB (ENABLED)
+[hakmem] Class 1: 4 KB (ENABLED)
+[hakmem] Class 2: 8 KB (ENABLED)
+[hakmem] Class 3: 16 KB (ENABLED)
+[hakmem] Class 4: 32 KB (ENABLED)
+[hakmem] Class 5: 40 KB (ENABLED)
+[hakmem] Class 6: 52 KB (ENABLED)
+[hakmem] [Pool] Page size: 64 KB
+[hakmem] [Pool] Shards: 64 (site-based)
+[Pool] Pre-allocated 4 pages for Bridge class 5 (40 KB) - Critical for 33KB allocs
+[Pool] Pre-allocated 4 pages for Bridge class 6 (52KB)
+[hakmem] [L2.5] Initialized (LargePool)
+[hakmem] [L2.5] Classes: 64KB, 128KB, 256KB, 512KB, 1MB
+[hakmem] [L2.5] Page page size: 64 KB
+[hakmem] [L2.5] Shards: 64 (site-based)
+[hakmem] [BigCache] Initialized (Phase 2c: Dynamic hash table)
+[hakmem] [BigCache] Initial capacity: 256 buckets, max: 65536 buckets
+[hakmem] [BigCache] Load factor: 0.75, min size: 512 KB
+[ELO] Initialized 12 strategies (thresholds: 512KB-32MB)
+[Batch] Initialized (threshold=8 MB, min_size=64 KB, bg=on)
+[ACE] ACE disabled (HAKMEM_ACE_ENABLED=0)
+[SUPERSLAB_MMAP] #1: class=0 size=2097152 (total SuperSlab mmaps so far)
+[HAKMEM] Expanded SuperSlabHead for class 0: 1 chunks now (bitmap=0x00000001)
+[HAKMEM] Initialized SuperSlabHead for class 0: 1 initial chunks
+[BATCH_CARVE] cls=0 slab=1 used=0 cap=7281 batch=16 base=0x78846d810000 bs=9
+[TRC_GUARD] failfast=1 env=(null) mode=debug
+[LINEAR_CARVE] base=0x78846d810000 carved=0 batch=16 cursor=0x78846d810000
+[SPLICE_TO_SLL] cls=0 head=0x78846d810000 tail=0x78846d810087 count=16
+[SUPERSLAB_MMAP] #2: class=1 size=2097152 (total SuperSlab mmaps so far)
+[HAKMEM] Expanded SuperSlabHead for class 1: 1 chunks now (bitmap=0x00000001)
+[HAKMEM] Initialized SuperSlabHead for class 1: 1 initial chunks
+[LINEAR_CARVE] base=0x78846d410000 carved=0 batch=16 cursor=0x78846d410000
+[SPLICE_TO_SLL] cls=1 head=0x78846d410000 tail=0x78846d4100ff count=16
+[SUPERSLAB_MMAP] #3: class=2 size=2097152 (total SuperSlab mmaps so far)
+[HAKMEM] Expanded SuperSlabHead for class 2: 1 chunks now (bitmap=0x00000001)
+[HAKMEM] Initialized SuperSlabHead for class 2: 1 initial chunks
+[LINEAR_CARVE] base=0x78846d010000 carved=0 batch=16 cursor=0x78846d010000
+[SPLICE_TO_SLL] cls=2 head=0x78846d010000 tail=0x78846d0101ef count=16
+[SUPERSLAB_MMAP] #4: class=3 size=2097152 (total SuperSlab mmaps so far)
+[HAKMEM] Expanded SuperSlabHead for class 3: 1 chunks now (bitmap=0x00000001)
+[HAKMEM] Initialized SuperSlabHead for class 3: 1 initial chunks
+[LINEAR_CARVE] base=0x78846cc10000 carved=0 batch=16 cursor=0x78846cc10000
+[SPLICE_TO_SLL] cls=3 head=0x78846cc10000 tail=0x78846cc103cf count=16
+[SUPERSLAB_MMAP] #5: class=4 size=2097152 (total SuperSlab mmaps so far)
+[HAKMEM] Expanded SuperSlabHead for class 4: 1 chunks now (bitmap=0x00000001)
+[HAKMEM] Initialized SuperSlabHead for class 4: 1 initial chunks
+[LINEAR_CARVE] base=0x78846c810000 carved=0 batch=16 cursor=0x78846c810000
+[SPLICE_TO_SLL] cls=4 head=0x78846c810000 tail=0x78846c81078f count=16
+[SUPERSLAB_MMAP] #6: class=5 size=2097152 (total SuperSlab mmaps so far)
+[HAKMEM] Expanded SuperSlabHead for class 5: 1 chunks now (bitmap=0x00000001)
+[HAKMEM] Initialized SuperSlabHead for class 5: 1 initial chunks
+[SUPERSLAB_MMAP] #7: class=6 size=2097152 (total SuperSlab mmaps so far)
+[HAKMEM] Expanded SuperSlabHead for class 6: 1 chunks now (bitmap=0x00000001)
+[HAKMEM] Initialized SuperSlabHead for class 6: 1 initial chunks
+[LINEAR_CARVE] base=0x78846c010000 carved=0 batch=16 cursor=0x78846c010000
+[SPLICE_TO_SLL] cls=6 head=0x78846c010000 tail=0x78846c011e0f count=16
+[SUPERSLAB_MMAP] #8: class=7 size=2097152 (total SuperSlab mmaps so far)
+[SUPERSLAB_INIT] class 7 slab 0: usable_size=63488 stride=1024 capacity=62
+[SUPERSLAB_INIT] Expected: 63488 / 1024 = 62 blocks
+[HAKMEM] Expanded SuperSlabHead for class 7: 1 chunks now (bitmap=0x00000001)
+[HAKMEM] Initialized SuperSlabHead for class 7: 1 initial chunks
+[hakmem] TLS cache pre-warmed for 8 classes
+[LINEAR_CARVE] base=0x78846d810000 carved=16 batch=16 cursor=0x78846d810090
+[SPLICE_TO_SLL] cls=0 head=0x78846d810090 tail=0x78846d810117 count=16
+[WRAP_FREE_ENTER] ptr=0xa0 depth=0 init=0
+[FREE_WRAP_ENTER] ptr=0xa0
+[LINEAR_CARVE] base=0x78846d810000 carved=32 batch=16 cursor=0x78846d810120
+[SPLICE_TO_SLL] cls=0 head=0x78846d810120 tail=0x78846d8101a7 count=16
+[LINEAR_CARVE] base=0x78846d810000 carved=48 batch=16 cursor=0x78846d8101b0
+[SPLICE_TO_SLL] cls=0 head=0x78846d8101b0 tail=0x78846d810237 count=16
+```
+
+## Round 2 分析結果
+
+### 重要な発見
+
+1. **SIGSEGVクラッシュが継続**: 実行中にメモリアクセス違反
+2. **PTR_TRACEの問題は解決**: `wrap_libc_lockdepth` のみ記録
+3. **FREE_WRAP_TRACEで重大発見**:
+ - `[WRAP_FREE_ENTER] ptr=0xa0 depth=0 init=0`
+ - **不正なポインタ `0xa0` (160バイト目) が解放されている!**
+
+### 根本原因
+
+**NULLポインタ+ヘッダオフセットが原因**:
+- `0xa0` = NULL + 160バイト (ヘッダサイズ分?)
+- `depth=0 init=0` で初期化前に解放されている
+- SPLICE_TO_SLLでリンクされた後、TLS-SLLを経由せず直接不正ポインタを解放
+
+### 問題のフロー
+
+1. SPLICE_TO_SLLで正常にリンクされる
+2. TLS-SLLのポインタ操作が何らかの理由で失敗
+3. 不正なポインタ(NULL+offset)が生成される
+4. これがlibc free()に渡される → SIGSEGV
+
+### 推奨対策
+
+1. **TLS-SLLヘッドのNULLチェック強化**
+2. **ヘッダオフセット計算の検証**
+3. **SPLICE_TO_SLL直後のTLS-SLL状態確認**
+
+これにより、ポインタ破壊の具体的な箇所を特定できる!
diff --git a/hakmem.d b/hakmem.d
index fd9209f1..2dbe9cdb 100644
--- a/hakmem.d
+++ b/hakmem.d
@@ -16,15 +16,15 @@ hakmem.o: core/hakmem.c core/hakmem.h core/hakmem_build_flags.h \ core/hakmem_elo.h core/hakmem_ace_stats.h core/hakmem_batch.h \ core/hakmem_evo.h core/hakmem_debug.h core/hakmem_prof.h \ core/hakmem_syscall.h core/hakmem_ace_controller.h \ - core/hakmem_ace_metrics.h core/hakmem_ace_ucb1.h \ + core/hakmem_ace_metrics.h core/hakmem_ace_ucb1.h core/ptr_trace.h \ core/box/hak_exit_debug.inc.h core/box/hak_kpi_util.inc.h \ core/box/hak_core_init.inc.h core/hakmem_phase7_config.h \ core/box/hak_alloc_api.inc.h core/box/../pool_tls.h \ core/box/hak_free_api.inc.h core/hakmem_tiny_superslab.h \ core/box/../tiny_free_fast_v2.inc.h core/box/../tiny_region_id.h \ core/box/../hakmem_build_flags.h core/box/../hakmem_tiny_config.h \ - core/box/../box/tls_sll_box.h core/box/../box/../ptr_trace.h \ - core/box/../box/../hakmem_tiny_config.h core/box/front_gate_classifier.h \ + core/box/../box/tls_sll_box.h core/box/../box/../hakmem_tiny_config.h \ + core/box/../box/../hakmem_build_flags.h core/box/front_gate_classifier.h \ core/box/hak_wrappers.inc.h core/hakmem.h: core/hakmem_build_flags.h: @@ -70,6 +70,7 @@ core/hakmem_syscall.h: core/hakmem_ace_controller.h: core/hakmem_ace_metrics.h: core/hakmem_ace_ucb1.h: +core/ptr_trace.h: core/box/hak_exit_debug.inc.h: core/box/hak_kpi_util.inc.h: core/box/hak_core_init.inc.h:
@@ -83,7 +84,7 @@ core/box/../tiny_region_id.h: core/box/../hakmem_build_flags.h: core/box/../hakmem_tiny_config.h: core/box/../box/tls_sll_box.h: -core/box/../box/../ptr_trace.h: core/box/../box/../hakmem_tiny_config.h: +core/box/../box/../hakmem_build_flags.h: core/box/front_gate_classifier.h: core/box/hak_wrappers.inc.h: