From 9f32de48927e3f74de9d7fd92cff209f6655dd20 Mon Sep 17 00:00:00 2001
From: "Moe Charm (CI)"
Date: Fri, 7 Nov 2025 02:25:12 +0900
Subject: [PATCH] Fix: free() invalid pointer crash (partial fix - 0% → 60% success)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

**Problem:**
- 100% crash rate: "free(): invalid pointer"
- glibc abort on every run

**Root cause (found by Task agent ultrathink):**
`core/box/hak_free_api.inc.h:84`
```c
if (hdr->magic != HAKMEM_MAGIC) {
    __libc_free(ptr);  // ← BUG! ptr is user pointer (after header)
}
```

**Memory layout:**
```
Allocation: malloc(HEADER_SIZE + size) → returns (raw + HEADER_SIZE)
            [Header][User Data............]
            ^raw    ^ptr

Free: __libc_free(ptr) ← ✗ wrong! raw should be freed
```

**Fix:**
Line 84: `__libc_free(ptr)` → `free(raw)`
- Free the correct address on header corruption

**Effect:**
```
Before: 0/5 success (100% crash)
After:  3/5 success (60% crash)
```

**Remaining issues:**
- Still crashes 40% of the time
- Another bug exists (double-free or cross-thread corruption?)
- Next: further investigation with ASan + Task agent ultrathink

**Test results:**
```bash
Run 1: 4.19M ops/s ✅
Run 2: 4.19M ops/s ✅
Run 3: crash ❌
Run 4: 4.19M ops/s ✅
Run 5: crash ❌
```

**Investigation support:** Task agent (ultrathink mode)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude
---
 core/box/hak_free_api.inc.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/core/box/hak_free_api.inc.h b/core/box/hak_free_api.inc.h
index 065c4884..537d8166 100644
--- a/core/box/hak_free_api.inc.h
+++ b/core/box/hak_free_api.inc.h
@@ -81,7 +81,8 @@ void hak_free_at(void* ptr, size_t size, hak_callsite_t site) { AllocHeader* hdr = (AllocHeader*)raw; if (hdr->magic != HAKMEM_MAGIC) { if (g_invalid_free_log) fprintf(stderr, "[hakmem] ERROR: Invalid magic 0x%X (expected 0x%X)\n", hdr->magic, HAKMEM_MAGIC); - if (g_invalid_free_mode) { goto done; } else { extern void __libc_free(void*); __libc_free(ptr); goto done; } + // CRITICAL FIX: Free raw (allocated address), not ptr (user pointer after header) + if (g_invalid_free_mode) { goto done; } else { free(raw); goto done; } } if (HAK_ENABLED_CACHE(HAKMEM_FEATURE_BIGCACHE) && hdr->class_bytes >= 2097152) { if (hak_bigcache_put(ptr, hdr->size, hdr->alloc_site)) goto done;
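Review bot: in the `hdr->magic != HAKMEM_MAGIC` branch, `free(raw)` assumes the block is hakmem's with a damaged header, but a magic mismatch is equally consistent with a pointer hakmem never allocated (no header in front of it), which is the case the old `__libc_free(ptr)` handled; for such a pointer `raw` sits HEADER_SIZE bytes before the real allocation and glibc will abort with the same "free(): invalid pointer". The two cases cannot be told apart from `hdr->magic` alone (the field has already been read and logged before the decision is made), so this branch needs an ownership test that does not depend on the header, and when ownership is unknown it should do what `g_invalid_free_mode` already does and skip the free rather than guess. Separately, the switch from `__libc_free` to plain `free` is not explained beyond the one-line "`__libc_free(ptr)` → `free(raw)`" in the message; the removed line declared `extern void __libc_free(void*)` explicitly to bypass the public symbol, and if hakmem interposes `free`, the new call re-enters `hak_free_at` with the same bad header. If `raw` is really the intended target, `__libc_free(raw)` keeps that bypass.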
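As an added example (not hakmem's code and not part of this commit), the C program below implements the header-prefixed layout the message describes and a free path that settles the question the magic-mismatch branch leaves open: whether the block is ours (so `raw` is what `malloc` returned) or foreign (so nothing in front of `ptr` is ours to read or free). It decides ownership from a registry of live base addresses rather than from the header, which is an assumed design for this example; the names `ex_*`, `EX_MAGIC`, `EX_HEADER_SIZE` and the scenario inputs are constructed here and do not come from hakmem.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define EX_MAGIC        0x48414B4Du   /* assumed magic value for this example */
#define EX_HEADER_SIZE  16u           /* header padded so user data stays 16-byte aligned */
#define EX_MAX_LIVE     64            /* registry capacity, plenty for the demo */

typedef struct {
    uint32_t magic;
    uint32_t size;    /* user-visible size, like hakmem's hdr->size */
} ExHeader;

/* Base (raw) addresses handed out and not yet released. Ownership is decided
 * from this table, never from bytes read in front of the user pointer. */
static void  *g_live[EX_MAX_LIVE];
static size_t g_live_count;

static int ex_registry_find(const void *raw) {
    for (size_t i = 0; i < g_live_count; i++)
        if (g_live[i] == raw) return (int)i;
    return -1;
}

static void ex_registry_remove(int idx) {
    g_live[idx] = g_live[--g_live_count];   /* swap-remove; order does not matter */
}

size_t ex_live_count(void) { return g_live_count; }

/* malloc(HEADER_SIZE + size) and return the user pointer just past the header. */
void *ex_malloc(size_t size) {
    if (g_live_count == EX_MAX_LIVE) return NULL;
    char *raw = malloc(EX_HEADER_SIZE + size);
    if (!raw) return NULL;
    ExHeader *hdr = (ExHeader *)raw;
    hdr->magic = EX_MAGIC;
    hdr->size  = (uint32_t)size;
    g_live[g_live_count++] = raw;
    return raw + EX_HEADER_SIZE;
}

enum ex_free_result {
    EX_FREED_OK,       /* our block, header intact: free(raw) */
    EX_FREED_CORRUPT,  /* our block, header damaged: still free(raw), never ptr */
    EX_FOREIGN,        /* not ours (libc block, double free, garbage): nothing freed */
    EX_NULL
};

enum ex_free_result ex_free(void *ptr) {
    if (!ptr) return EX_NULL;
    char *raw = (char *)ptr - EX_HEADER_SIZE;
    int idx = ex_registry_find(raw);
    if (idx < 0) {
        /* Unknown base: do not read *raw and do not free raw or ptr here.
         * A real interposer would forward a known-foreign ptr to __libc_free;
         * this example leaves that decision to the caller. */
        return EX_FOREIGN;
    }
    ExHeader *hdr = (ExHeader *)raw;
    enum ex_free_result r = (hdr->magic == EX_MAGIC) ? EX_FREED_OK : EX_FREED_CORRUPT;
    ex_registry_remove(idx);
    hdr->magic = 0;   /* scrub before release so a stale copy never passes the check */
    free(raw);        /* the address malloc returned, not the user pointer */
    return r;
}

/* Simulates the header corruption the commit is about. */
void ex_corrupt_header(void *ptr) {
    ((ExHeader *)((char *)ptr - EX_HEADER_SIZE))->magic = 0xDEADBEEFu;
}

/* Exercises all three paths; returns the number of unexpected outcomes. */
int ex_run_scenarios(void) {
    int bad = 0;
    void *a = ex_malloc(32);
    bad += (a == NULL || ex_live_count() != 1);
    bad += (ex_free(a) != EX_FREED_OK);
    bad += (ex_live_count() != 0);
    bad += (ex_free(a) != EX_FOREIGN);          /* double free: rejected, libc never called */
    void *b = ex_malloc(100);
    ex_corrupt_header(b);
    bad += (ex_free(b) != EX_FREED_CORRUPT);    /* bad magic, but the registry says it is ours */
    void *q = malloc(48);                       /* constructed foreign block: no header in front */
    bad += (ex_free(q) != EX_FOREIGN);
    free(q);                                    /* released by its real owner */
    return bad;
}

int main(void) {
    int failures = ex_run_scenarios();
    printf("unexpected outcomes: %d, live blocks: %zu\n", failures, ex_live_count());
    return failures != 0;
}
```

The point of the registry is that the magic word alone cannot distinguish "our block with a trashed header" from "a pointer that never had a header", yet the two need opposite actions (free the base address versus leave the bytes before `ptr` alone). In an allocator that interposes `free`, the `EX_FOREIGN` path is where `__libc_free(ptr)` belongs, and the corrupt-header path is the one place where freeing `raw` is justified.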