From a94344c1aa7750abe154c8cc1c124e14d43a4c75 Mon Sep 17 00:00:00 2001 From: "Moe Charm (CI)" Date: Sat, 29 Nov 2025 06:11:48 +0900 Subject: [PATCH] Fix: Restore headers in tiny_drain_freelist_to_sll_once() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Second freelist path identified by Task exploration agent: - tiny_drain_freelist_to_sll_once() in hakmem_tiny_free.inc - Activated via HAKMEM_TINY_DRAIN_TO_SLL environment variable - Pops blocks from freelist without restoring headers - Missing header restoration before tls_sll_push() call Fix applied: 1. Added HEADER_MAGIC restoration before tls_sll_push() in tiny_drain_freelist_to_sll_once() (lines 74-79) 2. Added tiny_region_id.h include for HEADER_MAGIC definition This completes the header restoration fixes for all known freelist → TLS SLL code paths: 1. box_carve_and_push_with_freelist() ✓ (commit 3c6c76cb1) 2. tiny_drain_freelist_to_sll_once() ✓ (this commit) Expected result: - Eliminates remaining 4-thread header corruption error - All freelist blocks now have valid headers before TLS SLL push Note: Encountered segfault in larson_hakmem during testing, but this appears to be a pre-existing issue unrelated to header restoration fixes (verified by testing without changes). 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude
---
core/hakmem_tiny_free.inc | 8 ++++++++ 1 file changed, 8 insertions(+)
diff --git a/core/hakmem_tiny_free.inc b/core/hakmem_tiny_free.inc
index 01e89960..a0cf484b 100644
--- a/core/hakmem_tiny_free.inc
+++ b/core/hakmem_tiny_free.inc
@@ -7,6 +7,7 @@ #include "box/free_publish_box.h" #include "box/tls_sll_box.h" // Box TLS-SLL: C7-safe push/pop/splice #include "box/tiny_next_ptr_box.h" // Box API: next pointer read/write +#include "tiny_region_id.h" // HEADER_MAGIC, HEADER_CLASS_MASK for freelist header restoration #include "mid_tcache.h" #include "front/tiny_heap_v2.h" // Phase 3d-B: TLS Cache Merge - Unified TLS SLL structure @@ -70,6 +71,13 @@ static inline void tiny_drain_freelist_to_sll_once(SuperSlab* ss, int slab_idx, m->freelist = tiny_next_read(class_idx, p); // Phase E1-CORRECT: Box API + // CRITICAL FIX: Restore header BEFORE pushing to TLS SLL + // Freelist blocks may have stale data at offset 0 + // (same fix as in box_carve_and_push_with_freelist and tiny_superslab_alloc.inc.h) +#if HAKMEM_TINY_HEADER_CLASSIDX + *(uint8_t*)p = HEADER_MAGIC | (class_idx & HEADER_CLASS_MASK); +#endif + // Use Box TLS-SLL API (C7-safe push) // Note: C7 already rejected at line 34, so this always succeeds uint32_t sll_capacity = 256; // Conservative limit
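Review bot: The new store `*(uint8_t*)p = HEADER_MAGIC | (class_idx & HEADER_CLASS_MASK);` in the second hunk writes through `p` before anything visible here checks that `p`, which was just taken from `m->freelist`, actually lies inside the slab. If a freelist link has been overwritten (for example by a write after free), this becomes a one-byte write at that address, and because it rewrites the byte a later header check would presumably inspect, the push can no longer report the bad block on this path. I would range-check `p` against the slab identified by `ss`/`slab_idx` before the store and stop draining on failure, or at least record the limitation with `// p is taken from m->freelist unvalidated; a corrupted link makes this a 1-byte wild write`. Given the unexplained larson_hakmem segfault mentioned in the description, that check would also help tell stale headers from real corruption. The body of tiny_drain_freelist_to_sll_once starts and ends outside the hunk, so an equivalent check may already exist earlier in the loop.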