Box TLS-SLL + free boundary hardening: normalize C0–C6 to base (ptr-1) at free boundary; route all caches/freelists via base; replace remaining g_tls_sll_head direct writes with Box API (tls_sll_push/splice) in refill/magazine/ultra; keep C7 excluded. Fixes rbp=0xa0 free crash by preventing header overwrite and centralizing TLS-SLL invariants.

2025-11-10 16:48:20 +09:00
parent 1b6624dec4
commit b09ba4d40d
26 changed files with 1079 additions and 354 deletions
--- a/core/box/front_gate_box.c
+++ b/core/box/front_gate_box.c
@ -1,6 +1,7 @@
 // front_gate_box.c - Front Gate Box (SFC/SLL priority and helpers)
 #include "front_gate_box.h"
 #include "tiny_alloc_fast_sfc.inc.h"
+#include "tls_sll_box.h"  // Box TLS-SLL API

 // TLS SLL state (extern from hakmem_tiny.c)
 extern __thread void* g_tls_sll_head[TINY_NUM_CLASSES];
@ -29,11 +30,9 @@ int front_gate_try_pop(int class_idx, void** out_ptr) {

    // Layer 1: TLS SLL
    if (__builtin_expect(g_tls_sll_enable, 1)) {
-        void* head = g_tls_sll_head[class_idx];
-        if (__builtin_expect(head != NULL, 1)) {
+        void* head = NULL;
+        if (tls_sll_pop(class_idx, &head)) {
            g_front_sll_hit[class_idx]++;
-            g_tls_sll_head[class_idx] = *(void**)head;  // pop
-            if (g_tls_sll_count[class_idx] > 0) g_tls_sll_count[class_idx]--;
            *out_ptr = head;
            return 1;
        }
@ -51,10 +50,8 @@ void front_gate_after_refill(int class_idx, int refilled_count) {

    while (to_move-- > 0 && g_tls_sll_count[class_idx] > 0) {
        // SLL pop
-        void* ptr = g_tls_sll_head[class_idx];
-        if (!ptr) break;
-        g_tls_sll_head[class_idx] = *(void**)ptr;
-        g_tls_sll_count[class_idx]--;
+        void* ptr = NULL;
+        if (!tls_sll_pop(class_idx, &ptr)) break;

        // SFC push (capacity-guarded inside sfc_free_push)
        if (!sfc_free_push(class_idx, ptr)) {
@ -65,8 +62,11 @@ void front_gate_after_refill(int class_idx, int refilled_count) {
 }

 void front_gate_push_tls(int class_idx, void* ptr) {
-    *(void**)ptr = g_tls_sll_head[class_idx];
-    g_tls_sll_head[class_idx] = ptr;
-    g_tls_sll_count[class_idx]++;
+    // Use Box TLS-SLL API (C7-safe)
+    if (!tls_sll_push(class_idx, ptr, UINT32_MAX)) {
+        // C7 rejected or capacity exceeded - should not happen in front gate
+        // but handle gracefully (silent discard)
+        return;
+    }
 }