Box TLS-SLL + free boundary hardening: normalize C0–C6 to base (ptr-1) at free boundary; route all caches/freelists via base; replace remaining g_tls_sll_head direct writes with Box API (tls_sll_push/splice) in refill/magazine/ultra; keep C7 excluded. Fixes rbp=0xa0 free crash by preventing header overwrite and centralizing TLS-SLL invariants.

2025-11-10 16:48:20 +09:00
parent 1b6624dec4
commit b09ba4d40d
26 changed files with 1079 additions and 354 deletions
--- a/core/hakmem_tiny_ultra_simple.inc
+++ b/core/hakmem_tiny_ultra_simple.inc
@ -15,6 +15,7 @@

 // SFC integration
 #include "tiny_alloc_fast_sfc.inc.h"
+#include "box/tls_sll_box.h"  // Box TLS-SLL API

 // ============================================================================
 // Phase 6-1.5: Ultra-Simple Allocator (uses existing infrastructure)
@ -47,10 +48,8 @@ void* hak_tiny_alloc_ultra_simple(size_t size) {

    // 2. Ultra-fast path: Pop from existing TLS SLL (Phase 6-1 style!)
    //    This is IDENTICAL to Phase 6-1 but uses existing g_tls_sll_head[]
-    void* head = g_tls_sll_head[class_idx];
-    if (__builtin_expect(head != NULL, 1)) {
-        g_tls_sll_head[class_idx] = *(void**)head;  // 1-instruction pop!
-        if (g_tls_sll_count[class_idx] > 0) g_tls_sll_count[class_idx]--;
+    void* head = NULL;
+    if (tls_sll_pop(class_idx, &head)) {
        HAK_RET_ALLOC(class_idx, head);
    }

@ -72,10 +71,7 @@ void* hak_tiny_alloc_ultra_simple(size_t size) {
 #else
    if (sll_refill_small_from_ss(class_idx, refill_count) > 0) {
 #endif
-        head = g_tls_sll_head[class_idx];
-        if (head) {
-            g_tls_sll_head[class_idx] = *(void**)head;
-            if (g_tls_sll_count[class_idx] > 0) g_tls_sll_count[class_idx]--;
+        if (tls_sll_pop(class_idx, &head)) {
            HAK_RET_ALLOC(class_idx, head);
        }
    }
@ -182,10 +178,12 @@ void hak_tiny_free_ultra_simple(void* ptr) {
                        return;
                    }
                } else {
-                    // Old SLL path (16 slots)
-                    *(void**)ptr = g_tls_sll_head[class_idx];
-                    g_tls_sll_head[class_idx] = ptr;
-                    g_tls_sll_count[class_idx]++;
+                    // Old SLL path (16 slots) - Use Box TLS-SLL API
+                    if (!tls_sll_push(class_idx, ptr, UINT32_MAX)) {
+                        // C7 rejected or capacity exceeded - fallback to slow path
+                        hak_tiny_free(ptr);
+                        return;
+                    }
                }

                // Active accounting on free
@ -215,10 +213,12 @@ void hak_tiny_free_ultra_simple(void* ptr) {
                    return;
                }
            } else {
-                // Old SLL path (16 slots)
-                *(void**)ptr = g_tls_sll_head[class_idx];
-                g_tls_sll_head[class_idx] = ptr;
-                g_tls_sll_count[class_idx]++;
+                // Old SLL path (16 slots) - Use Box TLS-SLL API
+                if (!tls_sll_push(class_idx, ptr, UINT32_MAX)) {
+                    // C7 rejected or capacity exceeded - fallback to slow path
+                    hak_tiny_free_with_slab(ptr, slab);
+                    return;
+                }
            }
            return;
        }