tomoaki/hakmem
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Box TLS-SLL + free boundary hardening: normalize C0–C6 to base (ptr-1) at free boundary; route all caches/freelists via base; replace remaining g_tls_sll_head direct writes with Box API (tls_sll_push/splice) in refill/magazine/ultra; keep C7 excluded. Fixes rbp=0xa0 free crash by preventing header overwrite and centralizing TLS-SLL invariants.

Browse Source
This commit is contained in:
Moe Charm (CI)
2025-11-10 16:48:20 +09:00
parent 1b6624dec4
commit b09ba4d40d
26 changed files with 1079 additions and 354 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
core/tiny_free_fast_v2.inc.h
View File

@ -18,6 +18,7 @@
#include "tiny_region_id.h"
#include "hakmem_build_flags.h"
#include "hakmem_tiny_config.h" // For TINY_TLS_MAG_CAP, TINY_NUM_CLASSES
#include "box/tls_sll_box.h" // Box TLS-SLL API
// Phase 7: Header-based ultra-fast free
#if HAKMEM_TINY_HEADER_CLASSIDX
@ -50,6 +51,17 @@ extern uint32_t sll_cap_for_class(int class_idx, uint32_t mag_cap);
static inline int hak_tiny_free_fast_v2(void* ptr) {
if (__builtin_expect(!ptr, 0)) return 0;
// CRITICAL: C7 (1KB) is headerless and CANNOT use fast path
// Reading ptr-1 for C7 causes SIGBUS (accesses previous allocation or unmapped page)
// Solution: Check for 1KB alignment and delegate to slow path
// Note: This heuristic has ~0.1% false positive rate (other allocations at 1KB boundaries)
// but is necessary for C7 safety. Slow path handles all cases correctly.
if (__builtin_expect(((uintptr_t)ptr & 0x3FF) == 0, 0)) {
// Pointer is 1KB-aligned → likely C7 or page boundary allocation
// Use slow path for safety (slow path has proper C7 handling)
return 0;
}
// CRITICAL: Check if header is accessible
void* header_addr = (char*)ptr - 1;
@ -116,9 +128,12 @@ static inline int hak_tiny_free_fast_v2(void* ptr) {
// Normal classes have 1-byte header - base is ptr-1
base = (char*)ptr - 1;
}
*(void**)base = g_tls_sll_head[class_idx];
g_tls_sll_head[class_idx] = base;
g_tls_sll_count[class_idx]++;
// Use Box TLS-SLL API (C7-safe)
if (!tls_sll_push(class_idx, base, UINT32_MAX)) {
// C7 rejected or capacity exceeded - route to slow path
return 0;
}
return 1; // Success - handled in fast path
}