Fix: CRITICAL double-allocation bug in trc_linear_carve()

Root Cause: trc_linear_carve() used meta->used as cursor, but meta->used decrements on free, causing already-allocated blocks to be re-carved. Evidence: - [LINEAR_CARVE] used=61 batch=1 → block 61 created - (blocks freed, used decrements 62→59) - [LINEAR_CARVE] used=59 batch=3 → blocks 59,60,61 RE-CREATED! - Result: double-allocation → memory corruption → SEGV Fix Implementation: 1. Added TinySlabMeta.carved (monotonic counter, never decrements) 2. Changed trc_linear_carve() to use carved instead of used 3. carved tracks carve progress, used tracks active count Files Modified: - core/superslab/superslab_types.h: Add carved field - core/tiny_refill_opt.h: Use carved in trc_linear_carve() - core/hakmem_tiny_superslab.c: Initialize carved=0 - core/tiny_alloc_fast.inc.h: Add next pointer validation - core/hakmem_tiny_free.inc: Add drain/free validation Test Results: ✅ bench_random_mixed: 950,037 ops/s (no crash) ✅ Fail-fast mode: 651,627 ops/s (with diagnostic logs) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-08 01:18:37 +09:00
parent a430545820
commit b7021061b8
12 changed files with 2236 additions and 1854 deletions
--- a/core/hakmem_tiny_superslab.c
+++ b/core/hakmem_tiny_superslab.c
@ -547,6 +547,21 @@ void superslab_init_slab(SuperSlab* ss, int slab_idx, size_t block_size, uint32_
    size_t usable_size = (slab_idx == 0) ? SUPERSLAB_SLAB0_USABLE_SIZE : SUPERSLAB_SLAB_USABLE_SIZE;
    int capacity = (int)(usable_size / block_size);

+    // Diagnostic: Verify capacity for class 7 slab 0 (one-shot)
+    if (ss->size_class == 7 && slab_idx == 0) {
+        static _Atomic int g_cap_log_printed = 0;
+        if (atomic_load(&g_cap_log_printed) == 0 &&
+            atomic_exchange(&g_cap_log_printed, 1) == 0) {
+            fprintf(stderr, "[SUPERSLAB_INIT] class 7 slab 0: usable_size=%zu block_size=%zu capacity=%d\n",
+                    usable_size, block_size, capacity);
+            fprintf(stderr, "[SUPERSLAB_INIT] Expected: 63488 / 1024 = 62 blocks\n");
+            if (capacity != 62) {
+                fprintf(stderr, "[SUPERSLAB_INIT] WARNING: capacity=%d (expected 62!)\n", capacity);
+            }
+            fflush(stderr);
+        }
+    }
+
    // Phase 6.24: Lazy freelist initialization
    // NO freelist build here! (saves 4000-8000 cycles per slab init)
    // freelist will be built on-demand when first free() is called
@ -557,7 +572,8 @@ void superslab_init_slab(SuperSlab* ss, int slab_idx, size_t block_size, uint32_
    meta->freelist = NULL;  // NULL = linear allocation mode
    meta->used = 0;
    meta->capacity = (uint16_t)capacity;
-    meta->owner_tid = owner_tid;
+    meta->carved = 0;  // FIX: Initialize carved counter (monotonic carve progress)
+    meta->owner_tid = (uint16_t)owner_tid;  // FIX: Cast to uint16_t (changed from uint32_t)

    // Store slab_start in SuperSlab for later use
    // (We need this for linear allocation)