Fix ptr_user_to_base_blind regression: use class-aware base calculation and correct slab index lookup

2025-12-03 12:29:31 +09:00
parent c2716f5c01
commit c91602f181
4 changed files with 65 additions and 55 deletions
--- a/core/tiny_free_magazine.inc.h
+++ b/core/tiny_free_magazine.inc.h
@ -127,6 +127,7 @@
            if (owner_ss && owner_ss->magic == SUPERSLAB_MAGIC) {
                // Direct freelist push (same as old hak_tiny_free_superslab)
                // Phase 10: it.ptr is BASE.
+                // FIX: it.ptr is BASE, use it directly (do not subtract 1)
                void* base = it.ptr;
                int slab_idx = slab_index_for(owner_ss, base);
                // BUGFIX: Validate slab_idx before array access (prevents OOB)
@ -320,8 +321,8 @@
            SuperSlab* ss_owner = hak_super_lookup(it.ptr);
            if (ss_owner && ss_owner->magic == SUPERSLAB_MAGIC) {
                // SuperSlab spill - return to freelist
-                // ✅ FIX: Phase E1-CORRECT - Convert USER → BASE before slab index calculation
-                void* base = (void*)((uint8_t*)it.ptr - 1);
+                // FIX: it.ptr is BASE, use directly
+                void* base = it.ptr;
                int slab_idx = slab_index_for(ss_owner, base);
                // BUGFIX: Validate slab_idx before array access (prevents OOB)
                if (slab_idx < 0 || slab_idx >= ss_slabs_capacity(ss_owner)) {
@ -430,7 +431,7 @@
                            mag->top++;
                        }
                    }
-                } else if (!tiny_optional_push(class_idx, (void*)((uint8_t*)ptr - 1))) {  // Phase E1-CORRECT
+                } else if (!tiny_optional_push(class_idx, HAK_BASE_TO_RAW(hak_user_to_base(HAK_USER_FROM_RAW(ptr))))) {  // FIX: use ptr_user_to_base
                    // Phase 10: Use hak_base_ptr_t
                    hak_base_ptr_t base_ptr = hak_user_to_base(HAK_USER_FROM_RAW(ptr));
                    mag->items[mag->top].ptr = HAK_BASE_TO_RAW(base_ptr);
@ -467,7 +468,7 @@
                            mag->top++;
                        }
                    }
-                } else if (!tiny_optional_push(class_idx, (void*)((uint8_t*)ptr - 1))) {  // Phase E1-CORRECT
+                } else if (!tiny_optional_push(class_idx, HAK_BASE_TO_RAW(hak_user_to_base(HAK_USER_FROM_RAW(ptr))))) {  // FIX: use ptr_user_to_base
                    // Phase 10: Use hak_base_ptr_t
                    hak_base_ptr_t base_ptr = hak_user_to_base(HAK_USER_FROM_RAW(ptr));
                    mag->items[mag->top].ptr = HAK_BASE_TO_RAW(base_ptr);
@ -497,7 +498,8 @@
        return;
    } else if (slab) {
        // Phase E1-CORRECT: ALL classes (C0-C7) have 1-byte header
-        void* base = (void*)((uint8_t*)ptr - 1);
+        // FIX: Use ptr_user_to_base to get correct base
+        void* base = HAK_BASE_TO_RAW(hak_user_to_base(HAK_USER_FROM_RAW(ptr)));
        tiny_remote_push(slab, base);
    }
 }