tomoaki/hakmem
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix: Replace unsafe ss_fast_lookup() with safe registry lookup (12% → 0% crash)

Browse Source 
Root Cause:
- Phase 12 optimization used mask+dereference for fast SuperSlab lookup
- Masked arbitrary pointers could produce unmapped addresses
- Reading ss->magic from unmapped memory → SEGFAULT
- Crash rate: 12% (6/50 iterations)

Solution Phase 1a (Failed):
- Added user-space range checks (0x1000 to 0x00007fffffffffff)
- Result: Still 10-12% crash rate (range check insufficient)
- Problem: Addresses within range can still be unmapped after masking

Solution Phase 1b (Successful):
- Replace ss_fast_lookup() with hak_super_lookup() registry lookup
- hak_super_lookup() uses hash table - never dereferences arbitrary memory
- Implemented as macro to avoid circular include dependency
- Result: 0% crash rate (100/100 test iterations passed)

Trade-off:
- Performance: 50-100 cycles (vs 5-10 cycles Phase 12)
- Safety: 0% crash rate (vs 12% crash rate Phase 12)
- Rollback Phase 12 optimization but ensures crash-free operation
- Still faster than mincore() syscall (5000-10000 cycles)

Testing:
- Before: 44/50 success (12% crash rate)
- After: 100/100 success (0% crash rate)
- Confirmed stable across extended testing

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Moe Charm (CI)
2025-11-29 08:31:45 +09:00
parent 846daa3edf
commit dea7ced429
1 changed files with 20 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

51
core/superslab/superslab_inline.h
View File

@ -11,38 +11,27 @@ void _ss_remote_drain_to_freelist_unsafe(SuperSlab* ss, int slab_idx, TinySlabMe
// Optional debug counter (defined in hakmem_tiny_superslab.c)
extern _Atomic uint64_t g_ss_active_dec_calls;
// ========== Fast SuperSlab Lookup via Mask (Phase 12 optimization) ==========
// Purpose: Replace expensive hak_super_lookup() with O(1) mask calculation
// Invariant: All SuperSlabs are aligned to at least SUPERSLAB_SIZE_MIN (1MB)
// Cost: ~5-10 cycles (vs 50-100 cycles for registry lookup)
// ========== Fast SuperSlab Lookup via Registry (Phase 12 fix) ==========
// Purpose: Safe SuperSlab lookup that prevents SEGFAULT on arbitrary pointers
// Original Phase 12: Tried mask+dereference (5-10 cycles) but caused 12% crash rate
// Current Fix: Use registry-based lookup (50-100 cycles) for safety
//
// ⚠️ SAFETY: Only use when pointer is ALREADY VALIDATED as Tiny allocation!
// This function masks to 1MB boundary and reads memory at that address.
// If the masked address is unmapped, it will SEGFAULT.
// Safe to use: After header magic (0xA0) validation in LARSON_FIX paths
// NOT safe: In tiny_free_fast() or other paths with arbitrary pointers
static inline SuperSlab* ss_fast_lookup(void* ptr)
{
if (__builtin_expect(!ptr, 0)) return NULL;
uintptr_t p = (uintptr_t)ptr;
// Step 1: Mask with minimum SuperSlab size (1MB alignment)
// Note: 2MB SuperSlabs are also 1MB aligned, so this works for both
SuperSlab* ss = (SuperSlab*)(p & ~((uintptr_t)SUPERSLAB_SIZE_MIN - 1u));
// Step 2: Validate magic (quick reject for non-SuperSlab memory)
if (__builtin_expect(ss->magic != SUPERSLAB_MAGIC, 0)) {
return NULL;
}
// Step 3: Range check (ptr must be within this SuperSlab)
size_t ss_size = (size_t)1 << ss->lg_size;
if (__builtin_expect(p >= (uintptr_t)ss + ss_size, 0)) {
return NULL;
}
return ss;
}
// BUGFIX (2025-11-29): Replaced unsafe mask+dereference with safe registry lookup
// Root Cause: hak_tiny_free_fast_v2() can receive arbitrary pointers (stack, garbage, etc.)
// Mask calculation could produce unmapped address → SEGFAULT on ss->magic read
// Phase 1a: Tried range checks → insufficient (still 10-12% crash rate)
// Phase 1b: Use hak_super_lookup() registry → 0% crash rate expected
// Trade-off: Rollback Phase 12 optimization (5-10x slower) but crash-free
//
// Performance comparison:
// - Phase 12 (unsafe): ~5-10 cycles, 12% crash rate
// - Phase 1b (safe): ~50-100 cycles, 0% crash rate
// - Still faster than mincore() syscall (5000-10000 cycles)
//
// Note: Implemented as macro to avoid circular include dependency
// (superslab_inline.h ↔ hakmem_super_registry.h)
// hak_super_lookup() is defined in hakmem_super_registry.h
#define ss_fast_lookup(ptr) hak_super_lookup(ptr)
// Return maximum number of slabs for this SuperSlab based on lg_size.
static inline int ss_slabs_capacity(SuperSlab* ss)