hakmem

Author SHA1 Message Date

Author	SHA1	Message	Date
Moe Charm (CI)	8553894171	Larson double-free investigation: Enhanced diagnostics + Remove buggy drain pushback Problem: Larson benchmark crashes with TLS_SLL_DUP (double-free), 100% crash rate in debug Root Cause: TLS drain pushback code (commit `c2f104618`) created duplicates by pushing pointers back to TLS SLL while they were still in the linked list chain. Diagnostic Enhancements (ChatGPT + Claude collaboration): 1. Callsite Tracking: Track file:line for each TLS SLL push (debug only) - Arrays: g_tls_sll_push_file[], g_tls_sll_push_line[] - Macro: tls_sll_push() auto-records __FILE__, __LINE__ 2. Enhanced Duplicate Detection: - Scan depth: 64 → 256 nodes (deep duplicate detection) - Error message shows BOTH current and previous push locations - Calls ptr_trace_dump_now() for detailed analysis 3. Evidence Captured: - Both duplicate pushes from same line (221) - Pointer at position 11 in TLS SLL (count=18, scanned=11) - Confirms pointer allocated without being popped from TLS SLL Fix: - core/box/tls_sll_drain_box.h: Remove pushback code entirely - Old: Push back to TLS SLL on validation failure → duplicates! - New: Skip pointer (accept rare leak) to avoid duplicates - Rationale: SuperSlab lookup failures are transient/rare Status: Fix implemented, ready for testing Updated: - LARSON_DOUBLE_FREE_INVESTIGATION.md: Root cause confirmed	2025-11-27 07:30:32 +09:00
Moe Charm (CI)	c2f104618f	Fix critical TLS drain memory leak causing potential double-free ## Root Cause TLS drain was dropping pointers when SuperSlab lookup or slab_idx validation failed: - Pop pointer from TLS SLL - Lookup/validation fails - continue → LEAK! Pointer never returned to any freelist ## Impact Memory leak + potential double allocation: 1. Pointer P popped but leaked 2. Same address P reallocated from carve/other source 3. User frees P again → duplicate detection → ABORT ## Fix Before (BUGGY): ```c if (!ss \|\| invalid_slab_idx) { continue; // ← LEAK! } ``` After (FIXED): ```c if (!ss \|\| invalid_slab_idx) { // Push back to TLS SLL head (retry later) tiny_next_write(class_idx, base, g_tls_sll[class_idx].head); g_tls_sll[class_idx].head = base; g_tls_sll[class_idx].count++; break; // Stop draining to avoid infinite retry } ``` ## Files Changed - core/box/tls_sll_drain_box.h: Fix 2 leak sites (SS lookup + slab_idx validation) - docs/analysis/LARSON_DOUBLE_FREE_INVESTIGATION.md: Investigation report ## Related - Larson double-free investigation (47% crash rate) - Commit `e4868bf23`: Freelist header write + abort() on duplicate - ChatGPT analysis: Larson benchmark code is correct (no user bug)	2025-11-27 06:49:38 +09:00

8553894171

Larson double-free investigation: Enhanced diagnostics + Remove buggy drain pushback

**Problem**: Larson benchmark crashes with TLS_SLL_DUP (double-free), 100% crash rate in debug

**Root Cause**: TLS drain pushback code (commit c2f104618) created duplicates by
pushing pointers back to TLS SLL while they were still in the linked list chain.

**Diagnostic Enhancements** (ChatGPT + Claude collaboration):
1. **Callsite Tracking**: Track file:line for each TLS SLL push (debug only)
   - Arrays: g_tls_sll_push_file[], g_tls_sll_push_line[]
   - Macro: tls_sll_push() auto-records __FILE__, __LINE__

2. **Enhanced Duplicate Detection**:
   - Scan depth: 64 → 256 nodes (deep duplicate detection)
   - Error message shows BOTH current and previous push locations
   - Calls ptr_trace_dump_now() for detailed analysis

3. **Evidence Captured**:
   - Both duplicate pushes from same line (221)
   - Pointer at position 11 in TLS SLL (count=18, scanned=11)
   - Confirms pointer allocated without being popped from TLS SLL

**Fix**:
- **core/box/tls_sll_drain_box.h**: Remove pushback code entirely
  - Old: Push back to TLS SLL on validation failure → duplicates!
  - New: Skip pointer (accept rare leak) to avoid duplicates
  - Rationale: SuperSlab lookup failures are transient/rare

**Status**: Fix implemented, ready for testing

**Updated**:
- LARSON_DOUBLE_FREE_INVESTIGATION.md: Root cause confirmed

2025-11-27 07:30:32 +09:00

Moe Charm (CI)

c2f104618f

Fix critical TLS drain memory leak causing potential double-free

## Root Cause

TLS drain was dropping pointers when SuperSlab lookup or slab_idx validation failed:
- Pop pointer from TLS SLL
- Lookup/validation fails
- continue → LEAK! Pointer never returned to any freelist

## Impact

Memory leak + potential double allocation:
1. Pointer P popped but leaked
2. Same address P reallocated from carve/other source
3. User frees P again → duplicate detection → ABORT

## Fix

**Before (BUGGY)**:
```c
if (!ss || invalid_slab_idx) {
    continue;  // ← LEAK!
}
```

**After (FIXED)**:
```c
if (!ss || invalid_slab_idx) {
    // Push back to TLS SLL head (retry later)
    tiny_next_write(class_idx, base, g_tls_sll[class_idx].head);
    g_tls_sll[class_idx].head = base;
    g_tls_sll[class_idx].count++;
    break;  // Stop draining to avoid infinite retry
}
```

## Files Changed

- core/box/tls_sll_drain_box.h: Fix 2 leak sites (SS lookup + slab_idx validation)
- docs/analysis/LARSON_DOUBLE_FREE_INVESTIGATION.md: Investigation report

## Related

- Larson double-free investigation (47% crash rate)
- Commit e4868bf23: Freelist header write + abort() on duplicate
- ChatGPT analysis: Larson benchmark code is correct (no user bug)

2025-11-27 06:49:38 +09:00

2 Commits