hakmem

Author SHA1 Message Date

Author	SHA1	Message	Date
Moe Charm (CI)	d8168a2021	Fix C7 TLS SLL header restoration regression + Document Larson MT race condition ## Bug Fix: Restore C7 Exception in TLS SLL Push File: `core/box/tls_sll_box.h:309` Problem: Commit `25d963a4a` (Code Cleanup) accidentally reverted the C7 fix by changing: ```c if (class_idx != 0 && class_idx != 7) { // CORRECT (commit `8b67718bf`) if (class_idx != 0) { // BROKEN (commit `25d963a4a`) ``` Impact: C7 (1024B class) header restoration in TLS SLL push overwrote next pointer at base[0], causing corruption. Fix: Restored `&& class_idx != 7` check to prevent header restoration for C7. Why C7 Needs Exception: - C7 uses offset=0 (stores next pointer at base[0]) - User pointer is at base+1 - Next pointer MUST NOT be overwritten by header restoration - C1-C6 use offset=1 (next at base[1]), so base[0] header restoration is safe ## Investigation: Larson MT Race Condition (SEPARATE ISSUE) Finding: Larson still crashes with 3+ threads due to UNRELATED multi-threading race condition in unified cache freelist management. Root Cause: Non-atomic freelist operations in `TinySlabMeta`: ```c typedef struct TinySlabMeta { void* freelist; // ❌ NOT ATOMIC uint16_t used; // ❌ NOT ATOMIC } TinySlabMeta; ``` Evidence: ``` 1 thread: ✅ PASS (1.88M - 41.8M ops/s) 2 threads: ✅ PASS (24.6M ops/s) 3 threads: ❌ SEGV (race condition) 4+ threads: ❌ SEGV (race condition) ``` Status: C7 fix is CORRECT. Larson crash is separate MT issue requiring atomic freelist implementation. ## Documentation Added Created comprehensive investigation reports: - `LARSON_CRASH_ROOT_CAUSE_REPORT.md` - Full technical analysis - `LARSON_DIAGNOSTIC_PATCH.md` - Implementation guide - `LARSON_INVESTIGATION_SUMMARY.md` - Executive summary - `LARSON_QUICK_REF.md` - Quick reference - `verify_race_condition.sh` - Automated verification script ## Next Steps Implement atomic freelist operations for full MT safety (7-9 hour effort): 1. Make `TinySlabMeta.freelist` atomic with CAS loop 2. Audit 87 freelist access sites 3. Test with Larson 8+ threads 🔧 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2025-11-22 02:15:34 +09:00
Moe Charm (CI)	1010a961fb	Tiny: fix header/stride mismatch and harden refill paths - Root cause: header-based class indexing (HEADER_CLASSIDX=1) wrote a 1-byte header during allocation, but linear carve/refill and initial slab capacity still used bare class block sizes. This mismatch could overrun slab usable space and corrupt freelists, causing reproducible SEGV at ~100k iters. Changes - Superslab: compute capacity with effective stride (block_size + header for classes 0..6; class7 remains headerless) in superslab_init_slab(). Add a debug-only bound check in superslab_alloc_from_slab() to fail fast if carve would exceed usable bytes. - Refill (non-P0 and P0): use header-aware stride for all linear carving and TLS window bump operations. Ensure alignment/validation in tiny_refill_opt.h also uses stride, not raw class size. - Drain: keep existing defense-in-depth for remote sentinel and sanitize nodes before splicing into freelist (already present). Notes - This unifies the memory layout across alloc/linear-carve/refill with a single stride definition and keeps class7 (1024B) headerless as designed. - Debug builds add fail-fast checks; release builds remain lean. Next - Re-run Tiny benches (256/1024B) in debug to confirm stability, then in release. If any remaining crash persists, bisect with HAKMEM_TINY_P0_BATCH_REFILL=0 to isolate P0 batch carve, and continue reducing branch-miss as planned.	2025-11-09 18:55:50 +09:00

d8168a2021

Fix C7 TLS SLL header restoration regression + Document Larson MT race condition

## Bug Fix: Restore C7 Exception in TLS SLL Push

**File**: `core/box/tls_sll_box.h:309`

**Problem**: Commit 25d963a4a (Code Cleanup) accidentally reverted the C7 fix by changing:
```c
if (class_idx != 0 && class_idx != 7) {  // CORRECT (commit 8b67718bf)
if (class_idx != 0) {                     // BROKEN (commit 25d963a4a)
```

**Impact**: C7 (1024B class) header restoration in TLS SLL push overwrote next pointer at base[0], causing corruption.

**Fix**: Restored `&& class_idx != 7` check to prevent header restoration for C7.

**Why C7 Needs Exception**:
- C7 uses offset=0 (stores next pointer at base[0])
- User pointer is at base+1
- Next pointer MUST NOT be overwritten by header restoration
- C1-C6 use offset=1 (next at base[1]), so base[0] header restoration is safe

## Investigation: Larson MT Race Condition (SEPARATE ISSUE)

**Finding**: Larson still crashes with 3+ threads due to UNRELATED multi-threading race condition in unified cache freelist management.

**Root Cause**: Non-atomic freelist operations in `TinySlabMeta`:
```c
typedef struct TinySlabMeta {
    void* freelist;    // ❌ NOT ATOMIC
    uint16_t used;     // ❌ NOT ATOMIC
} TinySlabMeta;
```

**Evidence**:
```
1 thread:  ✅ PASS (1.88M - 41.8M ops/s)
2 threads: ✅ PASS (24.6M ops/s)
3 threads: ❌ SEGV (race condition)
4+ threads: ❌ SEGV (race condition)
```

**Status**: C7 fix is CORRECT. Larson crash is separate MT issue requiring atomic freelist implementation.

## Documentation Added

Created comprehensive investigation reports:
- `LARSON_CRASH_ROOT_CAUSE_REPORT.md` - Full technical analysis
- `LARSON_DIAGNOSTIC_PATCH.md` - Implementation guide
- `LARSON_INVESTIGATION_SUMMARY.md` - Executive summary
- `LARSON_QUICK_REF.md` - Quick reference
- `verify_race_condition.sh` - Automated verification script

## Next Steps

Implement atomic freelist operations for full MT safety (7-9 hour effort):
1. Make `TinySlabMeta.freelist` atomic with CAS loop
2. Audit 87 freelist access sites
3. Test with Larson 8+ threads

🔧 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

2025-11-22 02:15:34 +09:00

Moe Charm (CI)

1010a961fb

Tiny: fix header/stride mismatch and harden refill paths

- Root cause: header-based class indexing (HEADER_CLASSIDX=1) wrote a 1-byte
  header during allocation, but linear carve/refill and initial slab capacity
  still used bare class block sizes. This mismatch could overrun slab usable
  space and corrupt freelists, causing reproducible SEGV at ~100k iters.

Changes
- Superslab: compute capacity with effective stride (block_size + header for
  classes 0..6; class7 remains headerless) in superslab_init_slab(). Add a
  debug-only bound check in superslab_alloc_from_slab() to fail fast if carve
  would exceed usable bytes.
- Refill (non-P0 and P0): use header-aware stride for all linear carving and
  TLS window bump operations. Ensure alignment/validation in tiny_refill_opt.h
  also uses stride, not raw class size.
- Drain: keep existing defense-in-depth for remote sentinel and sanitize nodes
  before splicing into freelist (already present).

Notes
- This unifies the memory layout across alloc/linear-carve/refill with a single
  stride definition and keeps class7 (1024B) headerless as designed.
- Debug builds add fail-fast checks; release builds remain lean.

Next
- Re-run Tiny benches (256/1024B) in debug to confirm stability, then in
  release. If any remaining crash persists, bisect with HAKMEM_TINY_P0_BATCH_REFILL=0
  to isolate P0 batch carve, and continue reducing branch-miss as planned.

2025-11-09 18:55:50 +09:00

2 Commits