Major breakthrough: sh8bench now completes without SIGSEGV!
Added defensive refcounting and failsafe mechanisms to prevent
use-after-free and corruption propagation.
Changes:
1. SuperSlab Refcount Pinning (core/box/tls_sll_box.h)
- tls_sll_push_impl: increment refcount before adding to list
- tls_sll_pop_impl: decrement refcount when removing from list
- Prevents SuperSlab from being freed while TLS SLL holds pointers
2. SuperSlab Release Guards (core/superslab_allocate.c, shared_pool_release.c)
- Check refcount > 0 before freeing SuperSlab
- If refcount > 0, defer release instead of freeing
- Prevents use-after-free when TLS/remote/freelist hold stale pointers
3. TLS SLL Next Pointer Validation (core/box/tls_sll_box.h)
- Detect invalid next pointer during traversal
- Log [TLS_SLL_NEXT_INVALID] when detected
- Drop list to prevent corruption propagation
4. Unified Cache Freelist Validation (core/front/tiny_unified_cache.c)
- Validate freelist head before use
- Log [UNIFIED_FREELIST_INVALID] for corrupted lists
- Defensive drop to prevent bad allocations
5. Early Refcount Decrement Fix (core/tiny_free_fast.inc.h)
- Removed ss_active_dec_one from fast path
- Prevents premature refcount depletion
- Defers decrement to proper cleanup path
Test Results:
✅ sh8bench completes successfully (exit code 0)
✅ No SIGSEGV or ABORT signals
✅ Short runs (5s) crash-free
⚠️ Multiple [TLS_SLL_NEXT_INVALID] / [UNIFIED_FREELIST_INVALID] logged
⚠️ Invalid pointers still present (stale references exist)
Status Analysis:
- Stability: ACHIEVED (no crashes)
- Root Cause: NOT FULLY SOLVED (invalid pointers remain)
- Approach: Defensive + refcount guards working well
Remaining Issues:
❌ Why does SuperSlab get unregistered while TLS SLL holds pointers?
❌ SuperSlab lifecycle: remote_queue / adopt / LRU interactions?
❌ Stale pointers indicate improper SuperSlab lifetime management
Performance Impact:
- Refcount operations: +1-3 cycles per push/pop (minor)
- Validation checks: +2-5 cycles (minor)
- Overall: < 5% overhead estimated
Next Investigation:
- Trace SuperSlab lifecycle (allocation → registration → unregister → free)
- Check remote_queue handling
- Verify adopt/LRU mechanisms
- Correlate stale pointer logs with SuperSlab unregister events
Log Volume Warning:
- May produce many diagnostic logs on long runs
- Consider ENV gating for production
Technical Notes:
- Refcount is per-SuperSlab, not global
- Guards prevent symptom propagation, not root cause
- Root cause is in SuperSlab lifecycle management
🤖 Generated with Claude Code (https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Removed Legacy Backend fallback; Shared Pool is now the sole backend.
- Removed Soft Cap limit in Shared Pool to allow full memory management.
- Implemented EMPTY slab recycling with batched meta->used decrement in remote drain.
- Updated tiny_free_local_box to return is_empty status for safe recycling.
- Fixed race condition in release path by removing from legacy list early.
- Achieved 50.3M ops/s in WS8192 benchmark (+200% vs baseline).
- Split core/hakmem_shared_pool.c into acquire/release modules for maintainability.
- Introduced core/hakmem_shared_pool_internal.h for shared internal API.
- Fixed incorrect function name usage (superslab_alloc -> superslab_allocate).
- Increased SUPER_REG_SIZE to 1M to support large working sets (Phase 9-2 fix).
- Updated Makefile.
- Verified with benchmarks.
