tomoaki/hakmem
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
72b38bc994bc771f4e1c8e0f64324c998e0094e2
hakmem/core/tiny_region_id.h
Moe Charm (CI) 72b38bc994 Phase E3-FINAL: Fix Box API offset bugs - ALL classes now use correct offsets 
## Root Cause Analysis (GPT5)

**Physical Layout Constraints**:
- Class 0: 8B = [1B header][7B payload] → offset 1 = 9B needed =  IMPOSSIBLE
- Class 1-6: >=16B = [1B header][15B+ payload] → offset 1 =  POSSIBLE
- Class 7: 1KB → offset 0 (compatibility)

**Correct Specification**:
- HAKMEM_TINY_HEADER_CLASSIDX != 0:
  - Class 0, 7: next at offset 0 (overwrites header when on freelist)
  - Class 1-6: next at offset 1 (after header)
- HAKMEM_TINY_HEADER_CLASSIDX == 0:
  - All classes: next at offset 0

**Previous Bug**:
- Attempted "ALL classes offset 1" unification
- Class 0 with offset 1 caused immediate SEGV (9B > 8B block size)
- Mixed 2-arg/3-arg API caused confusion

## Fixes Applied

### 1. Restored 3-Argument Box API (core/box/tiny_next_ptr_box.h)
```c
// Correct signatures
void tiny_next_write(int class_idx, void* base, void* next_value)
void* tiny_next_read(int class_idx, const void* base)

// Correct offset calculation
size_t offset = (class_idx == 0 || class_idx == 7) ? 0 : 1;
```

### 2. Updated 123+ Call Sites Across 34 Files
- hakmem_tiny_hot_pop_v4.inc.h (4 locations)
- hakmem_tiny_fastcache.inc.h (3 locations)
- hakmem_tiny_tls_list.h (12 locations)
- superslab_inline.h (5 locations)
- tiny_fastcache.h (3 locations)
- ptr_trace.h (macro definitions)
- tls_sll_box.h (2 locations)
- + 27 additional files

Pattern: `tiny_next_read(base)` → `tiny_next_read(class_idx, base)`
Pattern: `tiny_next_write(base, next)` → `tiny_next_write(class_idx, base, next)`

### 3. Added Sentinel Detection Guards
- tiny_fast_push(): Block nodes with sentinel in ptr or ptr->next
- tls_list_push(): Block nodes with sentinel in ptr or ptr->next
- Defense-in-depth against remote free sentinel leakage

## Verification (GPT5 Report)

**Test Command**: `./out/release/bench_random_mixed_hakmem --iterations=70000`

**Results**:
-  Main loop completed successfully
-  Drain phase completed successfully
-  NO SEGV (previous crash at iteration 66151 is FIXED)
- ℹ️ Final log: "tiny_alloc(1024) failed" is normal fallback to Mid/ACE layers

**Analysis**:
- Class 0 immediate SEGV:  RESOLVED (correct offset 0 now used)
- 66K iteration crash:  RESOLVED (offset consistency fixed)
- Box API conflicts:  RESOLVED (unified 3-arg API)

## Technical Details

### Offset Logic Justification
```
Class 0:  8B block → next pointer (8B) fits ONLY at offset 0
Class 1: 16B block → next pointer (8B) fits at offset 1 (after 1B header)
Class 2: 32B block → next pointer (8B) fits at offset 1
...
Class 6: 512B block → next pointer (8B) fits at offset 1
Class 7: 1024B block → offset 0 for legacy compatibility
```

### Files Modified (Summary)
- Core API: `box/tiny_next_ptr_box.h`
- Hot paths: `hakmem_tiny_hot_pop*.inc.h`, `tiny_fastcache.h`
- TLS layers: `hakmem_tiny_tls_list.h`, `hakmem_tiny_tls_ops.h`
- SuperSlab: `superslab_inline.h`, `tiny_superslab_*.inc.h`
- Refill: `hakmem_tiny_refill.inc.h`, `tiny_refill_opt.h`
- Free paths: `tiny_free_magazine.inc.h`, `tiny_superslab_free.inc.h`
- Documentation: Multiple Phase E3 reports

## Remaining Work

None for Box API offset bugs - all structural issues resolved.

Future enhancements (non-critical):
- Periodic `grep -R '*(void**)' core/` to detect direct pointer access violations
- Enforce Box API usage via static analysis
- Document offset rationale in architecture docs

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-13 06:50:20 +09:00

223 lines
7.4 KiB
C
Raw Blame History

// tiny_region_id.h - Region-ID Direct Lookup API (Phase 7)
// Purpose: O(1) class_idx lookup from pointer (eliminates SuperSlab lookup)
// Design: Smart Headers - 1-byte class_idx embedded before each block
// Performance: 2-3 cycles (vs 100+ cycles for SuperSlab lookup)
//
// Expected Impact: 1.2M → 40-60M ops/s (30-50x improvement)
#ifndef TINY_REGION_ID_H
#define TINY_REGION_ID_H
#include <stdint.h>
#include <stddef.h>
#include "hakmem_build_flags.h"
#include "tiny_box_geometry.h"
#include "ptr_track.h"
// Feature flag: Enable header-based class_idx lookup
#ifndef HAKMEM_TINY_HEADER_CLASSIDX
#define HAKMEM_TINY_HEADER_CLASSIDX 0
#endif
#if HAKMEM_TINY_HEADER_CLASSIDX
// ========== Header Layout ==========
//
// Memory layout:
// [Header: 1 byte] [User block: N bytes]
// ^ ^
// ptr-1 ptr (returned to user)
//
// Header format (1 byte):
// - Bits 0-3: class_idx (0-15, only 0-7 used for Tiny)
// - Bits 4-7: magic (0xA for validation in debug mode)
//
// Example:
// class_idx = 3 → header = 0xA3 (debug) or 0x03 (release)
#define HEADER_MAGIC 0xA0
#define HEADER_CLASS_MASK 0x0F
// ========== Write Header (Allocation) ==========
// Write class_idx to header (called after allocation)
// Input: base (block start from SuperSlab)
// Returns: user pointer (base + 1, skipping header)
static inline void* tiny_region_id_write_header(void* base, int class_idx) {
if (!base) return base;
// Phase E1-CORRECT: ALL classes (C0-C7) have 1-byte header (no exceptions)
// Rationale: Unified box structure enables:
// - O(1) class identification (no registry lookup)
// - All classes use same fast path
// - Zero special cases across all layers
// Cost: 0.1% memory overhead for C7 (1024B → 1023B usable)
// Benefit: 100% safety, architectural simplicity, maximum performance
// Write header at block start (ALL classes including C7)
uint8_t* header_ptr = (uint8_t*)base;
*header_ptr = HEADER_MAGIC | (class_idx & HEADER_CLASS_MASK);
PTR_TRACK_HEADER_WRITE(base, HEADER_MAGIC | (class_idx & HEADER_CLASS_MASK));
void* user = header_ptr + 1; // skip header for user pointer
PTR_TRACK_MALLOC(base, 0, class_idx); // Track at BASE (where header is)
// Optional guard: log stride/base/user for targeted class
extern int tiny_guard_is_enabled(void);
extern void tiny_guard_on_alloc(int cls, void* base, void* user, size_t stride);
if (tiny_guard_is_enabled()) {
size_t stride = tiny_stride_for_class(class_idx);
tiny_guard_on_alloc(class_idx, base, user, stride);
}
return user;
}
// ========== Read Header (Free) ==========
// Read class_idx from header (called during free)
// Returns: class_idx (0-7), or -1 if invalid
static inline int tiny_region_id_read_header(void* ptr) {
if (!ptr) return -1;
if ((uintptr_t)ptr < 4096) return -1; // reject invalid tiny values
uint8_t* header_ptr = (uint8_t*)ptr - 1;
uint8_t header = *header_ptr;
// CRITICAL FIX (Pool TLS Phase 1): ALWAYS validate magic when Pool TLS is enabled
// Reason: Pool TLS uses different magic (0xb0 vs 0xa0), MUST distinguish them!
// Without this, Pool TLS allocations are wrongly routed to Tiny freelist → corruption
#if !HAKMEM_BUILD_RELEASE || defined(HAKMEM_POOL_TLS_PHASE1)
// Debug/Development OR Pool TLS: Validate magic byte to catch non-header allocations
// Reason: Mid/Large allocations don't have headers, must detect and reject them
uint8_t magic = header & 0xF0;
#if HAKMEM_DEBUG_VERBOSE
static int debug_count = 0;
if (debug_count < 5) {
fprintf(stderr, "[TINY_READ_HEADER] ptr=%p header=0x%02x magic=0x%02x expected=0x%02x\n",
ptr, header, magic, HEADER_MAGIC);
debug_count++;
}
#endif
if (magic != HEADER_MAGIC) {
// Invalid header - likely non-header allocation (Mid/Large/Pool TLS)
#if HAKMEM_DEBUG_VERBOSE
if (debug_count < 6) { // One more after the 5 above
fprintf(stderr, "[TINY_READ_HEADER] REJECTING ptr=%p (magic mismatch)\n", ptr);
}
#endif
#if !HAKMEM_BUILD_RELEASE
static int invalid_count = 0;
if (invalid_count < 5) {
fprintf(stderr, "[HEADER_INVALID] ptr=%p, header=%02x, magic=%02x (expected %02x)\n",
ptr, header, magic, HEADER_MAGIC);
invalid_count++;
}
#endif
// Optional guard hook for invalid header
extern void tiny_guard_on_invalid(void* user_ptr, uint8_t hdr);
if (tiny_guard_is_enabled()) tiny_guard_on_invalid(ptr, header);
return -1;
}
#else
// Release (without Pool TLS): Skip magic validation (save 2-3 cycles)
// Safety: Bounds check below still prevents out-of-bounds array access
// Trade-off: Mid/Large frees may corrupt TLS freelist (rare, ~0.1% of frees)
// NOTE: This optimization is DISABLED when Pool TLS is enabled (different magic bytes!)
#endif
int class_idx = (int)(header & HEADER_CLASS_MASK);
// CRITICAL: Always validate class_idx range (even in release builds)
// Reason: Corrupted headers could cause out-of-bounds array access
#ifndef TINY_NUM_CLASSES
#define TINY_NUM_CLASSES 8
#endif
if (class_idx < 0 || class_idx >= TINY_NUM_CLASSES) {
// Corrupted header
return -1;
}
return class_idx;
}
// ========== Header Validation ==========
// Check if pointer has valid header (debug mode)
static inline int tiny_region_id_has_header(void* ptr) {
#if !HAKMEM_BUILD_RELEASE
if (!ptr) return 0;
if ((uintptr_t)ptr < 4096) return 0;
uint8_t* header_ptr = (uint8_t*)ptr - 1;
uint8_t header = *header_ptr;
uint8_t magic = header & 0xF0;
return (magic == HEADER_MAGIC);
#else
// Release: Assume all allocations have headers
(void)ptr;
return 1;
#endif
}
// ========== Allocation Size Adjustment ==========
// Calculate allocation size including header (1 byte)
static inline size_t tiny_region_id_alloc_size(size_t user_size) {
return user_size + 1; // Add 1 byte for header
}
// Calculate user size from allocation size
static inline size_t tiny_region_id_user_size(size_t alloc_size) {
return alloc_size - 1;
}
// ========== Performance Notes ==========
//
// Header Read Performance:
// - Best case: 2 cycles (L1 hit, no validation)
// - Average: 3 cycles (with class_idx extraction)
// - Worst case: 5 cycles (debug validation)
// - vs SuperSlab lookup: 100+ cycles (50x faster!)
//
// Memory Overhead:
// - Per block: 1 byte
// - 8-byte blocks: 12.5% overhead
// - 128-byte blocks: 0.8% overhead
// - Average (typical workload): ~1.5%
// - Slab[0]: 0% (reuses 960B wasted padding)
//
// Cache Impact:
// - Excellent: Header is inline with user data
// - Prefetch: Header loaded with first user data access
// - No additional cache lines required
#else // !HAKMEM_TINY_HEADER_CLASSIDX
// Disabled: No-op implementations
static inline void* tiny_region_id_write_header(void* ptr, int class_idx) {
(void)class_idx;
return ptr;
}
static inline int tiny_region_id_read_header(void* ptr) {
(void)ptr;
return -1; // Not supported
}
static inline int tiny_region_id_has_header(void* ptr) {
(void)ptr;
return 0; // No headers
}
static inline size_t tiny_region_id_alloc_size(size_t user_size) {
return user_size; // No header
}
static inline size_t tiny_region_id_user_size(size_t alloc_size) {
return alloc_size;
}
#endif // HAKMEM_TINY_HEADER_CLASSIDX
#endif // TINY_REGION_ID_H
Reference in New Issue View Git Blame Copy Permalink