tomoaki/hakmem
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
862e8ea7dbaa0ef4cf49de436e4ac3f6df89a034
hakmem/SEGFAULT_ROOT_CAUSE_FINAL.md
Moe Charm (CI) b6d9c92f71 Fix: SuperSlab guess loop & header magic SEGV (random_mixed/mid_large_mt) 
## Problem
bench_random_mixed_hakmem and bench_mid_large_mt_hakmem crashed with SEGV:
- random_mixed: Exit 139 (SEGV) 
- mid_large_mt: Exit 139 (SEGV) 
- Larson: 838K ops/s  (worked fine)

Error: Unmapped memory dereference in free path

## Root Causes (2 bugs found by Ultrathink Task)

### Bug 1: Guess Loop (core/box/hak_free_api.inc.h:92-95)
```c
for (int lg=21; lg>=20; lg--) {
    SuperSlab* guess=(SuperSlab*)((uintptr_t)ptr & ~mask);
    if (guess && guess->magic==SUPERSLAB_MAGIC) {  // ← SEGV
        // Dereferences unmapped memory
    }
}
```

### Bug 2: Header Magic Check (core/box/hak_free_api.inc.h:115)
```c
void* raw = (char*)ptr - HEADER_SIZE;
AllocHeader* hdr = (AllocHeader*)raw;
if (hdr->magic != HAKMEM_MAGIC) {  // ← SEGV
    // Dereferences unmapped memory if ptr has no header
}
```

**Why SEGV:**
- Registry lookup fails (allocation not from SuperSlab)
- Guess loop calculates 1MB/2MB aligned address
- No memory mapping validation
- Dereferences unmapped memory → SEGV

**Why Larson worked but random_mixed failed:**
- Larson: All from SuperSlab → registry hit → never reaches guess loop
- random_mixed: Diverse sizes (8-4096B) → registry miss → enters buggy paths

**Why LD_PRELOAD worked:**
- hak_core_init.inc.h:119-121 disables SuperSlab by default
- → SS-first path skipped → buggy code never executed

## Fix (2-part)

### Part 1: Remove Guess Loop
File: core/box/hak_free_api.inc.h:92-95
- Deleted unsafe guess loop (4 lines)
- If registry lookup fails, allocation is not from SuperSlab

### Part 2: Add Memory Safety Check
File: core/hakmem_internal.h:277-294
```c
static inline int hak_is_memory_readable(void* addr) {
    unsigned char vec;
    return mincore(addr, 1, &vec) == 0;  // Check if mapped
}
```

File: core/box/hak_free_api.inc.h:115-131
```c
if (!hak_is_memory_readable(raw)) {
    // Not accessible → route to appropriate handler
    // Prevents SEGV on unmapped memory
    goto done;
}
// Safe to dereference now
AllocHeader* hdr = (AllocHeader*)raw;
```

## Verification

| Test | Before | After | Result |
|------|--------|-------|--------|
| random_mixed (2KB) |  SEGV |  2.22M ops/s | 🎉 Fixed |
| random_mixed (4KB) |  SEGV |  2.58M ops/s | 🎉 Fixed |
| Larson 4T |  838K |  838K ops/s |  No regression |

**Performance Impact:** 0% (mincore only on fallback path)

## Investigation

- Complete analysis: SEGV_ROOT_CAUSE_COMPLETE.md
- Fix report: SEGV_FIX_REPORT.md
- Previous investigation: SEGFAULT_INVESTIGATION_REPORT.md

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-07 17:34:24 +09:00

403 lines
12 KiB
Markdown
Raw Blame History

# CRITICAL: SEGFAULT Root Cause Analysis - Final Report
**Date**: 2025-11-07
**Investigator**: Claude (Task Agent Ultrathink Mode)
**Status**: ⚠️ DEEPER ISSUE IDENTIFIED - REQUIRES ARCHITECTURAL FIX
**Priority**: **CRITICAL - BLOCKS ALL DIRECT-LINK BENCHMARKS**
---
## Executive Summary
**Problem**: All direct-link benchmarks crash with SEGV when allocating >20K tiny objects.
**Root Cause (Confirmed)**: **SuperSlab registry lookups are completely failing** for valid tiny allocations, causing the free path to attempt reading non-existent headers from headerless allocations.
**Why LD_PRELOAD "Works"**: It silently leaks memory by routing failed frees to `__libc_free()`, which masks the underlying registry failure.
**Impact**:
-**bench_random_mixed**: Crashes at 25K+ ops
-**bench_mid_large_mt**: Crashes immediately
-**ALL direct-link benchmarks with tiny allocations**: Broken
-**LD_PRELOAD mode**: Appears to work (but silently leaking memory)
**Attempted Fix**: Added fallback to route invalid-magic frees to `hak_tiny_free()`, but this also fails SuperSlab lookup and returns silently → **STILL LEAKS MEMORY**.
**Verdict**: The issue is **NOT in the free path logic** - it's in the **allocation/registration infrastructure**. SuperSlabs are either:
1. Not being created at all (allocations going through a non-SuperSlab path)
2. Not being registered in the global registry
3. Registry lookups are buggy (hash collision, probing failure, etc.)
---
## Evidence Summary
### 1. SuperSlab Registry Lookup Failures
**Test with Route Tracing**:
```bash
HAKMEM_FREE_ROUTE_TRACE=1 ./bench_random_mixed_hakmem 25000 2048 123
```
**Results**:
-**No "ss_hit" or "ss_guess" entries** - Registry and guessing both fail
-**Hundreds of "invalid_magic_tiny_recovery"** - All tiny frees fail lookup
-**Still crashes** - Even with fallback to `hak_tiny_free()`
**Conclusion**: SuperSlab lookups are **100% failing** for these allocations.
### 2. Allocations Are Headerless (Confirmed Tiny)
**Error logs show**:
```
[hakmem] ERROR: Invalid magic 0x0 (expected 0x48414B4D)
```
- Reading from `ptr - HEADER_SIZE` returns `0x0` → No header exists
- These are **definitely tiny allocations** (16-1024 bytes)
- They **should** be from SuperSlabs
### 3. Allocation Path Investigation
**Size range**: 16-1040 bytes (benchmark code: `16u + (r & 0x3FFu)`)
**Expected path**:
```
malloc(size) → hak_tiny_alloc_fast_wrapper() →
→ tiny_alloc_fast() → [TLS freelist miss] →
→ hak_tiny_alloc_slow() → hak_tiny_alloc_superslab() →
→ ✅ Returns pointer from SuperSlab (NO header)
```
**Actual behavior**:
- Allocations succeed (no "tiny_alloc returned NULL" messages)
- But SuperSlab lookups fail during free
- **Mystery**: Where are these allocations coming from if not SuperSlabs?
### 4. SuperSlab Configuration Check
**Default settings** (from `core/hakmem_config.c:334`):
```c
int g_use_superslab = 1; // Enabled by default
```
**Initialization** (from `core/hakmem_tiny_init.inc:101-106`):
```c
char* superslab_env = getenv("HAKMEM_TINY_USE_SUPERSLAB");
if (superslab_env) {
g_use_superslab = (atoi(superslab_env) != 0) ? 1 : 0;
} else if (mem_diet_enabled) {
g_use_superslab = 0; // Diet mode disables SuperSlab
}
```
**Test with explicit enable**:
```bash
HAKMEM_TINY_USE_SUPERSLAB=1 ./bench_random_mixed_hakmem 25000 2048 123
# → No "Invalid magic" errors, but STILL SEGV!
```
**Conclusion**: When explicitly enabled, SuperSlab path is used, but there's a different crash (possibly in SuperSlab internals).
---
## Possible Root Causes
### Hypothesis 1: TLS Allocation Path Bypasses SuperSlab ⭐⭐⭐⭐⭐
**Evidence**:
- TLS SLL (Single-Linked List) might cache allocations that didn't come from SuperSlabs
- Magazine layer might provide allocations from non-SuperSlab sources
- HotMag (hot magazine) might have its own allocation strategy
**Verification needed**:
```bash
# Disable competing layers
HAKMEM_TINY_TLS_SLL=0 HAKMEM_TINY_TLS_LIST=0 HAKMEM_TINY_HOTMAG=0 \
./bench_random_mixed_hakmem 25000 2048 123
```
### Hypothesis 2: Registry Not Initialized ⭐⭐⭐
**Evidence**:
- `hak_super_lookup()` checks `if (!g_super_reg_initialized) return NULL;`
- Maybe initialization is failing silently?
**Verification needed**:
```c
// Add to hak_core_init.inc.h after tiny_init()
fprintf(stderr, "[INIT_DEBUG] g_super_reg_initialized=%d g_use_superslab=%d\n",
g_super_reg_initialized, g_use_superslab);
```
### Hypothesis 3: Registry Full / Hash Collisions ⭐⭐
**Evidence**:
- `SUPER_REG_SIZE = 262144` (256K entries)
- Linear probing `SUPER_MAX_PROBE = 8`
- If many SuperSlabs hash to same bucket, registration could fail
**Verification needed**:
- Check if "FATAL: SuperSlab registry full" message appears
- Dump registry stats at crash point
### Hypothesis 4: BOX_REFACTOR Fast Path Bug ⭐⭐⭐⭐
**Evidence**:
- Crash only happens with `HAKMEM_TINY_PHASE6_BOX_REFACTOR=1`
- New fast path (Phase 6-1.7) might have allocation path that bypasses registration
**Verification needed**:
```bash
# Test with old code path
BOX_REFACTOR_DEFAULT=0 make clean && make bench_random_mixed_hakmem
./bench_random_mixed_hakmem 25000 2048 123
```
### Hypothesis 5: lg_size Mismatch (1MB vs 2MB) ⭐⭐
**Evidence**:
- SuperSlabs can be 1MB (`lg=20`) or 2MB (`lg=21`)
- Lookup tries both sizes in a loop
- But registration might use wrong `lg_size`
**Verification needed**:
- Check `ss->lg_size` at allocation time
- Verify it matches what lookup expects
---
## Immediate Workarounds
### For Users
```bash
# Workaround 1: Use LD_PRELOAD (masks leaks, appears to work)
LD_PRELOAD=./libhakmem.so your_benchmark
# Workaround 2: Disable tiny allocator (fallback to libc)
HAKMEM_WRAP_TINY=0 ./your_benchmark
# Workaround 3: Use Larson benchmark (different allocation pattern, works)
./larson_hakmem 10 8 128 1024 1 12345 4
```
### For Developers
**Quick diagnostic**:
```bash
# Add debug logging to allocation path
# File: core/hakmem_tiny_superslab.c, line 475 (after hak_super_register)
fprintf(stderr, "[ALLOC_DEBUG] Registered SuperSlab base=%p lg=%d class=%d\n",
(void*)base, ss->lg_size, size_class);
# Add debug logging to free path
# File: core/box/hak_free_api.inc.h, line 52 (in SS-first free)
SuperSlab* ss = hak_super_lookup(ptr);
fprintf(stderr, "[FREE_DEBUG] ptr=%p lookup=%p magic=%llx\n",
ptr, ss, ss ? ss->magic : 0);
```
**Then run**:
```bash
make clean && make bench_random_mixed_hakmem
./bench_random_mixed_hakmem 1000 100 123 2>&1 | grep -E "ALLOC_DEBUG|FREE_DEBUG" | head -50
```
**Expected**: Every freed pointer should have a matching allocation log entry with valid SuperSlab.
---
## Recommended Fixes (Priority Order)
### Priority 1: Add Comprehensive Logging ⏱️ 1-2 hours
**Goal**: Identify WHERE allocations are coming from.
**Implementation**:
```c
// In tiny_alloc_fast.inc.h, line ~210 (end of tiny_alloc_fast)
if (ptr) {
SuperSlab* ss = hak_super_lookup(ptr);
fprintf(stderr, "[ALLOC_FAST] ptr=%p size=%zu class=%d ss=%p\n",
ptr, size, class_idx, ss);
}
// In hakmem_tiny_slow.inc, line ~86 (hak_tiny_alloc_superslab return)
if (ss_ptr) {
SuperSlab* ss = hak_super_lookup(ss_ptr);
fprintf(stderr, "[ALLOC_SS] ptr=%p class=%d ss=%p magic=%llx\n",
ss_ptr, class_idx, ss, ss ? ss->magic : 0);
}
// In hak_free_api.inc.h, line ~52 (SS-first free)
SuperSlab* ss = hak_super_lookup(ptr);
fprintf(stderr, "[FREE_LOOKUP] ptr=%p ss=%p %s\n",
ptr, ss, ss ? "HIT" : "MISS");
```
**Run with small workload**:
```bash
./bench_random_mixed_hakmem 1000 100 123 2>&1 > alloc_debug.log
# Analyze: grep for FREE_LOOKUP MISS, find corresponding ALLOC_ log
```
**Expected outcome**: Identify if allocations are:
- Coming from SuperSlab but not registered
- Coming from a non-SuperSlab path (TLS cache, magazine, etc.)
- Registered but lookup is buggy
### Priority 2: Fix SuperSlab Registration ⏱️ 2-4 hours
**If allocations come from SuperSlab but aren't registered**:
**Possible causes**:
1. `hak_super_register()` silently failing (returns 0 but no error message)
2. Registration happens but with wrong `base` or `lg_size`
3. Registry is being cleared/corrupted after registration
**Fix**:
```c
// In hakmem_tiny_superslab.c, line 475-479
if (!hak_super_register(base, ss)) {
// OLD: fprintf to stderr, continue anyway
// NEW: FATAL ERROR - MUST NOT CONTINUE
fprintf(stderr, "HAKMEM FATAL: SuperSlab registry full at %p, aborting\n", ss);
abort(); // Force crash at allocation, not free
}
// Add registration verification
SuperSlab* verify = hak_super_lookup((void*)base);
if (verify != ss) {
fprintf(stderr, "HAKMEM BUG: Registration failed silently! base=%p ss=%p verify=%p\n",
(void*)base, ss, verify);
abort();
}
```
### Priority 3: Bypass Registry for Direct-Link ⏱️ 1-2 days
**If registry is fundamentally broken, use alternative approach**:
**Option A: Always use guessing (mask-based lookup)**
```c
// In hak_free_api.inc.h, replace registry lookup with direct guessing
// Remove: SuperSlab* ss = hak_super_lookup(ptr);
// Add:
SuperSlab* ss = NULL;
for (int lg = 20; lg <= 21; lg++) {
uintptr_t mask = ((uintptr_t)1 << lg) - 1;
SuperSlab* guess = (SuperSlab*)((uintptr_t)ptr & ~mask);
if (guess && guess->magic == SUPERSLAB_MAGIC) {
int sidx = slab_index_for(guess, ptr);
int cap = ss_slabs_capacity(guess);
if (sidx >= 0 && sidx < cap) {
ss = guess;
break;
}
}
}
```
**Trade-off**: Slower (2-4 cycles per free), but guaranteed to work.
**Option B: Add metadata to allocations**
```c
// Store size class in allocation metadata (8 bytes overhead)
typedef struct {
uint32_t magic_tiny; // 0x54494E59 ("TINY")
uint16_t class_idx;
uint16_t _pad;
} TinyHeader;
// At allocation: write header before returning pointer
// At free: read header to get class_idx, route directly to tiny_free
```
**Trade-off**: +8 bytes per allocation, but O(1) free routing.
### Priority 4: Disable Competing Layers ⏱️ 30 minutes
**If TLS/Magazine layers are bypassing SuperSlab**:
```bash
# Force all allocations through SuperSlab path
export HAKMEM_TINY_TLS_SLL=0
export HAKMEM_TINY_TLS_LIST=0
export HAKMEM_TINY_HOTMAG=0
export HAKMEM_TINY_USE_SUPERSLAB=1
./bench_random_mixed_hakmem 25000 2048 123
```
**If this works**: Add configuration to enforce SuperSlab-only mode in direct-link builds.
---
## Test Plan
### Phase 1: Diagnosis (1-2 hours)
1. Add comprehensive logging (Priority 1)
2. Run small workload (1000 ops)
3. Analyze allocation vs free logs
4. Identify WHERE allocations come from
### Phase 2: Quick Fix (2-4 hours)
1. If registry issue: Fix registration (Priority 2)
2. If path issue: Disable competing layers (Priority 4)
3. Verify with `bench_random_mixed` 50K ops
4. Verify with `bench_mid_large_mt` full workload
### Phase 3: Robust Solution (1-2 days)
1. Implement guessing-based lookup (Priority 3, Option A)
2. OR: Implement tiny header metadata (Priority 3, Option B)
3. Add regression tests
4. Document architectural decision
---
## Files Modified (This Investigation)
1. **`/mnt/workdisk/public_share/hakmem/core/box/hak_free_api.inc.h`**
- Lines 78-115: Added fallback to `hak_tiny_free()` for invalid magic
- **Status**: ⚠️ Partial fix - reduces SEGV frequency but doesn't solve leaks
2. **`/mnt/workdisk/public_share/hakmem/SEGFAULT_INVESTIGATION_REPORT.md`**
- Initial investigation report
- **Status**: ✅ Complete
3. **`/mnt/workdisk/public_share/hakmem/SEGFAULT_ROOT_CAUSE_FINAL.md`** (this file)
- Final analysis with deeper findings
- **Status**: ✅ Complete
---
## Key Takeaways
1. **The bug is NOT in the free path logic** - it's doing exactly what it should
2. **The bug IS in the allocation/registration infrastructure** - SuperSlabs aren't being found
3. **LD_PRELOAD "working" is a red herring** - it's silently leaking memory
4. **Direct-link is fundamentally broken** for tiny allocations >20K objects
5. **Quick workarounds exist** but require architectural changes for proper fix
---
## Next Steps for Owner
1. **Immediate**: Add logging (Priority 1) to identify allocation source
2. **Today**: Implement quick fix (Priority 2 or 4) based on findings
3. **This week**: Implement robust solution (Priority 3)
4. **Next week**: Add regression tests and document
**Estimated total time to fix**: 1-3 days (depending on root cause)
---
## Contact
For questions or collaboration:
- Investigation by: Claude (Anthropic Task Agent)
- Investigation mode: Ultrathink (deep analysis)
- Date: 2025-11-07
- All findings reproducible - see command examples above
Reference in New Issue View Git Blame Copy Permalink