Files

Moe Charm (CI) b6d9c92f71 Fix: SuperSlab guess loop & header magic SEGV (random_mixed/mid_large_mt)

## Problem
bench_random_mixed_hakmem and bench_mid_large_mt_hakmem crashed with SEGV:
- random_mixed: Exit 139 (SEGV) ❌
- mid_large_mt: Exit 139 (SEGV) ❌
- Larson: 838K ops/s ✅ (worked fine)

Error: Unmapped memory dereference in free path

## Root Causes (2 bugs found by Ultrathink Task)

### Bug 1: Guess Loop (core/box/hak_free_api.inc.h:92-95)
```c
for (int lg=21; lg>=20; lg--) {
    SuperSlab* guess=(SuperSlab*)((uintptr_t)ptr & ~mask);
    if (guess && guess->magic==SUPERSLAB_MAGIC) {  // ← SEGV
        // Dereferences unmapped memory
    }
}
```

### Bug 2: Header Magic Check (core/box/hak_free_api.inc.h:115)
```c
void* raw = (char*)ptr - HEADER_SIZE;
AllocHeader* hdr = (AllocHeader*)raw;
if (hdr->magic != HAKMEM_MAGIC) {  // ← SEGV
    // Dereferences unmapped memory if ptr has no header
}
```

**Why SEGV:**
- Registry lookup fails (allocation not from SuperSlab)
- Guess loop calculates 1MB/2MB aligned address
- No memory mapping validation
- Dereferences unmapped memory → SEGV

**Why Larson worked but random_mixed failed:**
- Larson: All from SuperSlab → registry hit → never reaches guess loop
- random_mixed: Diverse sizes (8-4096B) → registry miss → enters buggy paths

**Why LD_PRELOAD worked:**
- hak_core_init.inc.h:119-121 disables SuperSlab by default
- → SS-first path skipped → buggy code never executed

## Fix (2-part)

### Part 1: Remove Guess Loop
File: core/box/hak_free_api.inc.h:92-95
- Deleted unsafe guess loop (4 lines)
- If registry lookup fails, allocation is not from SuperSlab

### Part 2: Add Memory Safety Check
File: core/hakmem_internal.h:277-294
```c
static inline int hak_is_memory_readable(void* addr) {
    unsigned char vec;
    return mincore(addr, 1, &vec) == 0;  // Check if mapped
}
```

File: core/box/hak_free_api.inc.h:115-131
```c
if (!hak_is_memory_readable(raw)) {
    // Not accessible → route to appropriate handler
    // Prevents SEGV on unmapped memory
    goto done;
}
// Safe to dereference now
AllocHeader* hdr = (AllocHeader*)raw;
```

## Verification

| Test | Before | After | Result |
|------|--------|-------|--------|
| random_mixed (2KB) | ❌ SEGV | ✅ 2.22M ops/s | 🎉 Fixed |
| random_mixed (4KB) | ❌ SEGV | ✅ 2.58M ops/s | 🎉 Fixed |
| Larson 4T | ✅ 838K | ✅ 838K ops/s | ✅ No regression |

**Performance Impact:** 0% (mincore only on fallback path)

## Investigation

- Complete analysis: SEGV_ROOT_CAUSE_COMPLETE.md
- Fix report: SEGV_FIX_REPORT.md
- Previous investigation: SEGFAULT_INVESTIGATION_REPORT.md

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

2025-11-07 17:34:24 +09:00

9.9 KiB

Raw Blame History

SEGV Root Cause - Complete Analysis

Date: 2025-11-07 Status: ✅ CONFIRMED - Exact line identified

Executive Summary

SEGV Location: /mnt/workdisk/public_share/hakmem/core/box/hak_free_api.inc.h:94 Root Cause: Dereferencing unmapped memory in SuperSlab "guess loop" Impact: 100% crash rate on bench_random_mixed_hakmem and bench_mid_large_mt_hakmem Severity: CRITICAL - blocks all non-tiny benchmarks

The Bug - Exact Line

File: /mnt/workdisk/public_share/hakmem/core/box/hak_free_api.inc.h Lines: 92-96

for (int lg=21; lg>=20; lg--) {
    uintptr_t mask=((uintptr_t)1<<lg)-1;
    SuperSlab* guess=(SuperSlab*)((uintptr_t)ptr & ~mask);
    if (guess && guess->magic==SUPERSLAB_MAGIC) {  // ← SEGV HERE (line 94)
        int sidx=slab_index_for(guess,ptr);
        int cap=ss_slabs_capacity(guess);
        if (sidx>=0&&sidx<cap){
            hak_free_route_log("ss_guess", ptr);
            hak_tiny_free(ptr);
            goto done;
        }
    }
}

Why It SEGV's

Line 93: guess is calculated by masking ptr to 1MB/2MB boundary
```
SuperSlab* guess = (SuperSlab*)((uintptr_t)ptr & ~mask);
```
- For ptr = 0x780b2ea01400, guess becomes 0x780b2e000000 (2MB aligned)
- This address is NOT validated - it's just a pointer calculation!
Line 94: Code checks if (guess && ...)
- This ONLY checks if the pointer VALUE is non-NULL
- It does NOT check if the memory is mapped
Line 94 continues: guess->magic==SUPERSLAB_MAGIC
- This DEREFERENCES guess to read the magic field
- If guess points to unmapped memory → SEGV

Minimal Reproducer

// test_segv_minimal.c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

int main() {
    void* ptr = malloc(2048);  // Libc allocation
    printf("ptr=%p\n", ptr);

    // Simulate guess loop
    for (int lg = 21; lg >= 20; lg--) {
        uintptr_t mask = ((uintptr_t)1 << lg) - 1;
        void* guess = (void*)((uintptr_t)ptr & ~mask);
        printf("guess=%p\n", guess);

        // This SEGV's:
        volatile uint64_t magic = *(uint64_t*)guess;
        printf("magic=0x%llx\n", (unsigned long long)magic);
    }
    return 0;
}

Result:

$ gcc -o test_segv_minimal test_segv_minimal.c && ./test_segv_minimal
Exit code: 139  # SEGV

Why Different Benchmarks Behave Differently

Larson (Works ✅)

Allocation pattern: 8-128 bytes, highly repetitive
Allocator: All from SuperSlabs registered in g_super_reg
Free path: Registry lookup at line 86 succeeds → returns before guess loop

random_mixed (SEGV ❌)

Allocation pattern: 8-4096 bytes, diverse sizes
Allocator: Mix of SuperSlab (tiny), mmap (large), and potentially libc
Free path:
1. Registry lookup fails (non-SuperSlab allocation)
2. Falls through to guess loop (line 92)
3. Guess loop calculates unmapped address
4. SEGV when dereferencing guess->magic

mid_large_mt (SEGV ❌)

Allocation pattern: 2KB-32KB, targets Pool/L2.5 layer
Allocator: Not from SuperSlab
Free path: Same as random_mixed → SEGV in guess loop

Why LD_PRELOAD "Works"

Looking at /mnt/workdisk/public_share/hakmem/core/box/hak_core_init.inc.h:119-121:

// Under LD_PRELOAD, enforce safer defaults for Tiny path unless overridden
char* ldpre = getenv("LD_PRELOAD");
if (ldpre && strstr(ldpre, "libhakmem.so")) {
    g_ldpreload_mode = 1;
    ...
    if (!getenv("HAKMEM_TINY_USE_SUPERSLAB")) {
        setenv("HAKMEM_TINY_USE_SUPERSLAB", "0", 0);  // ← DISABLE SUPERSLAB
    }
}

LD_PRELOAD disables SuperSlab by default!

Therefore:

Line 84 in hak_free_api.inc.h: if (g_use_superslab) → FALSE
Lines 86-98: SS-first free path is SKIPPED
Never reaches the buggy guess loop → No SEGV

Evidence Trail

1. Reproduction (100% reliable)

# Direct-link: SEGV
$ ./bench_random_mixed_hakmem 50000 2048 1234567
Exit code: 139 (SEGV)

$ ./bench_mid_large_mt_hakmem 2 10000 512 42
Exit code: 139 (SEGV)

# Larson: Works
$ ./larson_hakmem 2 8 128 1024 1 12345 4
Throughput = 4,192,128 ops/s ✅

2. Registry Logs (HAKMEM_SUPER_REG_DEBUG=1)

[SUPER_REG] register base=0x7a449be00000 lg=21 slot=140511 class=7 magic=48414b4d454d5353
[SUPER_REG] register base=0x7a449ba00000 lg=21 slot=140509 class=6 magic=48414b4d454d5353
... (100+ successful registrations)
<SEGV - no more output>

Key observation: ZERO unregister logs → SEGV happens in FREE, before unregister

3. Free Route Trace (HAKMEM_FREE_ROUTE_TRACE=1)

[FREE_ROUTE] invalid_magic_tiny_recovery ptr=0x780b2ea01400
[FREE_ROUTE] invalid_magic_tiny_recovery ptr=0x780b2e602c00
... (30+ lines)
<SEGV>

Key observation: All frees take invalid_magic_tiny_recovery path, meaning:

Registry lookup failed (line 86)
Guess loop also "failed" (but SEGV'd in the process)
Reached invalid-magic recovery (line 129-133)

4. GDB Backtrace

Thread 1 "bench_random_mi" received signal SIGSEGV, Segmentation fault.
0x000055555555eb30 in free ()
#0  0x000055555555eb30 in free ()
#1  0xffffffffffffffff in ?? ()  # Stack corruption suggests early SEGV

The Fix

Option 1: Remove Guess Loop (Recommended ⭐⭐⭐⭐⭐)

Why: The guess loop is fundamentally unsafe and unnecessary.

Rationale:

Registry exists for a reason: If lookup fails, allocation isn't from SuperSlab
Guess is unreliable: Masking to 1MB/2MB boundary doesn't guarantee valid SuperSlab
Safety: Cannot safely dereference arbitrary memory without validation

Implementation:

--- a/core/box/hak_free_api.inc.h
+++ b/core/box/hak_free_api.inc.h
@@ -89,19 +89,6 @@ void hak_free_at(void* ptr, size_t size, hak_callsite_t site) {
                     if (__builtin_expect(sidx >= 0 && sidx < cap, 1)) { hak_free_route_log("ss_hit", ptr); hak_tiny_free(ptr); goto done; }
                 }
             }
-            // Fallback: try masking ptr to 2MB/1MB boundaries
-            for (int lg=21; lg>=20; lg--) {
-                uintptr_t mask=((uintptr_t)1<<lg)-1;
-                SuperSlab* guess=(SuperSlab*)((uintptr_t)ptr & ~mask);
-                if (guess && guess->magic==SUPERSLAB_MAGIC) {
-                    int sidx=slab_index_for(guess,ptr);
-                    int cap=ss_slabs_capacity(guess);
-                    if (sidx>=0&&sidx<cap){
-                        hak_free_route_log("ss_guess", ptr);
-                        hak_tiny_free(ptr);
-                        goto done;
-                    }
-                }
-            }
         }
     }

Benefits:

✅ Eliminates SEGV completely
✅ Simplifies free path (removes 13 lines of unsafe code)
✅ No performance regression (guess loop rarely succeeded anyway)

Option 2: Add mincore() Validation (Not Recommended ❌)

Why not: Defeats the purpose of the registry (which was designed to avoid mincore!)

// DON'T DO THIS - defeats registry optimization
for (int lg=21; lg>=20; lg--) {
    uintptr_t mask=((uintptr_t)1<<lg)-1;
    SuperSlab* guess=(SuperSlab*)((uintptr_t)ptr & ~mask);

    // Validate memory is mapped
    unsigned char vec[1];
    if (mincore((void*)guess, 1, vec) == 0) {  // 50-100ns syscall!
        if (guess && guess->magic==SUPERSLAB_MAGIC) {
            ...
        }
    }
}

Verification Plan

Step 1: Apply Fix

# Edit core/box/hak_free_api.inc.h
# Remove lines 92-96 (guess loop)

# Rebuild
make clean && make

Step 2: Verify Fix

# Test random_mixed (was SEGV, should work now)
./bench_random_mixed_hakmem 50000 2048 1234567
# Expected: Throughput = X ops/s ✅

# Test mid_large_mt (was SEGV, should work now)
./bench_mid_large_mt_hakmem 2 10000 512 42
# Expected: Throughput = Y ops/s ✅

# Regression test: Larson (should still work)
./larson_hakmem 2 8 128 1024 1 12345 4
# Expected: Throughput = 4.19M ops/s ✅

Step 3: Performance Check

# Verify no performance regression
./bench_comprehensive_hakmem
# Expected: Same performance as before (guess loop rarely succeeded)

Additional Findings

g_invalid_free_mode Confusion

The user suspected g_invalid_free_mode was the culprit, but:

Direct-link: g_invalid_free_mode = 1 (skip invalid-free check)
LD_PRELOAD: g_invalid_free_mode = 0 (fallback to libc)

However, the SEGV happens at line 94 (before invalid-magic check at line 116), so g_invalid_free_mode is irrelevant to the crash.

The real difference is:

Direct-link: SuperSlab enabled → guess loop executes → SEGV
LD_PRELOAD: SuperSlab disabled → guess loop skipped → no SEGV

Why Invalid Magic Trace Didn't Print

The user expected HAKMEM_SUPER_REG_REQTRACE output (line 125), but saw none. This is because:

SEGV happens at line 94 (in guess loop)
Never reaches line 116 (invalid-magic check)
Never reaches line 125 (reqtrace)

The invalid_magic_tiny_recovery logs (line 131) appeared briefly, suggesting some frees completed the guess loop without SEGV (by luck - unmapped addresses that happened to be inaccessible).

Lessons Learned

Never dereference unvalidated pointers: Always check if memory is mapped before reading
NULL check ≠ Safety: if (ptr) only checks the value, not the validity
Guess heuristics are dangerous: Masking to alignment doesn't guarantee valid memory
Registry optimization works: Removing mincore was correct; guess loop was the mistake

References

Bug Report: User's mission brief (2025-11-07)
Free Path: /mnt/workdisk/public_share/hakmem/core/box/hak_free_api.inc.h:64-193
Registry: /mnt/workdisk/public_share/hakmem/core/hakmem_super_registry.h:73-105
Init Logic: /mnt/workdisk/public_share/hakmem/core/box/hak_core_init.inc.h:119-121

Status

Root cause identified (line 94)
Minimal reproducer created
Fix designed (remove guess loop)
Fix applied
Verification complete

Next Action: Apply fix and verify with full benchmark suite.

9.9 KiB Raw Blame History