tomoaki/hakmem
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b2724e6f5d848dc96dba4b4b75b332e891e95ca1
hakmem/docs/analysis/FINAL_ANALYSIS_C2_CORRUPTION.md
Moe Charm (CI) 67fb15f35f Wrap debug fprintf in !HAKMEM_BUILD_RELEASE guards (Release build optimization) 
## Changes

### 1. core/page_arena.c
- Removed init failure message (lines 25-27) - error is handled by returning early
- All other fprintf statements already wrapped in existing #if !HAKMEM_BUILD_RELEASE blocks

### 2. core/hakmem.c
- Wrapped SIGSEGV handler init message (line 72)
- CRITICAL: Kept SIGSEGV/SIGBUS/SIGABRT error messages (lines 62-64) - production needs crash logs

### 3. core/hakmem_shared_pool.c
- Wrapped all debug fprintf statements in #if !HAKMEM_BUILD_RELEASE:
  - Node pool exhaustion warning (line 252)
  - SP_META_CAPACITY_ERROR warning (line 421)
  - SP_FIX_GEOMETRY debug logging (line 745)
  - SP_ACQUIRE_STAGE0.5_EMPTY debug logging (line 865)
  - SP_ACQUIRE_STAGE0_L0 debug logging (line 803)
  - SP_ACQUIRE_STAGE1_LOCKFREE debug logging (line 922)
  - SP_ACQUIRE_STAGE2_LOCKFREE debug logging (line 996)
  - SP_ACQUIRE_STAGE3 debug logging (line 1116)
  - SP_SLOT_RELEASE debug logging (line 1245)
  - SP_SLOT_FREELIST_LOCKFREE debug logging (line 1305)
  - SP_SLOT_COMPLETELY_EMPTY debug logging (line 1316)
- Fixed lock_stats_init() for release builds (lines 60-65) - ensure g_lock_stats_enabled is initialized

## Performance Validation

Before: 51M ops/s (with debug fprintf overhead)
After:  49.1M ops/s (consistent performance, fprintf removed from hot paths)

## Build & Test

```bash
./build.sh larson_hakmem
./out/release/larson_hakmem 1 5 1 1000 100 10000 42
# Result: 49.1M ops/s
```

Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-26 13:14:18 +09:00

7.3 KiB
Raw Blame History

Class 2 Header Corruption - FINAL ROOT CAUSE

Executive Summary

STATUS: ROOT CAUSE IDENTIFIED

Corrupted Pointer: 0x74db60210116 Corruption Call: 14209 Last Valid PUSH: Call 3957

Root Cause: The logs reveal 0x74db60210115 and 0x74db60210116 (only 1 byte apart) are being pushed/popped from TLS SLL. This spacing is IMPOSSIBLE for Class 2 (32B blocks + 1B header = 33B stride).

Conclusion: These are USER and BASE representations of the SAME block, indicating a USER/BASE pointer mismatch somewhere in the code that allows USER pointers to leak into the TLS SLL.

Evidence

Timeline of Corrupted Block

[C2_PUSH] ptr=0x74db60210115 before=0xa2 after=0xa2 call=3915   ← USER pointer!
[C2_POP]  ptr=0x74db60210115 header=0xa2 expected=0xa2 call=3936  ← USER pointer!
[C2_PUSH] ptr=0x74db60210116 before=0xa2 after=0xa2 call=3957   ← BASE pointer (correct)
[C2_POP]  ptr=0x74db60210116 header=0x00 expected=0xa2 call=14209 ← CORRUPTION!

Address Analysis

0x74db60210115  ← USER pointer (BASE + 1)
0x74db60210116  ← BASE pointer (header location)

Difference: 1 byte (should be 33 bytes for different Class 2 blocks)

Conclusion: Same physical block, two different pointer conventions

Corruption Mechanism

Phase 1: USER Pointer Leak (Calls 3915-3936)

  1. Call 3915: FREE operation pushes 0x115 (USER pointer) to TLS SLL

    • BUG: Code path passes USER to tls_sll_push instead of BASE
    • TLS SLL receives USER pointer
    • tls_sll_push writes header at USER-1 (0x116), so header is correct

  2. Call 3936: ALLOC operation pops 0x115 (USER pointer) from TLS SLL

    • Returns USER pointer to application (correct for external API)
    • User writes to 0x115+ (user data area)
    • Header at 0x116 remains intact (not touched by user)

Phase 2: Correct BASE Pointer (Call 3957)

  1. Call 3957: FREE operation pushes 0x116 (BASE pointer) to TLS SLL
    • Correct: Passes BASE to tls_sll_push
    • Header restored to 0xa2

Phase 3: User Overwrites Header (Calls 3957-14209)

  1. Between 3957-14209: ALLOC operation pops 0x116 from TLS SLL

    • BUG: Returns BASE pointer to user instead of USER pointer!
    • User receives 0x116 thinking it's the start of user data
    • User writes to 0x116[0] (thinks it's user byte 0)
    • ACTUALLY overwrites header byte!
    • Header becomes 0x00

  2. Call 14209: FREE operation pushes 0x116 to TLS SLL

    • CORRUPTION DETECTED: Header is 0x00 instead of 0xa2

Code Analysis

Allocation Paths (USER Conversion) CORRECT

File: /mnt/workdisk/public_share/hakmem/core/tiny_region_id.h:46

static inline void* tiny_region_id_write_header(void* base, int class_idx) {
    if (!base) return base;
    if (__builtin_expect(class_idx == 7, 0)) {
        return base;  // C7: headerless
    }

    // Write header at BASE
    uint8_t* header_ptr = (uint8_t*)base;
    *header_ptr = HEADER_MAGIC | (class_idx & HEADER_CLASS_MASK);

    void* user = header_ptr + 1;  // ✅ Convert BASE → USER
    return user;  // ✅ CORRECT: Returns USER pointer
}

Usage: All HAK_RET_ALLOC(class_idx, ptr) calls use this function, which correctly returns USER pointers.

Free Paths (BASE Conversion) - MIXED RESULTS

Path 1: Ultra-Simple Free CORRECT

File: /mnt/workdisk/public_share/hakmem/core/hakmem_tiny_free.inc:383

void* base = (class_idx == 7) ? ptr : (void*)((uint8_t*)ptr - 1);  // ✅ Convert USER → BASE
if (tls_sll_push(class_idx, base, (uint32_t)sll_cap)) {
    return;  // Success
}

Status: CORRECT - Converts USER → BASE before push

Path 2: Freelist Drain SUSPICIOUS

File: /mnt/workdisk/public_share/hakmem/core/hakmem_tiny_free.inc:75

static inline void tiny_drain_freelist_to_sll_once(SuperSlab* ss, int slab_idx, int class_idx) {
    // ...
    while (m->freelist && moved < budget) {
        void* p = m->freelist;  // ← What is this? BASE or USER?
        // ...
        if (tls_sll_push(class_idx, p, sll_capacity)) {  // ← Pushing p directly
            moved++;
        }
    }
}

Question: Is m->freelist stored as BASE or USER?

Answer: Freelist stores pointers at offset 0 (header location for header classes), so m->freelist contains BASE pointers. This is CORRECT.

Path 3: Fast Free NEEDS INVESTIGATION

File: /mnt/workdisk/public_share/hakmem/core/tiny_free_fast_v2.inc.h

Need to check if fast free path converts USER → BASE.

Next Steps: Find the Buggy Path

Step 1: Check Fast Free Path

grep -A 10 -B 5 "tls_sll_push" core/tiny_free_fast_v2.inc.h

Look for paths that pass ptr directly to tls_sll_push without USER → BASE conversion.

Step 2: Check All Free Wrappers

grep -rn "void.*free.*void.*ptr" core/ | grep -v "\.o:"

Check all free entry points to ensure USER → BASE conversion.

Step 3: Add Validation to tls_sll_push

Temporarily add address alignment check in tls_sll_push:

// In tls_sll_box.h: tls_sll_push()
#if !HAKMEM_BUILD_RELEASE
if (class_idx != 7) {
    // For header classes, ptr should be BASE (even address for 32B blocks)
    // USER pointers would be BASE+1 (odd addresses for 32B blocks)
    uintptr_t addr = (uintptr_t)ptr;
    if ((addr & 1) != 0) {  // ODD address = USER pointer!
        extern _Atomic uint64_t malloc_count;
        uint64_t call = atomic_load(&malloc_count);
        fprintf(stderr, "[TLS_SLL_PUSH_BUG] call=%lu cls=%d ptr=%p is ODD (USER pointer!)\\n",
                call, class_idx, ptr);
        fprintf(stderr, "[TLS_SLL_PUSH_BUG] Caller passed USER instead of BASE!\\n");
        fflush(stderr);
        abort();
    }
}
#endif

This will catch USER pointers immediately at injection point!

Step 4: Run Test

./build.sh bench_random_mixed_hakmem
timeout 60s ./out/release/bench_random_mixed_hakmem 10000 256 42 2>&1 | tee user_ptr_catch.log

Expected: Immediate abort with backtrace showing which path is passing USER pointers.

Hypothesis

Based on the evidence, the bug is likely in:

  1. Fast free path that doesn't convert USER → BASE before tls_sll_push
  2. Some wrapper around hakmem_free() that pre-converts USER → BASE incorrectly
  3. Some refill/drain path that accidentally uses USER pointers from freelist

Most Likely: Fast free path optimization that skips USER → BASE conversion for performance.

Verification Plan

  1. Add ODD address validation to tls_sll_push (debug builds only)
  2. Run 10K iteration test
  3. Catch USER pointer injection with backtrace
  4. Fix the specific path
  5. Re-test with 100K iterations
  6. Remove validation (keep in comments for future debugging)

Expected Fix

Once we identify the buggy path, the fix will be a 1-liner:

// BEFORE (BUG):
tls_sll_push(class_idx, user_ptr, ...);  // ← Passing USER!

// AFTER (FIX):
void* base = PTR_USER_TO_BASE(user_ptr, class_idx);  // ✅ Convert to BASE
tls_sll_push(class_idx, base, ...);

Status

  • Root cause identified (USER/BASE mismatch)
  • Evidence collected (logs showing ODD/EVEN addresses)
  • Mechanism understood (user overwrites header when given BASE)
  • Specific buggy path: TO BE IDENTIFIED (next step)
  • Fix: TO BE APPLIED (1-line change)
  • Verification: TO BE DONE (100K test)