2.1 KiB
2.1 KiB
Critical Bug Report: P0 Batch Refill Active Counter Double-Decrement
Date: 2025-11-07 Severity: Critical (4T immediate crash)
Summary
free(): invalid pointercrash at startup on 4T Larson when P0 batch refill is active.- Root cause: Missing active counter increment when moving blocks from SuperSlab freelist to TLS SLL during P0 batch refill, causing a subsequent double-decrement on free leading to counter underflow → perceived OOM → crash.
Reproduction
./larson_hakmem 10 8 128 1024 1 12345 4
# → Exit 134 with free(): invalid pointer
Root Cause Analysis
- Free path decrements active → correct
- Remote drain places nodes into SuperSlab freelist → no active change (by design)
- P0 batch refill moved nodes from freelist → TLS SLL, but failed to increment SuperSlab active
- Next free decremented active again → double-decrement → underflow → OOM conditions in refill → crash
Fix
- File:
core/hakmem_tiny_refill_p0.inc.h - Change: In freelist transfer branch, increment active with the exact number taken.
Patch (excerpt)
@@ static inline int sll_refill_batch_from_ss(int class_idx, int max_take)
uint32_t from_freelist = trc_pop_from_freelist(meta, want, &chain);
if (from_freelist > 0) {
trc_splice_to_sll(class_idx, &chain, &g_tls_sll_head[class_idx], &g_tls_sll_count[class_idx]);
// FIX: Blocks from freelist were decremented when freed, must increment when allocated
ss_active_add(tls->ss, from_freelist);
g_rf_freelist_items[class_idx] += from_freelist;
total_taken += from_freelist;
want -= from_freelist;
if (want == 0) break;
}
Verification
- Default 4T: stable at ~0.84M ops/s (twice repeated, identical score).
- Additional guard: Ensure linear carve path also calls
ss_active_add(tls->ss, batch).
Open Items
- With
HAKMEM_TINY_REFILL_COUNT_HOT=64, a crash reappears under class 4 pressure.- Hypothesis: excessive hot-class refill → memory pressure on mid-class → OOM path.
- Next: Investigate interaction with
HAKMEM_TINY_FAST_CAPand run Valgrind leak checks.