DebugAllocator: Fix bucket removal logic causing segfault/leak

[SuperAuguste]

Hey Ziguanas 0/

Ran into this one while at work and it drove me crazy for a good couple hours until a coworker and I realized it was a bug in the DebugAllocator rather than in our own code!

Here's a repro; the first test will not error when it should, and the second will segfault:

const std = @import("std");

const size_class_0_slot_count = 1308;

test "Head erasure" {
    var debug_allocator: std.heap.DebugAllocator(.{}) = .init;
    defer _ = debug_allocator.deinit();

    const allocator = debug_allocator.allocator();

    // Current bucket linked list: [null]

    for (0..size_class_0_slot_count) |_| {
        _ = try allocator.create(u8);
    }

    // Current bucket linked list: [null <- bucket_0]

    const new_bucket = try allocator.create(u8);

    // Current bucket linked list: [null <- bucket_0 <- bucket_1]

    allocator.destroy(new_bucket);

    // Current bucket linked list: [null]

    // No errors despite clearly leaking memory due to our `prev` (and thus the existence of
    // bucket_0 within the DebugAllocator) being erased!
}

test "Intermediate erasure" {
    var debug_allocator: std.heap.DebugAllocator(.{}) = .init;
    defer _ = debug_allocator.deinit();

    const allocator = debug_allocator.allocator();

    // Current bucket linked list: [null]

    for (0..size_class_0_slot_count) |_| {
        _ = try allocator.create(u8);
    }

    // Current bucket linked list: [null <- bucket_0]

    var bucket_1_items: [size_class_0_slot_count]*u8 = undefined;
    for (&bucket_1_items) |*item| {
        item.* = try allocator.create(u8);
    }

    // Current bucket linked list: [null <- bucket_0 <- bucket_1]

    _ = try allocator.create(u8);

    // Current bucket linked list: [null <- bucket_0 <- bucket_1 <- bucket_2]

    for (bucket_1_items) |item| {
        allocator.destroy(item);
    }

    // Current bucket linked list: [freed memory <- bucket_2]

    // Causes a segfault on deinit!
}

My proposed patch is strictly less performant (though not significantly unless you're freeing rather old buckets on a specific size class on the regular I'd imagine) and could be made inexpensive by making the buckets doubly-linked list, though that of course has its own space tradeoffs.

Let me know if you'd like to go the doubly-linked route instead (or something else entirely). Cheers! :)

[squeek502]

I believe using a linear search over the buckets will (partially, since it's only done in free here) reintroduce the performance problems described/fixed in #17383 (before the GPA/DebugAllocator was entirely rewritten in #20511)

Don't have any recommendations on how to avoid the linear scan yet, will try to come up with some, just wanted to mention this now. A doubly linked list seems pretty reasonable, though.

[andrewrk]

Oof that's a silly mistake I made, isn't it?

Thanks for the bug report.

As @squeek502 pointed out, this should be solved instead by adding a next pointer to buckets so that it is O(1) instead of O(N).

Also, this is the kind of thing I want to start finding via integrated fuzzing!

[SuperAuguste]

Addressed y'alls feedback :)

[andrewrk]

Thanks!