Phase E3-FINAL: Fix Box API offset bugs - ALL classes now use correct offsets

## Root Cause Analysis (GPT5)

**Physical Layout Constraints**:
- Class 0: 8B = [1B header][7B payload] → offset 1 = 9B needed = ❌ IMPOSSIBLE
- Class 1-6: >=16B = [1B header][15B+ payload] → offset 1 = ✅ POSSIBLE
- Class 7: 1KB → offset 0 (compatibility)

**Correct Specification**:
- HAKMEM_TINY_HEADER_CLASSIDX != 0:
  - Class 0, 7: next at offset 0 (overwrites header when on freelist)
  - Class 1-6: next at offset 1 (after header)
- HAKMEM_TINY_HEADER_CLASSIDX == 0:
  - All classes: next at offset 0

**Previous Bug**:
- Attempted "ALL classes offset 1" unification
- Class 0 with offset 1 caused immediate SEGV (9B > 8B block size)
- Mixed 2-arg/3-arg API caused confusion

## Fixes Applied

### 1. Restored 3-Argument Box API (core/box/tiny_next_ptr_box.h)
```c
// Correct signatures
void tiny_next_write(int class_idx, void* base, void* next_value)
void* tiny_next_read(int class_idx, const void* base)

// Correct offset calculation
size_t offset = (class_idx == 0 || class_idx == 7) ? 0 : 1;
```

### 2. Updated 123+ Call Sites Across 34 Files
- hakmem_tiny_hot_pop_v4.inc.h (4 locations)
- hakmem_tiny_fastcache.inc.h (3 locations)
- hakmem_tiny_tls_list.h (12 locations)
- superslab_inline.h (5 locations)
- tiny_fastcache.h (3 locations)
- ptr_trace.h (macro definitions)
- tls_sll_box.h (2 locations)
- + 27 additional files

Pattern: `tiny_next_read(base)` → `tiny_next_read(class_idx, base)`
Pattern: `tiny_next_write(base, next)` → `tiny_next_write(class_idx, base, next)`

### 3. Added Sentinel Detection Guards
- tiny_fast_push(): Block nodes with sentinel in ptr or ptr->next
- tls_list_push(): Block nodes with sentinel in ptr or ptr->next
- Defense-in-depth against remote free sentinel leakage

## Verification (GPT5 Report)

**Test Command**: `./out/release/bench_random_mixed_hakmem --iterations=70000`

**Results**:
- ✅ Main loop completed successfully
- ✅ Drain phase completed successfully
- ✅ NO SEGV (previous crash at iteration 66151 is FIXED)
- ℹ️ Final log: "tiny_alloc(1024) failed" is normal fallback to Mid/ACE layers

**Analysis**:
- Class 0 immediate SEGV: ✅ RESOLVED (correct offset 0 now used)
- 66K iteration crash: ✅ RESOLVED (offset consistency fixed)
- Box API conflicts: ✅ RESOLVED (unified 3-arg API)

## Technical Details

### Offset Logic Justification
```
Class 0:  8B block → next pointer (8B) fits ONLY at offset 0
Class 1: 16B block → next pointer (8B) fits at offset 1 (after 1B header)
Class 2: 32B block → next pointer (8B) fits at offset 1
...
Class 6: 512B block → next pointer (8B) fits at offset 1
Class 7: 1024B block → offset 0 for legacy compatibility
```

### Files Modified (Summary)
- Core API: `box/tiny_next_ptr_box.h`
- Hot paths: `hakmem_tiny_hot_pop*.inc.h`, `tiny_fastcache.h`
- TLS layers: `hakmem_tiny_tls_list.h`, `hakmem_tiny_tls_ops.h`
- SuperSlab: `superslab_inline.h`, `tiny_superslab_*.inc.h`
- Refill: `hakmem_tiny_refill.inc.h`, `tiny_refill_opt.h`
- Free paths: `tiny_free_magazine.inc.h`, `tiny_superslab_free.inc.h`
- Documentation: Multiple Phase E3 reports

## Remaining Work

None for Box API offset bugs - all structural issues resolved.

Future enhancements (non-critical):
- Periodic `grep -R '*(void**)' core/` to detect direct pointer access violations
- Enforce Box API usage via static analysis
- Document offset rationale in architecture docs

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

core/hakmem_tiny_tls_ops.h

@@ -5,6 +5,7 @@
 #include "hakmem_tiny_superslab.h"
 #include "hakmem_super_registry.h"
 #include "tiny_remote.h"
+#include "box/tiny_next_ptr_box.h"
 #include <stdint.h>
 
 // Forward declarations for external dependencies
@@ -61,7 +62,8 @@ static inline int tls_refill_from_tls_slab(int class_idx, TinyTLSList* tls, uint
     size_t block_stride = tiny_stride_for_class(class_idx);
     // Header-aware TLS list next offset for chains we build here
 #if HAKMEM_TINY_HEADER_CLASSIDX
-    const size_t next_off_tls = (class_idx == 7) ? 0 : 1;
+    // Phase E1-CORRECT: ALL classes have 1-byte header, next ptr at offset 1
+    const size_t next_off_tls = 1;
 #else
     const size_t next_off_tls = 0;
 #endif
@@ -80,8 +82,9 @@ static inline int tls_refill_from_tls_slab(int class_idx, TinyTLSList* tls, uint
             uint32_t need = want - total;
             while (local < need && meta->freelist) {
                 void* node = meta->freelist;
-                meta->freelist = *(void**)node; // freelist is base-linked
-                *(void**)((uint8_t*)node + next_off_tls) = local_head;
+                // BUG FIX: Use Box API to read next pointer at correct offset
+                meta->freelist = tiny_next_read(class_idx, node); // freelist is base-linked
+                tiny_next_write(class_idx, node, local_head);
                 local_head = node;
                 if (!local_tail) local_tail = node;
                 local++;
@@ -93,7 +96,7 @@ static inline int tls_refill_from_tls_slab(int class_idx, TinyTLSList* tls, uint
                     accum_head = local_head;
                     accum_tail = local_tail;
                 } else {
-                    *(void**)((uint8_t*)local_tail + next_off_tls) = accum_head;
+                    tiny_next_write(class_idx, local_tail, accum_head);
                     accum_head = local_head;
                 }
                 total += local;
@@ -127,7 +130,7 @@ static inline int tls_refill_from_tls_slab(int class_idx, TinyTLSList* tls, uint
         uint8_t* cursor = base_cursor;
         for (uint32_t i = 1; i < need; ++i) {
             uint8_t* next = cursor + block_stride;
-            *(void**)(cursor + next_off_tls) = (void*)next;
+            tiny_next_write(class_idx, (void*)cursor, (void*)next);
             cursor = next;
         }
         void* local_tail = (void*)cursor;
@@ -138,7 +141,7 @@ static inline int tls_refill_from_tls_slab(int class_idx, TinyTLSList* tls, uint
             accum_head = local_head;
             accum_tail = local_tail;
         } else {
-            *(void**)((uint8_t*)local_tail + next_off_tls) = accum_head;
+            tiny_next_write(class_idx, local_tail, accum_head);
             accum_head = local_head;
         }
         total += need;
@@ -182,13 +185,8 @@ static inline void tls_list_spill_excess(int class_idx, TinyTLSList* tls) {
 
     uint32_t self_tid = tiny_self_u32();
     void* node = head;
-#if HAKMEM_TINY_HEADER_CLASSIDX
-    const size_t next_off_tls = (class_idx == 7) ? 0 : 1;
-#else
-    const size_t next_off_tls = 0;
-#endif
     while (node) {
-        void* next = *(void**)((uint8_t*)node + next_off_tls);
+        void* next = tiny_next_read(class_idx, node);
         int handled = 0;
 
         // Phase 1: Try SuperSlab first (registry-based lookup, no false positives)
@@ -202,7 +200,8 @@ static inline void tls_list_spill_excess(int class_idx, TinyTLSList* tls) {
                 handled = 1;
             } else {
                 void* prev = meta->freelist;
-            *(void**)((uint8_t*)node + 0) = prev; // freelist within slab uses base link
+                // BUG FIX: Use Box API to write next pointer at correct offset
+                tiny_next_write(class_idx, node, prev); // freelist within slab uses base link
                 meta->freelist = node;
                 tiny_failfast_log("tls_spill_ss", ss->size_class, ss, meta, node, prev);
                 if (meta->used > 0) meta->used--;
@@ -248,7 +247,7 @@ static inline void tls_list_spill_excess(int class_idx, TinyTLSList* tls) {
         }
 #endif
         if (!handled) {
-            *(void**)((uint8_t*)node + next_off_tls) = requeue_head;
+            tiny_next_write(class_idx, node, requeue_head);
             if (!requeue_head) requeue_tail = node;
             requeue_head = node;
             requeue_count++;