Restrict ss_fast_lookup to validated Tiny pointer paths only

Safety fix: ss_fast_lookup masks pointer to 1MB boundary and reads
memory at that address. If called with arbitrary (non-Tiny) pointers,
the masked address could be unmapped → SEGFAULT.

Changes:
- tiny_free_fast(): Reverted to safe hak_super_lookup (can receive
  arbitrary pointers without prior validation)
- ss_fast_lookup(): Added safety warning in comments documenting when
  it's safe to use (after header magic 0xA0 validation)

ss_fast_lookup remains in LARSON_FIX paths where header magic is
already validated before the SuperSlab lookup.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
Moe Charm (CI)
2025-11-27 12:55:40 +09:00
parent 64ed3d8d8c
commit 7a03a614fd
2 changed files with 12 additions and 5 deletions

@ -215,11 +215,12 @@ static inline void tiny_free_fast(void* ptr) {
}
// 1. SuperSlab-backed tiny pointer?
if (__builtin_expect(g_use_superslab != 0, 1)) {
// Phase 12 optimization: Use fast mask-based lookup instead of registry
// ss_fast_lookup does: mask + magic check + range check (~5-10 cycles vs 50-100)
void* base = (void*)((uint8_t*)ptr - 1); // Convert USER → BASE first
SuperSlab* ss = ss_fast_lookup(base);
if (__builtin_expect(ss != NULL, 1)) {
// NOTE: Use safe hak_super_lookup here (not ss_fast_lookup) because
// tiny_free_fast() can receive arbitrary pointers without prior validation.
// ss_fast_lookup masks to 1MB boundary and reads magic - would crash on unmapped memory.
SuperSlab* ss = hak_super_lookup(ptr);
if (__builtin_expect(ss != NULL && ss->magic == SUPERSLAB_MAGIC, 0)) {
void* base = (void*)((uint8_t*)ptr - 1); // Convert USER → BASE
int slab_idx = slab_index_for(ss, base);
uint32_t self_tid = tiny_self_u32();
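Review bot: The branch hint on the new `if (__builtin_expect(ss != NULL && ss->magic == SUPERSLAB_MAGIC, 0))` line marks a SuperSlab hit as unlikely, while the ss_fast_lookup version it replaces hinted `ss != NULL` as likely (`, 1`) and the enclosing `g_use_superslab != 0` check is also hinted likely. The commit message describes only the lookup change, so please confirm the `0` is intentional (for example, carried over from the code before the Phase 12 optimization) or change it to `1`, and say which in a short comment. Separately, the lookup argument changes from `base` (`ptr - 1`) to `ptr`, with `base` now computed only after the lookup succeeds. A one-line comment stating that hak_super_lookup expects the USER pointer here would let a reader verify that the two addresses cannot resolve to different SuperSlabs.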