Box TLS-SLL + free boundary hardening: normalize C0–C6 to base (ptr-1) at free boundary; route all caches/freelists via base; replace remaining g_tls_sll_head direct writes with Box API (tls_sll_push/splice) in refill/magazine/ultra; keep C7 excluded. Fixes rbp=0xa0 free crash by preventing header overwrite and centralizing TLS-SLL invariants.

core/hakmem_tiny.c

@@ -1212,6 +1212,7 @@ static uint8_t g_hotmag_class_en[TINY_NUM_CLASSES];       // 0=disabled for clas
 static __thread TinyHotMag g_tls_hot_mag[TINY_NUM_CLASSES];
 // Inline helpers
 
+#include "box/tls_sll_box.h"  // Box TLS-SLL: Safe SLL operations API (needed by hotmag)
 #include "hakmem_tiny_hotmag.inc.h"
 
 // Size-specialized tiny alloc (32B/64B) via function pointers (A/B用)
@@ -1241,6 +1242,14 @@ void hak_tiny_prewarm_tls_cache(void) {
     // Pre-warm each class with HAKMEM_TINY_PREWARM_COUNT blocks
     // This reduces the first-allocation miss penalty by populating TLS cache
     for (int class_idx = 0; class_idx < TINY_NUM_CLASSES; class_idx++) {
+        // CRITICAL: C7 (1KB) is headerless - skip TLS SLL refill, but create SuperSlab
+        if (class_idx == 7) {
+            // Create C7 SuperSlab explicitly (refill functions skip C7)
+            // Note: superslab_refill is already declared in hakmem_tiny_refill.inc.h
+            (void)superslab_refill(class_idx);
+            continue;
+        }
+
         int count = HAKMEM_TINY_PREWARM_COUNT;  // Default: 16 blocks per class
 
         // Trigger refill to populate TLS cache