Box TLS-SLL + free boundary hardening: normalize C0–C6 to base (ptr-1) at free boundary; route all caches/freelists via base; replace remaining g_tls_sll_head direct writes with Box API (tls_sll_push/splice) in refill/magazine/ultra; keep C7 excluded. Fixes rbp=0xa0 free crash by preventing header overwrite and centralizing TLS-SLL invariants.

core/tiny_alloc_fast_inline.h

@@ -55,6 +55,9 @@ extern __thread uint32_t g_tls_sll_count[TINY_NUM_CLASSES];
                 g_tls_sll_count[(class_idx)]--; \
             } \
             (ptr_out) = _head; \
+            if (__builtin_expect((class_idx) == 7, 0)) { \
+                *(void**)(ptr_out) = NULL; \
+            } \
         } \
     } else { \
         (ptr_out) = NULL; \