Box TLS-SLL + free boundary hardening: normalize C0–C6 to base (ptr-1) at free boundary; route all caches/freelists via base; replace remaining g_tls_sll_head direct writes with Box API (tls_sll_push/splice) in refill/magazine/ultra; keep C7 excluded. Fixes rbp=0xa0 free crash by preventing header overwrite and centralizing TLS-SLL invariants.

core/tiny_refill_opt.h

@@ -52,7 +52,10 @@ static inline void trc_push_front(TinyRefillChain* c, void* node) {
 // Forward declaration of guard function
 static inline int trc_refill_guard_enabled(void);
 
-// Splice local chain into TLS SLL (single meta write)
+// Forward declare Box TLS-SLL API
+#include "box/tls_sll_box.h"
+
+// Splice local chain into TLS SLL using Box TLS-SLL API (C7-safe)
 static inline void trc_splice_to_sll(int class_idx, TinyRefillChain* c,
                                      void** sll_head, uint32_t* sll_count) {
     if (!c || c->head == NULL) return;
@@ -65,11 +68,20 @@ static inline void trc_splice_to_sll(int class_idx, TinyRefillChain* c,
                 class_idx, c->head, c->tail, c->count);
     }
 
-    if (c->tail) {
-        *(void**)c->tail = *sll_head;
+    // CRITICAL: Use Box TLS-SLL API for splice (C7-safe, no race)
+    // Note: tls_sll_splice() requires capacity parameter (use large value for refill)
+    uint32_t moved = tls_sll_splice(class_idx, c->head, c->count, 4096);
+
+    // Update sll_count if provided (Box API already updated g_tls_sll_count internally)
+    // Note: sll_count parameter is typically &g_tls_sll_count[class_idx], already updated
+    (void)sll_count;  // Suppress unused warning
+    (void)sll_head;   // Suppress unused warning
+
+    // If splice was partial, warn (should not happen in refill path)
+    if (__builtin_expect(moved < c->count, 0)) {
+        fprintf(stderr, "[SPLICE_WARNING] Only moved %u/%u blocks (SLL capacity limit)\n",
+                moved, c->count);
     }
-    *sll_head = c->head;
-    if (sll_count) *sll_count += c->count;
 }
 
 static inline int trc_refill_guard_enabled(void) {