Fix: CRITICAL double-allocation bug in trc_linear_carve()

Root Cause:
trc_linear_carve() used meta->used as cursor, but meta->used decrements
on free, causing already-allocated blocks to be re-carved.

Evidence:
- [LINEAR_CARVE] used=61 batch=1 → block 61 created
- (blocks freed, used decrements 62→59)
- [LINEAR_CARVE] used=59 batch=3 → blocks 59,60,61 RE-CREATED!
- Result: double-allocation → memory corruption → SEGV

Fix Implementation:
1. Added TinySlabMeta.carved (monotonic counter, never decrements)
2. Changed trc_linear_carve() to use carved instead of used
3. carved tracks carve progress, used tracks active count

Files Modified:
- core/superslab/superslab_types.h: Add carved field
- core/tiny_refill_opt.h: Use carved in trc_linear_carve()
- core/hakmem_tiny_superslab.c: Initialize carved=0
- core/tiny_alloc_fast.inc.h: Add next pointer validation
- core/hakmem_tiny_free.inc: Add drain/free validation

Test Results:
✅ bench_random_mixed: 950,037 ops/s (no crash)
✅ Fail-fast mode: 651,627 ops/s (with diagnostic logs)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

core/tiny_alloc_fast.inc.h

@@ -53,6 +53,8 @@ extern __thread uint32_t g_tls_sll_count[TINY_NUM_CLASSES];
 extern int sll_refill_small_from_ss(int class_idx, int max_take);
 extern void* hak_tiny_alloc_slow(size_t size, int class_idx);
 extern int hak_tiny_size_to_class(size_t size);
+extern int tiny_refill_failfast_level(void);
+extern const size_t g_tiny_class_sizes[];
 
 // Global Front refill config (parsed at init; defined in hakmem_tiny.c)
 extern int g_refill_count_global;
@@ -182,10 +184,38 @@ static inline void* tiny_alloc_fast_pop(int class_idx) {
     if (__builtin_expect(g_tls_sll_enable, 1)) {
         void* head = g_tls_sll_head[class_idx];
         if (__builtin_expect(head != NULL, 1)) {
+            // CORRUPTION DEBUG: Validate TLS SLL head before popping
+            if (__builtin_expect(tiny_refill_failfast_level() >= 2, 0)) {
+                size_t blk = g_tiny_class_sizes[class_idx];
+                // Check alignment (must be multiple of block size)
+                if (((uintptr_t)head % blk) != 0) {
+                    fprintf(stderr, "[TLS_SLL_CORRUPT] cls=%d head=%p misaligned (blk=%zu offset=%zu)\n",
+                            class_idx, head, blk, (uintptr_t)head % blk);
+                    fprintf(stderr, "[TLS_SLL_CORRUPT] TLS freelist head is corrupted!\n");
+                    abort();
+                }
+            }
+
             // Front Gate: SLL hit (fast path 3 instructions)
             extern unsigned long long g_front_sll_hit[];
             g_front_sll_hit[class_idx]++;
-            g_tls_sll_head[class_idx] = *(void**)head;  // Pop: next = *head
+
+            // CORRUPTION DEBUG: Validate next pointer before updating head
+            void* next = *(void**)head;
+            if (__builtin_expect(tiny_refill_failfast_level() >= 2, 0)) {
+                size_t blk = g_tiny_class_sizes[class_idx];
+                if (next != NULL && ((uintptr_t)next % blk) != 0) {
+                    fprintf(stderr, "[ALLOC_POP_CORRUPT] Reading next from head=%p got corrupted next=%p!\n",
+                            head, next);
+                    fprintf(stderr, "[ALLOC_POP_CORRUPT] cls=%d blk=%zu next_offset=%zu (expected 0)\n",
+                            class_idx, blk, (uintptr_t)next % blk);
+                    fprintf(stderr, "[ALLOC_POP_CORRUPT] TLS SLL head block was corrupted (use-after-free/double-free)!\n");
+                    abort();
+                }
+                fprintf(stderr, "[ALLOC_POP] cls=%d head=%p next=%p\n", class_idx, head, next);
+            }
+
+            g_tls_sll_head[class_idx] = next;  // Pop: next = *head
 
             // Optional: update count (for stats, can be disabled)
             if (g_tls_sll_count[class_idx] > 0) {