Fix: CRITICAL double-allocation bug in trc_linear_carve()

Root Cause:
trc_linear_carve() used meta->used as cursor, but meta->used decrements
on free, causing already-allocated blocks to be re-carved.

Evidence:
- [LINEAR_CARVE] used=61 batch=1 → block 61 created
- (blocks freed, used decrements 62→59)
- [LINEAR_CARVE] used=59 batch=3 → blocks 59,60,61 RE-CREATED!
- Result: double-allocation → memory corruption → SEGV

Fix Implementation:
1. Added TinySlabMeta.carved (monotonic counter, never decrements)
2. Changed trc_linear_carve() to use carved instead of used
3. carved tracks carve progress, used tracks active count

Files Modified:
- core/superslab/superslab_types.h: Add carved field
- core/tiny_refill_opt.h: Use carved in trc_linear_carve()
- core/hakmem_tiny_superslab.c: Initialize carved=0
- core/tiny_alloc_fast.inc.h: Add next pointer validation
- core/hakmem_tiny_free.inc: Add drain/free validation

Test Results:
✅ bench_random_mixed: 950,037 ops/s (no crash)
✅ Fail-fast mode: 651,627 ops/s (with diagnostic logs)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

core/tiny_superslab_alloc.inc.h

@@ -82,6 +82,27 @@ static inline void* superslab_alloc_from_slab(SuperSlab* ss, int slab_idx) {
     // Freelist mode (after first free())
     if (meta->freelist) {
         void* block = meta->freelist;
+
+        // CORRUPTION DEBUG: Validate freelist head before popping
+        if (__builtin_expect(tiny_refill_failfast_level() >= 2, 0)) {
+            size_t blk = g_tiny_class_sizes[ss->size_class];
+            uint8_t* slab_base = tiny_slab_base_for(ss, slab_idx);
+            uintptr_t block_addr = (uintptr_t)block;
+            uintptr_t slab_addr = (uintptr_t)slab_base;
+            uintptr_t offset = block_addr - slab_addr;
+
+            fprintf(stderr, "[ALLOC_POP] cls=%u slab=%d block=%p offset=%zu (used=%u cap=%u)\n",
+                    ss->size_class, slab_idx, block, offset, meta->used, meta->capacity);
+
+            if (offset % blk != 0) {
+                fprintf(stderr, "[ALLOC_CORRUPT] Freelist head is misaligned! block=%p offset=%zu blk=%zu\n",
+                        block, offset, blk);
+                fprintf(stderr, "[ALLOC_CORRUPT] Expected alignment: %zu, actual: %zu\n",
+                        blk, offset % blk);
+                tiny_failfast_abort_ptr("alloc_pop_misalign", ss, slab_idx, block, "freelist_head_corrupt");
+            }
+        }
+
         meta->freelist = *(void**)block;  // Pop from freelist
         meta->used++;
         tiny_remote_track_on_alloc(ss, slab_idx, block, "freelist_alloc", 0);
@@ -520,6 +541,14 @@ static inline void* hak_tiny_alloc_superslab(int class_idx) {
             int aligned = ((p - (uintptr_t)base) % block_size) == 0;
             int idx_ok = (tls->slab_idx >= 0) && (tls->slab_idx < ss_slabs_capacity(tls->ss));
             if (!in_range || !aligned || !idx_ok || meta->used > (uint32_t)meta->capacity) {
+                // Diagnostic log before abort
+                fprintf(stderr, "[ALLOC_CARVE_BUG] cls=%u slab=%d used=%u cap=%u base=%p bs=%zu ptr=%p offset=%zu\n",
+                        tls->ss->size_class, tls->slab_idx, meta->used, meta->capacity,
+                        (void*)base, block_size, block, off);
+                fprintf(stderr, "[ALLOC_CARVE_BUG] in_range=%d aligned=%d idx_ok=%d used_check=%d\n",
+                        in_range, aligned, idx_ok, meta->used > (uint32_t)meta->capacity);
+                fflush(stderr);
+
                 tiny_failfast_abort_ptr("alloc_ret_align",
                                         tls->ss,
                                         tls->slab_idx,