SLL triage step 2: use safe tls_sll_pop for classes >=4 in alloc fast path; add optional safe header mode for tls_sll_push (HAKMEM_TINY_SLL_SAFEHEADER). Shared SS stable with SLL C0..C4; class5 hotpath causes crash, can be bypassed with HAKMEM_TINY_HOTPATH_CLASS5=0.

core/box/tls_sll_box.h

@@ -113,14 +113,28 @@ static inline bool tls_sll_push(int class_idx, void* ptr, uint32_t capacity)
     }
 
 #if HAKMEM_TINY_HEADER_CLASSIDX
-    // Restore header defensively for header classes (class != 0,7 use header byte).
+    // Header handling for header classes (class != 0,7).
+    // Safe mode (HAKMEM_TINY_SLL_SAFEHEADER=1): never overwrite header; reject on magic mismatch.
+    // Default mode: restore expected header.
     if (class_idx != 0 && class_idx != 7) {
+        static int g_sll_safehdr = -1;
+        if (__builtin_expect(g_sll_safehdr == -1, 0)) {
+            const char* e = getenv("HAKMEM_TINY_SLL_SAFEHEADER");
+            g_sll_safehdr = (e && *e && *e != '0') ? 1 : 0;
+        }
         uint8_t* b = (uint8_t*)ptr;
         uint8_t expected = (uint8_t)(HEADER_MAGIC | (class_idx & HEADER_CLASS_MASK));
-        // Always set; any mismatch is effectively healed here.
-        PTR_TRACK_TLS_PUSH(ptr, class_idx);
-        PTR_TRACK_HEADER_WRITE(ptr, expected);
-        *b = expected;
+        if (g_sll_safehdr) {
+            uint8_t got = *b;
+            if ((got & 0xF0u) != HEADER_MAGIC) {
+                // Reject push silently (fall back to slow path at caller)
+                return false;
+            }
+        } else {
+            PTR_TRACK_TLS_PUSH(ptr, class_idx);
+            PTR_TRACK_HEADER_WRITE(ptr, expected);
+            *b = expected;
+        }
     }
 #endif