fix(macos): drop overly-broad *NamedStruct heap-promotion; cross-platform stacktrace filter helper

- codegen/funcs.go: revert auto-promote of every *NamedStruct return as
  heap-owned. The check (added in e174b34) was too broad: user code that
  allocates via raw mem::calloc and returns *Tin-struct (e.g. an explicit
  list_node[T]::cons constructor) was treated as RC-owned, then ARC's
  scope-exit release_ptr ran on memory the user had already manually
  freed via mem::free -- double-free, intermittent hangs in test
  sequences (manifested on macOS recursive_generic_structs.tin). The
  await-call-site path (stmts.go from the same commit) still covers the
  channel-of-pointer leak that motivated the original change. Verified
  arc_stress + fiber + channel-pointer-stress valgrind output unchanged.

- stdlib/source/source.tin: add is_program_entry to recognise main /
  start / _start / __libc_start_main as the OS-tail frames. On Linux
  these surface as libc.so.6:__libc_start_main and is_in_lib catches
  them; on macOS dladdr returns the program binary itself (no .dylib
  suffix) so the same frames slipped through.

- examples/stacktrace_filter_pipe.tin: thread is_program_entry through
  in_user_code so the strict-subset assertion holds on macOS too.

Author: Azer0s

codegen/funcs.go

@@ -2165,25 +2165,6 @@ func (cg *CodeGen) genFuncDeclAs(n *ast.FuncDecl, scopeName string) error {
 
 	heapPromoting := len(cg.curFnEscapingVars) > 0 || hasDirectHeapReturn(n.Body, cg.heapPromotingFns)
 
-	// Functions that return *NamedStruct transfer RC ownership to the
-	// caller -- the most common cases are constructor-like methods
-	// (`Cell.alloc`), container reads (`Channel.recv`, `Atomic.load`,
-	// `List.pop`), and parser/builder helpers. Mark them as heap-
-	// promoting so the call-site let-binding gets isHeapOwned=true and
-	// release_ptr fires at scope exit. Without this, `let c = ch.recv()`
-	// where ch is `Channel[*Cell[i64]]` would leak every dequeued cell.
-	if !heapPromoting && n.RetType != nil {
-		if rt, terr := cg.tinTypeToLLVM(n.RetType); terr == nil {
-			if pt, isPtr := rt.(*irtypes.PointerType); isPtr {
-				if innerSt, isStruct := pt.ElemType.(*irtypes.StructType); isStruct && innerSt.Name() != "" {
-					if _, isTinStruct := cg.structTypes[innerSt.Name()]; isTinStruct {
-						heapPromoting = true
-					}
-				}
-			}
-		}
-	}
-
 	if heapPromoting {
 		cg.heapPromotingFns[scopeName] = true
 		// Also store under the actual IR function name (which may include a

examples/stacktrace_filter_pipe.tin

@@ -25,15 +25,17 @@ fn filter[t](pred fn(i t) bool) fn([t]) [t] =
 
 fn{#no_inline} probe() [atom] = return stacktrace()
 
-// Keep frames that have ANY identifying info (symbol or file) and are
-// NOT inside a shared library. Works on both Linux (libdwfl resolves
-// file:line:col) and macOS (no elfutils, frames are bare symbol+offset
-// with empty `file`) - the libc / libsystem tail is dropped via
-// `is_in_lib` on both platforms.
+// Keep frames that have ANY identifying info (symbol or file), are
+// NOT inside a shared library, and are NOT the libc/dyld program-entry
+// tail. The is_program_entry check is what makes the recipe portable:
+// on Linux dladdr returns libc.so.6 for __libc_start_main so is_in_lib
+// already catches it, but on macOS dladdr returns the program binary
+// (no .dylib suffix) for `start` and `main`, so they pass is_in_lib.
 fn in_user_code(f atom) bool =
   let p = source::parse_sourcepos(f)
-  if source::is_unknown(p): return false
-  if source::is_in_lib(p):  return false
+  if source::is_unknown(p):       return false
+  if source::is_in_lib(p):        return false
+  if source::is_program_entry(p): return false
   return source::is_resolved(p)
 
 fn print_frames(label string, fs [atom]) =

stdlib/source/source.tin

@@ -241,10 +241,24 @@ fn is_resolved(p SrcPos) bool =
 // (lib basename present). Useful for filtering libc / vendor frames.
 fn is_in_lib(p SrcPos) bool = return p.lib != ""
 
+// is_program_entry reports whether the symbol is one of the standard
+// program-entry / loader frames that bracket every user trace. On Linux
+// these usually surface as `libc.so.6:__libc_start_main+0xN` (so
+// `is_in_lib` already drops them) but on macOS dladdr returns the
+// program binary itself (no .dylib suffix), so they pass `is_in_lib`.
+// Use this alongside `is_in_lib` when filtering out the system tail
+// in an OS-agnostic way.
+fn is_program_entry(p SrcPos) bool =
+  if p.symbol == "main": return true
+  if p.symbol == "_start": return true
+  if p.symbol == "start": return true
+  if strings::has_prefix(p.symbol, "__libc_start"): return true
+  return false
+
 // is_unknown reports whether the atom was the "??+0x<addr>" sentinel.
 fn is_unknown(p SrcPos) bool =
   return p.symbol == "" && p.file == "" && p.address != 0 as i64
 
 export {
-  SrcPos, parse_sourcepos, is_resolved, is_in_lib, is_unknown
+  SrcPos, parse_sourcepos, is_resolved, is_in_lib, is_program_entry, is_unknown
 } as source