Fix overflow/underflow bugs in bitset allocator, RtServer replenish, and IndexMap iterator

[Copilot]

Four arithmetic bugs exposed by panicking tests, covering integer overflow and underflow in the PFA bitset allocator marking phase, RT budget replenishment, and the IndexMap cycle iterator.

Fixes

• bitset.rs marking underflow — rem = len.min(BITS_PER_WORD) - skip underflowed when a free run started at the last bit of a word (skip=63, len=1 → 1 - 63). Replaced with rem = (BITS_PER_WORD - skip).min(count) using a dedicated count = page_count variable for the marking loop, keeping search-phase len untouched.

• thread.rs replenish overflow — budget_left += budget overflowed when both values approached u32::MAX. Changed to saturating_add.

• array.rs iter_from_cycle / next() overflow — K::to_index(idx) + 1 panicked when idx = usize::MAX. Fixed with .wrapping_add(1) % N in iter_from_cycle and the same wrapping arithmetic in the next() index computation.

• array.rs reserve() OOM in tests — reserve() legitimately needs to grow extra heap storage (e.g. len=7, N=8, additional=2 requires 1 extra slot), but GLOBAL_ALLOCATOR is uninitialized in the test environment. Added #[cfg(test)] pub(crate) init_test_heap() to mem.rs that seeds the global allocator with 64 KiB of host memory via std::alloc::alloc, called from the affected test.

[Copilot]

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.