Poison freed objects such that double-free is detected

Poison freed objects such that double-free is detected

Previously we were setting refcount of freed objects to the inert value, which
was harmful because it caused further destroy()s of the freed object to NOT
call free() and hence hide the bug.  Indeed, after eb0bf3ae6688b7 test-object
was double-free'ing objects and this was never caught on Linux.  It only was
caught as crashing on Mac.

Now we poison refcount upon freeing and check that it's valid whenever reading
it.  Makes test-object fail now.