In `runBuilderTxProvider`, a tx T can appear in both `batch` (from `collectPlanBatch`) and `bonus` (from `scanOverflow`) within the same 2ms loop iteration, causing `forwardTxs` to send T twice and dispatch two workers to execute identical EVM paths on separate throwaway state copies. The `sentThisPhase` fix added in commit 88c4e44 only guards against cross-iteration re-emission (T forwarded in iteration N, re-emitted in N+1); it provides no protection within iteration N itself because `sentThis

In scanOverflow, when an account's head tx has gas > remaining, h.Pop() permanently removes that account from the overflowHeap. Because overflowHeap is constructed once in runBuilderTxProvider and scanOverflow is called on it in every 2ms loop iteration with a growing extendedBudget, accounts popped in early iterations (when budget is small) are gone by the time the budget grows large enough to accommodate them. This directly undermines the PR's stated design: freed-gas budget accumulates across