malloc returns the same pointer as a previous unfreed malloc on win64 with lg-tiny-min=4

[glandium]

STR:

• Build jemalloc on win64 (only tried msvc) with --with-lg-tiny-min=4 --enable-debug
• Build the following testcase against jemalloc:

#include <stdio.h>

extern void *je_malloc(size_t);

int main() {
  void *cur, *prev = NULL;
  for (int i = 0; ; i++) {
    void *cur = je_malloc(40);
    if (prev == cur) {
      printf("%d\n", i);
      return 1;
    }
    prev = cur;
  }
  return 0;
}

The output is:

<jemalloc>: z:\jemalloc\include\jemalloc/internal/bitmap.h:173: Failed assertion
: "!bitmap_get(bitmap, binfo, bit)"

The output without --enable-debug is 33.

Git bisect points at b8823ab as the first commit that fails, and sure enough, if I force USE_TREE, it works properly.