Look here:
https://github.com/Hackerpilot/experimental_allocator/blob/master/src/std/experimental/allocator/building_blocks/free_tree.d#L297

It tries to find a block inside the tree. If it fails, it allocates n bytes passed to the function.

Look a little further down and you see a deallocate method.
It casts the previously allocated block to the internal Node struct and then tries to set some fields in it.

Suppose we call allocate(1): it'll call the parent allocator with size 1, so the size of the returned block will be 1. Then we deallocate such a block, and FreeTree corrupts memory.

Am I wrong and missing something?

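The size mismatch described in the post, as an added example that is not code from the post or from the experimental_allocator project: a C sketch in which a simple free list stands in for the tree, and the size forwarded to the parent allocator is either the caller's `n` or `n` rounded up to hold the bookkeeping record. `Node`, `FreeList`, `fl_allocate`, `fl_deallocate` and both size policies are hypothetical names, and `malloc` plays the parent allocator.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical bookkeeping record the allocator writes into every freed block. */
typedef struct Node { struct Node *left, *right; size_t size; } Node;

/* Weak policy: pass the caller's size straight to the parent allocator. */
static size_t size_forwarded(size_t n) { return n; }

/* Hardened policy: at least one Node, rounded up to Node alignment (0 on overflow). */
static size_t size_rounded(size_t n) {
    size_t a = _Alignof(Node);
    if (n < sizeof(Node)) n = sizeof(Node);
    if (n > SIZE_MAX - (a - 1)) return 0;
    return (n + a - 1) / a * a;
}

typedef struct { Node *free_list; size_t (*policy)(size_t); } FreeList;

/* Reuse a cached block if one is large enough, else ask the parent (malloc). */
static void *fl_allocate(FreeList *fl, size_t n, size_t *got) {
    size_t want = fl->policy(n);
    if (want < n || want == 0) return NULL;
    for (Node **p = &fl->free_list; *p; p = &(*p)->right)
        if ((*p)->size >= want) {
            Node *hit = *p;
            *p = hit->right;
            *got = hit->size;
            return hit;
        }
    *got = want;
    return malloc(want);
}

/* Returns 0 if the block was cached, -1 if it is too small to hold a Node.
   Without this check the three stores below would run past a 1-byte block. */
static int fl_deallocate(FreeList *fl, void *p, size_t block_size) {
    if (block_size < sizeof(Node)) { free(p); return -1; }
    Node *n = p;
    n->left = NULL; n->right = fl->free_list; n->size = block_size;
    fl->free_list = n;
    return 0;
}

int main(void) {
    FreeList weak = { NULL, size_forwarded }; size_t got = 0;
    void *p = fl_allocate(&weak, 1, &got);
    printf("forwarded size: block=%zu, cached=%d\n", got, fl_deallocate(&weak, p, got));
    return 0;
}
```

Either defence is sufficient on its own: rounding the request up in the allocate path, or refusing to cache undersized blocks in the deallocate path.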