Crash in FMallocBinned2::MallocExternal on Win64

Hey Stephan,

We have the MallocVerify proxy which does the same thing as you have hacked in - you can just enable it via the MALLOC_VERIFY macro at the top of MallocVerify.h.

The pointer value you have is absolutely invalid - you can tell as it’s not aligned. This suggests that it’s not merely stale, but has been corrupted somehow. This could, as you and others have suggested above, have occurred as a result of bad pointers coming in and out of the allocator. Another simple thing to add would be to check that the pointers coming into Free and Realloc are aligned to 16.

I notice that tracing pops up in both callstacks so I agree that it could be coming from there. I will ask around for someone more familiar with that code.

Steve
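The alignment check suggested in the reply above, sketched as an added example (not part of the original post and not Unreal's MallocVerify code). `VerifyingAllocator`, `PtrCheck` and `kAlignment` are hypothetical names, and the sketch assumes the platform `malloc` returns 16-byte-aligned blocks.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <unordered_set>

// Hypothetical stand-alone proxy, not Unreal's MallocVerify. Assumes the
// platform malloc returns 16-byte-aligned blocks (true for 64-bit glibc and
// the Win64 CRT), so any pointer failing that test was never handed out.
enum class PtrCheck { Ok, Misaligned, Unknown };

class VerifyingAllocator {
public:
    static constexpr std::size_t kAlignment = 16;

    void* Malloc(std::size_t size) {
        void* p = std::malloc(size);
        if (p) live_.insert(p);
        return p;
    }
    // Misaligned: the value itself is corrupted. Unknown: aligned but not a
    // live allocation (stale, double-freed, interior or foreign pointer).
    PtrCheck Check(const void* p) const {
        if (!p) return PtrCheck::Ok;  // Free/Realloc of null is legal
        if (reinterpret_cast<std::uintptr_t>(p) % kAlignment) return PtrCheck::Misaligned;
        return live_.count(p) ? PtrCheck::Ok : PtrCheck::Unknown;
    }
    // A rejected pointer is reported, never passed to the real allocator.
    PtrCheck Free(void* p) {
        PtrCheck v = Check(p);
        if (v == PtrCheck::Ok && p) { live_.erase(p); std::free(p); }
        return v;
    }
    void* Realloc(void* p, std::size_t size, PtrCheck& verdict) {
        verdict = Check(p);
        if (verdict != PtrCheck::Ok) return nullptr;
        void* q = std::realloc(p, size);
        if (q) { live_.erase(p); live_.insert(q); }
        return q;
    }
private:
    std::unordered_set<const void*> live_;
};

int main() {
    VerifyingAllocator a;
    char* p = static_cast<char*>(a.Malloc(64));
    std::printf("p+4 -> %d, p+16 -> %d\n", static_cast<int>(a.Free(p + 4)),
                static_cast<int>(a.Free(p + 16)));  // constructed bad pointers
    return a.Free(p) == PtrCheck::Ok ? 0 : 1;
}
```

In a real build the verdict would trigger a fatal log with the callstack at the first bad `Free` or `Realloc`, which is where the corrupted value enters the allocator rather than where it later crashes.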