The problem is that UString::sharedBuffer() is using the length of the BaseString which is 256 for SmallStrings as opposed to Rep::len, the length of the string being shared (which is 1 for SmallStrings).
Created attachment 31220 [details] Proposed fix.
Committed as http://trac.webkit.org/changeset/44641. And a follow up change to fix the dll exports on windows: http://trac.webkit.org/changeset/44642