This is a garbage-collect crash in a built-from-CVS emacs tree
checked out tonight (Nov 8, 2007).

I had originally experienced this crash in 22.1, both on Windows
and Linux, but wanted to make sure the bug existed in the latest
version before reporting it.

I've written some functions which issue Shell Commands to interact
with our perforce server at work; these commands parse the *Shell Output
Buffer* to pick up bits of information.  These have been working very
well for me, but today I got a reproducible case that crashes Emacs.
Unfortunately, it is only reproducible after issuing many commands
against our perforce server.

So I built from sources, ran with gdb, and captured the following information.
The object it trips over is always a misc free cell and it always
hits the default leg of the case statement in mark_object.

Let me know if you need me to collect more information.

$ gdb ./emacs
gdb ./emacs
GNU gdb Red Hat Linux (5.3.90-0.20030710.41.2.1rh)
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...Using host libthread_db library "/lib/libthread_db.so.1".

DISPLAY = :1.0
TERM = dumb
Breakpoint 1 at 0x80e039a: file emacs.c, line 431.
Breakpoint 2 at 0x80f7145: file sysdep.c, line 1435.
(gdb) run
Starting program: /u/kreti/gnuemacs-linux11/emacs/src/emacs -geometry 80x40+0+0

Breakpoint 1, abort () at emacs.c:431
431	  kill (getpid (), SIGABRT);
(gdb) where
#0  abort () at emacs.c:431
#1  0x0812b179 in mark_object (arg=147211050) at alloc.c:5734
#2  0x0812b1da in mark_object (arg=141537485) at alloc.c:5751
#3  0x0812b1da in mark_object (arg=141537437) at alloc.c:5751
#4  0x0812b2b2 in mark_buffer (buf=146936428) at alloc.c:5808
#5  0x0812ae48 in mark_object (arg=146936428) at alloc.c:5558
#6  0x0812b0ec in mark_object (arg=138283458) at alloc.c:5679
#7  0x0812b026 in mark_object (arg=137558905) at alloc.c:5639
#8  0x0812b1da in mark_object (arg=137859549) at alloc.c:5751
#9  0x0812b1da in mark_object (arg=137859861) at alloc.c:5751
#10 0x0812b0e3 in mark_object (arg=137640922) at alloc.c:5678
#11 0x0812b026 in mark_object (arg=137728969) at alloc.c:5639
#12 0x0812b1da in mark_object (arg=137854981) at alloc.c:5751
#13 0x0812b1da in mark_object (arg=137400253) at alloc.c:5751
#14 0x0812b038 in mark_object (arg=141380333) at alloc.c:5641
#15 0x0812aec3 in mark_object (arg=141391156) at alloc.c:5581
#16 0x0812b02f in mark_object (arg=137826961) at alloc.c:5640
#17 0x0812b1da in mark_object (arg=141380237) at alloc.c:5751
#18 0x0812b038 in mark_object (arg=137459345) at alloc.c:5641
#19 0x0812b1da in mark_object (arg=139297181) at alloc.c:5751
#20 0x0812b038 in mark_object (arg=139297133) at alloc.c:5641
#21 0x0812b1da in mark_object (arg=137860261) at alloc.c:5751
#22 0x0812b038 in mark_object (arg=137678425) at alloc.c:5641
#23 0x0812b1da in mark_object (arg=141473229) at alloc.c:5751
#24 0x0812aec3 in mark_object (arg=141688156) at alloc.c:5581
#25 0x0812b02f in mark_object (arg=144524753) at alloc.c:5640
#26 0x0812b1da in mark_object (arg=144499205) at alloc.c:5751
#27 0x0812b1da in mark_object (arg=144499437) at alloc.c:5751
#28 0x0812b02f in mark_object (arg=144524729) at alloc.c:5640
#29 0x0812ad6f in mark_vectorlike (ptr=0x830c968) at alloc.c:5456
#30 0x0812b004 in mark_object (arg=137415020) at alloc.c:5628
#31 0x0812a786 in Fgarbage_collect () at alloc.c:5141
#32 0x0813df5a in Ffuncall (nargs=1, args=0xbffec420) at eval.c:3021
#33 0x081619b4 in Fbyte_code (bytestr=144658787, vector=144663148, maxdepth=56)
    at bytecode.c:679
#34 0x0813e46a in funcall_lambda (fun=144663356, nargs=3, 
    arg_vector=0xbffec4e0) at eval.c:3211
#35 0x0813e1b6 in apply_lambda (fun=144663356, args=146885917, eval_flag=1)
    at eval.c:3135
#36 0x0813d703 in Feval (form=146885909) at eval.c:2415
#37 0x0813b089 in Fsetq (args=146885901) at eval.c:552
#38 0x0813d43a in Feval (form=146885893) at eval.c:2302
#39 0x0813d50d in Feval (form=146885885) at eval.c:2340
#40 0x0813df6f in Ffuncall (nargs=2, args=0xbffec834) at eval.c:3024
#41 0x081619b4 in Fbyte_code (bytestr=136524459, vector=136524476, maxdepth=24)
    at bytecode.c:679
#42 0x0813e46a in funcall_lambda (fun=136524420, nargs=1, 
    arg_vector=0xbffec944) at eval.c:3211
#43 0x0813e089 in Ffuncall (nargs=2, args=0xbffec940) at eval.c:3081
#44 0x081619b4 in Fbyte_code (bytestr=136524707, vector=136524724, maxdepth=24)
    at bytecode.c:679
#45 0x0813e46a in funcall_lambda (fun=136524668, nargs=1, 
    arg_vector=0xbffeca54) at eval.c:3211
#46 0x0813e089 in Ffuncall (nargs=2, args=0xbffeca50) at eval.c:3081
#47 0x081619b4 in Fbyte_code (bytestr=136522907, vector=136522924, maxdepth=16)
    at bytecode.c:679
#48 0x0813e46a in funcall_lambda (fun=136522876, nargs=0, 
    arg_vector=0xbffecb84) at eval.c:3211
#49 0x0813e089 in Ffuncall (nargs=1, args=0xbffecb80) at eval.c:3081
#50 0x0813dc34 in apply1 (fn=138307105, arg=137413969) at eval.c:2765
#51 0x081398fc in Fcall_interactively (function=138307105, 
    record_flag=137413969, keys=137462244) at callint.c:385
#52 0x080edb15 in Fcommand_execute (cmd=138307105, record_flag=137413969, 
    keys=137413969, special=137413969) at keyboard.c:10363
#53 0x080e3c65 in command_loop_1 () at keyboard.c:1939
#54 0x0813c422 in internal_condition_case (bfun=0x80e2f70 <command_loop_1>, 
    handlers=137480609, hfun=0x80e2a3c <cmd_error>) at eval.c:1493
#55 0x080e2d0e in command_loop_2 () at keyboard.c:1396
#56 0x0813bf93 in internal_catch (tag=137462905, 
    func=0x80e2cf0 <command_loop_2>, arg=137413969) at eval.c:1229
#57 0x080e2c9c in command_loop () at keyboard.c:1375
#58 0x080e26c0 in recursive_edit_1 () at keyboard.c:984
#59 0x080e2800 in Frecursive_edit () at keyboard.c:1046
#60 0x080e1695 in main (argc=3, argv=0xbffed334) at emacs.c:1777

Lisp Backtrace:
"garbage-collect" (0xbffec424)
"changesets-between" (0xbffec4e0)
"setq" (0xbffec668)
"length" (0xbffec728)
"eval" (0xbffec838)
"eval-last-sexp-1" (0xbffec944)
"eval-last-sexp" (0xbffeca54)
"eval-print-last-sexp" (0xbffecb84)
"call-interactively" (0xbffecd30)
(gdb) print 146936428
$1 = 146936428
(gdb) pr
#<buffer >
(gdb) print 141537437
$2 = 141537437
(gdb) pr
((1 . 73) ("//depot/release-13-30/src/Makefile#42 - edit change 227204 (text)
" . 1) (#<misc free cell> . -58) (#<misc free cell> . -65) (#<marker in no buffer> . -58) (#<marker in no buffer> . -64) (1 . 73) ("//depot/V13-30-patch/src/Makefile
... #1 change 227756 branch on 2007/11/02 by majormajor@majormajor-p4branch-auto521 (text) 'Create'
... ... branch from //depot/release-13-30/src/Makefile#1,#42
" . 1) (#<marker in no buffer> . -143) (#<marker in no buffer> . -202) (#<misc free cell> . -164) (#<misc free cell> . -176) (#<marker in no buffer> . -200) (#<marker in no buffer> . -202) (1 . 204) ("//depot/V13-30-patch/src/Makefile#1 - branch change 227756 (text)
" . 1) (#<marker in no buffer> . -58) (#<marker in no buffer> . -65) (#<marker in no buffer> . -58) (#<marker in no buffer> . -64) (1 . 73))
(gdb) print 141537485
$3 = 141537485
(gdb) pr
(#<misc free cell> . -58)
(gdb) print 147211050
$4 = 147211050
(gdb) pr
#<misc free cell>
(gdb) xmiscfree 147211050
$5 = (struct Lisp_Free *) 0x8c64328
(gdb) pr
18401381