Eli Zaretskii writes: >> also crashes, due to the head of the stream being referenced from the C >> stack somewhere (I can get the address from gdb, but I can't figure out >> how to get to the corresponding C variable from there). > > Did you try "info symbol ADDRESS"? (I'm not sure this will work for > automatic variables, though.) Doesn't seem to work. I guess it wouldn't work if the address was in the middle of an array either. > You could also try "info locals" after "set print address on" and/or > "set print symbol on". Those settings don't seem to help. I first guessed that the problem is due to saving function arguments during funcall, so I tried the following to check it: --- i/src/bytecode.c +++ w/src/bytecode.c @@ -387,7 +387,10 @@ exec_byte_code (Lisp_Object bytestr, Lisp_Object vector, Lisp_Object maxdepth, make_number (nargs))); ptrdiff_t pushedargs = min (nonrest, nargs); for (ptrdiff_t i = 0; i < pushedargs; i++, args++) - PUSH (*args); + { + PUSH (*args); + *args = Qnil; + } if (nonrest < nargs) PUSH (Flist (nargs - nonrest, args)); else This did change the backtrace (from starting with mark_specpdl to mark_stack), meaning I did find one reference, but it still crashes, so there must be more.