Thanks, Maritn! I have now compiled emacs with your patch, and with --enable-checking, and will let you know if I get a hit.

I got another crash (before compiling with Martin's patch and without --enable-checking, but with Pip's patch and -fno-tree-sra). I got the crash after rapidly pressing 2 keystrokes. I am not sure exactly which keystrokes, but I think it was ' followed by Del. It could be completely unrelated to this bug, but the trace seems pretty weird, as the m pointer represents ASCII text for "ganap/u/", which is the reversed start of my home directory "/u/panagopo". Could it be that we have some sort of memory corruption that is throwing us in different directions?

In any case, I will try to find a reproducer for this. Here is the trace:

Thread 1 "emacs" received signal SIGSEGV, Segmentation fault.
adjust_markers_for_insert (from=11354, from_byte=11354, to=11355, to_byte=11355, before_markers=before_markers@entry=false) at insdel.c:301
warning: 301 insdel.c: No such file or directory
(gdb) bt full
#0  adjust_markers_for_insert (from=11354, from_byte=11354, to=11355, to_byte=11355, before_markers=before_markers@entry=false) at insdel.c:301
        m = 0x67616e61702f752f
        nchars = 1
        nbytes = 1
#1  0x000000000055660c in insert_1_both (string=string@entry=0x7fffffffdac3 "t\377\177", nchars=nchars@entry=1, nbytes=nbytes@entry=1, inherit=inherit@entry=true, prepare=prepare@entry=true, before_markers=before_markers@entry=false) at insdel.c:935
No locals.
#2  0x00000000005574d8 in insert_and_inherit (string=string@entry=0x7fffffffdac3 "t\377\177", nbytes=nbytes@entry=1) at insdel.c:694
        len = 1
        opoint = <optimized out>
#3  0x000000000056b3f4 in internal_self_insert (c=116, n=n@entry=1) at cmds.c:475
        hairy = 1
        tem = <optimized out>
        synt = <optimized out>
        overwrite = <optimized out>
        len = 1
        str = "t\377\177\000"
        chars_to_delete = 0
        spaces_to_insert = 0
#4  0x000000000056b4f7 in Fself_insert_command (n=<optimized out>, c=0x1d2) at cmds.c:297
        character = <optimized out>
        val = <optimized out>
#5  0x00000000005aa44b in funcall_subr (subr=subr@entry=0xc6ea40 <Sself_insert_command>, numargs=numargs@entry=2, args=args@entry=0x7fffffffddd0) at eval.c:3168
        argbuf = {0x7fffffffdbf0, 0x5d4359 <read0+4885>, 0x15553b93d160 <d_reloc>, 0x100, 0x0, 0xd08be0 <lispsym+77952>, 0x30, 0xe0}
        a = <optimized out>
        maxargs = 2
        keepalive = 0xc6ea45 <Sself_insert_command+5>
        ret = <optimized out>
        fun = <optimized out>
#6  0x00000000005abdeb in funcall_general (fun=0xc6ea45 <Sself_insert_command+5>, numargs=numargs@entry=2, args=args@entry=0x7fffffffddd0) at /build/source/src/lisp.h:2243
        original_fun = 0x10770
#7  0x00000000005a903e in Ffuncall (nargs=nargs@entry=3, args=args@entry=0x7fffffffddc8) at eval.c:3093
        count = {bytes = 256}
        val = <optimized out>
#8  0x00000000005a4b51 in Ffuncall_interactively (nargs=3, args=0x7fffffffddc8) at callint.c:250
        speccount = <optimized out>
#9  0x00000000005aa540 in funcall_subr (subr=subr@entry=0xc754c0 <Sfuncall_interactively>, numargs=numargs@entry=3, args=args@entry=0x7fffffffddc8) at eval.c:3198
        maxargs = -2
        keepalive = 0xc754c5 <Sfuncall_interactively+5>
        ret = <optimized out>
        fun = <optimized out>
#10 0x00000000005abdeb in funcall_general (fun=0xc754c5 <Sfuncall_interactively+5>, numargs=numargs@entry=3, args=args@entry=0x7fffffffddc8) at /build/source/src/lisp.h:2243
        original_fun = 0x9510
#11 0x00000000005a903e in Ffuncall (nargs=nargs@entry=4, args=args@entry=0x7fffffffddc0) at eval.c:3093
        count = {bytes = 192}
        val = <optimized out>
#12 0x00000000005a94e2 in Fapply (nargs=nargs@entry=3, args=args@entry=0x7fffffffdf40) at eval.c:2765
        i = 4
        funcall_nargs = 4
        funcall_args = 0x7fffffffddc0
        spread_arg = 0x0
        fun = <optimized out>
        sa_avail = <optimized out>
        sa_count = <optimized out>
--Type <RET> for more, q to quit, c to continue without paging--c
        numargs = <optimized out>
        retval = <optimized out>
#13 0x00000000005a535b in Fcall_interactively (function=0x10770, record_flag=0x0, keys=0x364076d) at callint.c:342
        funval = <optimized out>
        events = <optimized out>
        env = <optimized out>
        speccount = <optimized out>
        arg_from_tty = false
        key_count = 1
        record_then_fail = false
        save_this_command = 0x10770
        save_this_original_command = 0x10770
        save_real_this_command = 0x10770
        save_last_command = 0x15554e3484b0
        prefix_arg = 0x0
        enable = 0x0
        up_event = 0x0
        form = <optimized out>
        specs = 0x35ad6e13
        sa_avail = <optimized out>
        sa_count = <optimized out>
        string_len = <optimized out>
        string = <optimized out>
        string_end = <optimized out>
        next_event = <optimized out>
        nargs = <optimized out>
        args = <optimized out>
        visargs = <optimized out>
        varies = <optimized out>
        tem = <optimized out>
        val = <optimized out>
#14 0x000015554e73a93d in F636f6d6d616e642d65786563757465_command_execute_0 () from /nix/store/cs45kvg1k756hvp50xvxspixr7gfv1im-emacs-30.1/bin/../lib/emacs/30.1/native-lisp/30.1-4f74827b/preloaded/simple-fab5b0cf-4a9a0458.eln
No symbol table info available.
#15 0x00000000005aa47b in funcall_subr (subr=subr@entry=0x15554f51d4b8, numargs=numargs@entry=1, args=args@entry=0x7fffffffe1c8) at eval.c:3174
        argbuf = {0x10770, 0x0, 0x0, 0x0, 0x401d4c0, 0x607166 <start_atimer+161>, 0x0, 0x4054b15}
        a = <optimized out>
        maxargs = 4
        keepalive = 0x15554f51d4bd
        ret = <optimized out>
        fun = <optimized out>
#16 0x00000000005abdeb in funcall_general (fun=0x15554f51d4bd, numargs=numargs@entry=1, args=args@entry=0x7fffffffe1c8) at /build/source/src/lisp.h:2243
        original_fun = 0x5b80
#17 0x00000000005a903e in Ffuncall (nargs=nargs@entry=2, args=args@entry=0x7fffffffe1c0) at eval.c:3093
        count = {bytes = 128}
        val = <optimized out>
#18 0x000000000053aeac in command_loop_1 () at keyboard.c:1550
        scount = <optimized out>
        cmd = <optimized out>
        keybuf = {0x1d2, 0x2e, 0xfa2, 0x5982d3 <set_default_internal+530>, 0x7fffffffe260, 0x2, 0x30, 0x929cedd, 0x0, 0x5a770f <do_one_unbind+319>, 0x9723cd60, 0x60, 0x0, 0x0, 0x0, 0x5a8d59 <unbind_to+105>, 0xb, 0x111c0, 0x30, 0x929cedd, 0x7bc0, 0x105ecaab80e9e00, 0xcf32a0 <globals>, 0x1ca924f3, 0x60,
          0x52f4c6 <cmd_error+363>, 0x0, 0x105ecaab80e9e00, 0x60, 0x15554edf4d83}
        i = <optimized out>
        last_pt = 11354
        prev_modiff = 387358
        prev_buffer = 0x4054b10
#19 0x00000000005a7e25 in internal_condition_case (bfun=bfun@entry=0x53a9ce <command_loop_1>, handlers=handlers@entry=0x90, hfun=hfun@entry=0x52f35b <cmd_error>) at eval.c:1613
        val = <optimized out>
        c = 0xe0fc60
#20 0x00000000005292ae in command_loop_2 (handlers=handlers@entry=0x90) at keyboard.c:1168
        val = <optimized out>
#21 0x00000000005a7d42 in internal_catch (tag=tag@entry=0x122d0, func=func@entry=0x529294 <command_loop_2>, arg=arg@entry=0x90) at eval.c:1292
        val = <optimized out>
        c = 0xea0f40
#22 0x000000000052926b in command_loop () at keyboard.c:1146
No locals.
#23 0x000000000052eec4 in recursive_edit_1 () at keyboard.c:754
        count = <optimized out>
        val = <optimized out>
#24 0x000000000052f25c in Frecursive_edit () at keyboard.c:837
        count = <optimized out>
        buffer = <optimized out>
#25 0x0000000000528660 in main (argc=<optimized out>, argv=0x7fffffffe5a8) at emacs.c:2635
        stack_bottom_variable = 0x155553f84458 <_gnutls_lib_state>
        old_argc = <optimized out>
        dump_file = 0x0
        no_loadup = false
        junk = 0x0
        dname_arg = 0x0
        ch_to_dir = 0x0
        original_pwd = 0x0
        dump_mode = <optimized out>
        skip_args = 1
        temacs = 0x0
        attempt_load_pdump = <optimized out>
        only_version = false
        rlim = {rlim_cur = 18446744073709551615, rlim_max = 18446744073709551615}
        lc_all = <optimized out>
        sockfd = -1
        module_assertions = <optimized out>
(gdb) p *(struct Lisp_Marker *) m
Cannot access memory at address 0x67616e61702f752f


On Mon, Jun 16, 2025 at 4:34 AM martin rudalics <rudalics@gmx.at> wrote:
 > Can you try
[...)
 > and get us a backtrace when it's hit.

... which was a very silly proposal.  Please try

diff --git a/src/window.c b/src/window.c
index 1ac004af5e0..92e215fc9be 100644
--- a/src/window.c
+++ b/src/window.c
@@ -303,6 +303,14 @@ wset_buffer (struct window *w, Lisp_Object val)
      /* Make sure that we do not assign the buffer
         to an internal window.  */
      eassert (MARKERP (w->start) && MARKERP (w->pointm));
+  else
+    {
+      if (MARKERP (w->start))
+       eassert (!XMARKER (w->start)->buffer);
+      if (MARKERP (w->pointm))
+       eassert (!XMARKER (w->pointm)->buffer);
+    }
+
    w->contents = val;
    adjust_window_count (w, 1);
  }

instead.  If it does not work either, I will have to think of something
more elaborate.

Thanks, martin