With setting active_bitmap_buffer 0xc1c4 (which I think should be correct) it crashes at the 7 second mark.
This probably means it's still wrong. The correct active_bitmap_buffer variable will toggle between 0 and 1 when the screen updates. Anything that has different values isn't the correct variable.
I'm not clear if you are getting anything CHDK related on the display when active_bitmap_buffer is forced to zero? If the other stuff is right, you should see something, but it will not refresh correctly. Doing things that update the Canon display causes the buffers to swap.
Since you have spytask running (with the faked active_bitmap_buffer) the ptp task should also be started now, so you may be able to use chdkptp rmem command to peek at memory. (see http://chdk.wikia.com/wiki/PTP_Extension and https://www.assembla.com/spaces/chdkptp/wiki)
To get most other ptp commands working, you need kdb_task running as well. I recommend getting ptp working early, since it's helpful for debugging and lets you install new builds without swapping the card.
I confess to not understanding how you narrowed it down to code referring to the opacity_buffer.
First, I just searched for the PC address in the dump. This gives
003a9f84 <draw_test_guard>:
3a9f84: 4b05 ldr r3, [pc, #20] ; (3a9f9c <draw_test_guard+0x18>)
3a9f86: 681a ldr r2, [r3, #0]
3a9f88: 4b05 ldr r3, [pc, #20] ; (3a9fa0 <draw_test_guard+0x1c>)
3a9f8a: f853 3022 ldr.w r3, [r3, r2, lsl #2]
3a9f8e: 7818 ldrb r0, [r3, #0]
3a9f90: f1b0 0342 subs.w r3, r0, #66 ; 0x42
3a9f94: 4258 negs r0, r3
3a9f96: 4158 adcs r0, r3
3a9f98: 4770 bx lr
The exception is at 3a9f8e. Since this is the last memory access in the function, and is a single byte load (ldrb), it must correspond to the outermost memory access in the expression. So the value in R3 when the ldrb happens is opacity_buffer + active_bitmap_buffer*sizeof(pointer). Since opacity buffer is defined by you and looks correct, this implies that active_bitmap_buffer is out of bounds.
Interestingly, the momentary blink is a "busy" image. It doesn't crash. If I move the int active_bitmap_buffer = 0 to stubs_min.S using FAKEDEF, it crashes.
Are you using FAKEDEF(active_bitmap_buffer,0)? If so this is incorrect, the second value is the size to reserve, not the initial value. I had this wrong in early versions of the g7x code.
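Added example, not part of the original post and not CHDK source: a C rendering of what the draw_test_guard listing above computes, with the index range-checked, plus a screen for candidate active_bitmap_buffer addresses based on the "toggles between 0 and 1" rule. The function names, the sample buffers and the two-entry table size are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define GUARD_BYTE  0x42  /* the "subs.w r3, r0, #66" comparison */
#define NUM_BUFFERS 2     /* assumption: the index is only ever 0 or 1 */

/* Constructed sample buffers; on the camera these are firmware addresses. */
static uint8_t sample_buf0[4] = { GUARD_BYTE, 0, 0, 0 };
static uint8_t sample_buf1[4] = { 0x00, 0, 0, 0 };
static uint8_t *opacity_buffer[NUM_BUFFERS] = { sample_buf0, sample_buf1 };

/*
 * C equivalent of the listing, with the index passed in and range-checked.
 *   ldr.w r3, [r3, r2, lsl #2]  ->  opacity_buffer[index]
 *   ldrb  r0, [r3, #0]          ->  first byte of that buffer
 *   subs / negs / adcs          ->  r0 = (byte == 0x42)
 * Returns 1 or 0 like the original, or -1 where the unchecked code
 * would fetch a pointer from outside the table and fault on the ldrb.
 */
int draw_test_guard_checked(uint32_t index)
{
    if (index >= NUM_BUFFERS)
        return -1;
    return opacity_buffer[index][0] == GUARD_BYTE;
}

/*
 * Screens values sampled from a candidate address while the display
 * updates. A plausible active_bitmap_buffer holds only 0 or 1 and is
 * observed with both values; anything else is rejected.
 */
int looks_like_buffer_index(const uint32_t *samples, size_t n)
{
    int seen[NUM_BUFFERS] = { 0, 0 };
    for (size_t i = 0; i < n; i++) {
        if (samples[i] >= NUM_BUFFERS)
            return 0;           /* value other than 0 or 1: wrong variable */
        seen[samples[i]] = 1;
    }
    return seen[0] && seen[1];  /* must have been seen toggling */
}
```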