Just to confirm, you haven't seen this error in the builds after > 2761? If this is correct
Yes, I have downloaded both revisions 2761 and 2762 and compiled them. 2762 works well and 2761 failed.
I finally made some time to look at this. I'm pretty sure it was caused by the same bug that was fixed in 2762.
shooting_get_prop() was vulnerable to the same problem, and called indirectly when calculating the img value because of the unneeded aspect ratio code. I haven't gone through and verified that the exact bogus value we see could be produced, but it certainly looks like it could. So unless the problem shows up again, I think we can say case closed.
03c2a530 <shooting_get_prop>:
3c2a530: b510 push {r4, lr}
3c2a532: b081 sub sp, #4
3c2a534: 466c mov r4, sp
3c2a536: 3402 adds r4, #2
3c2a538: 1c21 adds r1, r4, #0
3c2a53a: 2202 movs r2, #2
3c2a53c: f013 fc14 bl 3c3dd68 <__get_property_case_from_thumb>
3c2a540: b001 add sp, #4 <<< Free stack
3c2a542: 2300 movs r3, #0
3c2a544: 5ee0 ldrsh r0, [r4, r3] <<< value from freed stack
3c2a546: bc10 pop {r4}
3c2a548: bc02 pop {r1}
3c2a54a: 4708 bx r1
This probably caused a few other mysterious problems.
The unneeded propcase calls were removed in r2773, so even if the optimization bug hadn't been fixed, this particular instance would have gone away.
Thanks for your help debugging.
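An added example, not code from the thread or from CHDK: a small Python heuristic that walks a Thumb listing like the one quoted above, tracks registers holding sp-derived addresses, and flags any load through a pointer that has ended up below sp. The function name and the tracking scheme are assumptions of this example, and it only models the instruction forms that appear in this listing.

```python
import re
# The listing quoted in the thread (annotations dropped), embedded as sample input.
LISTING = """\
3c2a530: b510 push {r4, lr}
3c2a532: b081 sub sp, #4
3c2a534: 466c mov r4, sp
3c2a536: 3402 adds r4, #2
3c2a538: 1c21 adds r1, r4, #0
3c2a53a: 2202 movs r2, #2
3c2a53c: f013 fc14 bl 3c3dd68 <__get_property_case_from_thumb>
3c2a540: b001 add sp, #4
3c2a542: 2300 movs r3, #0
3c2a544: 5ee0 ldrsh r0, [r4, r3]
3c2a546: bc10 pop {r4}
3c2a548: bc02 pop {r1}
3c2a54a: 4708 bx r1
"""
INSN = re.compile(r"^([0-9a-f]+):\s+(?:[0-9a-f]{4}\s+)+(\w+)\s*(.*)$")

def find_reads_below_sp(listing):
    """Return (address, instruction) for loads whose base pointer lies below sp."""
    rel, findings = {}, []  # rel: register -> offset of the address it holds, relative to sp
    for line in listing.splitlines():
        m = INSN.match(line.split("<<<")[0].strip())  # ignore "<<<" annotations
        if not m:
            continue
        addr, op, args = m.groups()
        ops = [a.strip() for a in args.split(",")]
        imm = re.search(r"#(\d+)", args)
        k = int(imm.group(1)) if imm else 0
        if op in ("push", "pop"):  # sp moves 4 bytes per register; pop overwrites its registers
            regs = re.findall(r"\w+", args)
            delta = 4 * len(regs) if op == "push" else -4 * len(regs)
            rel = {r: o + delta for r, o in rel.items() if op == "push" or r not in regs}
        elif op in ("sub", "add") and ops[0] == "sp":  # frame allocated / released
            rel = {r: o + (k if op == "sub" else -k) for r, o in rel.items()}
        elif op.startswith("ldr"):
            base = re.search(r"\[(\w+)", args)
            if base and rel.get(base.group(1), 0) < 0:  # pointer is into released stack
                findings.append((addr, f"{op} {args}"))
            rel.pop(ops[0], None)
        elif op in ("mov", "movs") and ops[-1] == "sp":
            rel[ops[0]] = 0
        elif op in ("add", "adds") and imm and ops[-2] in rel:
            rel[ops[0]] = rel[ops[-2]] + k
        else:  # a call clobbers r0-r3; otherwise assume the first operand is overwritten
            for r in (("r0", "r1", "r2", "r3") if op in ("bl", "blx") else ops[:1]):
                rel.pop(r, None)
    return findings
```

On the listing from the thread it reports the `ldrsh` at 3c2a544, which reads through r4 after `add sp, #4` has released the slot r4 points into.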