Committed fixes to both 8.1 and 8.0.
The symptoms I had was that during a read_cstring(), the range_error()
at times was called with a negative number.
At that point, the cstring was already partially consumed and gone from the
buffer (below offset = 0).
I then scrutinised the Stdio.Buffer code to look for race conditions, and the
only thing I could come up with is that because of the excursion to
range_error(), somehow the buffer content changes and/or the
locked_move lock is accidentally removed, and read_cstring() subsequently
doesn't understand what happened.
The fix avoids the use of io_rewind() after range_error() calls and is modelled
after that what sscanf() does, i.e. call range_error(0) to indicate the amount
we need is unknown.