Committed fixes to both 8.1 and 8.0. The symptoms I had was that during a read_cstring(), the range_error() at times was called with a negative number. At that point, the cstring was already partially consumed and gone from the buffer (below offset = 0).
I then scrutinised the Stdio.Buffer code to look for race conditions, and the only thing I could come up with is that because of the excursion to range_error(), somehow the buffer content changes and/or the locked_move lock is accidentally removed, and read_cstring() subsequently doesn't understand what happened. The fix avoids the use of io_rewind() after range_error() calls and is modelled after that what sscanf() does, i.e. call range_error(0) to indicate the amount we need is unknown. -- Stephen.
