[using binary package recompiled from source on slink box]

mgp writes the following and then segfaults:
=====
undefined directive 248 at page 6 line 24:
        0x824fab8:
=====

Directive number varies.

Bug appears to be triggered by:
* run "mgp -o"
* edit/save page being viewed
* have page refreshed by expose event
* next page

Next page is drawn, then message is printed and core is dumped.
Not easy to reproduce, maybe the random directive is sometimes valid
- I often have my "next-slide" command duplicated :|

GDB backtrace:

#0  0x4011ca8e in vfprintf () from /lib/libc.so.6
#1  0x4011fab3 in vfprintf () from /lib/libc.so.6
#2  0x4011b426 in vfprintf () from /lib/libc.so.6
#3  0x401222c1 in fprintf () from /lib/libc.so.6
#4  0x8056b17 in debug0 (p=0x824fb78) at parse.c:1237
#5  0x804e8d0 in process_direc (state=0x8093b2c, seenpause=0xbfffd998)
    at draw.c:755
#6  0x804dd7d in draw_one (state=0x8093b2c, e=0xbfffdb08) at draw.c:347
#7  0x804c735 in main_loop (start_page=1) at mgp.c:709
#8  0x804bf0b in main (argc=1, argv=0xbffffc6c) at mgp.c:418
(gdb) f 4
#4  0x8056b17 in debug0 (p=0x824fb78) at parse.c:1237
1237            fprintf(stderr, " %s ", ctl_words[p->ct_op].ctl_string);
(gdb) p p->ct_op
$1 = 176 '°'


It appears this value is a bit high...

FWIW:

(gdb) up
#5  0x804e8d0 in process_direc (state=0x8093b2c, seenpause=0xbfffd998)
    at draw.c:755
755                     debug0(cp);
(gdb) p* state
$19 = {page = 6, line = 24, cp = 0x824fb78, phase = P_PAGE,
  curprefix = 0x8243628 " ", tabprefix = 0x0, align = 3, special = 0,
  leftfillpos = 0, target = 121634817, height = 600, width = 800, ypos = 446,
  have_mark = 0, mark_ypos = 0, repaint = 0, maxascent = 18, maxdescent = 5,
  linewidth = 11, xfont = 0x82d16f8, obj = 0x0, objlast = 0x0}
(gdb) p* state->cp
$20 = {ct_op = 176 '°', ct_flag = 43 '+', ct_page = 137402760, ct_next = 0x0,
  ct_val = {ctrl_double = {ct_value = 0}, ctrl_int = {ct_value = 0},
    ctrl_long = {ct_value = 0}, ctrl_char = {ct_value = 0x0}, ctrl_char2 = {
      ct_value1 = 0x0, ct_value2 = 0x0}, ctrl_image = {ct_fname = 0x0,
      ct_numcolor = 0, ct_ximagesize = 0, ct_yimagesize = 0, ct_zoomflag = 0},
    ctrl_grad = {ct_numcolor = 0, ct_direction = 0, ct_width = 0,
      ct_height = 0, ct_zoomflag = 0, ct_mode = 0, ct_g_colors = 17,
      colors = 0x647473}, ctrl_bar = {ct_color = 0, ct_width = 0,
      ct_start = 0, ct_length = 0}, ctrl_args = {ct_argc = 0, ct_argv = 0x0,
      ct_flag = 0}, ctrl_icon = {ct_value = 0x0, ct_color = 0, ct_size = 0},
    ctrl_pcache = {ct_cflag = 0, ct_cmode = 0, ct_ceffect = 0, ct_cvalue = 0}}}


I kept the corefile in case more info is needed.
Please tell me if I can help further.

I just got a failed assertion which seems quite related to this
problem:

mgp: parse.c:1507: ctlcmp: Assertion `a' failed.
Aborted (core dumped)

(gdb) bt
#0  0x40108601 in kill () from /lib/libc.so.6
#1  0x4010842f in raise () from /lib/libc.so.6
#2  0x4010964f in abort () from /lib/libc.so.6
#3  0x401031e6 in __assert_fail () from /lib/libc.so.6
#4  0x805767c in ctlcmp (a=0x0, b=0x8253098) at parse.c:1507
#5  0x80543ad in set_bgwindow (ctl=0x8253098) at draw.c:3930
#6  0x804e6f9 in process_direc (state=0x8093554, seenpause=0xbfffd9a0)
    at draw.c:630
#7  0x804dedd in draw_one (state=0x8093554, e=0xbfffdb10) at draw.c:347
#8  0x804c895 in main_loop (start_page=1) at mgp.c:731
#9  0x804bf6b in main (argc=1, argv=0xbffffc6c) at mgp.c:423
(gdb) f 4
#4  0x805767c in ctlcmp (a=0x0, b=0x8253098) at parse.c:1507
1507            assert(a);
(gdb) l
1502            struct ctrl *a;
1503            struct ctrl *b;
1504    {
1505            int i;
1506
1507            assert(a);
1508            assert(b);
1509
1510            if (a->ct_op != b->ct_op)
1511                    return 1;
(gdb) up
#5  0x80543ad in set_bgwindow (ctl=0x8253098) at draw.c:3930
3930            if (!ctl || !ctlcmp(bg_ctl_last, ctl)) return;
(gdb) p bg_ctl_last
$1 = (struct ctrl *) 0x0
(gdb) l
3925    set_bgwindow(ctl)
3926            struct ctrl *ctl;
3927    {
3928            int     i;
3929
3930            if (!ctl || !ctlcmp(bg_ctl_last, ctl)) return;
3931
3932            bg_ctl_last = ctl;
3933            if (ctl->ct_op == CTL_BIMAGE || ctl->ct_op == CTL_BGRAD) {
3934                    for (i = 0; i < MAXBGPIXMAP; i ++){


The fact that the NULL pointer is called bg_ctl_last makes me strongly
suspicious that this is a result of the same memory corruption
reported earlier, hence the followup.

Again the problems always occur after the source has been modified and
reloaded by a running mgp.



Also, I still occasionally see such messages:

undefined directive 32 at page 25 line 7:
        0x824a018:  include "(null)"

...which do not reflect anything present in the .mgp source - that is
line exists, but does not contain such a directive.

This bug has been forwarded to mgp-users-jp 00659
http://www.mew.org/archive/mgp-users-jp/A/msg00655.html

This is not a Spam ,I RECIEVEED YOUR EMAIL FROM A POSTED WEB
SITE.

I went to the web  site in your country, I'm the Representative
for all calls going
to  your country.I beleive I can save you alot of money.This
letter is intended for people
in your country only

These rates can only be offered to people out side USA, the rate
I give you is a special rate
only for You.IF you want conformation about the rates email me
and I Will confirm the rate for you.



 I promise ,I WILL  CUT YOUR PHONE BILL IN  1/2 IF YOU JUST GIVE
ME A CHANCE!!
AT&T,SPRINT and MCI long distance carriers are getting rich off
of You and ME !
Please take a look at my rates, I'm  sure I will beat their
price.

There are no monthly or minimum fees or any other hidden costs.

You just pay for the time your are on the phone. If your paying
less,I will beat what your paying no matter what   !!!!!!

For a complete rate chart and sign-up info
http://www.hometown.aol.com/cheaprates99