Thanks for your reply, Eli.
 
> First, please file a bug about this via "M-x report-emacs-bug RET".

When? :)
(after the crash, the process is gone, so can't M-x anything; before the crash, there's nothing interesting to report :))
In case it's interesting, appended the info from r-e-b (from an emacs -Q instance) to the bottom of this email.

> Second, please show the value of it->current in frame #7 (inside
> next_overlay_string).

(gdb) p it->current
$3 = {
  pos = {
    charpos = 1295,
    bytepos = 1295
  },
  overlay_string_index = 0,
  string_pos = {
    charpos = -1,
    bytepos = -1
  },
  dpvec_index = -1
}

> Third, could you please try the latest development code, and possibly compile without optimizations?

Will do & report back in a few days (or sooner, if the bug recurs in HEAD). 

Cheers,
-a


In GNU Emacs 24.2.1 (x86_64-unknown-linux-gnu, X toolkit, Xaw scroll bars)
 of 2012-09-11 on <REDACTED>
Windowing system distributor `The X.Org Foundation', version 11.0.70000000
Configured using:
 `configure '--prefix=/usr/gmacs-24.2' '--mandir=${prefix}/share/man'
 '--infodir=${prefix}/share/info' '--with-x-toolkit=lucid' '--with-xpm'
 '--with-jpeg' '--with-tiff' '--with-gif' '--with-png' '--with-x'
 '--program-transform-name=s/emacs/gmacs/g' '--without-dbug'
 '--without-gconf' 'CC=clang
 -B/home/fischman/src/chromium/src/third_party/gold/' 'CFLAGS=-Wall -g
 -O2' 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro'
 'CPPFLAGS=-D_FORTIFY_SOURCE=2''

Important settings:
  value of $LC_ALL: 
  value of $LC_COLLATE: nil
  value of $LC_CTYPE: nil
  value of $LC_MESSAGES: nil
  value of $LC_MONETARY: nil
  value of $LC_NUMERIC: nil
  value of $LC_TIME: nil
  value of $LANG: en_US.UTF-8
  value of $XMODIFIERS: nil
  locale-coding-system: utf-8-unix
  default enable-multibyte-characters: t

Major mode: Lisp Interaction

Minor modes in effect:
  tooltip-mode: t
  mouse-wheel-mode: t
  tool-bar-mode: t
  menu-bar-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  blink-cursor-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  line-number-mode: t
  transient-mark-mode: t

Recent input:
M-x r e p o r <tab> <return>

Recent messages:
For information about GNU Emacs and the GNU system, type C-h C-a.

Load-path shadows:
None found.

Features:
(shadow sort gnus-util mail-extr emacsbug message format-spec rfc822 mml
easymenu mml-sec mm-decode mm-bodies mm-encode mail-parse rfc2231
mailabbrev gmm-utils mailheader sendmail regexp-opt rfc2047 rfc2045
ietf-drums mm-util mail-prsvr mail-utils time-date tooltip ediff-hook
vc-hooks lisp-float-type mwheel x-win x-dnd tool-bar dnd fontset image
fringe lisp-mode register page menu-bar rfn-eshadow timer select
scroll-bar mouse jit-lock font-lock syntax facemenu font-core frame cham
georgian utf-8-lang misc-lang vietnamese tibetan thai tai-viet lao
korean japanese hebrew greek romanian slovak czech european ethiopic
indian cyrillic chinese case-table epa-hook jka-cmpr-hook help simple
abbrev minibuffer loaddefs button faces cus-face files text-properties
overlay sha1 md5 base64 format env code-pages mule custom widget
hashtable-print-readable backquote make-network-process dbusbind
dynamic-setting system-font-setting font-render-setting x-toolkit x
multi-tty emacs)