This is my failing test script:

"""
. ./lib

# the epoch we use below is Unix specific
abort_windows

rm -rf R
darcs init R
cd R

# create a file with zero size and timestamp
touch -d "1970-01-01 00:00:00 UTC" f
darcs record -lam 'add f'
# this should not crash darcs:
darcs unrecord -a
"""

The crash says:

| Maybe.fromJust: Nothing
| CallStack (from HasCallStack):
|   error, called at libraries/base/Data/Maybe.hs:150:21 in base:Data.Maybe
|   fromJust, called at src/Darcs/Util/Index.hs:603:69 in darcs-2.19.1-
inplace:Darcs.Util.Index

I came up with this test after an analysis of what would be needed to 
discharge the proof obligation for a certain 'fromJust hash' in the index 
code. Similar scenarios can make other commands crash, and indeed not just at 
this particular place; for instance, this sequence:

"""
[...]
touch b
darcs record -lam 'add b'

# create a file with zero size and timestamp
touch -d "1970-01-01 00:00:00 UTC" f
darcs add f
rm _darcs/index
# this should not crash darcs:
darcs whatsnew -s
"""

crashes with

| precondition of darcsFormatDir
| CallStack (from HasCallStack):
|   error, called at src/Darcs/Util/Tree/Hashed.hs:92:22 in darcs-2.19.1-
inplace:Darcs.Util.Tree.Hashed

The reason for both crashes is the assumption that a file item in the index 
can have zero (invalid, non-existing) hash only if it also has a mismatch in 
either size or timestamp, which is not true for this particular corner case.

The fix is simple: we must explicitly include 'item has invalid hash' in the 
conditions for 'item has changed' that triggers (among other things) re-
calculation of the hash.

Will send patches.