bug#48732: 28.0.50; lisp_string_width segfaults on startup under macOS

[Naofumi Yasufuku <naofumi@yasufuku.dev>]

[-- Attachment #1: Type: text/plain, Size: 9657 bytes --]

Hi Eli,

> 2021/05/30 17:38、Eli Zaretskii <eliz@gnu.org>のメール:
> 
> Maybe.  At least the user init file is processed during startup after
> the window-system was fully initialized.  The fontset you show in your
> crashed session also looks fine to me.  So I cannot explain why trying
> to find font for an Arabic character could crash for you.
> 
> Therefore, I went ahead and disabled accounting for automatic
> character compositions in 'format' and 'format-message'.  Only
> 'string-width' tries to account for that.  Please see if that solves
> your problem.
> 

No problem. I’ll try it.

>> This crash couldn’t be reproduced with full ${top_builddir}/src/.gdbinit settings,
>> so I copied ‘pp’ command definition to ${top_builddir}/.gdbinit then invoked
>> 'gdb ${top_builddir}/src/emacs' like this:
> 
> This in itself is very strange, and probably indicates that there's
> some memory-related problem somewhere.  If the change I installed
> solves your problem, I will try looking for such a problem.
> 

Yes, very strange. It seems memory or cache related.

I have tried to get simple printf logs of crashed `lface’  Lisp_Object access via
lisp_gtring_width()/find_automatic_composition() and free_realized_face().

According to the attached logs, find_automatic_composition() could attempt to access
to deallocated `lface’ objects on startup under macOS.

It could be macOS-specific because I have not seen such segfault under linux.


## Patch for realize_face, free_realized_face printf logs

attachment:
0001-free_realized_face-printf-logs-for-lisp_string_width.patch
init.el

Except for this printf patch, there is no difference of execution environment
described in previous email.

> 
> It seems that this segfault depends on some delicate matter of
> startup initialization timing.
> 
> This crash couldn’t be reproduced with full ${top_builddir}/src/.gdbinit settings,
> so I copied ‘pp’ command definition to ${top_builddir}/.gdbinit then invoked
> 'gdb ${top_builddir}/src/emacs' like this:
> 
> ```
> [naofumi@hyperion emacs (master)]% pwd
> /Users/naofumi/_git/git.sv.gnu.org/emacs
> [naofumi@hyperion emacs (master)]% 
> [naofumi@hyperion emacs (master)]% cat ./.gdbinit
> # Print out s-expressions
> define pp
>  set $tmp = $arg0
>  set $output_debug = print_output_debug_flag
>  set print_output_debug_flag = 0
>  call safe_debug_print ($tmp)
>  set print_output_debug_flag = $output_debug
> end
> document pp
> Print the argument as an emacs s-expression
> Works only when an inferior emacs is executing.
> end
> [naofumi@hyperion emacs (master)]% 
> [naofumi@hyperion emacs (master)]% 
> [naofumi@hyperion emacs (master)]% gdb ./src/emacs


## Case A) lisp_string_width segfault occurrs

attachment:
00_SEGFAULT-free_realized_face-gdb-grep-0x1032af4a0.txt
00_SEGFAULT-free_realized_face-gdb.txt.bz2
01_SEGFAULT-free_realized_face-gdb-grep-0x103435210.txt
01_SEGFAULT-free_realized_face-gdb.txt.bz2
--------------------------------------------------------------------------------------------------------------
realize_gui_face: make_realized_face: face=0x1032af4a0: face->lface=0x1032af4a0
realize_face: realize_gui_face: face=0x1032af4a0: face->lface=0x1032af4a0
free_realized_face: frame f=0x104197430: face=0x1032af4a0
xfree: block=0x1032af4a0
realize_gui_face: make_realized_face: face=0x1032af4a0: face->lface=0x1032af4a0
realize_face: realize_gui_face: face=0x1032af4a0: face->lface=0x1032af4a0
free_realized_face: frame f=0x104197430: face=0x1032af4a0
xfree: block=0x1032af4a0
realize_gui_face: make_realized_face: face=0x1032af4a0: face->lface=0x1032af4a0
realize_face: realize_gui_face: face=0x1032af4a0: face->lface=0x1032af4a0
font_range: frame f=0x104197430: face_id=0: face=0x1032af4a0
fontset_find_font: frame f=0x104197430: XFRAME(FONTSET_FRAME(fontset)=0x104197430: XFRAME(selected_frame)=0x104197430: face=0x1032af4a0
fontset_find_font: frame f=0x104197430: XFRAME(FONTSET_FRAME(fontset)=0x104197430: XFRAME(selected_frame)=0x104197430: face=0x1032af4a0
free_realized_face: frame f=0x104197430: face=0x1032af4a0
xfree: block=0x1032af4a0
font_select_entity: frame f=0x104197430: attrs=0x1032af4a0

Thread 2 received signal SIGSEGV, Segmentation fault.
0x0000000100291d05 in SYMBOL_NAME (sym=0x10421bc28) at ./lisp.h:2208
2208	  return XSYMBOL (sym)->u.s.name;
(gdb) bt
#0  0x0000000100291d05 in SYMBOL_NAME (sym=0x10421bc28) at ./lisp.h:2208
#1  0x00000001002917dd in font_style_to_value (prop=FONT_WEIGHT_INDEX, 
    val=0x10421bc28, noerror=true) at font.c:366
#2  0x000000010029a9c3 in font_select_entity (f=0x104197430, 
    entities=0x1038add13, attrs=0x1032af4a0, pixel_size=12, c=-1)
    at font.c:3158
#3  0x000000010029a569 in font_find_for_lface (f=0x104197430, 
    attrs=0x1032af4a0, spec=0x104909ded, c=-1) at font.c:3305
#4  0x000000010033c504 in fontset_find_font (fontset=0x104a05545, c=1603, 
    face=0x1032af4a0, charset_id=-1, fallback=false) at fontset.c:663
#5  0x00000001003350a4 in fontset_font (fontset=0x10421ae8d, c=1603, 
    face=0x1032af4a0, id=-1) at fontset.c:785
#6  0x000000010033569d in font_for_char (face=0x1032af4a0, c=1603, pos=308, 
    object=0x10317e5c4) at fontset.c:1066
#7  0x000000010029d15a in font_range (pos=309, pos_byte=336, 
    limit=0x7ffeefbf1310, w=0x104175c20, face=0x1032af4a0, string=0x10317e5c4)
    at font.c:3887
#8  0x00000001003283de in autocmp_chars (rule=0x105f2337d, charpos=308, 
    bytepos=334, limit=312, win=0x104175c20, face=0x0, string=0x10317e5c4, 
    direction=0x0) at composite.c:923
#9  0x000000010032932d in find_automatic_composition (pos=308, limit=308, 
    start=0x7ffeefbf15a8, end=0x7ffeefbf15a0, gstring=0x7ffeefbf15b8, 
    string=0x10317e5c4) at composite.c:1612
#10 0x0000000100127468 in lisp_string_width (string=0x10317e5c4, from=0, 
    to=479, precision=-1, nchars=0x7ffeefbf1a28, nbytes=0x7ffeefbf1a20)
    at character.c:375
#11 0x000000010025488b in styled_format (nargs=2, args=0x7ffeefbf74c0, 
    message=false) at editfns.c:3392
#12 0x000000010025283f in Fformat (nargs=2, args=0x7ffeefbf74c0)
    at editfns.c:3061
#13 0x000000010026e5eb in call3 (fn=0x100424ddd, arg1=0x1000000000, 
    arg2=0x7ffeefbf73f0, arg3=0x100271fb4 <xcdr_addr+20>) at eval.c:2912
#14 0x7830003700000806 in ?? ()
#15 0x0000000000000000 in ?? ()
(gdb) pp sym
[New Thread 0x1d0b of process 7056]
#<INVALID_LISP_OBJECT 0x10421bc28>
(gdb) up
#1  0x00000001002917dd in font_style_to_value (prop=FONT_WEIGHT_INDEX, 
    val=0x10421bc28, noerror=true) at font.c:366
366	      s = SSDATA (SYMBOL_NAME (val));
(gdb) up
#2  0x000000010029a9c3 in font_select_entity (f=0x104197430, 
    entities=0x1038add13, attrs=0x1032af4a0, pixel_size=12, c=-1)
    at font.c:3158
3158	    FONT_SET_STYLE (prefer, FONT_WEIGHT_INDEX, attrs[LFACE_WEIGHT_INDEX]);
(gdb) up
#3  0x000000010029a569 in font_find_for_lface (f=0x104197430, 
    attrs=0x1032af4a0, spec=0x104909ded, c=-1) at font.c:3305
3305			      val = font_select_entity (f, entities,
(gdb) up
#4  0x000000010033c504 in fontset_find_font (fontset=0x104a05545, c=1603, 
    face=0x1032af4a0, charset_id=-1, fallback=false) at fontset.c:663
663		  font_entity = font_find_for_lface (f, face->lface,
(gdb) pp face->lface[0]
nil
(gdb) pp face->lface[1]
#<INVALID_LISP_OBJECT 0x10421bc18>
(gdb) pp face->lface[2]
0
(gdb) pp face->lface[3]
#<INVALID_LISP_OBJECT 0xffffffffffffffff>
(gdb) pp face->lface[4]
nil
(gdb) pp face->lface[5]
#<INVALID_LISP_OBJECT 0x10421bc28>
(gdb) pp face->lface[6]
0
(gdb) pp face->lface[7]
#<INVALID_LISP_OBJECT 0xffffffffffffffff>
(gdb) pp face->lface
$1 = {0x0, 0x10421bc18, 0x2, 0xffffffffffffffff, 0x0, 0x10421bc28, 0x2, 
  0xffffffffffffffff, 0x0, 0x10421bc38, 0x2, 0xffffffffffffffff, 0x0, 
  0x10421bc48, 0x2, 0xffffffffffffffff, 0x0, 0x10421bc58, 0x2, 
  0xffffffffffffffff}
(gdb) q

--------------------------------------------------------------------------------------------------------------


##  Case B) No lisp_string_width segfault

attachment:
10_NO-SEGFAULT-free_realized_face-gdb-grep-0x1032cb260.txt
10_NO-SEGFAULT-free_realized_face-gdb.txt.bz2
11_NO-SEGFAULT-free_realized_face-gdb-grep-0x1031a5880.txt
11_NO-SEGFAULT-free_realized_face-gdb.txt.bz2
--------------------------------------------------------------------------------------------------------------
realize_gui_face: make_realized_face: face=0x1032cb260: face->lface=0x1032cb260
realize_face: realize_gui_face: face=0x1032cb260: face->lface=0x1032cb260
free_realized_face: frame f=0x108088e30: face=0x1032cb260
xfree: block=0x1032cb260
realize_gui_face: make_realized_face: face=0x1032cb260: face->lface=0x1032cb260
realize_face: realize_gui_face: face=0x1032cb260: face->lface=0x1032cb260
font_range: frame f=0x108088e30: face_id=0: face=0x1032cb260
fontset_find_font: frame f=0x108088e30: XFRAME(FONTSET_FRAME(fontset)=0x108088e30: XFRAME(selected_frame)=0x108088e30: face=0x1032cb260
fontset_find_font: frame f=0x108088e30: XFRAME(FONTSET_FRAME(fontset)=0x108088e30: XFRAME(selected_frame)=0x108088e30: face=0x1032cb260
free_realized_face: frame f=0x108088e30: face=0x1032cb260
xfree: block=0x1032cb260
realize_gui_face: make_realized_face: face=0x1032cb260: face->lface=0x1032cb260
realize_face: realize_gui_face: face=0x1032cb260: face->lface=0x1032cb260
font_select_entity: frame f=0x108088e30: attrs=0x1032cb260

--------------------------------------------------------------------------------------------------------------


Regards,
—Naofumi


[-- Attachment #2: 0001-free_realized_face-printf-logs-for-lisp_string_width.patch --]
[-- Type: application/octet-stream, Size: 6120 bytes --]

From bfa39299e88f2892a15ffabee731f7cd5c044603 Mon Sep 17 00:00:00 2001
From: Naofumi Yasufuku <naofumi@yasufuku.dev>
Date: Sun, 30 May 2021 16:33:34 +0900
Subject: [PATCH] free_realized_face printf logs for lisp_string_width segfault
 under macOS

Bug#48732 28.0.50; lisp_string_width segfaults on startup under macOS
---
 src/alloc.c   |  1 +
 src/font.c    |  4 ++++
 src/fontset.c |  3 +++
 src/xfaces.c  | 34 +++++++++++++++++++++++++++++++---
 4 files changed, 39 insertions(+), 3 deletions(-)

diff --git a/src/alloc.c b/src/alloc.c
index 76d8c7ddd1..3846c4bc18 100644
--- a/src/alloc.c
+++ b/src/alloc.c
@@ -822,6 +822,7 @@ xfree (void *block)
     return;
   MALLOC_BLOCK_INPUT;
   free (block);
+  fprintf (stderr, "%s: block=%p\n", __func__, block);
   MALLOC_UNBLOCK_INPUT;
   /* We don't call refill_memory_reserve here
      because in practice the call in r_alloc_free seems to suffice.  */
diff --git a/src/font.c b/src/font.c
index 7c1d1ff89b..b49a4536d0 100644
--- a/src/font.c
+++ b/src/font.c
@@ -3126,6 +3126,9 @@ font_clear_prop (Lisp_Object *attrs, enum font_property_index prop)
 font_select_entity (struct frame *f, Lisp_Object entities,
 		    Lisp_Object *attrs, int pixel_size, int c)
 {
+  fprintf (stderr, "%s: frame f=%p: attrs=%p\n",
+	   __func__, f, attrs);
+
   Lisp_Object font_entity;
   Lisp_Object prefer;
   int i;
@@ -3866,6 +3869,7 @@ font_range (ptrdiff_t pos, ptrdiff_t pos_byte, ptrdiff_t *limit,
 	                                     face_id, false, 0);
 	}
       face = FACE_FROM_ID (f, face_id);
+      fprintf (stderr, "%s: frame f=%p: face_id=%d: face=%p\n", __func__, f, face_id, face);
     }
 
   while (pos < *limit)
diff --git a/src/fontset.c b/src/fontset.c
index 332be6c39d..213c2b6786 100644
--- a/src/fontset.c
+++ b/src/fontset.c
@@ -557,6 +557,9 @@ fontset_find_font (Lisp_Object fontset, int c, struct face *face,
 		     : XFRAME (selected_frame));
   Lisp_Object rfont_def;
 
+  fprintf (stderr, "%s: frame f=%p: XFRAME(FONTSET_FRAME(fontset)=%p: XFRAME(selected_frame)=%p: face=%p\n",
+	   __func__, f, XFRAME (FONTSET_FRAME (fontset)), XFRAME (selected_frame), face);
+
   font_group = fontset_get_font_group (fontset, fallback ? -1 : c);
   if (! CONSP (font_group))
     return font_group;
diff --git a/src/xfaces.c b/src/xfaces.c
index ab4440f46a..a3b74926e3 100644
--- a/src/xfaces.c
+++ b/src/xfaces.c
@@ -4407,6 +4407,8 @@ make_realized_face (Lisp_Object *attr)
 static void
 free_realized_face (struct frame *f, struct face *face)
 {
+  fprintf (stderr, "%s: frame f=%p: face=%p\n",
+	   __func__, f, face);
   if (face)
     {
 #ifdef HAVE_WINDOW_SYSTEM
@@ -4613,6 +4615,8 @@ free_realized_faces (struct face_cache *c)
 
       for (i = 0; i < c->used; ++i)
 	{
+	  fprintf (stderr, "%s: frame f=%p: c->faces_by_id[i]\n",
+		   __func__, f, c->faces_by_id[i]);
 	  free_realized_face (f, c->faces_by_id[i]);
 	  c->faces_by_id[i] = NULL;
 	}
@@ -4647,13 +4651,18 @@ free_all_realized_faces (Lisp_Object frame)
 {
   if (NILP (frame))
     {
+      fprintf (stderr, "%s: NILP (frame)\n",
+	       __func__);
       Lisp_Object rest;
       FOR_EACH_FRAME (rest, frame)
 	free_realized_faces (FRAME_FACE_CACHE (XFRAME (frame)));
       windows_or_buffers_changed = 58;
     }
-  else
+  else {
+    fprintf (stderr, "%s: ! NILP (frame)\n",
+	     __func__);
     free_realized_faces (FRAME_FACE_CACHE (XFRAME (frame)));
+  }
 }
 
 
@@ -4664,6 +4673,8 @@ free_face_cache (struct face_cache *c)
 {
   if (c)
     {
+      fprintf (stderr, "%s: frame c->f=%p\n",
+	       __func__, c->f);
       free_realized_faces (c);
       xfree (c->buckets);
       xfree (c->faces_by_id);
@@ -4765,6 +4776,9 @@ uncache_face (struct face_cache *c, struct face *face)
   c->faces_by_id[face->id] = NULL;
   if (face->id == c->used)
     --c->used;
+
+  fprintf (stderr, "%s: face->id=%d: c->faces_by_id[face->id]=%p: c->used=%d\n",
+	   __func__, face->id, c->faces_by_id[face->id], c->used);
 }
 
 
@@ -5822,18 +5836,28 @@ realize_face (struct face_cache *cache, Lisp_Object attrs[LFACE_VECTOR_SIZE],
       /* Remove the former face.  */
       struct face *former_face = cache->faces_by_id[former_face_id];
       uncache_face (cache, former_face);
+      fprintf (stderr, "%s: frame cache->f=%p: former_face_id=%d: former_face=%p\n",
+	       __func__, cache->f, former_face_id, former_face);
       free_realized_face (cache->f, former_face);
       SET_FRAME_GARBAGED (cache->f);
     }
 
-  if (FRAME_WINDOW_P (cache->f))
+  if (FRAME_WINDOW_P (cache->f)) {
     face = realize_gui_face (cache, attrs);
-  else if (FRAME_TERMCAP_P (cache->f) || FRAME_MSDOS_P (cache->f))
+    fprintf (stderr, "%s: realize_gui_face: face=%p: face->lface=%p\n",
+	     __func__, face, face->lface);
+  }
+  else if (FRAME_TERMCAP_P (cache->f) || FRAME_MSDOS_P (cache->f)) {
     face = realize_tty_face (cache, attrs);
+    fprintf (stderr, "%s: realize_tty_face: face=%p: face->lface=%p\n",
+	     __func__, face, face->lface);
+  }
   else if (FRAME_INITIAL_P (cache->f))
     {
       /* Create a dummy face. */
       face = make_realized_face (attrs);
+      fprintf (stderr, "%s: make_realized_face: face=%p: face->lface=%p\n",
+	       __func__, face, face->lface);
     }
   else
     emacs_abort ();
@@ -5897,6 +5921,8 @@ realize_gui_face (struct face_cache *cache, Lisp_Object attrs[LFACE_VECTOR_SIZE]
 
   /* Allocate a new realized face.  */
   face = make_realized_face (attrs);
+  fprintf (stderr, "%s: make_realized_face: face=%p: face->lface=%p\n",
+	   __func__, face, face->lface);
   face->ascii_face = face;
 
   f = cache->f;
@@ -6245,6 +6271,8 @@ realize_tty_face (struct face_cache *cache,
 
   /* Allocate a new realized face.  */
   face = make_realized_face (attrs);
+  fprintf (stderr, "%s: make_realized_face: face=%p: face->lface=%p\n",
+	   __func__, face, face->lface);
 #if false
   face->font_name = FRAME_MSDOS_P (cache->f) ? "ms-dos" : "tty";
 #endif
-- 
2.31.1


[-- Attachment #3: init.el --]
[-- Type: application/octet-stream, Size: 61 bytes --]

(custom-set-variables
 '(tramp-syntax 'default nil (tramp)))

[-- Attachment #4: 00_SEGFAULT-free_realized_face-gdb-grep-0x1032af4a0.txt --]
[-- Type: text/plain, Size: 4938 bytes --]

realize_gui_face: make_realized_face: face=0x1032af4a0: face->lface=0x1032af4a0
realize_face: realize_gui_face: face=0x1032af4a0: face->lface=0x1032af4a0
free_realized_face: frame f=0x104197430: face=0x1032af4a0
xfree: block=0x1032af4a0
realize_gui_face: make_realized_face: face=0x1032af4a0: face->lface=0x1032af4a0
realize_face: realize_gui_face: face=0x1032af4a0: face->lface=0x1032af4a0
free_realized_face: frame f=0x104197430: face=0x1032af4a0
xfree: block=0x1032af4a0
realize_gui_face: make_realized_face: face=0x1032af4a0: face->lface=0x1032af4a0
realize_face: realize_gui_face: face=0x1032af4a0: face->lface=0x1032af4a0
font_range: frame f=0x104197430: face_id=0: face=0x1032af4a0
fontset_find_font: frame f=0x104197430: XFRAME(FONTSET_FRAME(fontset)=0x104197430: XFRAME(selected_frame)=0x104197430: face=0x1032af4a0
fontset_find_font: frame f=0x104197430: XFRAME(FONTSET_FRAME(fontset)=0x104197430: XFRAME(selected_frame)=0x104197430: face=0x1032af4a0
free_realized_face: frame f=0x104197430: face=0x1032af4a0
xfree: block=0x1032af4a0
font_select_entity: frame f=0x104197430: attrs=0x1032af4a0

Thread 2 received signal SIGSEGV, Segmentation fault.
0x0000000100291d05 in SYMBOL_NAME (sym=0x10421bc28) at ./lisp.h:2208
2208	  return XSYMBOL (sym)->u.s.name;
(gdb) bt
#0  0x0000000100291d05 in SYMBOL_NAME (sym=0x10421bc28) at ./lisp.h:2208
#1  0x00000001002917dd in font_style_to_value (prop=FONT_WEIGHT_INDEX, 
    val=0x10421bc28, noerror=true) at font.c:366
#2  0x000000010029a9c3 in font_select_entity (f=0x104197430, 
    entities=0x1038add13, attrs=0x1032af4a0, pixel_size=12, c=-1)
    at font.c:3158
#3  0x000000010029a569 in font_find_for_lface (f=0x104197430, 
    attrs=0x1032af4a0, spec=0x104909ded, c=-1) at font.c:3305
#4  0x000000010033c504 in fontset_find_font (fontset=0x104a05545, c=1603, 
    face=0x1032af4a0, charset_id=-1, fallback=false) at fontset.c:663
#5  0x00000001003350a4 in fontset_font (fontset=0x10421ae8d, c=1603, 
    face=0x1032af4a0, id=-1) at fontset.c:785
#6  0x000000010033569d in font_for_char (face=0x1032af4a0, c=1603, pos=308, 
    object=0x10317e5c4) at fontset.c:1066
#7  0x000000010029d15a in font_range (pos=309, pos_byte=336, 
    limit=0x7ffeefbf1310, w=0x104175c20, face=0x1032af4a0, string=0x10317e5c4)
    at font.c:3887
#8  0x00000001003283de in autocmp_chars (rule=0x105f2337d, charpos=308, 
    bytepos=334, limit=312, win=0x104175c20, face=0x0, string=0x10317e5c4, 
    direction=0x0) at composite.c:923
#9  0x000000010032932d in find_automatic_composition (pos=308, limit=308, 
    start=0x7ffeefbf15a8, end=0x7ffeefbf15a0, gstring=0x7ffeefbf15b8, 
    string=0x10317e5c4) at composite.c:1612
#10 0x0000000100127468 in lisp_string_width (string=0x10317e5c4, from=0, 
    to=479, precision=-1, nchars=0x7ffeefbf1a28, nbytes=0x7ffeefbf1a20)
    at character.c:375
#11 0x000000010025488b in styled_format (nargs=2, args=0x7ffeefbf74c0, 
    message=false) at editfns.c:3392
#12 0x000000010025283f in Fformat (nargs=2, args=0x7ffeefbf74c0)
    at editfns.c:3061
#13 0x000000010026e5eb in call3 (fn=0x100424ddd, arg1=0x1000000000, 
    arg2=0x7ffeefbf73f0, arg3=0x100271fb4 <xcdr_addr+20>) at eval.c:2912
#14 0x7830003700000806 in ?? ()
#15 0x0000000000000000 in ?? ()
(gdb) pp sym
[New Thread 0x1d0b of process 7056]
#<INVALID_LISP_OBJECT 0x10421bc28>
(gdb) up
#1  0x00000001002917dd in font_style_to_value (prop=FONT_WEIGHT_INDEX, 
    val=0x10421bc28, noerror=true) at font.c:366
366	      s = SSDATA (SYMBOL_NAME (val));
(gdb) up
#2  0x000000010029a9c3 in font_select_entity (f=0x104197430, 
    entities=0x1038add13, attrs=0x1032af4a0, pixel_size=12, c=-1)
    at font.c:3158
3158	    FONT_SET_STYLE (prefer, FONT_WEIGHT_INDEX, attrs[LFACE_WEIGHT_INDEX]);
(gdb) up
#3  0x000000010029a569 in font_find_for_lface (f=0x104197430, 
    attrs=0x1032af4a0, spec=0x104909ded, c=-1) at font.c:3305
3305			      val = font_select_entity (f, entities,
(gdb) up
#4  0x000000010033c504 in fontset_find_font (fontset=0x104a05545, c=1603, 
    face=0x1032af4a0, charset_id=-1, fallback=false) at fontset.c:663
663		  font_entity = font_find_for_lface (f, face->lface,
(gdb) pp face->lface[0]
nil
(gdb) pp face->lface[1]
#<INVALID_LISP_OBJECT 0x10421bc18>
(gdb) pp face->lface[2]
0
(gdb) pp face->lface[3]
#<INVALID_LISP_OBJECT 0xffffffffffffffff>
(gdb) pp face->lface[4]
nil
(gdb) pp face->lface[5]
#<INVALID_LISP_OBJECT 0x10421bc28>
(gdb) pp face->lface[6]
0
(gdb) pp face->lface[7]
#<INVALID_LISP_OBJECT 0xffffffffffffffff>
(gdb) pp face->lface
$1 = {0x0, 0x10421bc18, 0x2, 0xffffffffffffffff, 0x0, 0x10421bc28, 0x2, 
  0xffffffffffffffff, 0x0, 0x10421bc38, 0x2, 0xffffffffffffffff, 0x0, 
  0x10421bc48, 0x2, 0xffffffffffffffff, 0x0, 0x10421bc58, 0x2, 
  0xffffffffffffffff}
(gdb) q
A debugging session is active.

	Inferior 1 [process 7056] will be killed.

Quit anyway? (y or n) y

[-- Attachment #5: 00_SEGFAULT-free_realized_face-gdb.txt.bz2 --]
[-- Type: application/x-bzip2, Size: 18271 bytes --]

[-- Attachment #6: 01_SEGFAULT-free_realized_face-gdb-grep-0x103435210.txt --]
[-- Type: text/plain, Size: 4051 bytes --]

realize_gui_face: make_realized_face: face=0x103435210: face->lface=0x103435210
realize_face: realize_gui_face: face=0x103435210: face->lface=0x103435210
font_range: frame f=0x1050d4030: face_id=0: face=0x103435210
fontset_find_font: frame f=0x1050d4030: XFRAME(FONTSET_FRAME(fontset)=0x1050d4030: XFRAME(selected_frame)=0x1050d4030: face=0x103435210
fontset_find_font: frame f=0x1050d4030: XFRAME(FONTSET_FRAME(fontset)=0x1050d4030: XFRAME(selected_frame)=0x1050d4030: face=0x103435210
free_realized_face: frame f=0x1050d4030: face=0x103435210
xfree: block=0x103435210
font_select_entity: frame f=0x1050d4030: attrs=0x103435210

Thread 2 received signal SIGSEGV, Segmentation fault.
0x0000000100291d05 in SYMBOL_NAME (sym=0x103461eb0) at ./lisp.h:2208
2208	  return XSYMBOL (sym)->u.s.name;
(gdb) bt
#0  0x0000000100291d05 in SYMBOL_NAME (sym=0x103461eb0) at ./lisp.h:2208
#1  0x00000001002917dd in font_style_to_value (prop=FONT_WIDTH_INDEX, 
    val=0x103461eb0, noerror=true) at font.c:366
#2  0x000000010029aab9 in font_select_entity (f=0x1050d4030, 
    entities=0x1048fd913, attrs=0x103435210, pixel_size=12, c=-1)
    at font.c:3162
#3  0x000000010029a569 in font_find_for_lface (f=0x1050d4030, 
    attrs=0x103435210, spec=0x1039339ed, c=-1) at font.c:3305
#4  0x000000010033c504 in fontset_find_font (fontset=0x1049d0235, c=1603, 
    face=0x103435210, charset_id=-1, fallback=false) at fontset.c:663
#5  0x00000001003350a4 in fontset_font (fontset=0x103a3788d, c=1603, 
    face=0x103435210, id=-1) at fontset.c:785
#6  0x000000010033569d in font_for_char (face=0x103435210, c=1603, pos=308, 
    object=0x1033a93d4) at fontset.c:1066
#7  0x000000010029d15a in font_range (pos=309, pos_byte=336, 
    limit=0x7ffeefbf1310, w=0x1050dac20, face=0x103435210, string=0x1033a93d4)
    at font.c:3887
#8  0x00000001003283de in autocmp_chars (rule=0x105f2337d, charpos=308, 
    bytepos=334, limit=312, win=0x1050dac20, face=0x0, string=0x1033a93d4, 
    direction=0x0) at composite.c:923
#9  0x000000010032932d in find_automatic_composition (pos=308, limit=308, 
    start=0x7ffeefbf15a8, end=0x7ffeefbf15a0, gstring=0x7ffeefbf15b8, 
    string=0x1033a93d4) at composite.c:1612
#10 0x0000000100127468 in lisp_string_width (string=0x1033a93d4, from=0, 
    to=479, precision=-1, nchars=0x7ffeefbf1a28, nbytes=0x7ffeefbf1a20)
    at character.c:375
#11 0x000000010025488b in styled_format (nargs=2, args=0x7ffeefbf74c0, 
    message=false) at editfns.c:3392
#12 0x000000010025283f in Fformat (nargs=2, args=0x7ffeefbf74c0)
    at editfns.c:3061
#13 0x000000010026e5eb in call3 (fn=0x100424ddd, arg1=0x1000000000, 
    arg2=0x7ffeefbf73f0, arg3=0x100271fb4 <xcdr_addr+20>) at eval.c:2912
#14 0x7830003700000806 in ?? ()
#15 0x0000000000000000 in ?? ()
(gdb) up 4
#4  0x000000010033c504 in fontset_find_font (fontset=0x1049d0235, c=1603, 
    face=0x103435210, charset_id=-1, fallback=false) at fontset.c:663
663		  font_entity = font_find_for_lface (f, face->lface,
(gdb) l
658		    return Qnil;
659		  /* Find a font best-matching with the spec without checking
660		     the support of the character C.  That checking is costly,
661		     and even without the checking, the found font supports C
662		     in high possibility.  */
663		  font_entity = font_find_for_lface (f, face->lface,
664						     FONT_DEF_SPEC (font_def), -1);
665		  if (NILP (font_entity))
666		    {
667		      /* Record that no font matches the spec.  */
(gdb) p face->lface
$1 = {0x11dffff802bc6f5, 0x0, 0x0, 0x103461eb0, 0x0 <repeats 16 times>}
(gdb) pp face->lface[0]
[New Thread 0x1d0b of process 7459]
#<INVALID_LISP_OBJECT 0x11dffff802bc6f5>
(gdb) pp face->lface[1]
nil
(gdb) pp face->lface[2]
nil
(gdb) pp face->lface[3]
#<INVALID_LISP_OBJECT 0x103461eb0>
(gdb) pp face->lface[4]
nil
(gdb) pp face->lface[5]
nil
(gdb) pp face->lface[6]
nil
(gdb) pp face->lface[7]
nil
(gdb) q
A debugging session is active.

	Inferior 1 [process 7459] will be killed.

Quit anyway? (y or n) y

[-- Attachment #7: 01_SEGFAULT-free_realized_face-gdb.txt.bz2 --]
[-- Type: application/x-bzip2, Size: 18742 bytes --]

[-- Attachment #8: 10_NO-SEGFAULT-free_realized_face-gdb-grep-0x1032cb260.txt --]
[-- Type: text/plain, Size: 1034 bytes --]

realize_gui_face: make_realized_face: face=0x1032cb260: face->lface=0x1032cb260
realize_face: realize_gui_face: face=0x1032cb260: face->lface=0x1032cb260
free_realized_face: frame f=0x108088e30: face=0x1032cb260
xfree: block=0x1032cb260
realize_gui_face: make_realized_face: face=0x1032cb260: face->lface=0x1032cb260
realize_face: realize_gui_face: face=0x1032cb260: face->lface=0x1032cb260
font_range: frame f=0x108088e30: face_id=0: face=0x1032cb260
fontset_find_font: frame f=0x108088e30: XFRAME(FONTSET_FRAME(fontset)=0x108088e30: XFRAME(selected_frame)=0x108088e30: face=0x1032cb260
fontset_find_font: frame f=0x108088e30: XFRAME(FONTSET_FRAME(fontset)=0x108088e30: XFRAME(selected_frame)=0x108088e30: face=0x1032cb260
free_realized_face: frame f=0x108088e30: face=0x1032cb260
xfree: block=0x1032cb260
realize_gui_face: make_realized_face: face=0x1032cb260: face->lface=0x1032cb260
realize_face: realize_gui_face: face=0x1032cb260: face->lface=0x1032cb260
font_select_entity: frame f=0x108088e30: attrs=0x1032cb260

[-- Attachment #9: 10_NO-SEGFAULT-free_realized_face-gdb.txt.bz2 --]
[-- Type: application/x-bzip2, Size: 21446 bytes --]

[-- Attachment #10: 11_NO-SEGFAULT-free_realized_face-gdb-grep-0x1031a5880.txt --]
[-- Type: text/plain, Size: 1119 bytes --]

realize_gui_face: make_realized_face: face=0x1031a5880: face->lface=0x1031a5880
realize_face: realize_gui_face: face=0x1031a5880: face->lface=0x1031a5880
free_realized_face: frame f=0x10486da30: face=0x1031a5880
xfree: block=0x1031a5880
realize_gui_face: make_realized_face: face=0x1031a5880: face->lface=0x1031a5880
realize_face: realize_gui_face: face=0x1031a5880: face->lface=0x1031a5880
free_realized_face: frame f=0x10486da30: face=0x1031a5880
xfree: block=0x1031a5880
realize_gui_face: make_realized_face: face=0x1031a5880: face->lface=0x1031a5880
realize_face: realize_gui_face: face=0x1031a5880: face->lface=0x1031a5880
font_range: frame f=0x10486da30: face_id=0: face=0x1031a5880
fontset_find_font: frame f=0x10486da30: XFRAME(FONTSET_FRAME(fontset)=0x10486da30: XFRAME(selected_frame)=0x10486da30: face=0x1031a5880
fontset_find_font: frame f=0x10486da30: XFRAME(FONTSET_FRAME(fontset)=0x10486da30: XFRAME(selected_frame)=0x10486da30: face=0x1031a5880
free_realized_face: frame f=0x10486da30: face=0x1031a5880
xfree: block=0x1031a5880
font_select_entity: frame f=0x10486da30: attrs=0x1031a5880

[-- Attachment #11: 11_NO-SEGFAULT-free_realized_face-gdb.txt.bz2 --]
[-- Type: application/x-bzip2, Size: 21913 bytes --]

[-- Attachment #12: Type: text/plain, Size: 2 bytes --]