bug#34256: 27.0.50; Crash on draw_glyphs()

[Eli Zaretskii <eliz@gnu.org>]

> From: Kaushal Modi <kaushal.modi@gmail.com>
> Date: Thu, 31 Jan 2019 22:25:35 -0500
> Cc: 34256@debbugs.gnu.org
> 
> Thread 1 "emacs" hit Hardware watchpoint 6: -location
> s->f->terminal->image_cache->images[0]
> 
> Old value = (struct image *) 0x2346430
> New value = (struct image *) 0x0
> free_image (f=f@entry=0x143b1b0, img=img@entry=0x2346430) at image.c:1022
> 1022          if (img->picture)
> (gdb) bt
> #0  free_image (f=f@entry=0x143b1b0, img=img@entry=0x2346430) at
> image.c:1022
> #1  0x00000000006646a1 in clear_image_cache (f=0x143b1b0,
> filter=filter@entry=XIL(0xc5a0)) at image.c:1574
> #2  0x000000000066a35d in Fclear_image_cache (filter=...) at image.c:1658
> [...]
> Lisp Backtrace:
> "clear-image-cache" (0xffff0650)
> "org-display-inline-images" (0xffff0a88)
> "org-mode" (0xffff1020)
> "set-auto-mode-0" (0xffff1308)
> "set-auto-mode" (0xffff17d0)
> "vc-find-revision-no-save" (0xffff1bb0)
> "diff-syntax-fontify-hunk" (0xffff2130)
> "diff-syntax-fontify" (0xffff23f0)
> "diff--font-lock-syntax" (0xffff2788)
> "font-lock-fontify-keywords-region" (0xffff2d40)
> "font-lock-default-fontify-region" (0xffff30b8)
> "font-lock-fontify-region" (0xffff3358)
> 0x4a1a8c0 PVEC_COMPILED
> "run-hook-wrapped" (0xffff37a0)
> "jit-lock--run-functions" (0xffff3ae0)
> "jit-lock-fontify-now" (0xffff3ef8)
> "jit-lock-function" (0xffff4248)
> "redisplay_internal (C function)" (0x0)

Thanks, I think I understand what happened here.  Does the patch below
fix the problem?  If it doesn't, please repeat the procedure with the
patched Emacs.

diff --git a/src/frame.h b/src/frame.h
index ab3efdf..e0dab51 100644
--- a/src/frame.h
+++ b/src/frame.h
@@ -413,6 +413,10 @@ struct frame
   /* Non-zero if this frame's faces need to be recomputed.  */
   bool_bf face_change : 1;
 
+  /* Non-zero if this frame's image cache cannot be freed because the
+     frame is in the process of being redisplayed.  */
+  bool_bf inhibit_clear_image_cache : 1;
+
   /* Bitfield area ends here.  */
 
   /* This frame's change stamp, set the last time window change
diff --git a/src/image.c b/src/image.c
index 2014860..342b647 100644
--- a/src/image.c
+++ b/src/image.c
@@ -1554,7 +1554,7 @@ clear_image_cache (struct frame *f, Lisp_Object filter)
 {
   struct image_cache *c = FRAME_IMAGE_CACHE (f);
 
-  if (c)
+  if (c && !f->inhibit_clear_image_cache)
     {
       ptrdiff_t i, nfreed = 0;
 
diff --git a/src/xdisp.c b/src/xdisp.c
index ec8dd86..b43777a 100644
--- a/src/xdisp.c
+++ b/src/xdisp.c
@@ -14440,7 +14440,17 @@ redisplay_internal (void)
 		FRAME_TERMINAL (f)->condemn_scroll_bars_hook (f);
 
 	      if (FRAME_VISIBLE_P (f) && !FRAME_OBSCURED_P (f))
-		redisplay_windows (FRAME_ROOT_WINDOW (f));
+		{
+
+		  /* Don't allow freeing images for this frame as long
+		     as the frame's update wasn't completed.  This
+		     prevents crashes when some Lisp that runs from
+		     the various hooks or font-lock decides to clear
+		     the frame's image cache, when the images in that
+		     cache are referenced by the desired matrix.  */
+		  f->inhibit_clear_image_cache = true;
+		  redisplay_windows (FRAME_ROOT_WINDOW (f));
+		}
 	      /* Remember that the invisible frames need to be redisplayed next
 		 time they're visible.  */
 	      else if (!REDISPLAY_SOME_P ())
@@ -14521,6 +14531,7 @@ redisplay_internal (void)
 		  pending |= update_frame (f, false, false);
 		  f->cursor_type_changed = false;
 		  f->updated_p = true;
+		  f->inhibit_clear_image_cache = false;
 		}
 	    }
 	}
@@ -14548,6 +14559,7 @@ redisplay_internal (void)
     }
   else if (FRAME_VISIBLE_P (sf) && !FRAME_OBSCURED_P (sf))
     {
+      sf->inhibit_clear_image_cache = true;
       displayed_buffer = XBUFFER (XWINDOW (selected_window)->contents);
       /* Use list_of_error, not Qerror, so that
 	 we catch only errors and don't run the debugger.  */
@@ -14603,6 +14615,7 @@ redisplay_internal (void)
 	  XWINDOW (selected_window)->must_be_updated_p = true;
 	  pending = update_frame (sf, false, false);
 	  sf->cursor_type_changed = false;
+	  sf->inhibit_clear_image_cache = false;
 	}
 
       /* We may have called echo_area_display at the top of this