bug#20802: Segfault when showing non-GTK+ tooltip

[Eli Zaretskii <eliz@gnu.org>]

> Date: Sat, 13 Jun 2015 15:24:02 +0200
> From: martin rudalics <rudalics@gmx.at>
> CC: tobias.getzner@gmx.de, 20802@debbugs.gnu.org
> 
>  > Thanks, but I still cannot reproduce this.  (On what OS did you
>  > reproduce it?)
> 
> A Gtk build on Debian.  Run with all my customizations.

I see that x_decode_color in xfns.c signals an error, while the same
function in w32fns.c doesn't.  But even if I add the call to
signal_error to w32fns.c's implementation, I still cannot reproduce
the crash.  I do see an error message in the echo area, but no
debugger pops up.

> Sorry, I forgot to tell.  Line 1775 of image.c here is
> 
>    for (i = 0; i < c->used; ++i)
> 
> in the context of
> 
>    struct image_cache *c = FRAME_IMAGE_CACHE (f);
>    ptrdiff_t i;
> 
>    /* Find a free slot in c->images.  */
>    for (i = 0; i < c->used; ++i)
>      if (c->images[i] == NULL)
>        break;
> 
>    /* If no free slot found, maybe enlarge c->images.  */
> 
> in cache_image.  i is still 0 and I get
> 
> (gdb) p c->used
> Cannot access memory at address 0x18

So FRAME_IMAGE_CACHE returns a NULL pointer, I guess.  But how did
that happen?  We allocate the cache in xfaces.c:init_frame_faces.  I
could understand why init_frame_faces was not yet called for the tip
frame we were trying to create, but the crash happens because of a
different frame.  Look:

  #37 0x000000000054c091 in x_decode_color (f=0x24d2c30, color_name=..., mono_color=16777215) at ../../src/xfns.c:495
  #38 0x000000000054c566 in x_set_background_color (f=0x24d2c30, arg=..., oldval=...) at ../../src/xfns.c:638
  #39 0x000000000042d45d in x_set_frame_parameters (f=0x24d2c30, alist=...) at ../../src/frame.c:3152
  #40 0x0000000000431ce6 in x_default_parameter (f=0x24d2c30, alist=..., prop=..., deflt=..., xprop=0x6fd49d "background", xclass=0x6fd908 "Background", type=RES_TYPE_STRING) at ../../src/frame.c:4374
  #41 0x000000000055549d in x_create_tip_frame (dpyinfo=0x1621ee0, parms=..., text=...) at ../../src/xfns.c:5173

This is the tip frame we are creating, its pointer is 0x24d2c30.  But
when we crash, it's for a different frame, whose pointer is 0x13a7e00:

  #0  0x00000000006c9b5c in cache_image (f=0x13a7e00, img=0x249e010) at ../../src/image.c:1775
  #1  0x00000000006c96e3 in lookup_image (f=0x13a7e00, spec=...) at ../../src/image.c:1686

Can you see what is that frame, and why we didn't call
init_frame_faces for it?  Also, which image are we trying to display
here?  Something on the toolbar, perhaps?  Did you move mouse pointer
over a tool-bar button to trigger a tooltip that failed?