> The recipe in effect invokes undefined behavior in posn-at-point,
> because fci-mode uses a zero-length (a.k.a. "empty") overlay to
> place, in a very convoluted way, a stretch of whitespace followed
> by an image, before the newline.
[snip]
> Since the buffer position of the newline is not "covered" by the
> empty overlay, Emacs happily stops when it reaches the newline,
> oblivious to the fact that on the way it produced the stretch
> glyph of a very large width.

I'm not sure it's due to the overlay having zero length.  Here's a minimal recipe that provokes the same behavior using a overlay of length 1 (covering the newline):

(progn
  (delete-all-overlays)
  (goto-char (point-min))
  (insert "\n")
  (setq o (make-overlay 1 2)
        s (propertize " "
                      'display '(space :align-to 10)
                      'cursor t))
  (overlay-put o 'before-string s)
  (goto-char (point-min))
  (setq col (car (posn-col-row (posn-at-point (point)))))
  (message (concat "Current column: " (number-to-string col))))