I think the problem is the call to do_pending_window_change in xg_frame_resized in gtkutil.c: the commit message (commit 3477e27021db) says: Author: Martin Rudalics AuthorDate: Sun Jul 27 15:21:30 2014 +0200 Commit: Martin Rudalics CommitDate: Sun Jul 27 15:21:30 2014 +0200 Complete pixelwise frame/window resizing, add horizontal scrollbar support. [...] * gtkutil.c (xg_frame_resized): Don't call do_pending_window_change. but the diff is: @@ -883,6 +884,8 @@ xg_frame_resized (struct frame *f, int pixelwidth, int pixelheight) change_frame_size (f, width, height, 0, 1, 0, 1); SET_FRAME_GARBAGED (f); cancel_mouse_face (f); + + do_pending_window_change (0); } } And my current understanding is this bug would not occur if that call were removed. The same issue applies to the change to x_set_window_size, but I'm not certain about removing either call. On Sun, Aug 30, 2015 at 3:27 PM, Pip Cet wrote: > I forgot to make clear that I verified with gdb that args[0] == > Vtimer_list. And if there's anything else you would like me to debug, > please let me know. It's very unfortunate I can't reproduce it with emacs > -Q and I realize that makes it impossible for you to deal with this bug > except through information I provide. > > Thanks for trying anyway, > Pip > > On Sun, Aug 30, 2015 at 3:24 PM, Pip Cet wrote: > >> >> >> On Sun, Aug 30, 2015 at 3:01 PM, Eli Zaretskii wrote: >> >>> > Date: Sun, 30 Aug 2015 12:51:26 +0000 >>> > From: Pip Cet >>> > Somehow, the argument to Fcopy_sequence was changed while concat was >>> > underway. >>> >>> How do you see that? >>> >> >> I originally concluded it was the only way to trigger the bug, but I just >> managed to trigger it again and have it open in a GDB session: >> >> #1 0x00000000005efdb3 in concat (nargs=1, args=0x7fffffff76e8, >> target_type=Lisp_Cons, last_special=false) at fns.c:747 >> 747 XSETCAR (tail, elt); >> (gdb) p result_len >> $22 = 4 >> (gdb) p debug_print(Flength(args[0])) >> 5 >> $23 = void >> (gdb) >> >> >>> > Further investigation indicates that >>> > window-configuration-change-hook was called in the middle of concat: >>> >>> Did you understand how this fact is related to the segfault? >>> >> >> I _think_ I do. >> >> 1. concat called with args[0] == Vtimer_list >> 2. concat stores result_len (=4) >> 3. concat calls make_list (4) >> 4. make_list interrupted by QUIT >> 5. see stack trace >> 6. window-configuration-change-hook modifies Vtimer_list, which now has >> length 5 >> 7. control returns to concat >> 8. concat tries to write 5 elements into a 4-element list, which causes >> the segfault because `tail' is unexpectedly NULL. >> >> Does that make sense to you? >> >> Thanks, >> Pip >> > >