On Tue, Sep 1, 2015 at 4:57 PM, Eli Zaretskii <eliz@gnu.org> wrote:
> > Date: Tue, 1 Sep 2015 16:43:13 +0000
> > From: Pip Cet <pipcet@gmail.com>
> >
> > Launch emacs -Q.
> >
> > C-x C-f emacs-bug-038.el
> > M-x eval-buffer
> >
> > Wait for approximately one minute.
>
> I waited for 1.5 minutes, and saw no crash.  But that doesn't surprise
> me, since these problems are very elusive.

Well, obviously it's a race condition and happens randomly. It certainly seems to be running a lot longer with the debugging code you requested...
 
> > 26484   if (it->what == IT_CHARACTER)
> > 26485     {
> > 26486       XChar2b char2b;
> > 26487       struct face *face = FACE_FROM_ID (it->f, it->face_id);
> > 26488       struct font *font = face->font;
> > 26489       struct font_metrics *pcm = NULL;
> > 26490       int boff;                 /* Baseline offset.  */
> > 26491
> > 26492       if (font == NULL)
> > (gdb) p face
> > $1 = (struct face *) 0x0
> > (gdb) p it->face_id
> > $2 = 18
> > (gdb) p it->f->face_cache->used
> > $3 = 15
>
> This is another incarnation of several similar crashes we've seen for
> the past year or so (you can see them on the bug tracker).

I hope you're right, obviously. I'll try finding them on the bug tracker, but if you have bug #s that would be very much appreciated.
 
> If you can somehow produce a trace of face caching and un-caching in
> this recipe, with backtraces to show who calls those, perhaps we could
> finally nail this sucker.

I think I've got what you want here. However, I'm not sure how far back in the log is relevant to you; I'm attaching the end of the log here, but will send the full log by private email, if that's okay?

I've used these gdb commands:

----
b free_realized_faces
b uncache_face
b cache_face
command 1
bt
c
end
command 2
p c->used
bt
c
end
command 3
p c->used
bt
c
end
----

Please feel free to respond with a list of alternative commands, and I'll be happy to attempt producing another backtrace here.

I'm currently trying with the same commands with .gdbinit loaded, so we have xbacktraces, but xbacktrace is really slow so it might take a while (or never trigger the bug, obviously). It appears to be slower by about a factor of 100, so this will probably run for a few hours.