bug#21380: 25.0.50; GTK-induced segfault when scheduling timer from window-configuration-change-hook

[Pip Cet]

It appears it's unsafe to schedule an immediate timer in
window-configuration-change-hook:

  (add-hook 'window-configuration-change-hook (lambda () (run-with-timer
                                                          0 nil 'exwm-layout--refresh)))

I saw the following segfault:
#0  0x0000000000547ec0 in XSETCAR (c=0, n=51872517) at lisp.h:1188
#1  0x00000000005efdb3 in concat (nargs=1, args=0x7fffffffd868, target_type=Lisp_Cons, last_special=false) at fns.c:747
#2  0x00000000005ef0f3 in Fcopy_sequence (arg=53371635) at fns.c:510
#3  0x0000000000557252 in timer_check () at keyboard.c:4569
#4  0x0000000000639f1b in wait_reading_process_output (time_limit=30, nsecs=0, read_kbd=-1, do_display=true, wait_for_cell=0, wait_proc=0x0, just_wait_proc=0) at process.c:4611
#5  0x00000000004233b2 in sit_for (timeout=122, reading=true, display_option=1) at dispnew.c:5756
#6  0x0000000000553942 in read_char (commandflag=1, map=53372867, prev_event=0, used_mouse_menu=0x7fffffffe06f, end_time=0x0) at keyboard.c:2775
#7  0x00000000005602ef in read_key_sequence (keybuf=0x7fffffffe220, bufsize=30, prompt=0, dont_downcase_last=false, can_return_switch_frame=true, fix_current_buffer=true, prevent_redisplay=false) at keyboard.c:9139
#8  0x00000000005507b1 in command_loop_1 () at keyboard.c:1406
#9  0x00000000005e77e4 in internal_condition_case (bfun=0x550386 <command_loop_1>, handlers=18912, hfun=0x54fb70 <cmd_error>) at eval.c:1293
#10 0x000000000055008d in command_loop_2 (ignore=0) at keyboard.c:1138
#11 0x00000000005e6fa6 in internal_catch (tag=45264, func=0x550064 <command_loop_2>, arg=0) at eval.c:1057
#12 0x000000000055002f in command_loop () at keyboard.c:1117
#13 0x000000000054f738 in recursive_edit_1 () at keyboard.c:723
#14 0x000000000054f8cc in Frecursive_edit () at keyboard.c:794
#15 0x000000000054d706 in main (argc=5, argv=0x7fffffffe6a8) at emacs.c:1643

Somehow, the argument to Fcopy_sequence was changed while concat was
underway. Further investigation indicates that
window-configuration-change-hook was called in the middle of concat:

Breakpoint 8, run_window_configuration_change_hook (f=0x1718660) at window.c:3141
3141      ptrdiff_t count = SPECPDL_INDEX ();
#0  run_window_configuration_change_hook (f=0x1718660) at window.c:3141
#1  0x0000000000425882 in adjust_frame_size (f=0x1718660, new_width=824, new_height=516, inhibit=5, pretend=false, parameter=13152) at frame.c:599
#2  0x0000000000422c01 in change_frame_size_1 (f=0x1718660, new_width=824, new_height=516, pretend=false, delay=false, safe=false, pixelwise=true) at dispnew.c:5507
#3  0x0000000000422c57 in change_frame_size (f=0x1718660, new_width=824, new_height=516, pretend=false, delay=false, safe=false, pixelwise=true) at dispnew.c:5539
#4  0x0000000000422a2f in do_pending_window_change (safe=false) at dispnew.c:5465
#5  0x0000000000536c22 in xg_frame_resized (f=0x1718660, pixelwidth=842, pixelheight=518) at gtkutil.c:924
#6  0x0000000000518a9f in handle_one_xevent (dpyinfo=0x15b07d0, event=0x7fffffff7210, finish=0xbfaacc, hold_quit=0x7fffffff74a0) at xterm.c:8294
#7  0x0000000000516a69 in event_handler_gdk (gxev=0x7fffffff7210, ev=0x568b410, data="" at xterm.c:7294
#8  0x00007ffff6769661 in gdk_event_apply_filters (xevent=xevent@entry=0x7fffffff7210, event=event@entry=0x568b410, window=window@entry=0x0) at /tmp/buildd/gtk+3.0-3.16.6/./gdk/x11/gdkeventsource.c:81
#9  0x00007ffff6769929 in gdk_event_source_translate_event (xevent=0x7fffffff7210, event_source=0x14e4090) at /tmp/buildd/gtk+3.0-3.16.6/./gdk/x11/gdkeventsource.c:195
#10 _gdk_x11_display_queue_events (display=0x1506050) at /tmp/buildd/gtk+3.0-3.16.6/./gdk/x11/gdkeventsource.c:338
#11 0x00007ffff673cae9 in gdk_display_get_event (display=display@entry=0x1506050) at /tmp/buildd/gtk+3.0-3.16.6/./gdk/gdkdisplay.c:340
#12 0x00007ffff67696e2 in gdk_event_source_dispatch (source=<optimized out>, callback=<optimized out>, user_data=<optimized out>) at /tmp/buildd/gtk+3.0-3.16.6/./gdk/x11/gdkeventsource.c:360
#13 0x00007ffff50bac3d in g_main_dispatch (context=0x14f1f80) at /tmp/buildd/glib2.0-2.44.1/./glib/gmain.c:3122
#14 g_main_context_dispatch (context=context@entry=0x14f1f80) at /tmp/buildd/glib2.0-2.44.1/./glib/gmain.c:3737
#15 0x00007ffff50baf20 in g_main_context_iterate (context=context@entry=0x14f1f80, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at /tmp/buildd/glib2.0-2.44.1/./glib/gmain.c:3808
#16 0x00007ffff50bafcc in g_main_context_iteration (context=0x14f1f80, context@entry=0x0, may_block=may_block@entry=1) at /tmp/buildd/glib2.0-2.44.1/./glib/gmain.c:3869
#17 0x00007ffff6be1ff5 in gtk_main_iteration () at /tmp/buildd/gtk+3.0-3.16.6/./gtk/gtkmain.c:1320
#18 0x0000000000519220 in XTread_socket (terminal=0x11ecdd0, hold_quit=0x7fffffff74a0) at xterm.c:8644
#19 0x000000000055bbe2 in gobble_input () at keyboard.c:6893
#20 0x000000000055bfcc in handle_async_input () at keyboard.c:7145
#21 0x000000000055bfeb in process_pending_signals () at keyboard.c:7159
#22 0x00000000005c3d3a in Fmake_list (length=0, init=0) at alloc.c:2676
#23 0x00000000005ef6f8 in concat (nargs=1, args=0x7fffffff76e8, target_type=Lisp_Cons, last_special=false) at fns.c:642
#24 0x00000000005ef0f3 in Fcopy_sequence (arg=49369891) at fns.c:510
#25 0x0000000000557252 in timer_check () at keyboard.c:4569
#26 0x0000000000555106 in readable_events (flags=1) at keyboard.c:3422
#27 0x000000000055ba2b in get_input_pending (flags=1) at keyboard.c:6808
#28 0x0000000000556a49 in swallow_events (do_display=false) at keyboard.c:4320
#29 0x000000000063af9c in wait_reading_process_output (time_limit=1, nsecs=0, read_kbd=0, do_display=false, wait_for_cell=0, wait_proc=0x2fd6078, just_wait_proc=0) at process.c:4992
#30 0x0000000000638f6c in Faccept_process_output (process=50159736, seconds=6, millisec=0, just_this_one=0) at process.c:4241

I'm not sure whether the bug is in my code (and, if so, how to fix
it—if scheduling an immediate timer isn't safe, what could possibly
be?), in Fmake_list, in QUIT, or in the X or GTK code, but at least
one of them is buggy.

M-x report-emacs-bug information:

I have been unable, so far, to reproduce this bug reliably from `emacs
-Q'.

In GNU Emacs 25.0.50.52 (x86_64-unknown-linux-gnu, GTK+ Version 3.16.6)
 of 2015-08-30
Repository revision: c6af816affb36d512f806725518e6e5f2353b197
Windowing system distributor `The X.Org Foundation', version 11.0.11702000
System Description:    Debian GNU/Linux unstable (sid)

Configured using:
 `configure 'CFLAGS=-O0 -g3''

Configured features:
XPM JPEG TIFF GIF PNG RSVG SOUND DBUS GCONF GSETTINGS NOTIFY LIBSELINUX
GNUTLS LIBXML2 FREETYPE XFT ZLIB TOOLKIT_SCROLL_BARS GTK3 X11

Important settings:
  value of $LANG: en_US.UTF-8
  locale-coding-system: utf-8-unix

Major mode: Text

Minor modes in effect:
  diff-auto-refine-mode: t
  tooltip-mode: t
  global-eldoc-mode: t
  electric-indent-mode: t
  mouse-wheel-mode: t
  tool-bar-mode: t
  menu-bar-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  blink-cursor-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  line-number-mode: t
  transient-mark-mode: t

Load-path shadows:
None found.

Features:
(shadow sort gnus-util mail-extr emacsbug message dired format-spec
rfc822 mml mml-sec mm-decode mm-bodies mm-encode mail-parse rfc2231
mailabbrev gmm-utils mailheader sendmail rfc2047 rfc2045 ietf-drums
mm-util help-fns help-mode cl-loaddefs pcase cl-lib mail-prsvr
mail-utils vc-git diff-mode easymenu easy-mmode time-date mule-util
tooltip eldoc electric uniquify ediff-hook vc-hooks lisp-float-type
mwheel x-win term/common-win x-dnd tool-bar dnd fontset image regexp-opt
fringe tabulated-list newcomment elisp-mode lisp-mode prog-mode register
page menu-bar rfn-eshadow timer select scroll-bar mouse jit-lock
font-lock syntax facemenu font-core frame cl-generic cham georgian
utf-8-lang misc-lang vietnamese tibetan thai tai-viet lao korean
japanese eucjp-ms cp51932 hebrew greek romanian slovak czech european
ethiopic indian cyrillic chinese charscript case-table epa-hook
jka-cmpr-hook help simple abbrev minibuffer cl-preloaded nadvice
loaddefs button faces cus-face macroexp files text-properties overlay
sha1 md5 base64 format env code-pages mule custom widget
hashtable-print-readable backquote dbusbind inotify dynamic-setting
system-font-setting font-render-setting move-toolbar gtk x-toolkit x
multi-tty make-network-process emacs)

Memory information:
((conses 16 84908 4447)
 (symbols 48 19432 0)
 (miscs 40 43 147)
 (strings 32 14795 4332)
 (string-bytes 1 417071)
 (vectors 16 11731)
 (vector-slots 8 419664 4375)
 (floats 8 138 302)
 (intervals 56 225 13)
 (buffers 976 12)
 (heap 1024 19426 1811))