This is a segfault during GC, in mark_object.

1. Start emacs

$ emacs -Q

2. Call some code which kills and creates a frame between 2 and 25 
times.

This segfault is reasonably straightforward to reproduce, I can cause 
the crash within 2 minutes of starting emacs.

On the emacs-24 branch, this seems to occur in mark_object. The issue is 
also found on the trunk branch so I have supplied details of this also, 
however the backtrace is slightly different.

The issue may relate to bugs #15583 and #17168.

Finally, I have a core dumps which I don't mind sharing for both of 
these crashes which are ~350MB each, please ask.

Regards,
Mat

System Info:

In GNU Emacs 24.3.92.3 (x86_64-unknown-linux-gnu, GTK+ Version 3.10.8)
  of 2014-08-03 on zz
Windowing system distributor `The X.Org Foundation', version 
11.0.11501000
System Description:	Ubuntu 14.04 LTS

Important settings:
   value of $LC_CTYPE: en_US.UTF-8
   value of $LANG: en_US.UTF-8
   value of $XMODIFIERS: @im=ibus
   locale-coding-system: utf-8-unix

Details of the two segfaults:

Crash on emacs-24 branch
(gdb) p Fsymbol_value(intern("emacs-bzr-version"))
$3 = 12112050
Attachment: backtrace.6212 (Output from bt full)

Crash on trunk:
(gdb) p Fsymbol_value(intern("emacs-bzr-version"))
$1 = 12341426
Attachment: backtrace.6069

2 shorter backtraces follow:

6212 - (gdb) bt full 6
#0  mark_object (arg=<optimized out>) at alloc.c:6248
         obj = 139640014399843
         cdr_count = 0
#1  0x000000000053b8a0 in Fgarbage_collect () at alloc.c:5647
         nextb = 0x19a2c10
         stack_top_variable = 0 '\000'
         i = <optimized out>
         message_p = false
         retval = <optimized out>
         tot_before = 0
#2  0x00000000005534d2 in maybe_gc () at lisp.h:4564
No locals.
#3  Ffuncall (nargs=5, args=0x7fffffffc738) at eval.c:2766
         fun = <optimized out>
         original_fun = <optimized out>
         numargs = 4
         val = <optimized out>
         internal_args = <optimized out>
         i = <optimized out>
#4  0x00000000005878e5 in exec_byte_code (bytestr=3, vector=2866666, 
maxdepth=182,
     args_template=12112050, nargs=140737488340816, args=0x5) at 
bytecode.c:916
         targets = {0x58797c <exec_byte_code+988>, 0x58813f 
<exec_byte_code+2975>,
           0x588144 <exec_byte_code+2980>, 0x588149 
<exec_byte_code+2985>,
           0x587772 <exec_byte_code+466>, 0x587778 <exec_byte_code+472>,
           0x588919 <exec_byte_code+4985>, 0x588956 
<exec_byte_code+5046>,
           0x5889d8 <exec_byte_code+5176>, 0x5889dd 
<exec_byte_code+5181>,
           0x5889a7 <exec_byte_code+5127>, 0x5889ac 
<exec_byte_code+5132>,
           0x5877a9 <exec_byte_code+521>, 0x5877b0 <exec_byte_code+528>,
           0x587e17 <exec_byte_code+2167>, 0x5889b1 
<exec_byte_code+5137>,
           0x587f83 <exec_byte_code+2531>, 0x587f88 
<exec_byte_code+2536>,
           0x588005 <exec_byte_code+2661>, 0x58800a 
<exec_byte_code+2666>,
           0x587815 <exec_byte_code+629>, 0x587818 <exec_byte_code+632>,
           0x587fb4 <exec_byte_code+2580>, 0x587f8d 
<exec_byte_code+2541>,
           0x588036 <exec_byte_code+2710>, 0x58803b 
<exec_byte_code+2715>,
           0x588040 <exec_byte_code+2720>, 0x588045 
<exec_byte_code+2725>,
           0x587881 <exec_byte_code+737>, 0x587888 <exec_byte_code+744>,
           0x587ff0 <exec_byte_code+2640>, 0x58800f 
<exec_byte_code+2671>,
           0x588091 <exec_byte_code+2801>, 0x588096 
<exec_byte_code+2806>,
           0x58809b <exec_byte_code+2811>, 0x5880a5 
<exec_byte_code+2821>,
           0x5878c3 <exec_byte_code+803>, 0x5878c8 <exec_byte_code+808>,
           0x588055 <exec_byte_code+2741>, 0x58806a 
<exec_byte_code+2762>,
           0x5879f2 <exec_byte_code+1106>, 0x5879f7 
<exec_byte_code+1111>,
           0x5879fc <exec_byte_code+1116>, 0x5880ca 
<exec_byte_code+2858>,
           0x587905 <exec_byte_code+869>, 0x587908 <exec_byte_code+872>,
           0x5880b5 <exec_byte_code+2837>, 0x5879cb 
<exec_byte_code+1067>,
           0x58881e <exec_byte_code+4734>, 0x588813 
<exec_byte_code+4723>,
           0x58871f <exec_byte_code+4479>, 0x58797c <exec_byte_code+988>,
           0x58797c <exec_byte_code+988>, 0x58797c <exec_byte_code+988>,
           0x58797c <exec_byte_code+988>, 0x58797c <exec_byte_code+988>,
           0x588b3e <exec_byte_code+5534>, 0x588bcc 
<exec_byte_code+5676>,
           0x588c03 <exec_byte_code+5731>, 0x588c3a 
<exec_byte_code+5786>,
           0x588c71 <exec_byte_code+5841>, 0x587eda 
<exec_byte_code+2362>,
           0x587f14 <exec_byte_code+2420>, 0x588cb2 
<exec_byte_code+5906>,
           0x587e9f <exec_byte_code+2303>, 0x587f48 
<exec_byte_code+2472>,
           0x588ce4 <exec_byte_code+5956>, 0x588d18 
<exec_byte_code+6008>,
           0x588d40 <exec_byte_code+6048>, 0x588d74 
<exec_byte_code+6100>,
           0x588da9 <exec_byte_code+6153>, 0x588e20 
<exec_byte_code+6272>,
           0x588e48 <exec_byte_code+6312>, 0x588e7c 
<exec_byte_code+6364>,
           0x588eb4 <exec_byte_code+6420>, 0x588edc 
<exec_byte_code+6460>,
           0x588f04 <exec_byte_code+6500>, 0x588f38 
<exec_byte_code+6552>,
           0x588f6c <exec_byte_code+6604>, 0x588fa0 
<exec_byte_code+6656>,
           0x588fd8 <exec_byte_code+6712>, 0x58900d 
<exec_byte_code+6765>,
           0x589042 <exec_byte_code+6818>, 0x5890b9 
<exec_byte_code+6937>,
           0x5890f2 <exec_byte_code+6994>, 0x58912b 
<exec_byte_code+7051>,
           0x589244 <exec_byte_code+7332>, 0x5891d2 
<exec_byte_code+7218>,
           0x58920b <exec_byte_code+7275>, 0x58927d 
<exec_byte_code+7389>,
           0x5892b6 <exec_byte_code+7446>, 0x5892eb 
<exec_byte_code+7499>,
           0x58931d <exec_byte_code+7549>, 0x589352 
<exec_byte_code+7602>,
           0x589387 <exec_byte_code+7655>, 0x5893bc 
<exec_byte_code+7708>,
           0x58945a <exec_byte_code+7866>, 0x58794d <exec_byte_code+941>,
           0x589490 <exec_byte_code+7920>, 0x5894b8 
<exec_byte_code+7960>,
           0x589527 <exec_byte_code+8071>, 0x58955d 
<exec_byte_code+8125>,
           0x589593 <exec_byte_code+8179>, 0x5895bb 
<exec_byte_code+8219>,
           0x5895e5 <exec_byte_code+8261>, 0x58960f 
<exec_byte_code+8303>,
           0x58963c <exec_byte_code+8348>, 0x58797c <exec_byte_code+988>,
           0x58966b <exec_byte_code+8395>, 0x589698 
<exec_byte_code+8440>,
           0x5896c5 <exec_byte_code+8485>, 0x5896f2 
<exec_byte_code+8530>,
           0x58971f <exec_byte_code+8575>, 0x58974c 
<exec_byte_code+8620>,
           0x58794d <exec_byte_code+941>, 0x58797c <exec_byte_code+988>,
           0x589774 <exec_byte_code+8660>, 0x5897b3 
<exec_byte_code+8723>,
           0x5897db <exec_byte_code+8763>, 0x589803 
<exec_byte_code+8803>,
           0x589837 <exec_byte_code+8855>, 0x58986b 
<exec_byte_code+8907>,
           0x5882f2 <exec_byte_code+3410>, 0x5883c8 
<exec_byte_code+3624>,
           0x589a74 <exec_byte_code+9428>, 0x589aa8 
<exec_byte_code+9480>,
           0x5883fc <exec_byte_code+3676>, 0x588429 
<exec_byte_code+3721>,
           0x58797c <exec_byte_code+988>, 0x58866b <exec_byte_code+4299>,
           0x587a05 <exec_byte_code+1125>, 0x587e2c 
<exec_byte_code+2188>,
           0x587c71 <exec_byte_code+1745>, 0x587b13 
<exec_byte_code+1395>,
           0x587d73 <exec_byte_code+2003>, 0x5885f7 
<exec_byte_code+4183>,
           0x58864a <exec_byte_code+4266>, 0x587fc9 
<exec_byte_code+2601>,
           0x58853c <exec_byte_code+3996>, 0x5884de 
<exec_byte_code+3902>,
           0x5886b7 <exec_byte_code+4375>, 0x5886e6 
<exec_byte_code+4422>,
           0x58884d <exec_byte_code+4781>, 0x588899 
<exec_byte_code+4857>,
           0x5888d1 <exec_byte_code+4913>, 0x588ae8 
<exec_byte_code+5448>,
           0x5884b1 <exec_byte_code+3857>, 0x588451 
<exec_byte_code+3761>,
           0x588489 <exec_byte_code+3817>, 0x589893 
<exec_byte_code+8947>,
           0x5898bb <exec_byte_code+8987>, 0x5898e3 
<exec_byte_code+9027>,
           0x58990b <exec_byte_code+9067>, 0x58993f 
<exec_byte_code+9119>,
           0x589973 <exec_byte_code+9171>, 0x5899a7 
<exec_byte_code+9223>,
           0x5899db <exec_byte_code+9275>, 0x588155 
<exec_byte_code+2997>,
           0x588189 <exec_byte_code+3049>, 0x5881bd 
<exec_byte_code+3101>,
           0x5881e5 <exec_byte_code+3141>, 0x588219 
<exec_byte_code+3193>,
           0x58824d <exec_byte_code+3245>, 0x588285 
<exec_byte_code+3301>,
           0x5882bd <exec_byte_code+3357>, 0x5893f1 
<exec_byte_code+7761>,
           0x589426 <exec_byte_code+7814>, 0x5880cf 
<exec_byte_code+2863>,
           0x58810d <exec_byte_code+2925>, 0x58797c <exec_byte_code+988>,
           0x587a99 <exec_byte_code+1273>, 0x587d18 
<exec_byte_code+1912>,
           0x587b83 <exec_byte_code+1507>, 0x587c0e 
<exec_byte_code+1646>,
           0x58856b <exec_byte_code+4043>, 0x588dde 
<exec_byte_code+6206>,
           0x589077 <exec_byte_code+6871>, 0x5894e5 
<exec_byte_code+8005>,
           0x5889e2 <exec_byte_code+5186>, 0x588a1f 
<exec_byte_code+5247>,
           0x58797c <exec_byte_code+988>, 0x58797c <exec_byte_code+988>,
           0x588a70 <exec_byte_code+5328>, 0x58797c <exec_byte_code+988>,
           0x58797c <exec_byte_code+988>, 0x58797c <exec_byte_code+988>,
           0x58797c <exec_byte_code+988>, 0x58797c <exec_byte_code+988>,
           0x58797c <exec_byte_code+988>, 0x58797c <exec_byte_code+988>,
           0x58797c <exec_byte_code+988>, 0x58797c <exec_byte_code+988>,
           0x588ab8 <exec_byte_code+5400> <repeats 64 times>}
         stack = {
           pc = 0xac48b8 <pure+2671224> "\207",
           byte_string = 9140745,
           byte_string_start = 0xac486b <pure+2671147> 
"\303\304\b\t\b\305=\203E",
           next = 0x7fffffffc9e0
         }
         result = 3
         type = (unknown: 4294952784)
#5  0x000000000055318f in funcall_lambda (fun=9140701, 
nargs=nargs@entry=2,
     arg_vector=arg_vector@entry=0x7fffffffc990) at eval.c:3049
         val = <optimized out>
         syms_left = 12112050
         lexenv = 12112050
         i = <optimized out>
         optional = <optimized out>
         rest = <optimized out>
(More stack frames follow...)

Lisp Backtrace:
"Automatic GC" (0xb73088)
"apply" (0xffffc740)
"face-spec-reset-face" (0xffffc990)
"face-spec-recalc" (0xffffcb40)
"byte-code" (0xffffcc30)
"face-set-after-frame-default" (0xffffcf20)
"x-create-frame-with-faces" (0xffffd0d0)
"make-frame" (0xffffd200)
"let*" (0xffffd3f8)
"setq" (0xffffd4e8)
"stupider-speed-read" (0xffffd6c8)
"call-interactively" (0xffffd8d0)
"command-execute" (0xffffda40)
"execute-extended-command" (0xffffdba8)
"call-interactively" (0xffffde20)
"command-execute" (0xffffdf68)

6069 - (gdb) bt full 6
**** bt full 6
#0  XCAR (c=3255377271362580334) at lisp.h:1052
No locals.
#1  compact_undo_list (list=3255377271362580334) at alloc.c:5506
         tail = 3255377271362580334
         prev = 0x7fffffffb678
#2  garbage_collect_1 (end=0x7fffffffb668) at alloc.c:5675
         nextb = 0x194b800
         i = <optimized out>
         retval = <optimized out>
         stack_top_variable = 0 '\000'
         message_p = false
         tot_before = 0
#3  Fgarbage_collect () at alloc.c:5896
         end = 0x7fffffffb668
#4  0x0000000000558ee2 in maybe_gc () at lisp.h:4547
No locals.
#5  Ffuncall (nargs=2, args=0x7fffffffb7f8) at eval.c:2759
         fun = <optimized out>
         original_fun = <optimized out>
         numargs = 1
         val = <optimized out>
         internal_args = <optimized out>
         i = <optimized out>
(More stack frames follow...)

Lisp Backtrace:
"Automatic GC" (0xbaa970)
"purecopy" (0xffffb800)
"set-face-attribute" (0xffffb9b8)
"apply" (0xffffbbc0)
"face-spec-reset-face" (0xffffbe10)
"face-spec-recalc" (0xffffbfc0)
"byte-code" (0xffffc0b0)
"face-set-after-frame-default" (0xffffc3a0)
"x-create-frame-with-faces" (0xffffc550)
"make-frame" (0xffffc680)
"let*" (0xffffc878)
"setq" (0xffffc968)
"stupider-speed-read" (0xffffcbf0)
"funcall-interactively" (0xffffcbe8)
"call-interactively" (0xffffce20)
"command-execute" (0xffffcf90)
"execute-extended-command" (0xffffd190)
"funcall-interactively" (0xffffd188)
"call-interactively" (0xffffd3f0)
"command-execute" (0xffffd538)
"call-last-kbd-macro" (0xffffd780)
"kmacro-call-macro" (0xffffd970)
"kmacro-end-and-call-macro" (0xffffdc00)
"funcall-interactively" (0xffffdbf8)
"call-interactively" (0xffffde00)
"command-execute" (0xffffdf48)