If you put a breakpoint in lookup_image, on the line indicated below:
ptrdiff_t
lookup_image (struct frame *f, Lisp_Object spec, int face_id)
{
struct image *img;
EMACS_UINT hash;
struct face *face = (face_id >= 0) ? FACE_FROM_ID (f, face_id)
: FACE_FROM_ID (f, DEFAULT_FACE_ID);
unsigned long foreground = FACE_COLOR_TO_PIXEL (face->foreground, f); <<<<
unsigned long background = FACE_COLOR_TO_PIXEL (face->background, f);
and condition the breakpoint by face == 0, does it break before the
crash when you perform the steps that reproduces the problem?
If 'face' is a NULL pointer there (as your backtrace shows), the next
line will segfault, and the rest is more-or-less clear. What I don't
understand is this part:
#11 0x00000004002c86e5 in lookup_image (f=0x5123410, spec=XIL(0xbc42793),
face_id=0xffffffff) at C:/emacs/git/emacs/master/src/image.c:2334
Why does face_id have the value 0xffffffff? The caller passes -1: