This bug is introduced by commit 373df66 for optimizing &REST arguments.
The (CAR ARGS) in #'TEST is source-transformed to
(%REST-REF 0 ARGS #:REST-CONTEXT #:REST-COUNT), which might (in the optimized case) finally be ir1-transformed to
(%MORE-ARG #:REST-CONTEXT 0) for accessing the CAR of ARGS in the more context.
The bad thing is that %MORE-ARG can't check the context boundary itself, and %REST-REF doesn't help it either.
Unfortunately, a more context won't be established if the caller of #'TEST doesn't supply any rest arguments; see COPY-MORE-ARG.
This bug is just that case. %MORE-ARG accesses a stack area which is not a more context at all; any unexpected low-level bits can be returned as the CAR of ARGS, including things that are not a Lisp object.
The same bug, for the same reason, also happens in NTH and ELT. Try:
  (defun test (n &rest args)
    (nth n args))
  (loop for i from 0 to 1000 collect (test i))
I'm not very familiar with the more context actually, so I want to make sure I don't have a misunderstanding. To fix the bug,
is it OK to let %REST-ARGS check the context boundary,
or is it better to extend %MORE-ARG to check the context boundary,
or is it better to change %MORE-ARG-CONTEXT to return (values NIL 0) if no context is established?
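A regression-style check for the boundary case described above, added here as an example and not part of the original bug report or of SBCL's own test suite. It exercises CAR, NTH and ELT on an &REST list when the caller passes no rest arguments at all (the case where no more context is established) and asserts the conforming behaviour: CAR and NTH fall off the end of the empty list as NIL, and ELT signals an error in safe code instead of returning whatever happens to be on the stack. The function names REST-CAR, REST-NTH, REST-ELT and CHECK-REST-BOUNDARY are constructed for this example.

```lisp
;;; Added regression check; the helper names are constructed for this example.
;;; Each helper takes an &REST list and reads past its end when called with
;;; no rest arguments, which is exactly the case where COPY-MORE-ARG
;;; establishes no more context.

(declaim (optimize (safety 1) (speed 1)))

(defun rest-car (&rest args)
  (car args))

(defun rest-nth (n &rest args)
  (nth n args))

(defun rest-elt (n &rest args)
  (elt args n))

(defun check-rest-boundary (&optional (limit 1000))
  "Return T when every accessor stays inside the (empty) rest list for
indices 0..LIMIT, NIL otherwise.  A non-NIL, non-list value or an
unexpected object from CAR/NTH, or a returned value from ELT, means raw
stack bits leaked out as a Lisp object."
  (and (null (rest-car))
       ;; NTH past the end of a proper list is defined to return NIL.
       (loop for i from 0 to limit
             always (null (rest-nth i)))
       ;; ELT past the end must signal an error, never return garbage.
       (loop for i from 0 to limit
             always (handler-case (progn (rest-elt i) nil)
                      (error () t)))))

;;; Usage:  (check-rest-boundary)  => T on a correct build
```

Run CHECK-REST-BOUNDARY in the same image where the original reproducer is loaded; because the functions are compiled with the default rest-argument optimization, a build carrying the bug can return non-NIL junk from REST-CAR or REST-NTH, and the check then returns NIL rather than T.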