Comment 18 for bug 774978

Albert Damen (albrt) wrote : Re: xserver seg'd [945GM]

I have tracked down the crash a bit further, by adding debug prints when input buffers are freed.

[ 18735.941] REQUEST: ClientIDX: 6, type: 0x89 data: 0xa len: 8 buffer: 0x7fba90fa8010 name: DRI2
[ 18735.943] Add buffer to FreeInputs, aci: 0x2e7d8c0 buffer: 0x7fba90fa8010
[ 18735.943] REQUEST: ClientIDX: 32, type: 0x35 data: 0x18 len: 4 buffer: 0x7fba90fa8010 name: CreatePixmap
[ 18735.943] REQUEST: ClientIDX: 32, type: 0x37 data: 0x7 len: 4 buffer: 0x7fba90fa8020 name: CreateGC
[ 18735.943] Reallocating to make buffer bigger, oci->buffer: 0x7fba90fa8010
** Here the requestbuffer used by the compiz DRI2WaitMSC request gets freed
[ 18735.943] REQUEST: ClientIDX: 32, type: 0x48 data: 0x2 len: 23670 buffer: 0x7fba92a5d010 name: PutImage
[ 18735.944] Reallocating to free up space, oci->buffer: 0x7fba92a5d010
[ 18735.960] REPLY: ClientIDX: 6 buffer: 0x7fba90fa8010 Xreply: type: 0x1 data: 0xff len: 0 seq#: 0x17aa
** here we get the use after free segfault
[ 18867.362] Segmentation fault at address 0x7fba90fa8010

idx 6 is compiz, idx 32 is calibre

In maverick I didn't see the RecordAReply calls at all. It turns out these are enabled by xserver-xorg-input-synaptics in natty. After removing xxi-synaptics I no longer see the RecordAReply calls and the crash does not happen anymore.
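The sequence in the log above, as an added example that is not the reporter's code nor xorg-server code: a reply is deferred (as for the DRI2 request), the deferred state keeps a raw pointer into the client's input buffer, a later request makes the server reallocate that buffer, and the reply hook then reads through the stale pointer. A small bump arena stands in for the real allocator so the stale read stays defined behaviour and can be observed; the struct layout, sizes, the 0xDD poison and the payload value are constructed for the example, and the arena always moves the block on growth, which real realloc only sometimes does.

```c
/* Added example, not xorg-server code: toy model of a deferred reply
 * reading a request buffer that was reallocated (freed) in between.
 * A fixed arena replaces the allocator so the stale read is defined
 * behaviour; layouts, sizes and values are constructed for the example. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ARENA_SIZE 256
#define POISON     0xDD

static uint8_t arena[ARENA_SIZE];
static size_t  arena_top;

/* Bump "realloc": the new block is always elsewhere, and the old block is
 * poisoned, as a freed chunk is soon overwritten by later requests. */
static uint8_t *arena_realloc(uint8_t *old, size_t oldsz, size_t newsz)
{
    uint8_t *p = arena + arena_top;
    arena_top += newsz;
    if (old) {
        memcpy(p, old, oldsz);
        memset(old, POISON, oldsz);
    }
    return p;
}

/* Wire form of a request (constructed): opcode, padding, 32-bit payload. */
struct req {
    uint8_t  type;
    uint8_t  pad[3];
    uint32_t payload;
};

/* Per-client input state: buffer may move whenever the server grows it. */
struct client {
    uint8_t *buffer;
    size_t   size;
};

/* Deferred-reply state consulted when the reply is finally sent. */
struct deferred {
    const uint8_t *raw;   /* VULNERABLE: points into client->buffer */
    struct req     copy;  /* FIXED: snapshot taken when the reply was deferred */
};

static void defer_reply(struct deferred *d, const struct client *c)
{
    d->raw = c->buffer;
    memcpy(&d->copy, c->buffer, sizeof d->copy);
}

/* A later, larger request forces the buffer to grow; the old block is freed. */
static void grow_buffer(struct client *c, size_t newsz)
{
    c->buffer = arena_realloc(c->buffer, c->size, newsz);
    c->size   = newsz;
}

/* What a reply hook logs from the originating request, both ways. */
static uint32_t record_reply_vulnerable(const struct deferred *d)
{
    struct req r;
    memcpy(&r, d->raw, sizeof r);   /* reads freed (poisoned) memory */
    return r.payload;
}

static uint32_t record_reply_fixed(const struct deferred *d)
{
    return d->copy.payload;
}

/* Defer, grow the buffer, record the reply. Returns the payload seen. */
static uint32_t run_scenario(int fixed)
{
    struct client   c = { NULL, 0 };
    struct deferred d;
    struct req      r = { 0x89, { 0, 0, 0 }, 0x17aa };   /* constructed */

    arena_top = 0;
    grow_buffer(&c, sizeof r);           /* initial input buffer */
    memcpy(c.buffer, &r, sizeof r);      /* the deferred request arrives */
    defer_reply(&d, &c);
    grow_buffer(&c, 64);                 /* "Reallocating to make buffer bigger" */
    return fixed ? record_reply_fixed(&d) : record_reply_vulnerable(&d);
}

int main(void)
{
    printf("vulnerable: 0x%08x\n", run_scenario(0));
    printf("fixed:      0x%08x\n", run_scenario(1));
    return 0;
}
```

The vulnerable path returns the poison pattern instead of the original payload; the fixed path copies whatever the hook will need at the moment the reply is deferred, so the lifetime of the input buffer no longer matters. Any real fix in the server would have to make the same choice: either copy the request before deferring, or never let a deferred reply hold a pointer into a buffer the request loop owns.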