Comment 47 for bug 220628

In , Nathaniel Smith (njs) wrote :

Just got another crash, and this time I saved a core file from inside gdk_x_error. It's 250 MB compressed and only useful if you have Ubuntu 8.10 debugging packages available, so I'm not attaching it, but I can provide it on request.

Relevant bit of backtrace:
#5 0x00007f7d774a71ab in _XSyncFunction (dpy=0x8c4c00)
    at ../../src/Synchro.c:37
#6 0x00007f7d774b398b in _XIDHandler (dpy=0x8c4c00) at ../../src/xcb_io.c:275
#7 0x00007f7d77775f77 in XRenderCreatePicture () from /usr/lib/libXrender.so.1

So in _XIDHandler, we have dpy->xcb->next_xid == 57206503. Not an obviously invalid value.

The xid comes from xcb_generate_id, so I peeked in there at the algorithm it uses, and noticed something funny. xcb_generate_id stores its state in the dpy->xcb->connection->xid struct. At the time of the crash, some members of this struct:
  xid.base == 56623104
  xid.inc == 1
  xid.last == 57206504
  xid.max == 57206499

By my reading, it should be impossible for xid.last to exceed xid.max, yet here we are.