Comment 9 for bug 205979

Bryce Harrington (bryce) wrote:

Pascal, excellent, thanks for getting the backtrace and testing with another keyboard, this has really narrowed down the issue.

So, looking at the backtrace I see what's going on:

_XkbFreeGeomNonLeafElems(...) {
    ...
    if (freeFunc) {
        ptr= *elems;
        ptr+= first*elem_sz;
        for (i=0;i<count;i++) {
            (*freeFunc)(ptr);
            ptr+= elem_sz;
        }
    }

ptr is not checked for being NULL, and is getting passed to freeFunc() (a function pointer to _XkbClearRow):

#3 0x081aa85c in _XkbClearRow (row_in=0x0) at ../../xkb/XKBGAlloc.c:342

Then _XkbClearRow tries dereferencing the NULL pointer:

static void
_XkbClearRow(char *row_in)
{
XkbRowPtr row= (XkbRowPtr)row_in;

    if (row->keys!=NULL)
        XkbFreeGeomKeys(row,0,row->num_keys,True);
    return;
}

I bet that call should be something like:

    if (row && row->keys!=NULL)

The code doesn't seem to be fixed in current git either, near as I can tell. We can forward this upstream.
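To make the failure mode concrete, here is an added example (not code from the bug report or from the X server) that models the two functions above on a constructed Row type. It mirrors the element-walking loop of _XkbFreeGeomNonLeafElems and a clear_row callback with the NULL guard suggested in the comment, and additionally checks *elems before doing pointer arithmetic in the caller; that caller-side check is an assumption about where the robust fix belongs, not something taken from upstream. The struct, function and counter names are hypothetical.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for XkbRowRec: a row owns a heap array of keys. */
typedef struct {
    int *keys;
    int num_keys;
} Row;

/* How many times the clear callback was handed a NULL element pointer. */
static int null_elems_seen = 0;

/* Guarded form of the _XkbClearRow pattern: a NULL element pointer is
 * counted and skipped instead of being dereferenced. */
static void clear_row(char *row_in)
{
    Row *row = (Row *)row_in;
    if (row == NULL) {
        null_elems_seen++;
        return;
    }
    if (row->keys != NULL) {
        free(row->keys);
        row->keys = NULL;
        row->num_keys = 0;
    }
}

/* Model of _XkbFreeGeomNonLeafElems: walk `count` elements of size elem_sz,
 * starting at index `first` in the array *elems, calling freeFunc on each.
 * The *elems != NULL check is the assumed caller-side guard; without it a
 * geometry whose row count is non-zero but whose rows array was never
 * allocated hands NULL to the callback. Returns the number of callback calls. */
static int free_non_leaf_elems(char **elems, int first, int count,
                               size_t elem_sz, void (*freeFunc)(char *))
{
    int calls = 0;
    if (freeFunc && *elems != NULL) {
        char *ptr = *elems;
        ptr += first * elem_sz;
        for (int i = 0; i < count; i++) {
            (*freeFunc)(ptr);
            ptr += elem_sz;
            calls++;
        }
    }
    return calls;
}

/* Scenario from the backtrace: the record claims two rows but the rows
 * array pointer is NULL. Nothing is freed and nothing is dereferenced. */
static int scenario_rows_array_is_null(void)
{
    char *rows = NULL;
    return free_non_leaf_elems(&rows, 0, 2, sizeof(Row), clear_row);
}

/* Normal scenario: two rows each owning keys; both must end up cleared.
 * Returns the number of callback calls, or -1 if a row was left uncleared. */
static int scenario_two_rows(void)
{
    Row *rows = calloc(2, sizeof(Row));
    rows[0].keys = malloc(3 * sizeof(int));
    rows[0].num_keys = 3;
    rows[1].keys = malloc(1 * sizeof(int));
    rows[1].num_keys = 1;
    char *base = (char *)rows;
    int calls = free_non_leaf_elems(&base, 0, 2, sizeof(Row), clear_row);
    int all_cleared = (rows[0].keys == NULL && rows[1].keys == NULL);
    free(rows);
    return all_cleared ? calls : -1;
}

int main(void)
{
    printf("NULL rows array: %d callback calls\n", scenario_rows_array_is_null());
    printf("two rows: %d callback calls\n", scenario_two_rows());
    clear_row(NULL);
    printf("direct NULL to clear_row: skipped %d time(s)\n", null_elems_seen);
    return 0;
}
```

The callback guard alone only protects against a NULL being passed in directly; once *elems is non-NULL the loop never produces a NULL element pointer, so the check on the array pointer is what actually prevents the walk in the crashing case.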