<html>
    <head>
      <base href="https://bugs.freedesktop.org/" />
    </head>
    <body>
      <p>
        <div>
            <b><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - xserver crash in gtk+ application"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=90940#c6">Comment # 6</a>
              on <a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - xserver crash in gtk+ application"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=90940">bug 90940</a>
              from <span class="vcard"><a class="email" href="mailto:chris@chris-wilson.co.uk" title="Chris Wilson <chris@chris-wilson.co.uk>"> <span class="fn">Chris Wilson</span></a>
</span></b>
        <pre>Definitely looks like if we overflow the rects_embedded array we would cause
that crash. Can you apply

diff --git a/src/sna/sna_tiling.c b/src/sna/sna_tiling.c
index 308efc0..e4796ec 100644
--- a/src/sna/sna_tiling.c
+++ b/src/sna/sna_tiling.c
@@ -334,6 +334,7 @@ sna_tiling_composite_spans_box(struct sna *sna,
        struct sna_tile_state *tile = op->base.priv;
        struct sna_tile_span *a;

+       ErrorF("%s(%d/%d)\n", __func__, tile->rect_count, tile->rect_size);
        if (tile->rect_count == tile->rect_size) {
                int newsize = tile->rect_size * 2;

@@ -582,6 +583,9 @@ sna_tiling_composite_spans(uint32_t op,
        tile->rect_count = 0;
        tile->rect_size = ARRAY_SIZE(tile->rects_embedded);

+       ErrorF("%s: sizeof(tile->rects_embedded)=%d, sizeof(span_box)=%d\n",
+                       __func__, sizeof(tile->rects_embedded), sizeof(struct sna_tile_span));
+
        tmp->box   = sna_tiling_composite_spans_box;
        tmp->boxes = sna_tiling_composite_spans_boxes;
        tmp->done  = sna_tiling_composite_spans_done;
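Review bot: Both `sizeof` operands in the added `ErrorF` call are `size_t` but are printed with `%d`, a varargs type mismatch that is undefined behaviour and may misreport the values on LP64 builds. That matters here because the line exists to compare the embedded array's size against the element size while chasing a suspected overflow of `rects_embedded`. Cast the arguments, `(int)sizeof(tile->rects_embedded), (int)sizeof(struct sna_tile_span)`, or use `%zu` if the server's log formatter accepts it. Printing `tile->rect_size`, which is set from `ARRAY_SIZE` just above, would also show the element count directly instead of leaving it to be derived from two byte sizes. The body of sna_tiling_composite_spans starts and ends outside the hunk.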

and attach the new Xorg.0.log?</pre>
        </div>
      </p>
    </body>
</html>