X server 1.8.0 crashes on termination

Nix nix at esperi.org.uk
Sat Apr 17 16:11:42 PDT 2010

So far, every time I've quit X 1.8.0 (1.8-stable tip of tree), it's
coredumped and left my console unusable until I restart. (I'm using the
tip of the xf86-video-ati tree, and KMS, both of which worked fine with
1.7.5. Obviously I've recompiled all the drivers I'm using, or X
wouldn't work at all...)

The backtrace differs depending on whether auditing is enabled or not.

With auditing on, we are hit with a segfault here:

#0  0x00007f7e06148985 in _xstat () from /lib/libc.so.6
#1  0x00007f7e061198d0 in __tzfile_read () from /lib/libc.so.6
#2  0x00007f7e06118c8a in tzset_internal () from /lib/libc.so.6
#3  0x00007f7e06118df9 in __tz_convert () from /lib/libc.so.6
#4  0x00007f7e06117439 in ctime () from /lib/libc.so.6
#5  0x00000000004533c8 in AuditPrefix ()
#6  0x0000000000453956 in VAuditF ()
#7  0x0000000000453add in AuditF ()
#8  0x000000000043e5c6 in CloseDownClient ()
#9  0x0000000000443af8 in Dispatch ()
#10 0x0000000000420dc5 in main ()

With it off, I see this instead:

Program received signal SIGTERM, Terminated.
0x000000000042904c in FreeClientResources ()
(gdb) bt
#0  0x000000000042904c in FreeClientResources ()
#1  0x000000000043e4c2 in CloseDownClient ()
#2  0x0000000000443af8 in Dispatch ()
#3  0x0000000000420dc5 in main ()

which might look like normal termination, except that
FreeClientResources() of course does not contain an exit(), and the
console is still unusable.

I suspect a double-free() somewhere, and/or heap corruption.

I'll kick on malloc() debugging and look more closely (assuming that
works: in my experience it often introduces more problems than you might
wish for).
