nxagent crashes when xeyes is started

Bug #800510 reported by leo weppelman
This bug affects 1 person
Affects: NX X remote server
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

I am running a Debian/Squeeze system with the following nx packages:
  freenx-server 0.7.3.git110520.3884279 2011-06-21 10:23
  nx-common 0.3.1+svn59-0~ppa1~luci 2011-06-21 09:36
  nxagent 1:3.5.0-1-2-0ubuntu1ppa 2011-06-21 09:36
  nxlibs 1:3.5.0-1-2-0ubuntu1ppa 2011-06-21 09:36

The xeyes that makes nxagent crash comes from: x11-apps_7.5+5

When you do a gdb-stacktrace on the coredump produced, you'll get:
Core was generated by `/usr/bin/nxagent -persistent -D -name NX - lw230024@newlabgw1:2000 - newlab (GP'.
Program terminated with signal 11, Segmentation fault.
#0 0x00000000004a8bac in nxagentTrapezoids (op=3 '\003', pSrc=0x2f35850,
    pDst=0x2f2f9c0, maskFormat=<value optimized out>, xSrc=0, ySrc=0, ntrap=7,
    traps=0x2a9e5c8) at Render.c:1724
1724 if (NXAGENT_SHOULD_DEFER_TRAPEZOIDS(pDst -> pDrawable))
(gdb) bt
#0 0x00000000004a8bac in nxagentTrapezoids (op=3 '\003', pSrc=0x2f35850,
    pDst=0x2f2f9c0, maskFormat=<value optimized out>, xSrc=0, ySrc=0, ntrap=7,
    traps=0x2a9e5c8) at Render.c:1724
#1 0x00000000004300d6 in ProcRenderTrapezoids (client=0x2f1f2b0)
    at X/NXrender.c:1124
#2 0x000000000042b9cd in ProcRenderDispatch (client=0x0) at X/NXrender.c:2520
#3 0x000000000042b08f in Dispatch () at X/NXdispatch.c:747
#4 0x0000000000458657 in CreateConnectionBlock (argc=<value optimized out>,
    argv=<value optimized out>, envp=<value optimized out>) at main.c:663
#5 main (argc=<value optimized out>, argv=<value optimized out>,
    envp=<value optimized out>) at main.c:446

Digging a tiny bit further, I noticed that the crash is caused by pSrc->pDrawable being a NULL pointer in ProcRenderTrapezoids(). The following patch prevents the crash:

--- ./programs/Xserver/hw/nxagent/X/NXrender.c.org 2011-06-20 15:34:31.000000000 +0200
+++ ./programs/Xserver/hw/nxagent/X/NXrender.c 2011-06-20 15:34:14.000000000 +0200
@@ -1082,6 +1082,7 @@
                    RenderErrBase + BadPicture);
     VERIFY_PICTURE (pDst, stuff->dst, client, SecurityWriteAccess,
                    RenderErrBase + BadPicture);
+ if (!pSrc->pDrawable) return BadDrawable; /* Leo */
     if (!pDst->pDrawable)
         return BadDrawable;
     if (pSrc->pDrawable && pSrc->pDrawable->pScreen != pDst->pDrawable->pScreen)
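Review bot: The added `if (!pSrc->pDrawable) return BadDrawable;` makes the `pSrc->pDrawable &&` test on the last context line dead code, and that existing test indicates a NULL source drawable is a case this function was written to accept rather than reject. Returning BadDrawable here turns the segfault into a protocol error for the client, but it rejects the whole request instead of fixing the dereference itself; the backtrace puts the fault in nxagentTrapezoids at Render.c:1724, so the NULL handling more likely belongs there (or in the macro used on that line), leaving this validation path unchanged. If the check does stay, match the surrounding style: five-space indent, `return BadDrawable;` on its own line as in the `pDst` check below it, and replace the `/* Leo */` tag with a comment saying why a source picture without a drawable is refused.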

When xeyes is started with this patch, you'll get:
X Error of failed request: BadDrawable (invalid Pixmap or Window parameter)
  Major opcode of failed request: 149 (RENDER)
  Minor opcode of failed request: 10 (RenderTrapezoids)
  Resource id in failed request: 0x80000a
  Serial number of failed request: 61
  Current serial number in output stream: 65

Which is much better than crashing ;-) But since my 'normal' Xserver does not crash, there must be a better solution...

The crash is very reproducible. It has something to do with the use of the Xrender library. If xeyes is compiled without XRENDER, nxagent will do fine.

As an extra datapoint, I believe this is exactly the same bug: https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=593199
