Bug 253980 - x11-apps/xrandr crashes Xvfb from x11-base/xorg-server-1.5.3
Status: RESOLVED UPSTREAM
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Unspecified
Hardware: All Linux
Importance: High normal
Assignee: Gentoo X packagers
URL: https://bugs.freedesktop.org/show_bug...
Reported: 2009-01-06 14:40 UTC by f5d8fd51ed1e804c9e8d0357e8614e0493b06e96
Modified: 2009-01-21 07:01 UTC
Description f5d8fd51ed1e804c9e8d0357e8614e0493b06e96 2009-01-06 14:40:43 UTC
Running Xvfb under valgrind reveals:

aaron@erding ~ $ valgrind  Xvfb :20 -ac
==18741== Memcheck, a memory error detector.
==18741== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==18741== Using LibVEX rev 1854, a library for dynamic binary translation.
==18741== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==18741== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==18741== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==18741== For more details, rerun with: -v
==18741==
==18741== Conditional jump or move depends on uninitialised value(s)
==18741==    at 0x43E861: fbBltOne (in /usr/bin/Xvfb)
==18741==    by 0x4332BF: fbPushFill (in /usr/bin/Xvfb)
==18741==    by 0x43347B: fbPushImage (in /usr/bin/Xvfb)
==18741==    by 0x433507: fbPushPixels (in /usr/bin/Xvfb)
==18741==    by 0x4AA68B: (within /usr/bin/Xvfb)
==18741==    by 0x52043B: (within /usr/bin/Xvfb)
==18741==    by 0x5209A8: (within /usr/bin/Xvfb)
==18741==    by 0x5299A7: (within /usr/bin/Xvfb)
==18741==    by 0x52473A: miPointerUpdateSprite (in /usr/bin/Xvfb)
==18741==    by 0x524864: (within /usr/bin/Xvfb)
==18741==    by 0x441593: (within /usr/bin/Xvfb)
==18741==    by 0x49ED6B: (within /usr/bin/Xvfb)
==18741==
==18741== Conditional jump or move depends on uninitialised value(s)
==18741==    at 0x43E8C8: fbBltOne (in /usr/bin/Xvfb)
==18741==    by 0x4332BF: fbPushFill (in /usr/bin/Xvfb)
==18741==    by 0x43347B: fbPushImage (in /usr/bin/Xvfb)
==18741==    by 0x433507: fbPushPixels (in /usr/bin/Xvfb)
==18741==    by 0x4AA68B: (within /usr/bin/Xvfb)
==18741==    by 0x52043B: (within /usr/bin/Xvfb)
==18741==    by 0x5209A8: (within /usr/bin/Xvfb)
==18741==    by 0x5299A7: (within /usr/bin/Xvfb)
==18741==    by 0x52473A: miPointerUpdateSprite (in /usr/bin/Xvfb)
==18741==    by 0x524864: (within /usr/bin/Xvfb)
==18741==    by 0x441593: (within /usr/bin/Xvfb)
==18741==    by 0x49ED6B: (within /usr/bin/Xvfb)
==18741==
==18741== Use of uninitialised value of size 8
==18741==    at 0x43E929: fbBltOne (in /usr/bin/Xvfb)
==18741==    by 0x4332BF: fbPushFill (in /usr/bin/Xvfb)
==18741==    by 0x43347B: fbPushImage (in /usr/bin/Xvfb)
==18741==    by 0x433507: fbPushPixels (in /usr/bin/Xvfb)
==18741==    by 0x4AA68B: (within /usr/bin/Xvfb)
==18741==    by 0x52043B: (within /usr/bin/Xvfb)
==18741==    by 0x5209A8: (within /usr/bin/Xvfb)
==18741==    by 0x5299A7: (within /usr/bin/Xvfb)
==18741==    by 0x52473A: miPointerUpdateSprite (in /usr/bin/Xvfb)
==18741==    by 0x524864: (within /usr/bin/Xvfb)
==18741==    by 0x441593: (within /usr/bin/Xvfb)
==18741==    by 0x49ED6B: (within /usr/bin/Xvfb)
==18741==
==18741== Conditional jump or move depends on uninitialised value(s)
==18741==    at 0x5157C5: (within /usr/bin/Xvfb)
==18741==    by 0x515E0D: (within /usr/bin/Xvfb)
==18741==    by 0x5146D5: (within /usr/bin/Xvfb)
==18741==    by 0x535BC4: (within /usr/bin/Xvfb)
==18741==    by 0x536212: WaitForSomething (in /usr/bin/Xvfb)
==18741==    by 0x4F453A: Dispatch (in /usr/bin/Xvfb)
==18741==    by 0x50621A: main (in /usr/bin/Xvfb)
(EE) config/hal: NewInputDeviceRequest failed
(EE) config/hal: NewInputDeviceRequest failed
(EE) config/hal: NewInputDeviceRequest failed
==18741==
==18741== Syscall param writev(vector[...]) points to uninitialised byte(s)
==18741==    at 0x688DA86: (within /lib64/libc-2.9.so)
==18741==    by 0x53F3E1: (within /usr/bin/Xvfb)
==18741==    by 0x539F6B: FlushClient (in /usr/bin/Xvfb)
==18741==    by 0x53A982: FlushAllOutput (in /usr/bin/Xvfb)
==18741==    by 0x4F47C1: Dispatch (in /usr/bin/Xvfb)
==18741==    by 0x50621A: main (in /usr/bin/Xvfb)
==18741==  Address 0x7b78cac is 36 bytes inside a block of size 4,096 alloc'd
==18741==    at 0x4C221A0: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==18741==    by 0x53C01F: Xalloc (in /usr/bin/Xvfb)
==18741==    by 0x53C2D4: Xcalloc (in /usr/bin/Xvfb)
==18741==    by 0x53A809: WriteToClient (in /usr/bin/Xvfb)
==18741==    by 0x4EF490: ProcEstablishConnection (in /usr/bin/Xvfb)
==18741==    by 0x4F4797: Dispatch (in /usr/bin/Xvfb)
==18741==    by 0x50621A: main (in /usr/bin/Xvfb)
==18741==
==18741== Invalid read of size 2
==18741==    at 0x4EA4D0: FreeColormap (in /usr/bin/Xvfb)
==18741==    by 0x509337: FreeClientResources (in /usr/bin/Xvfb)
==18741==    by 0x50940E: FreeAllResources (in /usr/bin/Xvfb)
==18741==    by 0x506246: main (in /usr/bin/Xvfb)
==18741==  Address 0x7095eb8 is 64 bytes inside a block of size 336 free'd
==18741==    at 0x4C2226E: realloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==18741==    by 0x53BF1B: Xrealloc (in /usr/bin/Xvfb)
==18741==    by 0x4696BC: __glXScreenInit (in /usr/bin/Xvfb)
==18741==    by 0x468C01: (within /usr/bin/Xvfb)
==18741==    by 0x4682E1: GlxExtensionInit (in /usr/bin/Xvfb)
==18741==    by 0x506077: main (in /usr/bin/Xvfb)
==18741==
==18741== Conditional jump or move depends on uninitialised value(s)
==18741==    at 0x4E5871C: BuiltinReadDirectory (in /usr/lib64/libXfont.so.1.4.1)
==18741==    by 0x4E58D1A: (within /usr/lib64/libXfont.so.1.4.1)
==18741==    by 0x4F557D: (within /usr/bin/Xvfb)
==18741==    by 0x4F5759: SetDefaultFontPath (in /usr/bin/Xvfb)
==18741==    by 0x5063EC: main (in /usr/bin/Xvfb)
==18741==
==18741== Conditional jump or move depends on uninitialised value(s)
==18741==    at 0x4E587D0: BuiltinReadDirectory (in /usr/lib64/libXfont.so.1.4.1)
==18741==    by 0x4E58D1A: (within /usr/lib64/libXfont.so.1.4.1)
==18741==    by 0x4F557D: (within /usr/bin/Xvfb)
==18741==    by 0x4F5759: SetDefaultFontPath (in /usr/bin/Xvfb)
==18741==    by 0x5063EC: main (in /usr/bin/Xvfb)
[config/dbus] couldn't register object path
(EE) config/hal: NewInputDeviceRequest failed
(EE) config/hal: NewInputDeviceRequest failed
(EE) config/hal: NewInputDeviceRequest failed
^C

The syscall with uninitialised values seems to be what crashed the Xvfb.
Any clues or any ideas how to further track down the cause?   

Reproducible: Always

Steps to Reproduce:
1. console1:
aaron@erding ~ $ Xvfb :20
(EE) config/hal: NewInputDeviceRequest failed
(EE) config/hal: NewInputDeviceRequest failed
(EE) config/hal: NewInputDeviceRequest failed

2. console2:
aaron@erding ~ $ DISPLAY=:20 xrandr -v
Xlib:  extension "RANDR" missing on display ":20.0".
RandR extension missing


3. console1:
segmentation fault



Portage 2.2_rc20 (default/linux/amd64/2008.0/desktop, gcc-4.2.4, glibc-2.9_p20081201-r0, 2.6.27-gentoo-r5 x86_64)
=================================================================                                                
System uname: Linux-2.6.27-gentoo-r5-x86_64-Intel-R-_Core-TM-2_Duo_CPU_E6750_@_2.66GHz-with-glibc2.2.5
Timestamp of tree: Tue, 06 Jan 2009 07:10:01 +0000
app-shells/bash:     3.2_p48
dev-java/java-config: 1.3.7-r1, 2.1.6-r1
dev-lang/python:     2.5.2-r8
dev-python/pycrypto: 2.0.1-r6
dev-util/cmake:      2.6.2-r1
sys-apps/baselayout: 2.0.0
sys-apps/openrc:     0.4.1-r1
sys-apps/sandbox:    1.2.18.1-r3
sys-devel/autoconf:  2.13, 2.63
sys-devel/automake:  1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.2
sys-devel/binutils:  2.19
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   2.2.6a
virtual/os-headers:  2.6.27-r2
ACCEPT_KEYWORDS="amd64 ~amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=nocona"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/kde/4.1/env /usr/kde/4.1/share/config /usr/kde/4.1/shutdown /usr/share/config /var/lib/hsqldb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-O2 -pipe -march=nocona"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks fixpackages parallel-fetch preserve-libs protect-owned sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LANG="de_DE.utf8"
LC_ALL="de_DE.utf8"
LDFLAGS="-Wl,-O1"
LINGUAS="de"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/layman/energizedwork"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="16bit 3dnow 3dnowext X a52 aac aalib acl acpi administrator aim alsa amazon amd64 apm arts avahi bash-completion berkdb big-tables bluetooth branding browserplugin bzip2 c++ cairo cdr cdrom cjk cli connectionstatus cracklib crypt cups cxx dbus dhcp directfb divx dri dts dvd dvdr dvdread eds emboss encode esd evo exif fam fbcon fbcondecor fbdev fbsplash firefox firefox3 flac fontconfig foomaticdb fortran gconf gdbm gif glitz glut gmedia gmp gnome gnutls gphoto2 gpm graphviz grub gstreamergtk hal hddtemp iconv icq idn imap ipv6 isdnlog java java5 java6 javascript jpeg jpeg2k kde kdehiddenvisibility kdeprefix kipi ldap libnotify lm_sensors logitech-mouse mad matroska max-idx-128 mdnsresponder-compat midi mikmod mmx mmxext mng mozdevelop mozilla mp3 mp4 mpeg mudflap multilib musepack musicbrainz mysql nat ncurses nforce2 nls nptl nptlonly nsplugin nspr ntfs nvidia ogg openal opengl openmp pam parport pcre pdf perl png ppds pppd python qt3 qt3support qt4 query-browser quicktime readline realmedia reflection resolvconf sdl sensord session spell spl sqlite sqlite3 sse sse2 ssl ssse3 startup-notification subversion svg svgz sysfs tcpd theora tiff truetype type1 unicode urandom usb utempter vim-syntax vim-with-x vorbis wmp x264 xattr xcomposite xml xorg xprint xulrunner xv xvid xvmc yahoo zeroconf zip zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include 
info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="evdev keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="de" NETBEANS_MODULES="apisupport cnd gsf groovy harness ide identity j2ee java nb profiler soa visualweb webcommon websvccommon xml" USERLAND="GNU" VIDEO_CARDS="nv vesa vga fbdev"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, MAKEOPTS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 1 Rémi Cardona (RETIRED) gentoo-dev 2009-01-08 11:04:14 UTC
Xvfb doesn't support the xrandr protocol.

I can confirm the bug on my system. Judging by the gdb output, I would say this looks like a double-free issue.

I think upstream should be notified of the bug. If you do open a bug at FreeDesktop, please paste the url here.

Thanks
Comment 2 f5d8fd51ed1e804c9e8d0357e8614e0493b06e96 2009-01-08 20:42:16 UTC
Bug has been reported upstream. See:
https://bugs.freedesktop.org/show_bug.cgi?id=19470
Comment 3 Donnie Berkholz (RETIRED) gentoo-dev 2009-01-21 07:01:02 UTC
Please reopen this bug when it's fixed upstream. Thanks!
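
Added example, not part of the original report and not code from Xvfb or valgrind: a small parser for Memcheck output in the format pasted in the Description. It drops the interleaved server lines, pairs each invalid access with the first non-allocator caller that released the block, and lists those records ahead of uninitialised-value reports. The ordering is this example's own triage heuristic, and the function names and the `ALLOC` wrapper list are assumptions.

```python
import re

SAMPLE = """\
==18741== Conditional jump or move depends on uninitialised value(s)
==18741==    at 0x43E861: fbBltOne (in /usr/bin/Xvfb)
(EE) config/hal: NewInputDeviceRequest failed
==18741==
==18741== Invalid read of size 2
==18741==    at 0x4EA4D0: FreeColormap (in /usr/bin/Xvfb)
==18741==  Address 0x7095eb8 is 64 bytes inside a block of size 336 free'd
==18741==    at 0x4C2226E: realloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==18741==    by 0x53BF1B: Xrealloc (in /usr/bin/Xvfb)
==18741==    by 0x4696BC: __glXScreenInit (in /usr/bin/Xvfb)
"""  # shortened excerpt of the log in the report, assembled for this example
PREFIX = re.compile(r"^==\d+== ?(.*)$", re.M)   # lines without the tag are server output
FRAME = re.compile(r"^(?:at|by) 0x[0-9A-Fa-f]+: (?:(\w+) )?\(")
ALLOC = {"malloc", "calloc", "realloc", "free", "Xalloc", "Xcalloc", "Xrealloc"}

def severity(kind):
    if kind.startswith("Invalid "):
        return "memory-safety"      # access to freed or out-of-bounds memory
    return "uninitialised" if "uninitialised" in kind else None

def first_caller(frames):
    return next((f for f in frames if f not in ALLOC), None)  # skip allocator wrappers

def parse_memcheck(text):
    records, cur = [], None
    for m in PREFIX.finditer(text):
        body = m.group(1).strip()
        frame = FRAME.match(body)
        if not body:
            cur = None              # bare "==PID==" line closes the record
        elif frame and cur is not None and frame.group(1):
            cur["block" if cur["note"] else "access"].append(frame.group(1))
        elif body.startswith("Address ") and cur is not None:
            cur["note"] = body      # frames after this describe the memory block
        elif severity(body):
            cur = {"kind": body, "access": [], "block": [], "note": ""}
            records.append(cur)
    return records

def triage(text):
    recs = parse_memcheck(text)
    for r in recs:
        r["class"] = severity(r["kind"])
        r["where"] = first_caller(r["access"])
        r["freed_in"] = first_caller(r["block"]) if "free'd" in r["note"] else None
    return sorted(recs, key=lambda r: r["class"] != "memory-safety")
```

Frames printed as `(within /usr/bin/Xvfb)` carry no symbol and are skipped; a server built with debug symbols gives the parser names for them.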