I'm not sure this bug is really in Xorg (the server), but it has manifested in it ever since x11-drivers/xf86-video-intel >= 2.20.7:

$ gdb --batch --command=cmd.txt
[New LWP 30401]

warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `/usr/bin/X.bin -core -br -novtswitch -quiet :0 vt7 -nolisten tcp -auth /var/run'.
Program terminated with signal 6, Aborted.
#0  0x0000003debc35ab5 in raise () from /lib64/libc.so.6
#0  0x0000003debc35ab5 in raise () from /lib64/libc.so.6
No symbol table info available.
#1  0x0000003debc36f36 in abort () from /lib64/libc.so.6
No symbol table info available.
#2  0x0000000000593b8e in OsAbort () at utils.c:1266
No locals.
#3  0x000000000047d30c in ddxGiveUp (error=<optimized out>) at xf86Init.c:1060
        i = <optimized out>
#4  0x00000000005989e2 in AbortServer () at log.c:652
No locals.
#5  0x00000000005991fd in FatalError (f=f@entry=0x5c1308 "Caught signal %d (%s). Server aborting\n") at log.c:793
        args = {{gp_offset = 24, fp_offset = 48, overflow_arg_area = 0x7ffff8096f60, reg_save_area = 0x7ffff8096ea0}}
        args2 = {{gp_offset = 8, fp_offset = 48, overflow_arg_area = 0x7ffff8096f60, reg_save_area = 0x7ffff8096ea0}}
        beenhere = 1
#6  0x00000000005919ce in OsSigHandler (sip=<optimized out>, signo=11, unused=<optimized out>) at osinit.c:146
No locals.
#7  OsSigHandler (signo=11, sip=<optimized out>, unused=<optimized out>) at osinit.c:107
No locals.
#8  <signal handler called>
No symbol table info available.
#9  0x000000000045040e in CreateDefaultTile (pGC=pGC@entry=0x17d6620) at gc.c:584
        tmpval = {{val = 0, ptr = 0x7fff00000000}, {val = 0, ptr = 0x0}, {val = 13, ptr = 0xd}}
        pTile = <optimized out>
        pgcScratch = <optimized out>
        rect = {x = -824, y = 382, width = 0, height = 0}
        w = 1
        h = 1
#10 0x0000000000451078 in ChangeGC (client=client@entry=0x1350c40, pGC=pGC@entry=0x17d6620, mask=0, mask@entry=65536, pUnion=0x7ffff80975e8, pUnion@entry=0x7ffff80975e0) at gc.c:405
        index2 = <optimized out>
        error = 0
        pPixmap = <optimized out>
        maskQ = 65536
        __PRETTY_FUNCTION__ = "ChangeGC"
#11 0x000000000045128b in ChangeGCXIDs (client=client@entry=0x1350c40, pGC=0x17d6620, mask=65536, pC32=pC32@entry=0x17efcf8) at gc.c:458
        vals = {{val = 0, ptr = 0x0}, {val = 17563424, ptr = 0x10bff20}, {val = 24995840, ptr = 0x1017d6800}, {val = 17563424, ptr = 0x10bff20}, {val = 17581616, ptr = 0x10c4630}, {val = 17789712, ptr = 0x10f7310}, {val = 0, ptr = 0x0}, {val = 24995616, ptr = 0x17d6720}, {val = 0, ptr = 0x0}, {val = 8438048, ptr = 0x80c120 <clientTable+448>}, {val = 0, ptr = 0x0}, {val = 373, ptr = 0x175}, {val = 22827584, ptr = 0x15c5240}, {val = 20253760, ptr = 0x1350c40}, {val = 29360937, ptr = 0x1c00329}, {val = 3, ptr = 0x3}, {val = 24995360, ptr = 0x17d6620}, {val = 0, ptr = 0x0}, {val = 24992032, ptr = 0x17d5920}, {val = 4591587, ptr = 0x460fe3 <dixLookupResourceByType+307>}, {val = 0, ptr = 0x0}, {val = 32, ptr = 0x3d00000020}, {val = 22827584, ptr = 0x15c5240}}
        i = <optimized out>
#12 0x0000000000439032 in ProcChangeGC (client=0x1350c40) at dispatch.c:1474
        pGC = 0x17d6620
        result = <optimized out>
        len = 1
        stuff = 0x17efcec
#13 0x000000000043d4c1 in Dispatch () at dispatch.c:428
        clientReady = 0x124df30
        result = <optimized out>
        client = 0x1350c40
        nready = 0
        icheck = 0x813f10 <checkForInput>
        start_tick = 0
#14 0x000000000042c0fa in main (argc=11, argv=0x7ffff80978c8, envp=<optimized out>) at main.c:295
        i = <optimized out>
        alwaysCheckForInput = {0, 1}
#9  0x000000000045040e in CreateDefaultTile (pGC=pGC@entry=0x17d6620) at gc.c:584
584	    (*pGC->pScreen->QueryBestSize) (TileShape, &w, &h, pGC->pScreen);
$1 = {pScreen = 0xbb837d7abb86c183, depth = 128 '\200', alu = 126 '~', lineWidth = 48003, dashOffset = 32122, numInDashList = 48004, dash = 0xbb837d7abba5949e <Address 0xbb837d7abba5949e out of bounds>, lineStyle = 3, capStyle = 2, joinStyle = 3, fillStyle = 1, fillRule = 1, arcMode = 1, subWindowMode = 0, graphicsExposures = 0, clientClipType = 3, miTranslate = 0, tileIsPixel = 1, fExpose = 1, freeCompClip = 1, scratch_inuse = 0, unused = 6000, planemask = 18430913026116272574, fgPixel = 2405720158, bgPixel = 1, tile = {pixmap = 0x0, pixel = 0}, stipple = 0x10f7310, patOrg = {x = 0, y = 0}, font = 0x10f8780, clipOrg = {x = 0, y = 0}, clientClip = 0x0, stateChanges = 8388607, serialNumber = 2147483648, funcs = 0x80a060 <damageGCFuncs>, ops = 0x7f771aab5880 <sna_gc_ops>, devPrivates = 0x17d66c0, pRotatedPixmap = 0x0, pCompositeClip = 0x0}
cmd.txt:4: Error in sourced command file:
Cannot access memory at address 0xbb837d7abb86c183

I'm running Gentoo Linux, x86_64, kernel 3.5.4, gcc 4.7.1, no special CFLAGS/LDFLAGS.

Steps to reproduce: login into KDE (via kdm) and try to start chromium (other apps don't trigger the crash).