Comment 18 for bug 1751252

Here's the offending source code up to the failing X call. I'm not so sure that the math is right (or how getting it wrong might trigger this bug)...

static cairo_xlib_shm_t *
_cairo_xlib_shm_pool_create(cairo_xlib_display_t *display,
                            size_t size, void **ptr)
{
    Display *dpy = display->display;
    cairo_xlib_shm_t *pool;
    size_t bytes, maxbits = 16, minbits = MIN_BITS;
    Status success;

    pool = malloc (sizeof (cairo_xlib_shm_t));
    if (pool == NULL)
        return NULL;

    bytes = 1 << maxbits;
    while (bytes <= size)
        bytes <<= 1, maxbits++;
    bytes <<= 3;

    minbits += (maxbits - 16) / 2;

    pool->shm.shmid = shmget (IPC_PRIVATE, bytes, IPC_CREAT | 0600);
    while (pool->shm.shmid == -1 && bytes >= 2*size) {
        bytes >>= 1;
        pool->shm.shmid = shmget (IPC_PRIVATE, bytes, IPC_CREAT | 0600);
    }
    if (pool->shm.shmid == -1)
        goto cleanup;

    pool->shm.readOnly = FALSE;
    pool->shm.shmaddr = shmat (pool->shm.shmid, NULL, 0);
    if (pool->shm.shmaddr == (char *) -1) {
        shmctl (pool->shm.shmid, IPC_RMID, NULL);
        goto cleanup;
    }

    pool->attached = XNextRequest (dpy);
    success = XShmAttach (dpy, &pool->shm);

Possibly worth noting is that size==4096 at scale 200%, and size==256 at scale 100%.