Crash when opening new windows

Bug #1482891 reported by gue5t gue5t
This bug affects 1 person
Affects: Midori Web Browser
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

When opening a new window (via Ctrl-N or e.g. JavaScript on a webpage), Midori often spews critical warnings about invalid treeview pointers or crashes outright with a backtrace like this:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff68154f4 in g_type_check_instance_cast ()
   from /usr/lib/libgobject-2.0.so.0
(gdb) bt
#0 0x00007ffff68154f4 in g_type_check_instance_cast ()
   from /usr/lib/libgobject-2.0.so.0
#1 0x00007ffff7b03690 in midori_bookmarks_update_cb (array=0x6c6530,
    bookmarks=0x1932500)
    at midori/panels/midori-bookmarks.c:487
#2 0x00007ffff67f22f5 in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#3 0x00007ffff680402c in ?? () from /usr/lib/libgobject-2.0.so.0
#4 0x00007ffff680c688 in g_signal_emit_valist ()
   from /usr/lib/libgobject-2.0.so.0
#5 0x00007ffff680c8ef in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#6 0x00007ffff7af7b39 in katze_array_update (array=0x6c6530)
    at midori/katze/katze-array.c:579
#7 0x00007ffff7afbf68 in katze_array_action_set_array (
    array_action=0x1b9cbd0, array=0x6c6530)
    at midori/katze/katze-arrayaction.c:894
#8 0x00007ffff7afa024 in katze_array_action_set_property (object=0x1b9cbd0,
    prop_id=1, value=0x7fffffffaee0, pspec=0xd64130)
    at midori/katze/katze-arrayaction.c:267
#9 0x00007ffff67f9c2b in g_object_set_valist ()
   from /usr/lib/libgobject-2.0.so.0
#10 0x00007ffff67fa4bc in g_object_set () from /usr/lib/libgobject-2.0.so.0
#11 0x00007ffff7b23d2e in midori_browser_set_bookmarks (browser=0xd17270,
    bookmarks=0x6c6530)
    at midori/midori/midori-browser.c:6770
#12 0x00007ffff7b24287 in midori_browser_set_property (object=0xd17270,
    prop_id=12, value=0x7fffffffb170, pspec=0xd148b0)
    at midori/midori/midori-browser.c:6849
#13 0x00007ffff67f7df6 in ?? () from /usr/lib/libgobject-2.0.so.0
#14 0x00007ffff67f96a5 in g_object_new_valist ()
   from /usr/lib/libgobject-2.0.so.0
#15 0x00007ffff67f99e1 in g_object_new () from /usr/lib/libgobject-2.0.so.0
#16 0x00007ffff7b41af8 in midori_app_create_browser (app=0x6a10f0)
    at midori/midori/midori-app.c:1048
#17 0x00007ffff7b3f844 in midori_browser_new_window_cb (browser=0xd160f0,
    new_browser=0x0, app=0x6a10f0)
    at midori/midori/midori-app.c:149
#18 0x00007ffff7b50d15 in midori_cclosure_marshal_OBJECT__OBJECT (
    closure=0xfc7f20, return_value=0x7fffffffb9b0, n_param_values=2,
    param_values=0x7fffffffb900, invocation_hint=0x7fffffffb8a0,
    marshal_data=0x0) at midori/marshal.c:325
#19 0x00007ffff67f22f5 in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#20 0x00007ffff680402c in ?? () from /usr/lib/libgobject-2.0.so.0
#21 0x00007ffff680c195 in g_signal_emit_valist ()
   from /usr/lib/libgobject-2.0.so.0
#22 0x00007ffff680c8ef in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#23 0x00007ffff7b1646f in midori_view_new_view_cb (view=0x20de090,
    new_view=0x20deea0, where=MIDORI_NEW_VIEW_BACKGROUND, user_initiated=0,
    browser=0xd160f0)
    at midori/midori/midori-browser.c:1729
#24 0x00007ffff7b50ed8 in midori_cclosure_marshal_VOID__OBJECT_ENUM_BOOLEAN (
    closure=0x15e6730, return_value=0x0, n_param_values=4,
    param_values=0x7fffffffbdf0, invocation_hint=0x7fffffffbd90,
    marshal_data=0x0) at midori/marshal.c:401
#25 0x00007ffff67f22f5 in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#26 0x00007ffff680402c in ?? () from /usr/lib/libgobject-2.0.so.0
#27 0x00007ffff680c688 in g_signal_emit_valist ()
   from /usr/lib/libgobject-2.0.so.0
#28 0x00007ffff680c8ef in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#29 0x00007ffff7b2c39c in webkit_web_view_web_view_ready_cb (
    web_view=0x1d64c40, view=0x20de090)
    at midori/midori/midori-view.c:2676
#30 0x00007ffff3b33f51 in webkit_marshal_BOOLEAN__VOID ()
   from /usr/lib/libwebkitgtk-1.0.so.0
#31 0x00007ffff67f22f5 in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#32 0x00007ffff680402c in ?? () from /usr/lib/libgobject-2.0.so.0
#33 0x00007ffff680c195 in g_signal_emit_valist ()
   from /usr/lib/libgobject-2.0.so.0
#34 0x00007ffff680c8ef in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#35 0x00007ffff3b2933d in webkit_web_view_notify_ready ()
   from /usr/lib/libwebkitgtk-1.0.so.0
#36 0x00007ffff41d381e in WebCore::createWindow(WebCore::Frame*, WebCore::Frame*, WebCore::FrameLoadRequest const&, WebCore::WindowFeatures const&, bool&) ()
   from /usr/lib/libwebkitgtk-1.0.so.0
#37 0x00007ffff425c4ec in WebCore::DOMWindow::createWindow(WTF::String const&, WTF::AtomicString const&, WebCore::WindowFeatures const&, WebCore::DOMWindow&, WebCore::Frame*, WebCore::Frame*, std::function<void (WebCore::DOMWindow&)>) ()
   from /usr/lib/libwebkitgtk-1.0.so.0
#38 0x00007ffff425d0df in WebCore::DOMWindow::open(WTF::String const&, WTF::AtomicString const&, WTF::String const&, WebCore::DOMWindow&, WebCore::DOMWindow&)
    () from /usr/lib/libwebkitgtk-1.0.so.0
#39 0x00007ffff3c9a7f6 in WebCore::JSDOMWindow::open(JSC::ExecState*) ()
   from /usr/lib/libwebkitgtk-1.0.so.0
#40 0x00007ffff46bbd2b in WebCore::jsDOMWindowPrototypeFunctionOpen(JSC::ExecState*) () from /usr/lib/libwebkitgtk-1.0.so.0
#41 0x00007fffa39b60e5 in ?? ()
#42 0x00007fff8453aee0 in ?? ()
#43 0x00007ffff15ad1b2 in llint_op_call ()
   from /usr/lib/libjavascriptcoregtk-1.0.so.0
#44 0x00007fffffffcdc0 in ?? ()
#45 0x00007fffa2985000 in ?? ()
#46 0x00007fff56aa8308 in ?? ()
#47 0x00007fffffffce30 in ?? ()
#48 0x00007fff8453aff8 in ?? ()
#49 0x00007fffffffce40 in ?? ()
#50 0x00007fffffffcdc0 in ?? ()
#51 0x00007ffff1553d23 in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*, JSC::Register*) () from /usr/lib/libjavascriptcoregtk-1.0.so.0
Backtrace stopped: previous frame inner to this frame (corrupt stack?)

gue5t gue5t (gue5t) wrote:

Specifically, this happens consistently when opening a second window, closing it, then opening a new one.

Cris Dywan (kalikiana)
Changed in midori:
milestone: none → 0.5.11

gue5t gue5t (gue5t)
Changed in midori:
status: New → Fix Committed

Cris Dywan (kalikiana)
Changed in midori:
status: Fix Committed → Fix Released