gnome-panel reads free memory in panel_object_loader_stop_loading

Running valgrind on gnome-panel I noticed:

==4781== Invalid read of size 1
==4781== at 0x4C29FEE: strcmp (mc_replace_strmem.c:538)
==4781== by 0x45C297: panel_object_loader_stop_loading (panel-object-loader.c:125)
==4781== by 0x45C947: panel_object_loader_idle_handler (panel-object-loader.c:241)
==4781== by 0x7515B6C: g_main_context_dispatch (gmain.c:2441)
==4781== by 0x7516367: g_main_context_iterate.isra.21 (gmain.c:3089)
==4781== by 0x75168A1: g_main_loop_run (gmain.c:3297)
==4781== by 0x55E389C: gtk_main (gtkmain.c:1367)
==4781== by 0x4220EE: main (main.c:117)
==4781== Address 0x17262f40 is 0 bytes inside a block of size 9 free'd
==4781== at 0x4C282E0: free (vg_replace_malloc.c:366)
==4781== by 0x45C12B: free_object_to_load (panel-object-loader.c:75)
==4781== by 0x45C271: panel_object_loader_stop_loading (panel-object-loader.c:120)
==4781== by 0x45C947: panel_object_loader_idle_handler (panel-object-loader.c:241)
==4781== by 0x7515B6C: g_main_context_dispatch (gmain.c:2441)
==4781== by 0x7516367: g_main_context_iterate.isra.21 (gmain.c:3089)
==4781== by 0x75168A1: g_main_loop_run (gmain.c:3297)
==4781== by 0x55E389C: gtk_main (gtkmain.c:1367)
==4781== by 0x4220EE: main (main.c:117)
==4781==

The code is:

void
panel_object_loader_stop_loading (const char *id)
{
        PanelObjectToLoad *object;
        GSList *l;

        for (l = panel_objects_loading; l; l = l->next) {
                object = l->data;
                if (g_strcmp0 (object->id, id) == 0)
                        break;
        }
        if (l != NULL) {
                panel_objects_loading = g_slist_delete_link (panel_objects_loading, l);
                free_object_to_load (object);
        }

        for (l = panel_objects_to_load; l; l = l->next) {
                object = l->data;
                if (g_strcmp0 (object->id, id) == 0)
                        break;
        }
        if (l != NULL) {
                panel_objects_to_load = g_slist_delete_link (panel_objects_to_load, l);
                free_object_to_load (object);
        }

        if (panel_objects_loading == NULL && panel_objects_to_load == NULL)
                panel_object_loader_queue_initial_unhide_toplevels (NULL);
}

free_object_to_load (object) gets called only 5 lines before strcmp on the same object.