Comment 9 for bug 867565

Margarita Manterola (marga-9) wrote :

I searched a bit and found several duplicates of this bug (now merged). The ways of reproducing are many, but are always related to working with tabs. Detaching a tab, dragging and dropping a tab between two windows, etc. In my case, one time it happened when closing a window with no tabs while keeping two other windows with tabs.

The GNOME upstream bug says it's related to accessibility, which I guess is due to the "accessible-value" property that we see in the backtrace.

The line that is segfaulting is 1154 from this function:

1148: void
1149: g_object_notify (GObject *object,
1150: const gchar *property_name)
1151: {
1152: GParamSpec *pspec;
1153:
1154: g_return_if_fail (G_IS_OBJECT (object));
1155: g_return_if_fail (property_name != NULL);

The macros expand to:
#define G_IS_OBJECT(object) (G_TYPE_CHECK_INSTANCE_TYPE ((object), G_TYPE_OBJECT))
#define G_TYPE_CHECK_INSTANCE_TYPE(instance, g_type) (_G_TYPE_CIT ((instance), (g_type)))
# define _G_TYPE_CIT(ip, gt) (G_GNUC_EXTENSION ({ \
  GTypeInstance *__inst = (GTypeInstance*) ip; GType __t = gt; gboolean __r; \
  if (!__inst) \
    __r = FALSE; \
  else if (__inst->g_class && __inst->g_class->g_type == __t) \
    __r = TRUE; \
  else \
    __r = g_type_check_instance_is_a (__inst, __t); \
  __r; \
}))

In this last macro, the first thing that's checked is that the object passed is not NULL. Thus, this is pointing to some piece of memory, different than NULL, but on which it's not valid to access its ->g_class member.

In my stack trace, the object is "optimized out", but in the one provided in the Debian bug report, it says: object@entry=0x8469a38.
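As an added illustration of the point in the comment above (constructed example, not code from GLib, GTK or this bug report): a toy instance type with the same check shape as _G_TYPE_CIT, showing that the NULL branch only protects callers whose stale pointer has actually been cleared, which is what a weak pointer in the style of g_object_add_weak_pointer() provides. Names such as Instance, is_object and guard_catches_dangling_ref are assumptions for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Constructed toy of GTypeInstance/GObject (not GLib's code): an instance
 * carries a class pointer, a refcount and the weak pointers registered on it. */
typedef struct Class { int type; } Class;
typedef struct Instance {
    Class *klass;
    int refcount;
    struct Instance **weak_slots[4];  /* pointers cleared on finalize */
    int n_weak;
} Instance;

static Class object_class = { 42 };

/* Same shape as _G_TYPE_CIT: NULL is rejected, anything else is dereferenced. */
bool is_object(const Instance *inst) {
    if (!inst) return false;
    return inst->klass != NULL && inst->klass->type == object_class.type;
}

Instance *instance_new(void) {
    Instance *i = calloc(1, sizeof *i);
    i->klass = &object_class;
    i->refcount = 1;
    return i;
}

/* Like g_object_add_weak_pointer(): *slot becomes NULL when i is finalized. */
void instance_add_weak_pointer(Instance *i, Instance **slot) {
    if (i->n_weak < 4) i->weak_slots[i->n_weak++] = slot;
}

void instance_unref(Instance *i) {
    if (--i->refcount > 0) return;
    for (int k = 0; k < i->n_weak; k++) *i->weak_slots[k] = NULL;
    free(i);
}

/* A holder (the accessible object) remembers a widget; the widget is destroyed. */
/* Returns whether the NULL branch of the check can still catch the stale pointer. */
/* The dangling pointer is never dereferenced here; in the reported crash it was. */
bool guard_catches_dangling_ref(bool use_weak_pointer) {
    Instance *widget = instance_new();
    Instance *held = widget;
    if (use_weak_pointer) instance_add_weak_pointer(widget, &held);
    instance_unref(widget);
    return held == NULL;
}
```

With a raw pointer the holder still sees a non-NULL address after finalization, so is_object() would go on to read the freed ->g_class, exactly the situation the backtrace shows; with the weak pointer the first branch of the macro fires instead.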