gnome-shell SIGSEGV in g_slice_alloc() on monitor hotplug

I've seen this at least twice now: plug in an external monitor and gnome-shell segfaults. This doesn't happen on every hotplug, just sometimes (maybe once a month).

The apport crash report is broken because of bug 1453011, but I can get a gdb with apport-retrace -g /var/crash//var/crash/_usr_bin_gnome-shell.1000.crash.

Here's a stack trace:

#0 0x00007fa9fb8ff645 in g_slice_alloc (magazine_chunks=0x7299b0) at /build/buildd/glib2.0-2.44.0/./glib/gslice.c:539
#1 0x00007fa9fb8ff645 in g_slice_alloc (tmem=<optimized out>, ix=1) at /build/buildd/glib2.0-2.44.0/./glib/gslice.c:842
#2 0x00007fa9fb8ff645 in g_slice_alloc (mem_size=mem_size@entry=24) at /build/buildd/glib2.0-2.44.0/./glib/gslice.c:998
#3 0x00007fa9fb8de7f6 in g_list_prepend (list=list@entry=0x1bf0320 = {...}, data=data@entry=0x5565940)
    at /build/buildd/glib2.0-2.44.0/./glib/glist.c:311
#4 0x00007fa9fd257a26 in meta_workspace_list_windows (workspace=workspace@entry=0x1caa690 [MetaWorkspace]) at core/workspace.c:670
#5 0x00007fa9fd258183 in meta_workspace_invalidate_work_area (workspace=0x1caa690 [MetaWorkspace]) at core/workspace.c:721
#6 0x00007fa9fd2446e0 in reload_monitor_infos (screen=screen@entry=0x756480 [MetaScreen]) at core/screen.c:415
#7 0x00007fa9fd2485ed in on_monitors_changed (manager=<optimized out>, screen=0x756480 [MetaScreen]) at core/screen.c:2362
#8 0x00007fa9f646fd90 in ffi_call_unix64 () at ../src/x86/unix64.S:76
#9 0x00007fa9f646f7f8 in ffi_call (cif=cif@entry=0x7ffc6983b150, fn=<optimized out>, rvalue=0x7ffc6983b0b0, avalue=avalue@entry=0x7ffc6983b070) at ../src/x86/ffi64.c:525
#14 0x00007fa9fbbd2e4a in <emit signal 0x10 <error: Cannot access memory at address 0x10> on instance 0x7562a0 [MetaMonitorManagerXrandr]> (instance=0x20, instance@entry=0x7562a0, detailed_signal=0x10 <error: Cannot access memory at address 0x10>,
    detailed_signal@entry=0x7fa9fd284c77 "monitors-changed") at /build/buildd/glib2.0-2.44.0/./gobject/gsignal.c:3401
    #10 0x00007fa9fbbb8ae4 in g_cclosure_marshal_generic (closure=0x1d60bb0, return_gvalue=0x0, n_param_values=<optimized out>, param_values=<optimized out>, invocation_hint=<optimized out>, marshal_data=0x0) at /build/buildd/glib2.0-2.44.0/./gobject/gclosure.c:1448
    #11 0x00007fa9fbbb82d5 in g_closure_invoke (closure=0x1d60bb0, return_value=0x0, n_param_values=1, param_values=0x7ffc6983b380, invocation_hint=0x7ffc6983b320) at /build/buildd/glib2.0-2.44.0/./gobject/gclosure.c:768
    #12 0x00007fa9fbbca03c in signal_emit_unlocked_R (node=node@entry=0x1bd2e20, detail=detail@entry=0, instance=instance@entry=0x7562a0, emission_return=emission_return@entry=0x0, instance_and_params=instance_and_params@entry=0x7ffc6983b380)
    at /build/buildd/glib2.0-2.44.0/./gobject/gsignal.c:3549
    #13 0x00007fa9fbbd2698 in g_signal_emit_valist (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>, var_args=<optimized out>) at /build/buildd/glib2.0-2.44.0/./gobject/gsignal.c:3305
#15 0x00007fa9fd218cc9 in meta_monitor_manager_rebuild_derived (manager=0x7562a0 [MetaMonitorManagerXrandr])
    at backends/meta-monitor-manager.c:1228
#16 0x00007fa9fd21ea38 in meta_monitor_manager_xrandr_handle_xevent (manager_xrandr=0x7562a0 [MetaMonitorManagerXrandr], event=event@entry=0x7ffc6983b740) at backends/x11/meta-monitor-manager-xrandr.c:1238
#17 0x00007fa9fd21b3db in x_event_source_dispatch (event=0x7ffc6983b740, backend=0x7428b0 [MetaBackendX11])
    at backends/x11/meta-backend-x11.c:276
#18 0x00007fa9fd21b3db in x_event_source_dispatch (source=<optimized out>, callback=<optimized out>, user_data=<optimized out>)
    at backends/x11/meta-backend-x11.c:336
#19 0x00007fa9fb8e2c3d in g_main_context_dispatch (context=0x739180) at /build/buildd/glib2.0-2.44.0/./glib/gmain.c:3122
#20 0x00007fa9fb8e2c3d in g_main_context_dispatch (context=context@entry=0x739180) at /build/buildd/glib2.0-2.44.0/./glib/gmain.c:3737
#21 0x00007fa9fb8e2f20 in g_main_context_iterate (context=0x739180, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>)
    at /build/buildd/glib2.0-2.44.0/./glib/gmain.c:3808
#22 0x00007fa9fb8e3242 in g_main_loop_run (loop=0x1bffe40) at /build/buildd/glib2.0-2.44.0/./glib/gmain.c:4002
#23 0x00007fa9fd2409d6 in meta_run () at core/main.c:437
#24 0x000000000040208d in main ()

Here's the innermost frame:

(gdb) frame 0
#0 magazine_chain_pop_head (magazine_chunks=0x7299b0) at /build/buildd/glib2.0-2.44.0/./glib/gslice.c:539
539 (*magazine_chunks)->data = chunk->next;
(gdb) p chunk
$10 = (ChunkLink *) 0xe000000000000000

ProblemType: Bug
DistroRelease: Ubuntu 15.04
Package: gnome-shell 3.16.1-0ubuntu1~vivid1 [origin: LP-PPA-gnome3-team-gnome3-staging]
ProcVersionSignature: Ubuntu 3.19.0-16.16-generic 3.19.3
Uname: Linux 3.19.0-16-generic x86_64
ApportVersion: 2.17.2-0ubuntu1
Architecture: amd64
CurrentDesktop: GNOME
Date: Fri May 8 13:02:25 2015
DisplayManager: gdm
EcryptfsInUse: Yes
GsettingsChanges:
 b'org.gnome.shell.calendar' b'show-weekdate' b'true'
 b'org.gnome.desktop.interface' b'clock-show-seconds' b'true'
 b'org.gnome.desktop.interface' b'gtk-im-module' b"'gtk-im-context-simple'"
 b'org.gnome.desktop.interface' b'clock-show-date' b'true'
InstallationDate: Installed on 2012-07-25 (1016 days ago)
InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Release amd64 (20120425)
SourcePackage: gnome-shell
UpgradeStatus: Upgraded to vivid on 2015-04-23 (14 days ago)