gvfs-udisks2-volume-monitor crashed with SIGSEGV in malloc_consolidate()

StacktraceTop:
 malloc_consolidate (av=0x7f43dccd4740) at malloc.c:4246
 malloc_consolidate (av=0x7f43dccd4740) at malloc.c:4215
 _int_malloc (av=0x7f43dccd4740, bytes=1174) at malloc.c:3532
 __libc_calloc (n=<optimized out>, elem_size=<optimized out>) at malloc.c:3274
 ?? () from /tmp/tmpfoV3KW/lib64/ld-linux-x86-64.so.2

Status changed to 'Confirmed' because the bug affects multiple users.

This crash occurred on my system after ejecting a btrfs volume and unplugging the USB drive.

Trusty - unmounting a partition where a file was still active. Closed active app with file from partition. Crash followed.

got that under valgrind

==29286== Invalid read of size 1
==29286== at 0x433B79A: g_str_hash (ghash.c:1792)
==29286== by 0x433A309: g_hash_table_remove_internal (ghash.c:367)
==29286== by 0x805D729: on_name_owner_vanished (gvfsproxyvolumemonitordaemon.c:491)
==29286== by 0x420AA56: actually_do_call (gdbusnamewatching.c:162)
==29286== by 0x420ABCB: do_call (gdbusnamewatching.c:214)
==29286== by 0x420B182: on_name_owner_changed (gdbusnamewatching.c:305)
==29286== by 0x41FAC85: emit_signal_instance_in_idle_cb (gdbusconnection.c:3738)
==29286== by 0x43489FF: g_idle_dispatch (gmain.c:5280)
==29286== by 0x434BE66: g_main_context_dispatch (gmain.c:3065)
==29286== by 0x434C227: g_main_context_iterate.isra.23 (gmain.c:3711)
==29286== by 0x434C52A: g_main_loop_run (gmain.c:3905)
==29286== by 0x805F288: g_vfs_proxy_volume_monitor_daemon_main (gvfsproxyvolumemonitordaemon.c:2009)
==29286== by 0x804F9DC: main (udisks2volumemonitordaemon.c:42)
==29286== Address 0x6f0afa8 is 0 bytes inside a block of size 7 free'd
==29286== at 0x402AD58: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==29286== by 0x4351AAF: g_free (gmem.c:190)
==29286== by 0x420AC17: client_unref (gdbusnamewatching.c:102)
==29286== by 0x805D717: on_name_owner_vanished (gvfsproxyvolumemonitordaemon.c:488)
==29286== by 0x420AA56: actually_do_call (gdbusnamewatching.c:162)
==29286== by 0x420ABCB: do_call (gdbusnamewatching.c:214)
==29286== by 0x420B182: on_name_owner_changed (gdbusnamewatching.c:305)
==29286== by 0x41FAC85: emit_signal_instance_in_idle_cb (gdbusconnection.c:3738)
==29286== by 0x43489FF: g_idle_dispatch (gmain.c:5280)
==29286== by 0x434BE66: g_main_context_dispatch (gmain.c:3065)
==29286== by 0x434C227: g_main_context_iterate.isra.23 (gmain.c:3711)
==29286== by 0x434C52A: g_main_loop_run (gmain.c:3905)
==29286== by 0x805F288: g_vfs_proxy_volume_monitor_daemon_main (gvfsproxyvolumemonitordaemon.c:2009)
==29286== by 0x804F9DC: main (udisks2volumemonitordaemon.c:42)
==29286==
==29286== Invalid read of size 1
==29286== at 0x433B7B4: g_str_hash (ghash.c:1792)
==29286== by 0x433A309: g_hash_table_remove_internal (ghash.c:367)
==29286== by 0x805D729: on_name_owner_vanished (gvfsproxyvolumemonitordaemon.c:491)
==29286== by 0x420AA56: actually_do_call (gdbusnamewatching.c:162)
==29286== by 0x420ABCB: do_call (gdbusnamewatching.c:214)
==29286== by 0x420B182: on_name_owner_changed (gdbusnamewatching.c:305)
==29286== by 0x41FAC85: emit_signal_instance_in_idle_cb (gdbusconnection.c:3738)
==29286== by 0x43489FF: g_idle_dispatch (gmain.c:5280)
==29286== by 0x434BE66: g_main_context_dispatch (gmain.c:3065)
==29286== by 0x434C227: g_main_context_iterate.isra.23 (gmain.c:3711)
==29286== by 0x434C52A: g_main_loop_run (gmain.c:3905)
==29286== by 0x805F288: g_vfs_proxy_volume_monitor_daemon_main (gvfsproxyvolumemonitordaemon.c:2009)
==29286== by 0x804F9DC: main (udisks2volumemonitordaemon.c:42)
==29286== Address 0x6f0afa9 is 1 bytes inside a block of size 7 free'd
==29286== at 0x402AD58: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==29286== by...