Comment 26 for bug 1886115

Thanks - in Ubuntu releases 18.04 onwards debug symbols are provided via the separate -dbgsyms packages which require extra configuration - https://wiki.ubuntu.com/DebuggingProgramCrash

TL;DR:

echo "deb http://ddebs.ubuntu.com $(lsb_release -cs) main restricted universe multiverse" | sudo tee -a /etc/apt/sources.list.d/ddebs.list
echo -e "deb http://ddebs.ubuntu.com $(lsb_release -cs)-updates main restricted universe multiverse\ndeb http://ddebs.ubuntu.com $(lsb_release -cs)-proposed main restricted universe multiverse" | sudo tee -a /etc/apt/sources.list.d/ddebs.list
sudo apt install ubuntu-dbgsym-keyring
sudo apt update
sudo apt install systemd-dbgsym
gdb /sbin/init bug1886115.core
(gdb) bt

Which gives the following more complete stack trace (sadly a bunch of stuff has been optimised out, but also since this is crashing in freep() it seems that memory corruption has already occurred prior to this point and we don't have any info as to where this happened):

#0 0x00007f16807ba187 in kill () at ../sysdeps/unix/syscall-template.S:78
#1 0x0000563b957223b7 in crash (sig=11) at ../src/core/main.c:196
#2 <signal handler called>
#3 __GI___libc_free (mem=0x4a60d140dfd9a5) at malloc.c:3103
#4 0x0000563b9577c22e in freep () at ../src/basic/alloc-util.h:61
#5 unit_fail_if_noncanonical (u=<optimised out>, where=<optimised out>) at ../src/core/unit.c:4774
#6 0x0000563b957672d6 in mount_enter_mounting (m=0x563b9782dba0) at ../src/core/mount.c:946
#7 mount_start.lto_priv.216 (u=0x563b9782dba0) at ../src/core/mount.c:1092
#8 0x0000563b9576ba22 in unit_start (u=0x563b9782dba0) at ../src/core/unit.c:1861
#9 job_perform_on_unit.lto_priv.424 (j=0x7ffe78153248) at ../src/core/job.c:553
#10 0x0000563b9574f51a in job_run_and_invalidate (j=<optimised out>) at ../src/core/job.c:618
#11 manager_dispatch_run_queue.lto_priv.429 (source=<optimised out>, userdata=<optimised out>, userdata=<optimised out>) at ../src/core/manager.c:1830
#12 0x00007f16803a509a in source_dispatch (s=s@entry=0x563b9780e8c0) at ../src/libsystemd/sd-event/sd-event.c:2341
#13 0x00007f16803a53ea in sd_event_dispatch (e=<optimised out>, e@entry=0x563b9780e620) at ../src/libsystemd/sd-event/sd-event.c:2663
#14 0x00007f16803a5579 in sd_event_run (e=<optimised out>, timeout=18446744073709551615) at ../src/libsystemd/sd-event/sd-event.c:2723
#15 0x0000563b9572a49d in manager_loop (m=0x563b97810d90) at ../src/core/manager.c:2541
#16 invoke_main_loop (m=0x563b97810d90, ret_reexecute=0x7ffe7815347a, ret_retval=<optimised out>, ret_shutdown_verb=<optimised out>, ret_fds=0x7ffe78153480, ret_switch_root_dir=0x7ffe781534a8, ret_switch_root_init=0x7ffe781534a0, ret_error_message=0x7ffe78153490)
    at ../src/core/main.c:1778
#17 0x0000563b9571560c in main (argc=<optimised out>, argv=<optimised out>) at ../src/core/main.c:2561

What is really needed is to try and catch the memory corruption as it happens - I am not sure if it is possible to run systemd via valgrind but this could be one option.