As I mentioned to Joanie via IRC, although crash happens on the bridge, I will try to check if the real problem is any issue with the ATK implementation at clutter/st. Anyway, if any at-spi2-atk expert (Mike?) have any other kind of idea, you are invited to solve it ;)

Created attachment 202151 [details] [review]
Possible fix

Joanie, could you please try the attached patch and let me know if it fixes the crash? I can't reproduce it, although Matthias mentioned what I think is the same bug.

The code implementing GetItems seems unsafe, now that I look at it--if querying one accessible has the side effect of dereferncing a different accessible, then I'm guessing we might still iterate over the latter accessible, causing a crash if it had been finalized, since the cache only holds a weak reference to it. I saw a similar issue a long time ago with Firefox and calling ref_state_set on an accessible having the side-effect of the accessible's reference count being decremented, since apparently Firefox lazily realized at that point that the accessible had gone away and it could unreference it somewhere, but this would cause a crash when at-spi2-atk tried to query it again in the same function.

So it seems better to ref all accessibles in the cache first.

(In reply to comment #2)
> Created an attachment (id=202151) [details] [review]
> Possible fix
> 
> Joanie, could you please try the attached patch and let me know if it fixes the
> crash? I can't reproduce it, although Matthias mentioned what I think is the
> same bug.

Mike thanks so much for doing this! I gave it a quick spin and didn't see gnome-shell crash. Yay! :) I'll keep using it over the days to come and let you know if it seems stable (or get you a new backtrace).

I think that the patch is safe, so I've committed, and I'm marking this resolved. Please re-open if you see it again. I'll probably roll a 2.2.3 of at-spi2-atk soon if you don't see the crash again.