Description
(found and reported by Claude Code)
Cinnamon crashes with a segfault in libmuffin-clutter-0.so when updating
window icons. This is a race condition where a window is destroyed while an
icon update is still scheduled, causing access to a NULL or freed Clutter
actor.
Environment
- Distro: Linux Mint Zena (based on Ubuntu 24.04 Noble)
- Cinnamon: 6.6.5
- Muffin: 6.6.2+zena
- Kernel: 6.8.0-90-generic
- GPU: NVIDIA RTX 4060 Ti (driver 580.126.09) + AMD GPU (amdgpu driver)
- Display: Dual monitor (2560x1440 + 1440x2560)
Crash frequency
10 crashes over 8 days before workaround was applied.
Stack trace
#0 0x00007896df9a069b _clutter_actor_queue_only_relayout (libmuffin-clutter-0.so.0 + 0x4b69b)
#1 0x00007896df399809 st_bin_set_child (libst.so + 0x24809)
#2 ... libffi / libcjs ...
#26 0x00007896df716455 meta_window_update_icon_now (libmuffin.so.0 + 0xc1455)
#27 0x00007896df716bbd idle_update_icon (libmuffin.so.0 + 0xc1bbd)
#28 0x00007896df70d4d4 call_later_func (libmuffin.so.0 + 0xb84d4)
#29 0x00007896df9da29b _clutter_run_repaint_functions (libmuffin-clutter-0.so.0 + 0x8529b)
#30 0x00007896df9dc6c8 master_clock_update_stages (libmuffin-clutter-0.so.0 + 0x876c8)
#34 0x00007896df70aaef meta_run (libmuffin.so.0 + 0xb5aef)
Kernel log
cinnamon[2596]: segfault at 20 ip 00007896df9a069b sp 00007ffd5a234db0 error 4 in libmuffin-clutter-0.so.0.0.0[7896df982000+a4000]
- at 20: NULL pointer dereference (offset 0x20 from NULL, accessing struct member)
- error 4: read access to non-present page (user mode)
Root cause analysis
The crash occurs in the following sequence:
1. master_clock_update_stages triggers repaint functions
2. idle_update_icon is called as a scheduled "later" function
3. meta_window_update_icon_now attempts to update a window's icon
4. st_bin_set_child tries to set the icon in a St.Bin container
5. _clutter_actor_queue_only_relayout crashes because the actor is NULL or already destroyed
This is a race condition: a window is closed/destroyed, but the scheduled icon
update callback is not cancelled, leading to access of a freed or NULL actor.
Trigger / Workaround
The crash was significantly more frequent when using two
grouped-window-list applets (one on each panel). This doubles the number
of icon update operations.
Workaround: Removing the second grouped-window-list applet (or removing
the entire second panel) stopped the crashes. No crashes observed for 5+ days
after applying this workaround.
Suggested fix
The idle_update_icon callback should check if the window and its associated
Clutter actor still exist before attempting to update the icon. Alternatively,
the scheduled callback should be cancelled when the window is destroyed.
Additional notes
- Setting unredirect-fullscreen-windows = false did NOT help
- Multiple librsvg threads were active during crash (SVG icon rendering), suggesting heavy icon processing
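
The two fixes suggested in the report (cancel the scheduled callback when the window is destroyed, or have the callback check that the actor still exists), sketched as an added example in plain C. This is not Muffin or Cinnamon code and not part of the original report; the "later" queue, the `Window` struct and every function name are hypothetical stand-ins.

```c
/* Added illustration in plain C; not Muffin or Clutter code. All names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#define MAX_LATER 8
typedef struct Window {
    int     *icon_actor;    /* stands in for the actor that holds the icon */
    unsigned icon_later;    /* id of the pending icon update, 0 if none */
    int      icon_updates;  /* completed icon updates */
} Window;
typedef struct { void (*func)(Window *); Window *win; } Later;
static Later queue[MAX_LATER];               /* func == NULL marks a free slot */

static unsigned later_add(void (*func)(Window *), Window *win) {
    for (unsigned i = 0; i < MAX_LATER; i++) /* ids are slot + 1, so 0 means "none" */
        if (queue[i].func == NULL) { queue[i] = (Later){ func, win }; return i + 1; }
    return 0;                                /* queue full */
}
static void later_remove(unsigned id) {
    if (id != 0) queue[id - 1].func = NULL;
}
static int later_run_all(void) {             /* returns number of callbacks run */
    int ran = 0;
    for (unsigned i = 0; i < MAX_LATER; i++) {
        Later l = queue[i];
        queue[i].func = NULL;                /* one-shot: clear before calling */
        if (l.func != NULL) { l.func(l.win); ran++; }
    }
    return ran;
}
static void update_icon_cb(Window *w) {
    w->icon_later = 0;
    if (w->icon_actor == NULL) return;       /* guard: actor already gone */
    *w->icon_actor += 1;                     /* the "icon update" touches the actor */
    w->icon_updates++;
}
static void window_queue_icon_update(Window *w) {
    if (w->icon_later == 0) w->icon_later = later_add(update_icon_cb, w);
}
static void window_destroy(Window *w) {
    later_remove(w->icon_later);             /* cancel the pending update first */
    w->icon_later = 0;
    free(w->icon_actor);
    w->icon_actor = NULL;                    /* never leave a dangling pointer */
}
int main(void) {
    Window w = { calloc(1, sizeof(int)), 0, 0 };
    window_queue_icon_update(&w);            /* update scheduled ... */
    window_destroy(&w);                      /* ... but the window goes away first */
    printf("callbacks run after destroy: %d\n", later_run_all());
}
```

Cancelling in `window_destroy` is the stronger of the two measures: the NULL guard only helps while the `Window` struct itself is still allocated, whereas a cancelled callback never runs at all.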